[Pkg-aide-maintainers] Bug#387463: making aide vserver aware (audit guests from the root server)

Marc Haber mh+debian-packages at zugschlus.de
Wed Oct 4 13:20:27 UTC 2006


Hi,

I have decided not to include this in the default configuration.
Rationale:
  - It is a rather complex change that is only useful for a quite
    uncommon use case.
  - The rules look a lot more ugly this way.
  - One will probably apply different rules to the host system and to
    different vservers.

I have, however, added a paragraph describing this setup to
README.Debian.

On Sat, Sep 23, 2006 at 12:17:54AM +0200, Christian Thaeter wrote:
> Marc Haber wrote:
> > Neat idea. However, I am not convinced that this belongs in the
> > distribution package as it would be necessary to touch _all_ rules
> > files. The use case is rather special, and greatly increases rule
> > complexity. They are already too hard to understand, IMO.
> > 
> > I am open to arguments though.
> 
> I thought about that too ... but since it is evaluated by the
> preprocessor, if no vservers exist the @@{VSERVERS} macro becomes an
> empty '()' regex, which at least doesn't have any more algorithmic overhead.

Yes, but it is ugly to read. I have tried applying the change to the
rules in svn and quickly decided this is too much, especially for the
algorithmically generated rules.

> Well, the cost is that we have these /@@{VSERVERS} linenoise (maybe
> rename it to @@{ROOTS} or whatever, but that's a matter of taste).
> Personally I think that's acceptable even for non-vserver users since it
> is a single uniform scheme while it adds great benefit to vserver users
> who don't need to configure anything.

I don't think it is acceptable.

Additionally, I couldn't think of a setup where the exact same
ruleset applied to both the host system and to _all_ vservers would make
sense.

> An alternative I can think of is that you provide different sets of
> configs and the user can choose one at installation time, maybe by
> maintaining a generalized set of configs which runs through some
> other preprocessor (m4?) to generate actual configs, but that's only for
> the package maintainer; users should get the proper config installed
> without having to deal with regeneration (unless they want to alter them).

Please send a patch. I do not have the time to implement this.

How about providing a hook shell script where the generated
configuration is piped through by update-aide.conf before the actual
config is written? That way, the local admin could hook arbitrary
mechanisms into the process.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
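The hook Marc proposes, sketched as an added example that is not part of this thread or of the aide package: a POSIX shell filter that reads the generated configuration on stdin and prefixes each path rule with a @@{VSERVERS} macro built from the guest roots found under a base directory, so the empty '()' alternation Christian describes appears when no guests exist. The macro layout, the base directory /var/lib/vservers and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not code from the aide package or this thread. A filter in
# the spirit of the proposed update-aide.conf hook: aide config comes in on
# stdin, a @@define for VSERVERS is emitted, and every path rule is prefixed
# with @@{VSERVERS} so guests under the base directory are audited with the
# host's rules. Base directory and macro layout are assumed, not aide's own.

# Build an alternation regex of guest root directories under $1.
# With no guests this is "()", which matches the empty string and so
# leaves the host rules unchanged at no extra matching cost.
vserver_roots_regex() {
    base="$1"
    alt=""
    for d in "$base"/*/; do
        [ -d "$d" ] || continue          # unmatched glob stays literal
        d="${d%/}"                       # drop trailing slash
        alt="${alt:+$alt|}$d"
    done
    printf '(%s)\n' "$alt"
}

# Read aide configuration on stdin, write the rewritten configuration to
# stdout. Rules starting with '/' are regex rules anchored at the path
# start; '!' (ignore) and '=' (no-recursion) rules keep their prefix char.
# Comments, @@define lines and option lines pass through untouched.
aide_vserver_hook() {
    regex=$(vserver_roots_regex "$1")
    printf '@@define VSERVERS %s\n' "$regex"
    while IFS= read -r line; do
        case "$line" in
            /*)       printf '@@{VSERVERS}%s\n' "$line" ;;
            !/*|=/*)  printf '%s@@{VSERVERS}%s\n' "${line%%/*}" "${line#?}" ;;
            *)        printf '%s\n' "$line" ;;
        esac
    done
}

# Usage (assumed base directory):
#   update-aide.conf-output | aide_vserver_hook /var/lib/vservers > aide.conf
```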