Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs

Tim Stoop tim at cidev.nl
Wed Jan 17 16:32:35 CET 2007


Hi Marc,

Thanks for taking the time to look at my changes!

On 17-jan-2007, at 15:46, Marc Haber wrote:
> On Wed, Jan 17, 2007 at 12:12:39PM +0100, Tim Stoop wrote:
>> Since cron-apt downloads new indexes each night and I don't need a
>> confirmation of that each day, I use:
>> !/var/cache/apt/lists
>
> There are actually rules for this, see 31_aide_apt_stable and
> 31_aide_apt_unstable. But, alas, these rules have my local mirror
> hardcoded and are thus useless to external users. I'll fix this asap
> by introducing a macro.

Ah yes, much better. Would a line like:
@@define APTMIRRORS (security\.debian\.org|ftp\.nl\.debian\.org)
in /etc/aide/aide.conf work? If so, I might be able to take some work
off your hands and create a patch for this. (By copying
31_aide_syslog, mostly, and the already-in-place code.)

>> !/var/cache/apt/archives
>
> I consider this a bad idea, since this would make
> /var/cache/apt/archives a good place for an attacker to hide local
> persistent files. That won't happen in the package.

True, but if an attacker would be smart enough to check the default
aide config to determine which directory would be safe to plant an
executable in...

> There is already a rule file 31_aide_apt_frqchg which should cater for
> frequently changing apt files. 31_aide_apt_unstable also excludes
> package files by means of
> !/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$

... don't you think he'll be smart enough to name it something so
this regex will fit?

If someone figures out /var/cache/apt/archives is safe, he'll figure
out blabla_all.deb is a safe filename. I think not catching these
false alarms (at least when cron-apt is installed) does far more harm
(i.e. people will get tired of the false alarms and uninstall aide or
something) than leaving the directory "unsafe".

Otoh, I'm no security guru so maybe I misinterpret something here :)

The real solution here is probably to add this file to the cron-apt
package instead of "always on by default". Just my 2 cents, here.

At least, please change the regex to:
!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$

Or even safer, maybe have another macro in the config file that sets
the arch used (is that automatable with debconf or something? wild
guess here) and allow that and "all"?

-- 
Kind regards,
Tim Stoop
Cidev v.o.f.
http://www.cidev.nl
KvK number: 14072991
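The thread above argues about what the `!/var/cache/apt/archives/...` negative rule actually excludes from AIDE's view, and whether a host-architecture macro (as Tim suggests) would remove the amd64 false alarms. The following is an added audit script, not code from this thread or from the Debian aide package: it expands AIDE-style `@@define` / `@@{NAME}` macros, collects the negative (`!`) selection lines, and reports for a list of constructed sample paths which ones the rules leave monitored and which they exclude. It assumes AIDE's documented macro syntax and that selection regexes are anchored at the start of the path; the macro name `APTARCH`, the shape of the `lists/` rule and the sample paths are assumptions made for the example.

```python
import re

# Constructed config fragments (not the package's own rule files).
# CONFIG_ORIGINAL carries the archives rule exactly as quoted in the thread.
CONFIG_ORIGINAL = r"""
!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$
"""

# CONFIG_ARCH_MACRO is the variant Tim proposes: the host arch comes from a
# macro (assumed name APTARCH, here set as on an amd64 host) and "all" is
# still allowed. The mirror macro is the line Tim quotes; the lists/ rule
# that uses it is an assumed shape for illustration only.
CONFIG_ARCH_MACRO = r"""
@@define APTARCH amd64
@@define APTMIRRORS (security\.debian\.org|ftp\.nl\.debian\.org)
!/var/cache/apt/lists/@@{APTMIRRORS}_
!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(@@{APTARCH}|all)\.deb$
"""

# Constructed sample paths: real-looking .deb names, apt's lock file,
# a file inside archives/partial/, and the arbitrary name from the thread.
SAMPLE_PATHS = [
    "/var/cache/apt/archives/aide_0.13.1-4_i386.deb",
    "/var/cache/apt/archives/aide_0.13.1-4_amd64.deb",
    "/var/cache/apt/archives/aide-common_0.13.1-4_all.deb",
    "/var/cache/apt/archives/blabla_all.deb",
    "/var/cache/apt/archives/partial/aide_0.13.1-4_i386.deb",
    "/var/cache/apt/archives/lock",
    "/var/cache/apt/lists/security.debian.org_dists_etch_Release",
    "/var/cache/apt/lists/lock",
]

MACRO_DEF = re.compile(r"^@@define\s+(\w+)\s+(.*?)\s*$")
MACRO_REF = re.compile(r"@@\{(\w+)\}")


def expand_macros(config_text):
    """Return the non-macro config lines with @@{NAME} references substituted."""
    macros = {}
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # An undefined macro is a config error; fail loudly rather than
        # silently producing a rule that matches nothing.
        lines.append(MACRO_REF.sub(lambda r: macros[r.group(1)], line))
    return lines


def negative_rules(lines):
    """Compile the '!' selection lines; AIDE anchors them at the path start."""
    return [re.compile("^" + line[1:]) for line in lines if line.startswith("!")]


def is_excluded(path, rules):
    return any(rule.match(path) for rule in rules)


def audit(config_text, paths):
    """Map each path to 'excluded' (invisible to AIDE) or 'monitored'."""
    rules = negative_rules(expand_macros(config_text))
    return {p: ("excluded" if is_excluded(p, rules) else "monitored") for p in paths}


if __name__ == "__main__":
    for name, cfg in (("original", CONFIG_ORIGINAL), ("arch macro", CONFIG_ARCH_MACRO)):
        print(f"--- {name} ---")
        for path, state in audit(cfg, SAMPLE_PATHS).items():
            print(f"{state:9s} {path}")
```

Running it shows the two points made in the thread side by side: with the original rule an amd64 package file stays monitored (the daily false alarm Tim describes), while the macro variant excludes it; and in both variants a file named `blabla_all.deb` is excluded just like a genuine package, whereas `lock` and anything under `archives/partial/` remain monitored because the character class does not match `/`. A maintainer can drop their real rule files into `CONFIG_*` to see exactly which paths a proposed exclusion would blind AIDE to before shipping it.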
