Bug#407280: [Pkg-aide-maintainers] Bug#407280: aide: Config fixes for better compliance with default Debian configs
Marc Haber
mh+debian-packages at zugschlus.de
Wed Jan 17 16:50:48 CET 2007
On Wed, Jan 17, 2007 at 04:32:35PM +0100, Tim Stoop wrote:
> On 17-jan-2007, at 15:46, Marc Haber wrote:
> >On Wed, Jan 17, 2007 at 12:12:39PM +0100, Tim Stoop wrote:
> >>Since cron-apt downloads new indexes each night and I don't need a
> >>confirmation of that each day, I use:
> >>!/var/cache/apt/lists
> >
> >There are actually rules for this, see 31_aide_apt_stable and
> >31_aide_apt_unstable. But, alas, these rules have my local mirror
> >hardcoded and are thus useless to external users. I'll fix this asap
> >by introducing a macro.
>
> Ah yes, much better. Would a line like:
> @@define APTMIRRORS (security\.debian\.org|ftp\.nl\.debian\.org)
> in /etc/aide/aide.conf work? If so, I might be able to take some work
> off your hands and create a patch for this. (By copying
> 31_aide_syslog, mostly, and the already-in-place code.)
I have found that the _apt_ rules are a horrible mess and will re-work
them completely in the next version. Don't submit any patches against
the current versions as it is likely that the new rules will not
remotely resemble the current ones.
> >>!/var/cache/apt/archives
> >
> >I consider this a bad idea, since this would make
> >/var/cache/apt/archives a good place for an attacker to hide local
> >persistent files. That won't happen in the package.
>
> True, but if an attacker would be smart enough to check the default
> aide config to determine which directory would be safe to plant an
> executable in...
Yes, that's kind of a red herring, but I'd like to assume that an
attacker might know which directories are likely to be busy on a
Debian system but might miss the fact that aide is in use.
> >There is already a rule file 31_aide_apt_frqchg which should cater for
> >frequently changing apt files. 31_aide_apt_unstable also excludes
> >package files by means of
> >!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$
>
> ... don't you think he'll be smart enough to name it something so
> this regex will fit?
He might, but he might not. Excluding an entire directory is something
I'd like to avoid here. Additionally, *.deb files in that directory
might confuse apt so that the files placed there might be noticed by
the admin. There needs to be some compromise.
> If someone figures out /var/cache/apt/archives is safe, he'll figure
> out blabla_all.deb is a safe filename. I think not catching these
> false alarms (at least when cron-apt is installed) does far more harm
> (i.e. people will get tired of the false alarms and uninstall aide or
> something) than leaving the directory "unsafe".
The regexp that is already in the packages is supposed to mask the
regular changes to the directory. I have cron-apt running on an hourly
basis on unstable systems and the rule in the package keeps
/var/cache/apt/archives out of the reports.
> The real solution here is probably to add this file to the cron-apt
> package instead of "always on by default".
Yes, other packages' maintainers are cordially invited to include aide
rules in their packages. See NEWS.Debian for 0.11a-3. It is only that
I do not have the time to ask them.
> At least, please change the regex to:
> !/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$
>
> Or even safer, maybe have another macro in the config file that sets
> the arch used (is that automatable with debconf or something? wild
> guess here) and allow that and "all"?
That's what I intend to do.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
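The thread argues about what the shipped exclusion regex for /var/cache/apt/archives actually lets through: a legitimately named amd64 package still raises an alarm, while an attacker who picks a name like backdoor_all.deb slips past it. The script below, an added example that is not part of the original mail thread or the Debian aide package, checks the shipped rule and Tim's amd64 variant against constructed sample paths, and emulates the arch macro Marc says he intends to add. The @@{ARCH} expansion is a simplified stand-in for aide's own macro handling, and using Python's re.match to approximate aide's start-anchored extended regexes is an assumption.

```python
import re

# Exclusion rule as quoted in the thread (31_aide_apt_unstable) and the
# amd64-aware variant Tim proposed. Without the leading "!" they are
# plain regexes; aide anchors them at the start of the path, which
# re.match also does (assumption: close enough for these patterns).
SHIPPED = r"/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$"
PROPOSED = r"/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$"

# Hypothetical template for the arch macro idea from the thread. The
# @@{NAME} form is aide's macro syntax; the expansion below is our own
# simplified emulation, not aide's parser.
TEMPLATE = r"!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(@@{ARCH}|all)\.deb$"


def expand_macros(line, defs):
    """Replace every @@{NAME} in line with defs[NAME] (emulation only)."""
    return re.sub(r"@@\{(\w+)\}", lambda m: defs[m.group(1)], line)


def rule_for_arch(arch):
    """Render the negated rule for one architecture, e.g. 'amd64'."""
    return expand_macros(TEMPLATE, {"ARCH": arch})


def is_excluded(path, pattern):
    """True if the path would be masked from aide reports by pattern."""
    return re.match(pattern, path) is not None


def classify(paths, pattern):
    """Map each path to whether the exclusion rule swallows it."""
    return {p: is_excluded(p, pattern) for p in paths}


# Constructed sample paths: two ordinary package downloads, apt's lock
# file, a download in partial/, and two attacker-chosen names.
SAMPLE_PATHS = [
    "/var/cache/apt/archives/aide_0.13.1-1_i386.deb",
    "/var/cache/apt/archives/aide_0.13.1-1_amd64.deb",
    "/var/cache/apt/archives/lock",
    "/var/cache/apt/archives/partial/aide_0.13.1-1_i386.deb",
    "/var/cache/apt/archives/backdoor_all.deb",
    "/var/cache/apt/archives/backdoor.so",
]

if __name__ == "__main__":
    for name, pat in (("shipped", SHIPPED), ("proposed", PROPOSED),
                      ("macro amd64", rule_for_arch("amd64")[1:])):
        print(f"--- {name}: {pat}")
        for path, hidden in classify(SAMPLE_PATHS, pat).items():
            print(f"{'excluded ' if hidden else 'REPORTED '}{path}")
```

Running it shows the compromise Marc describes: the character class has no "/" in it, so partial/ and the lock file are still reported, an amd64 download is reported by the shipped rule but not by the proposed one, and a planted backdoor_all.deb is masked by every variant, whereas the same payload dropped as backdoor.so is caught.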