Hi Marc,

Thanks for taking the time to look at my changes!

On 17-jan-2007, at 15:46, Marc Haber wrote:
> On Wed, Jan 17, 2007 at 12:12:39PM +0100, Tim Stoop wrote:
>> Since cron-apt downloads new indexes each night and I don't need a
>> confirmation of that each day, I use:
>> !/var/cache/apt/lists

> There are actually rules for this, see 31_aide_apt_stable and
> 31_aide_apt_unstable. But, alas, these rules have my local mirror
> hardcoded and are thus useless to external users. I'll fix this asap
> by introducing a macro.

Ah yes, much better. Would a line like:
@@define APTMIRRORS (security\.debian\.org|ftp\.nl\.debian\.org)
in /etc/aide/aide.conf work? If so, I might be able to take some work off your hands and create a patch for this. (By copying 31_aide_syslog, mostly, and the already-in-place code.)

>> !/var/cache/apt/archives

> I consider this a bad idea, since this would make
> /var/cache/apt/archives a good place for an attacker to hide local
> persistent files. That won't happen in the package.

True, but if an attacker would be smart enough to check the default aide config to determine which directory would be safe to plant an executable in...

> There is already a rule file 31_aide_apt_frqchg which should cater for
> frequently changing apt files. 31_aide_apt_unstable also excludes
> package files by means of
> !/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$

... don't you think he'll be smart enough to name it something so this regex will fit?

If someone figures out /var/cache/apt/archives is safe, he'll figure out blabla_all.deb is a safe filename. I think not catching these false alarms (at least when cron-apt is installed) does far more harm (i.e. people will get tired of the false alarms and uninstall aide or something) than leaving the directory "unsafe".

Otoh, I'm no security guru so maybe I misinterpret something here :)

The real solution here is probably to add this file to the cron-apt package instead of "always on by default". Just my 2 cents, here.

At least, please change the regex to:
!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$

Or even safer, maybe have another macro in the config file that sets the arch used (is that automatable with debconf or something? wild guess here) and allow that and "all"?

--
Kind regards,
Tim Stoop
Cidev v.o.f.
http://www.cidev.nl
KvK number: 14072991
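Added example, not part of this thread or of the aide package: a small Python check of which paths the exclusion regex quoted above, and the amd64 amendment proposed in the reply, would make aide skip, run over constructed sample paths. It shows both the false alarm the original rule leaves for amd64 packages and the blind spot discussed (any name ending in `_all.deb` is skipped regardless of content). The `build_rule` helper is an assumption about how a per-architecture macro would be expanded.

```python
import re

# Exclusion rule quoted from 31_aide_apt_unstable, and the amended variant
# proposed in the reply. The leading "!" is aide's negation prefix and is
# not part of the regex, so it is left off here.
ORIGINAL_RULE = r"/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$"
AMENDED_RULE = r"/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$"


def build_rule(arches):
    """Assumed expansion of an architecture macro into the same rule shape."""
    alt = "|".join(re.escape(a) for a in arches)
    return r"/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(" + alt + r")\.deb$"


def is_excluded(path, rule):
    """True if aide would skip this path under the rule.

    aide anchors rule regexes at the start of the path; re.match does the same.
    """
    return re.match(rule, path) is not None


def classify(paths, rule):
    """Split paths into those aide would skip and those it would still report."""
    skipped = [p for p in paths if is_excluded(p, rule)]
    reported = [p for p in paths if not is_excluded(p, rule)]
    return skipped, reported


# Constructed sample paths, not taken from a real system.
SAMPLE = [
    "/var/cache/apt/archives/aide_0.13.1-5_i386.deb",
    "/var/cache/apt/archives/aide_0.13.1-5_amd64.deb",    # false alarm under ORIGINAL_RULE
    "/var/cache/apt/archives/cron-apt_0.4.11_all.deb",
    "/var/cache/apt/archives/blabla_all.deb",             # skipped by name alone
    "/var/cache/apt/archives/lock",
    "/var/cache/apt/archives/partial/aide_0.13.1-5_amd64.deb",  # "/" not in the class
    "/var/cache/apt/archives/evil.sh",
]

if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE), ("amended", AMENDED_RULE)):
        skipped, reported = classify(SAMPLE, rule)
        print(f"{label}: skipped={skipped}")
        print(f"{label}: reported={reported}")
```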
