On Wed, Jan 17, 2007 at 04:32:35PM +0100, Tim Stoop wrote:
> On 17-jan-2007, at 15:46, Marc Haber wrote:
> >On Wed, Jan 17, 2007 at 12:12:39PM +0100, Tim Stoop wrote:
> >>Since cron-apt downloads new indexes each night and I don't need a
> >>confirmation of that each day, I use:
> >>!/var/cache/apt/lists
> >
> >There are actually rules for this, see 31_aide_apt_stable and
> >31_aide_apt_unstable. But, alas, these rules have my local mirror
> >hardcoded and are thus useless to external users. I'll fix this asap
> >by introducing a macro.
>
> Ah yes, much better. Would a line like:
> @@define APTMIRRORS (security\.debian\.org|ftp\.nl\.debian\.org)
> in /etc/aide/aide.conf work? If so, I might be able to take some work
> off your hands and create a patch for this. (By copying
> 31_aide_syslog, mostly, and the already-in-place code.)
I have found that the _apt_ rules are a horrible mess and will re-work
them completely in the next version. Don't submit any patches against
the current versions as it is likely that the new rules will not
remotely resemble the current ones.

> >>!/var/cache/apt/archives
> >
> >I consider this a bad idea, since this would make
> >/var/cache/apt/archives a good place for an attacker to hide local
> >persistent files. That won't happen in the package.
>
> True, but if an attacker would be smart enough to check the default
> aide config to determine which directory would be safe to plant an
> executable in...

Yes, that's kind of a red herring, but I'd like to assume that an
attacker might know which directories are likely to be busy on a
Debian system but might miss the fact that aide is in use.

> >There is already a rule file 31_aide_apt_frqchg which should cater for
> >frequently changing apt files. 31_aide_apt_unstable also excludes
> >package files by means of
> >!/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$
>
> ... don't you think he'll be smart enough to name it something so
> this regex will fit?

He might, but he might not. Excluding an entire directory is something
I'd like to avoid here. Additionally, *.deb files in that directory
might confuse apt so that the files placed there might be noticed by
the admin. There needs to be some compromise.

> If someone figures out /var/cache/apt/archives is safe, he'll figure
> out blabla_all.deb is a safe filename. I think not catching these
> false alarms (at least when cron-apt is installed) does far more harm
> (ie. people will get tired of the false alarms and uninstall aide or
> something) than leaving the directory "unsafe".

The regexp that is already in the packages is supposed to mask the
regular changes to the directory. I have cron-apt running on an hourly
basis on unstable systems and the rule in the package keeps
/var/cache/apt/archives out of the reports.
> The real solution here is probably to add this file to the cron-apt
> package instead of "always on by default".

Yes, other packages' maintainers are cordially invited to include aide
rules in their packages. See NEWS.Debian for 0.11a-3. It is only that I
do not have the time to ask them.

> At least, please change the regex to:
> !/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$
>
> Or even safer, maybe have another macro in the config file that sets
> the arch used (is that automatable with debconf or something? wild
> guess here) and allow that and "all"?

That's what I intend to do.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things." Winona Ryder    | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
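As an added illustration, not part of the thread or of the aide package, the script below runs a constructed set of paths through the three exclusion variants discussed above (the whole-directory rule, the i386|all regex from 31_aide_apt_unstable, and the amd64-aware variant) and lists what aide would still report under each. It assumes Python's re.match is an adequate stand-in for aide's start-anchored POSIX regex matching of '!' rules, which holds for these patterns.

```python
import re

# Rules as quoted in the thread; aide anchors a '!' rule at the start of the path.
RULE_WHOLE_DIR = r"/var/cache/apt/archives"
RULE_ORIGINAL = r"/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|all)\.deb$"
RULE_PROPOSED = r"/var/cache/apt/archives/[-a-zA-Z0-9%\._+]+_(i386|amd64|all)\.deb$"

# Constructed sample paths (assumption: not taken from any real system).
SAMPLE_PATHS = [
    "/var/cache/apt/archives/aide_0.13.1-2_i386.deb",
    "/var/cache/apt/archives/aide_0.13.1-2_amd64.deb",
    "/var/cache/apt/archives/aide-common_0.13.1-2_all.deb",
    "/var/cache/apt/archives/lock",
    "/var/cache/apt/archives/partial/aide_0.13.1-2_i386.deb",
    "/var/cache/apt/archives/helper.sh",
    "/var/cache/apt/archives/aide_0.13.1-2_i386.deb.old",
]


def is_excluded(path: str, rule: str) -> bool:
    """True if a '!' rule with this regex would hide the path from aide's report.

    re.match anchors at the start of the path, matching aide's behaviour; the
    trailing '$' in the .deb rules anchors the end, so 'foo.deb.old' is NOT hidden.
    """
    return re.match(rule, path) is not None


def still_reported(paths, rule):
    """Paths that aide would still report as changed/new under the given rule."""
    return [p for p in paths if not is_excluded(p, rule)]


if __name__ == "__main__":
    for name, rule in (("whole dir", RULE_WHOLE_DIR),
                       ("i386|all", RULE_ORIGINAL),
                       ("i386|amd64|all", RULE_PROPOSED)):
        print(f"{name}: still reported ->")
        for p in still_reported(SAMPLE_PATHS, rule):
            print("   ", p)
```

Note that the character class has no '/', so nothing under partial/ is hidden by either .deb rule, and the whole-directory rule hides everything, including the shell script and the lock file.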