FilesystemIntegrityCheckerSpec

Revision 1 as of 2009-06-03 12:24:48 (size 1921, editor modemcable191)
Revision 2 as of 2009-06-19 12:48:00 (size 2227, editor modemcable191)

Summary

Aide is the filesystem integrity checker shipped in Ubuntu's main repository. Most administrators do not run a filesystem integrity checker because it is hard to maintain: every system update changes a large number of files, and each of them shows up in the next report as a false positive.

To make Aide easier to use, a new configuration option will filter the files changed by system updates out of the daily report. Although not fool-proof, this will let an administrator install Aide and get useful intrusion information without investing a lot of maintenance time.

Release Note

Aide now has a new FILTERUPDATES option that removes files changed by system updates from the daily e-mail report. Changed files are still listed in the log file. The option parses /var/log/dpkg.log, which is rotated and therefore only covers recent updates; it works best with COPYNEWDB=yes, which keeps the database current so that the updates to be filtered are always the recent ones the log still contains.

Rationale

Filesystem integrity checkers are hard to maintain because system updates generate a large number of false positives. A simpler configuration will let system administrators install the checker, configure it to send them e-mail, and benefit from file change alerts without further tuning.

Design

A new configuration option, FILTERUPDATES, is introduced in /etc/default/aide and is off by default. When enabled, the daily aide cron script parses the dpkg log to obtain the list of packages upgraded since the last aide database was built, runs dpkg-query -L on each of them to get the files those packages contain, and filters those files out of the daily e-mail report. The filter works on package ownership, not on file content: any change to a file owned by an upgraded package is suppressed, whether or not the upgrade made it, while a file that no package owns is never filtered. The log file keeps the unfiltered result, so the full list remains available for review.
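As an added example (not the Debian aide cron script and not code from this spec), the following POSIX shell sketch implements the filter described above. The dpkg.log lines, the report lines and the package-to-file table are constructed fixtures; in a real run the log is /var/log/dpkg.log, the cut-off is the mtime of the aide database, and package_files calls dpkg-query -L. The function names, the DEMO_OWNED table and the demo() driver are this example's own. It goes slightly beyond the text by treating freshly installed packages like upgraded ones, since their new files would otherwise appear in the report as additions.

```shell
#!/bin/sh
# Added example of the FILTERUPDATES logic; not Debian's /etc/cron.daily/aide.
# Real inputs: /var/log/dpkg.log, the mtime of /var/lib/aide/aide.db and the
# aide --check output.  Everything named DEMO_* below is a constructed fixture.
set -u

# Packages that dpkg logged as upgraded or installed after SINCE.
# dpkg.log lines look like "YYYY-MM-DD HH:MM:SS upgrade <pkg> <old> <new>";
# newer dpkg writes "<pkg>:<arch>", so the sub() strips the architecture.
# usage: upgraded_packages LOGFILE "YYYY-MM-DD HH:MM:SS"
upgraded_packages() {
    awk -v since="$2" '
        ($3 == "upgrade" || $3 == "install") && ($1 " " $2) > since {
            sub(/:.*/, "", $4); print $4
        }' "$1" | sort -u
}

# Files owned by package $1, one per line.  With DEMO_OWNED set (a constructed
# "pkg path" table) no dpkg is needed; otherwise dpkg-query -L is asked.
package_files() {
    if [ -n "${DEMO_OWNED:-}" ]; then
        printf '%s\n' "$DEMO_OWNED" | awk -v p="$1" '$1 == p { print $2 }'
    else
        dpkg-query -L "$1" 2>/dev/null
    fi
}

# usage: filter_report DPKGLOG SINCE REPORT
# Prints REPORT without the lines whose last field is a path owned by a
# package updated after SINCE.  The unfiltered report stays in the log file;
# only the mailed copy goes through this filter.
filter_report() {
    paths=$(mktemp) || return 1
    upgraded_packages "$1" "$2" | while read -r pkg; do
        package_files "$pkg"
    done > "$paths"
    # FILENAME test rather than NR==FNR: an empty path list must filter nothing.
    awk 'FILENAME == ARGV[1] { owned[$0] = 1; next }
         !($NF in owned)' "$paths" "$3"
    rm -f "$paths"
}

# Constructed package-to-file table standing in for dpkg-query -L.
DEMO_OWNED='openssl /usr/bin/openssl
openssl /usr/share/doc/openssl/changelog.gz
less /usr/bin/less
bash /bin/bash'

# Constructed dpkg.log and aide report; the database was built 2009-06-18
# 03:00:00, so the bash upgrade of 2009-06-17 is already in the baseline and
# a change to /bin/bash today is real news, not update noise.
demo() {
    log=$(mktemp); report=$(mktemp)
    cat > "$log" <<'EOF'
2009-06-17 06:25:01 upgrade bash 3.2-4ubuntu1 3.2-5ubuntu1
2009-06-19 06:25:12 status half-configured openssl 0.9.8g-16ubuntu1
2009-06-19 06:25:12 upgrade openssl 0.9.8g-15ubuntu1 0.9.8g-16ubuntu1
2009-06-19 06:25:20 install less <none> 429-2
EOF
    cat > "$report" <<'EOF'
changed: /usr/bin/openssl
changed: /usr/share/doc/openssl/changelog.gz
added: /usr/bin/less
changed: /bin/bash
added: /usr/local/bin/.hidden
changed: /etc/passwd
EOF
    filter_report "$log" "2009-06-18 03:00:00" "$report"
    rm -f "$log" "$report"
}

demo
```

Running it leaves three lines in the mailed report: /bin/bash, /usr/local/bin/.hidden and /etc/passwd. The openssl and less paths are dropped purely because their packages were updated after the database build; the filter does not check that the current file content is what dpkg installed, which is the "not fool-proof" part of the design, and dpkg-query -L also lists directories, so a reported mtime change on a directory owned by an updated package is filtered the same way.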

Implementation

Since all of the changes necessary for this to function are in files that are specific to the Debian packaging, there are no patches or code changes to send to the upstream aide project.

Test/Demo Plan

Once the new packages are ready, we can ask for community testing.

Unresolved issues

To be completed.


CategorySpec

SecurityTeam/Specifications/Karmic/FilesystemIntegrityCheckerSpec (last edited 2009-11-25 19:05:32 by c-76-105-168-175)