Having problems with Tripwire on C6, I installed AIDE from the base repository. x86_64 0.14-3.el6_2.2 base 123 k
typing: aide
result: "Couldn't open file /var/lib/aide/aide.db.gz for reading" (directory is empty and aide.db.gz does not exist.)

typing: aide -i (to initialise the Aide database)
result: "AIDE, version 0.14 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized." (size 10 bytes)

typing: aide
result: "Couldn't open file /var/lib/aide/aide.db.gz for reading"

typing: aide --init (for the second time)
result: "AIDE, version 0.14 ### AIDE database at /var/lib/aide/aide.db.new.gz initialized." (now 2,225,108 bytes)

typing: aide
result: "Couldn't open file /var/lib/aide/aide.db.gz for reading"

action: renaming aide.db.new.gz as aide.db.gz

typing: aide
result: (noticeable delay) "AIDE, version 0.14 ### All files match AIDE database. Looks okay!" (only 1 file in /var/lib/aide = aide.db.gz)

typing: aide -u
result: (noticeable delay) "AIDE, version 0.14 ### All files match AIDE database. Looks okay! ### New AIDE database written to /var/lib/aide/aide.db.new.gz"
Comment: Looks like I have solved the riddle :-) I did do a 'yum erase aide' followed by a 'yum install aide' to ensure my first experience was not a technical malfunction.
On 9/9/2014 3:48 PM, Always Learning wrote:
> Having problems with Tripwire on C6, I installed AIDE from the base repository.
> [...]
> action: renaming aide.db.new.gz as aide.db.gz
> typing: aide
> result: (noticeable delay) "AIDE, version 0.14 ### All files match AIDE database. Looks okay!" (only 1 file in /var/lib/aide = aide.db.gz)
I'm a bit behind on this list, but as I don't see any other replies, I'll comment here.
Aide does not update its database file. Whenever you run an init or update, it will create a new file. You then have to manually rename that file in order to start using the new database.
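The init/rename/check/update cycle Paul went through, and the rule Bowie states (init and update never touch the live database), as an added example that is not part of the thread and not AIDE's own code. It is a small POSIX sh wrapper for AIDE 0.14 on CentOS 6, where the stock aide.conf reads the reference database from /var/lib/aide/aide.db.gz (`database=`) and both `aide --init` and `aide --update` write /var/lib/aide/aide.db.new.gz (`database_out=`). It refuses to promote a new database that is missing, not valid gzip, or suspiciously small (the 10-byte file from the first `aide -i` above would be rejected), keeps the previous baseline as a rollback copy, and records a SHA-256 checksum of the baseline that is verified before every check, so that a database swapped on the box is itself reported. The AIDE_DIR, AIDE_BIN and MIN_DB_BYTES knobs, the 1024-byte threshold and the script name aide-db.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from AIDE. Wraps the AIDE 0.14 workflow on CentOS 6,
# where aide.conf reads the reference database from aide.db.gz (database=) and both
# `aide --init` and `aide --update` write aide.db.new.gz (database_out=) without touching it.
# AIDE_DIR, AIDE_BIN and MIN_DB_BYTES (and its 1024-byte default) are assumptions of this example.
set -eu

AIDE_DIR=${AIDE_DIR:-/var/lib/aide}
AIDE_BIN=${AIDE_BIN:-aide}
MIN_DB_BYTES=${MIN_DB_BYTES:-1024}   # a real database above was ~2.2 MB; a 10-byte one must never be promoted

# Size of a file in bytes.
file_size() { wc -c < "$1" | tr -d ' '; }

# Move aide.db.new.gz into place as aide.db.gz. Refuses (and leaves the current database
# untouched) if the new file is missing, too small to be a real database, or not valid gzip.
aide_promote() {
    new="$AIDE_DIR/aide.db.new.gz"
    cur="$AIDE_DIR/aide.db.gz"
    if [ ! -f "$new" ]; then
        echo "no $new: run '$AIDE_BIN --init' or '$AIDE_BIN --update' first" >&2
        return 1
    fi
    size=$(file_size "$new")
    if [ "$size" -lt "$MIN_DB_BYTES" ]; then
        echo "$new is only $size bytes; refusing to promote what looks like an empty database" >&2
        return 1
    fi
    if ! gzip -t "$new" 2>/dev/null; then
        echo "$new is not a valid gzip file" >&2
        return 1
    fi
    # Keep the previous baseline so a bad update can be rolled back.
    if [ -f "$cur" ]; then
        mv -f "$cur" "$cur.prev"
    fi
    mv -f "$new" "$cur"
    # Checksum of the baseline: copy it off the box too, and compare before trusting a report.
    # A baseline that no longer matches is a finding in its own right.
    sha256sum "$cur" > "$cur.sha256"
    echo "promoted $new to $cur ($size bytes)"
}

# Fail if the on-disk baseline no longer matches the recorded checksum.
aide_verify_db() { sha256sum --quiet -c "$AIDE_DIR/aide.db.gz.sha256"; }

aide_init()   { "$AIDE_BIN" --init && aide_promote; }
aide_check()  { aide_verify_db && "$AIDE_BIN" --check; }
# --update reports changes and writes a new database but does not make it the baseline:
# read the report, then run 'promote' to accept the changes as the new known-good state.
aide_update() { aide_verify_db && "$AIDE_BIN" --update; }

case "${1:-}" in
    init)    aide_init ;;
    check)   aide_check ;;
    update)  aide_update ;;
    promote) aide_promote ;;
    *)       [ -z "${1:-}" ] || { echo "usage: $0 init|check|update|promote" >&2; exit 2; } ;;
esac
```

Run `sh aide-db.sh init` once, `sh aide-db.sh check` from cron, and, only after reading the report from `sh aide-db.sh update`, `sh aide-db.sh promote`. Promotion is deliberately a separate step: promoting straight after an update silently turns whatever changed into the new baseline, which is exactly what an intruder who can write to the box would like.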
On Tue, 2014-09-16 at 16:41 -0400, Bowie Bailey wrote:
> Aide does not update its database file. Whenever you run an init or update, it will create a new file. You then have to manually rename that file in order to start using the new database.
Thank you.
Paul. England, EU.
Learning until I die or experience dementia :-)
On Tue, September 16, 2014 9:40 pm, Always Learning wrote:
> On Tue, 2014-09-16 at 16:41 -0400, Bowie Bailey wrote:
> > Aide does not update its database file. Whenever you run an init or update, it will create a new file. You then have to manually rename that file in order to start using the new database.
I used aide for some time after tripwire went commercial, stayed without support, and finally a bug (in e-mail...) was discovered. I moved away from aide soon after. You may think of some intrusion detection tool/system that:
1. doesn't keep reference database on the same box (I know, I know, they are signed, etc...)
2. does not rely on binaries living on this same box (think about checking these binaries on another, much more trusted box before using them...)
But of course, there is no limit to paranoia when [computer] security is concerned.
Sorry, not mentioning what I do ("security through obscurity" helps a bit sysadmin's paranoia ;-)
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Sep 17, 2014, at 10:26 AM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
> On Tue, September 16, 2014 9:40 pm, Always Learning wrote:
> > On Tue, 2014-09-16 at 16:41 -0400, Bowie Bailey wrote:
> > > Aide does not update its database file. Whenever you run an init or update, it will create a new file. You then have to manually rename that file in order to start using the new database.
> I used aide for some time after tripwire went commercial, stayed without support, and finally a bug (in e-mail...) was discovered. I moved away from aide soon after. You may think of some intrusion detection tool/system that:
> - doesn't keep reference database on the same box (I know, I know, they are signed, etc...)
> - does not rely on binaries living on this same box (think about checking these binaries on another, much more trusted box before using them…)
That’s kind of an impossible requirement: any kind of userspace measurement of binaries, no matter how many hoops you jump through, has the same potential problem, that a compromised system can hide from it using just the legitimate available APIs. A user space integrity checker is only good against malware that isn’t specifically trying to hide itself from the checker, which does actually cover a lot of ground. The only way to reliably find malware that is trying to be stealthy is offline checking. That still doesn’t cover other places where _really_ stealthy malware can hide, like device firmware, which can survive a disk wipe.
Although probably not relevant for CentOS 6 there are some interesting tools in the Linux Integrity Measurement Architecture that I have recently become aware of but haven’t tested. Apparently with newer versions you can store _signed_ hashes of binaries as an xattr that the kernel will check itself on open(), since they are signed off-box and the public key is in the kernel keyring you get much of the same benefit as AIDE without the heavy cron jobs and without any delay in checking, every time the file is read it is checked.
— Mark Tinberg mtinberg@wisc.edu
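The IMA appraisal workflow Mark describes (signed file hashes in a security.ima xattr, public key in the kernel keyring, check done by the kernel on every open for exec), as an added example that is not from the thread and not from the ima-evm-utils project. The signing host generates a key and signs files with `evmctl ima_sign`; the appraised host loads the public key into the kernel's .ima keyring and a policy that makes execve() and executable mmap() fail unless the file carries a valid signature. The ima_xattr_kind helper is the check a practitioner wants afterwards: it decodes the leading bytes of a security.ima value as printed by `getfattr -e hex` and tells a signed file (type 0x03, EVM_IMA_XATTR_DIGSIG, followed by the version-2 signature header) from one that only carries a hash (type 0x01 or 0x04), which `appraise_type=imasig` rejects. As Mark says, this is not for CentOS 6: appraisal needs a kernel built with CONFIG_IMA_APPRAISE (added in Linux 3.7), plus the ima-evm-utils, keyutils and attr packages, and the boot option ima_appraise=enforce (ima_appraise=fix while first labelling a system). File names, paths, the key size and the sample xattr values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread and not from ima-evm-utils. Assumed names: ima-privkey.pem,
# ima-cert.der, /etc/ima/ima-policy, a 2048-bit RSA key, and a kernel with CONFIG_IMA_APPRAISE.
set -eu

# ---------- signing host: the private key stays here, never on the appraised box ----------
ima_make_key() {
    # A self-signed cert is enough; the kernel only needs the public key (DER) in its .ima keyring.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=IMA signing key" -keyout ima-privkey.pem -out ima-cert.pem
    openssl x509 -in ima-cert.pem -outform DER -out ima-cert.der
}

ima_sign_tree() {
    # $1: directory to sign. evmctl writes an RSA signature over the file hash into security.ima
    # (writing a security.* xattr needs root / CAP_SYS_ADMIN).
    find "$1" -type f -exec evmctl ima_sign --key ima-privkey.pem '{}' \;
}

# ---------- appraised host ----------
ima_policy() {
    # Measure and appraise every exec and every executable mapping; imasig means a bare hash
    # in security.ima (what `evmctl ima_hash` writes) is not accepted, only a signature.
    cat <<'EOF'
measure func=BPRM_CHECK
measure func=MMAP_CHECK mask=MAY_EXEC
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
EOF
}

ima_load() {
    # Public key into the kernel .ima keyring, then the policy into securityfs. The kernel must
    # have booted with ima_appraise=enforce (or =fix while first labelling the system).
    keyctl padd asymmetric "" %:.ima < ima-cert.der
    ima_policy > /etc/ima/ima-policy
    cat /etc/ima/ima-policy > /sys/kernel/security/ima/policy
}

ima_xattr_kind() {
    # $1: the security.ima value as printed by `getfattr -e hex` (with or without the
    # "security.ima=" prefix). Prints what it holds; returns 0 only for a v2 signature.
    v=${1#security.ima=}
    v=${v#0x}
    type=$(printf '%s' "$v" | cut -c1-2)
    case "$type" in
        01) echo "digest:sha1-legacy"; return 1 ;;   # IMA_XATTR_DIGEST: old-style unsigned sha1
        04) echo "digest:unsigned"; return 1 ;;      # IMA_XATTR_DIGEST_NG: hash algo byte + digest, unsigned
        03)                                           # EVM_IMA_XATTR_DIGSIG: signature_v2_hdr follows
            ver=$(printf '%s' "$v" | cut -c3-4)
            algo=$(printf '%s' "$v" | cut -c5-6)
            [ "$ver" = "02" ] || { echo "signature:unsupported-version-$ver"; return 1; }
            case "$algo" in                           # hash_algo values from linux/hash_info.h
                02) echo "signature:sha1" ;;
                04) echo "signature:sha256" ;;
                06) echo "signature:sha512" ;;
                *)  echo "signature:hash-algo-$algo" ;;
            esac
            return 0 ;;
        *)  echo "unknown:$type"; return 1 ;;
    esac
}

ima_check_file() {
    # Report what security.ima holds on $1 (getfattr is in the attr package).
    ima_xattr_kind "$(getfattr -n security.ima -e hex "$1" | sed -n 's/^security\.ima=//p')"
}

case "${1:-}" in
    make-key) ima_make_key ;;
    sign)     ima_sign_tree "${2:?directory}" ;;
    load)     ima_load ;;
    check)    ima_check_file "${2:?file}" ;;
esac
```

The point of `check` is the failure mode that bites in practice: a tree that was hashed rather than signed, or signed with a key the kernel has never seen, appraises fine under ima_appraise=fix and then refuses to execute the moment you switch to enforce. Run it over the signed tree before rebooting into enforcing mode, and keep ima-privkey.pem off the appraised hosts so that an attacker who owns a box cannot re-sign what they changed.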
check out samhain (www.la-samhna.de/*samhain*/) if you're feeling really paranoid.
Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382
DealMax Pty Ltd                            (w) +61 (0) 3 9008 5281
Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia
"All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer." -- IBM maintenance manual, 1925
On Thu, Sep 18, 2014 at 1:42 AM, Mark Tinberg mtinberg@wisc.edu wrote:
> [...]
> That’s kind of an impossible requirement: any kind of userspace measurement of binaries, no matter how many hoops you jump through, has the same potential problem, that a compromised system can hide from it using just the legitimate available APIs. A user space integrity checker is only good against malware that isn’t specifically trying to hide itself from the checker, which does actually cover a lot of ground. The only way to reliably find malware that is trying to be stealthy is offline checking. That still doesn’t cover other places where _really_ stealthy malware can hide, like device firmware, which can survive a disk wipe.
> Although probably not relevant for CentOS 6 there are some interesting tools in the Linux Integrity Measurement Architecture that I have recently become aware of but haven’t tested. Apparently with newer versions you can store _signed_ hashes of binaries as an xattr that the kernel will check itself on open(), since they are signed off-box and the public key is in the kernel keyring you get much of the same benefit as AIDE without the heavy cron jobs and without any delay in checking, every time the file is read it is checked.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, 2014-09-29 at 11:39 +1000, Kahlil Hodgson wrote:
> My bad :-( Cut and pasted HTML in a hurry. Let's try plain text.
You are good. It works. Thank you.
On Sun, September 28, 2014 8:16 pm, Always Learning wrote:
> On Thu, 2014-09-18 at 08:36 +1000, Kahlil Hodgson wrote:
> > check out samhain (www.la-samhna.de/*samhain*/) if you're feeling really paranoid.
> "Sorry, we couldn't find this page for you"
> Just as well as I am not paranoid :-)
I'm sure those asterisks aren't supposed to be there. I for one have found the webpage he means, and at a first glance the software sounds wonderful...:
http://www.la-samhna.de/products.html
Valeri
On Sun, 2014-09-28 at 20:42 -0500, Valeri Galtsev wrote:
> I'm sure those asterisks aren't supposed to be there. I for one have found the webpage he means, and at a first glance the software sounds wonderful...:
Seems great but probably not for me.
Yeah. Not for the fainthearted. For full stealthiness you have to compile and maintain matching (signed) server/client pairs. Not too bad if management is well automated.
K