Should we have AIDE also preinstalled? Any performance hits?
As easy as installing by default and that’s it? How would users be notified?
I am open for the idea. → Related: Installation of Antivirus Scanners by Default
Running AIDE scans is a one-liner once configured. Maybe it can be a whonixcheck subsystem?
Could you test AIDE manually please?
What’s happening during upgrades? Does it detect false-positive backdoors then?
touch /root/aide-test/test1
aide -c /etc/aide/aide.conf --check
Added entries:
---------------------------------------------------
d++++++++++++++++: /root/aide-test
f++++++++++++++++: /root/aide-test/test1
Even running sudo su once would update file /root/.bash_history and might be detected.
Output such as this could very quickly look very scary to someone unaware of AIDE.
Perhaps that is OK if properly worded. However, showing a ton of files modified after upgrade wouldn’t be helpful for anyone as nobody could tell which are malicious and which aren’t. I guess one would have to run AIDE before upgrading and after upgrading?
You can verify the newly created files from the above Aide check reports. It is recommended to update the aide database so that it’s not reported again on the next AIDE check.
^ Also usability issue.
Also you must keep the backup of the old Aide database and rename the updated database on a daily basis to keep track.
Not sure realistic.
AIDE looks nice but I don’t know if we can configure it in a way to be mostly transparent for the user? Similar to LKRG which just does its thing without interference.
I tried installing its three main packages but they all fail with vague errors:
snip
Processing triggers for man-db (2.8.5-2) …
Errors were encountered while processing:
exim4-config
exim4-base
exim4-daemon-light
bsd-mailx
aide-common
E: Sub-process /usr/bin/dpkg returned an error code (1)
user@host:~$
This easily goes from one thing to another.
The aide package “doesn’t contain much”.
https://packages.debian.org/buster/amd64/aide/filelist
Configuration / integration is in aide-common package.
https://packages.debian.org/buster/all/aide-common/filelist
That package depends on bsd-mailx or mailx.
mailx Recommends:
default-mta which is a virtual package provided by exim4-daemon-light or mail-transport-agent which is a virtual package provided by citadel-server, courier-mta, dma, esmtp-run, exim4-daemon-heavy, exim4-daemon-light, msmtp-mta, nullmailer, opensmtpd, postfix, qmail-run, sendmail-bin
MTA seems overkill. Not sure we want to introduce local command mail or some local command for it to show localhost e-mail? Try this:
sudo apt purge exim*
Then
sudo apt install aide-common --no-install-recommends
I cannot even reproduce maybe because something on my system already satisfies the dependency for default-mta.
Won’t cut it.
This works:
sudo apt install --no-install-recommends mailutils aide-common
Installation successful. But that leaves us with an unnecessary mailutils dependency.
Does that help?
Yeah that fixed it
Installed, configured, scanned after a simple change like creating a hello file in home. Initial scan takes 7 mins, second scan 12 mins.
The logs are too detailed to be of use. Can easily alarm users with false positives. Maybe we can restrict scans to important system directories instead, but I have no idea if it will reduce security. Also sticking to one hashing algo instead of a bunch.
user@host:~$ sudo aide -c /etc/aide/aide.conf --check
Start timestamp: 2020-06-16 13:12:02 +0000 (AIDE 0.16.1)
AIDE found differences between database and filesystem!!
Verbose level: 6
Summary:
Total number of entries: 108257
Added entries: 3
Removed entries: 0
Changed entries: 8
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /home/user/hello
f++++++++++++++++: /root/.bash_history
f++++++++++++++++: /var/lib/aide/aide.db
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >b... mc..C.. .: /etc/aide/aide.conf
d =.... mc.. .. .: /home/user
f =.... mc..... .: /home/user/.config/Thunar/accels.scm
d =.... mc.. .. .: /home/user/.config/xfce4/panel
f =.... mci.... .: /home/user/.config/xfce4/panel/genmon-12.rc
f >.... mc..C.. .: /home/user/.xsession-errors
d =.... mc.. .. .: /root
f =.... mc..... .: /var/log/tallylog
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/aide/aide.conf
Size : 6598 | 41610
Bcount : 16 | 88
Mtime : 2016-04-16 17:57:29 +0000 | 2020-06-16 13:11:23 +0000
Ctime : 2020-06-16 12:55:53 +0000 | 2020-06-16 13:11:23 +0000
RMD160 : kHZi6LuS1X5nlHkrtCLV9UdgDxo= | nWLCkh/27m8WdtqfvJN5txJk6N0=
TIGER : 4Xz+mZRAxr2kNIGOmTNJa/7Ftv+VpV37 | 03f2cg45KDTZEAcW1PjCoaFk3O1tsHTJ
SHA256 : RN1UT38/wRA8N5o4M4MHU8N+G49sK9nB | HITtrsturCWRVZNwrqWy1hhgsvk/YsLv
0B5VVewz3h8= | y9Rdn3bIZyg=
SHA512 : o4LOstw3erheco5dpKcKLadGav29Ud9E | gKzPRfQxJop9wYn7iEU+xetq/4ijdq0A
ZQd6cPiQZuQ7bsTZkx1MGEW+VYkhz5gj | A87ecmxcGyRQTXebk+aweXo86BkVB2Zx
yKP7Fvoitf+jHcriq57Pgg== | po+A2MXXcuzuXvbb2z0dTQ==
CRC32 : S3Rhfg== | lTwfVw==
HAVAL : +O7017egNOm+/TJW/3HxeQcxmz55pDM7 | jWboJ2XDaiBYzQ9LV/lsc03lAyh8sNp8
S+TXtMWVN/E= | 3gAVUOeXH3I=
GOST : 3NHf+nD39SudMxLJc5fkpkarUQ+unLQf | qO75hParpwqgXUNI2YarEwbcvM8AHO3Z
NhV8dix9LIw= | dnXY4PCOHWE=
Directory: /home/user
Mtime : 2020-06-16 12:46:29 +0000 | 2020-06-16 13:11:51 +0000
Ctime : 2020-06-16 12:46:29 +0000 | 2020-06-16 13:11:51 +0000
File: /home/user/.config/Thunar/accels.scm
Mtime : 2020-06-15 19:38:23 +0000 | 2020-06-16 13:11:55 +0000
Ctime : 2020-06-15 19:38:23 +0000 | 2020-06-16 13:11:55 +0000
Directory: /home/user/.config/xfce4/panel
Mtime : 2020-06-16 12:54:21 +0000 | 2020-06-16 13:04:21 +0000
Ctime : 2020-06-16 12:54:21 +0000 | 2020-06-16 13:04:21 +0000
File: /home/user/.config/xfce4/panel/genmon-12.rc
Mtime : 2020-06-16 12:54:21 +0000 | 2020-06-16 13:04:21 +0000
Ctime : 2020-06-16 12:54:21 +0000 | 2020-06-16 13:04:21 +0000
Inode : 3277116 | 3276910
File: /home/user/.xsession-errors
Size : 4192 | 4792
Mtime : 2020-06-16 13:01:30 +0000 | 2020-06-16 13:11:44 +0000
Ctime : 2020-06-16 13:01:30 +0000 | 2020-06-16 13:11:44 +0000
RMD160 : LP5njQR8Gu4yKORZ1BDm99jqNEQ= | c1PehkzcV1hsyySBC8lCw2uQj/s=
TIGER : BISIzOV00RBOc5CBnoTzRa9j+Isit1GK | 3kHN25Y7QQBxX0VC7e79/0KoXSi4Cazo
SHA256 : +D2LWACvl1ZIwWJdGffBh39T6f3mPp+d | AMc1N7UqWIfopIGTbS8bdknQAkBBftmQ
5uKNNl1/ZVk= | ugg09xYIpFU=
SHA512 : dcmKu991/Q+IFM92+wq2CXB3o37CUPdX | /FrXSNj63xw8mvu8k1AXUnZkel1JOAUo
t5zrXSJgR15Qf0phwstj7vP6y3rcRSKt | 6lPjPFIddtVBuOAcDFHT24b9FrtpKNE4
j37hA9da1/ir+99zNtAOyw== | Wnp3HA/n8zK58rlo10wflA==
CRC32 : BEcY2Q== | TTZJCg==
HAVAL : ims99jAishdeETO1iQxTDNfKTUwfP3rK | 3pVGGMMJEJV3zo02odIf8jO5qbbNKRhI
QCLLadHFxRk= | vA2nm8lVlpA=
GOST : Ib6dU8ALacn+jYSAihJXgTRvz0RpcFKl | IsqK8KSZbFEJmosra7C/agc7JmxqEuaj
vSc8/y9zi1w= | HsbM+plrogg=
Directory: /root
Mtime : 2020-06-15 19:38:26 +0000 | 2020-06-16 13:10:29 +0000
Ctime : 2020-06-15 19:38:26 +0000 | 2020-06-16 13:10:29 +0000
File: /var/log/tallylog
Mtime : 2020-06-16 12:54:58 +0000 | 2020-06-16 13:14:11 +0000
Ctime : 2020-06-16 12:54:58 +0000 | 2020-06-16 13:14:11 +0000
---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------
/var/lib/aide/aide.db
RMD160 : gNa+l3rZdXjw7OCnBbszBqUAuNQ=
TIGER : 6cKfzEhkN4BZE8RuZLeTKoXrvI3I9In+
SHA256 : uJb1CCJwRkgdz8wkuMcJ1NrX11y5Zuw5
Mj6F8qm62Qc=
SHA512 : WFFaJJO39+//fdNH3aFBnJ99cdJy58gS
yp1ouCQe2XCUlElP3TXSHer6DKgTj0id
/DItlBIXK+PCHQDrz6etJA==
CRC32 : NOiIKg==
HAVAL : B9jZC16rRnIx46lJTqZr6Abhk8h9Ia6g
J0/dG9tRC1g=
GOST : i5B1U+40LNPZjIjX6YsxKoxvkmRMrgM8
fMs6QxXYV6k=
End timestamp: 2020-06-16 13:24:13 +0000 (run time: 12m 11s)
Yes, AIDE needs configuration before it could be installed by default to be useful and not just produce unnecessary FUD.
I took a peek in /etc/aide/aide.conf.d/ and there are a lot of application-specific exemptions to reduce false positives. /etc/aide.conf is where hashing algos are defined among other settings like verbosity levels. I am testing scan times with just SHA-256. Other algos are either slower or cryptographically broken.
sha256
End timestamp: 2020-06-16 13:52:45 +0000 (run time: 7m 15s)
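Added example, not code from this thread or from the Whonix project: a sketch of the two pieces a whonixcheck-style AIDE subsystem (suggested earlier in the thread) would need, following the idea above of restricting scans to system directories with a single hash. Part one writes a narrowed rule fragment (SHA-256 only, system trees only, noisy trees excluded); part two filters an AIDE 0.16 report of the shape posted above down to the summary counts and the paths under directories the user actually cares about, instead of the full hash dump. The fragment file name, the rule name SysOnly, the directory choices and the exclusions are assumptions, and how the fragment interacts with the stock Debian fragments in /etc/aide/aide.conf.d/ was not tested here; the sample report is a constructed, trimmed copy of the one posted above.

```shell
#!/bin/sh
# Added example, not from this thread or from Whonix. Rule names, file names,
# directory choices and the sample report below are assumptions/constructed.
set -eu

# 1. Configuration fragment. Debian's aide-common assembles the working
#    config from /etc/aide/aide.conf plus /etc/aide/aide.conf.d/*; this
#    defines its own rule rather than editing the stock "Checksums" line,
#    so it can live in one drop-in file (assumed name:
#    /etc/aide/aide.conf.d/05_sha256_system_only).
write_aide_fragment() {
    cat <<'EOF'
# perms, inode, link count, owner, group, size, mtime, ctime + one hash
SysOnly = p+i+n+u+g+s+m+c+sha256
# what persistence on the system would have to touch
/boot SysOnly
/etc SysOnly
/usr SysOnly
/bin SysOnly
/sbin SysOnly
/lib SysOnly
# trees that change on every login or every scan and only produce noise
!/home
!/root
!/var/log
!/var/lib/aide
EOF
}

# 2. Reduce a report (on stdin) to the three summary counts. Only the
#    "Added entries: N" style lines match; the later section headers with
#    the same words but no number do not.
aide_counts() {
    awk '
        /^Added entries:[ \t]+[0-9]+$/   { a = $NF }
        /^Removed entries:[ \t]+[0-9]+$/ { r = $NF }
        /^Changed entries:[ \t]+[0-9]+$/ { c = $NF }
        END { printf "added=%d removed=%d changed=%d\n", a, r, c }
    '
}

# 3. Print only the added/removed/changed paths under the given prefixes,
#    skipping the per-file hash stanzas. Entry lines look like
#      f++++++++++++++++: /root/.bash_history     (added)
#      f >b... mc..C.. .: /etc/aide/aide.conf     (changed)
#    The path is taken from after ": /" so paths with spaces survive.
aide_paths_under() {
    awk -v prefixes="$*" '
        BEGIN { n = split(prefixes, p, " ") }
        /^[fdl][-+=]+: \// || /^[fdl] [^:]*: \// {
            path = substr($0, index($0, ": /") + 2)
            for (i = 1; i <= n; i++)
                if (index(path, p[i] "/") == 1 || path == p[i]) { print path; break }
        }
    '
}

# Constructed sample: a trimmed copy of the report shape posted above
# (summary block, entry lines, one detail stanza).
SAMPLE_REPORT='AIDE found differences between database and filesystem!!
Verbose level: 6
Summary:
Total number of entries: 108257
Added entries: 3
Removed entries: 0
Changed entries: 8
---------------------------------------------------
Added entries:
---------------------------------------------------
f++++++++++++++++: /home/user/hello
f++++++++++++++++: /root/.bash_history
f++++++++++++++++: /var/lib/aide/aide.db
---------------------------------------------------
Changed entries:
---------------------------------------------------
f >b... mc..C.. .: /etc/aide/aide.conf
d =.... mc.. .. .: /home/user
f >.... mc..C.. .: /home/user/.xsession-errors
d =.... mc.. .. .: /root
f =.... mc..... .: /var/log/tallylog
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /etc/aide/aide.conf
Size : 6598 | 41610
Mtime : 2016-04-16 17:57:29 +0000 | 2020-06-16 13:11:23 +0000'

# Stand-alone demo on the constructed sample. On a real system the input
# would come from: sudo aide -c /etc/aide/aide.conf --check
printf '%s\n' "$SAMPLE_REPORT" | aide_counts
printf '%s\n' "$SAMPLE_REPORT" | aide_paths_under /etc /usr /boot
```

On the sample this reports added=3 removed=0 changed=8 and lists only /etc/aide/aide.conf; the /home, /root and /var/log entries that made the full report look alarming are filtered out. The "update the database so it is not reported again" step from the quoted guide corresponds to aide --update, which writes the new database to the database_out path in the config rather than over the live one, so copying it into place is the explicit accept step; running the check once before and once after an upgrade, and only accepting the post-upgrade database after reviewing the filtered diff, is the workflow this wrapper is meant to support.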
Using dm-verity would be a much better alternative than AIDE.
Yeah, but have any of the blockers for it been resolved?
Not really but I also haven’t been working on it as much since there’s tons of other work to do.