FilesystemIntegrityCheckerSpec

Summary

Aide is the filesystem integrity checker shipped in Ubuntu's main repository. Most administrators do not run a filesystem checker because it is hard to maintain: every system update changes large numbers of files, and each of those shows up in the next report as a false positive.

To make Aide easier to use, a new configuration option will filter files changed by system updates out of the daily report. The approach is not fool-proof (a file that belongs to an upgraded package is filtered even if something other than the package manager changed it), but it lets an administrator install Aide and get useful intrusion information without investing a lot of maintenance time.

Release Note

Aide now contains a new FILTERUPDATES option that removes files changed by system updates from the daily e-mail report. Changed files are still listed in the log file. The option parses /var/log/dpkg.log and works best together with COPYNEWDB=yes, so that the database is refreshed after every run: dpkg.log only holds recent entries, so the window between the last database build and the current check must stay short enough for the log to still cover it.

Rationale

Filesystem integrity checkers are hard to maintain because most of their false positives come from system updates. A simpler configuration lets system administrators install the package, point it at their e-mail address, and benefit from file change alerts without further tuning.

Design

A new configuration option, FILTERUPDATES, is introduced in /etc/default/aide and is turned off by default. If enabled, the daily aide cron script parses the dpkg log file to obtain the list of packages that were upgraded since the last aide database was built. It then runs dpkg-query -L on each of those packages to get the files they contain, and filters those files out of the daily e-mail report.
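The following is an added example of the filtering logic described above; it is not code from the aide package or its cron script. It parses dpkg.log action lines ("upgrade", "install", "remove", "purge"), keeps only packages acted on after the database build time, and drops report lines whose path belongs to one of those packages. The dpkg.log lines, the aide report and the package-to-file mapping are constructed sample data; a real run would obtain the mapping from dpkg-query -L, which the dpkg_query_files helper wraps.

```python
"""Filter files touched by recent package operations out of an AIDE report."""
import re
import subprocess
from datetime import datetime
from typing import Callable, Iterable, List, Set, Tuple

# dpkg.log action lines look like:
#   2009-11-20 10:15:02 upgrade openssl 0.9.8g-16ubuntu3 0.9.8g-16ubuntu3.1
# "status ..." and "startup ..." lines carry no package action and are skipped.
_ACTION_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(install|upgrade|remove|purge) (\S+) (\S+) (\S+)$"
)

# Summary lines of an aide report: "added: /path", "changed: /path", "removed: /path".
_REPORT_RE = re.compile(r"^(added|changed|removed): (/\S+)$")


def packages_changed_since(log_lines: Iterable[str], since: datetime) -> Set[str]:
    """Return package names with a dpkg action strictly after `since`."""
    pkgs: Set[str] = set()
    for line in log_lines:
        m = _ACTION_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if stamp > since:
            pkgs.add(m.group(3))
    return pkgs


def dpkg_query_files(package: str) -> Set[str]:
    """Files shipped by an installed package, via `dpkg-query -L` (real call, not used in the demo)."""
    out = subprocess.run(["dpkg-query", "-L", package],
                         capture_output=True, text=True, check=True).stdout
    # dpkg-query -L may print non-path notes (diversions); keep only absolute paths.
    return {l for l in out.splitlines() if l.startswith("/")}


def filter_report(report_lines: Iterable[str], packages: Set[str],
                  files_of: Callable[[str], Set[str]]) -> Tuple[List[str], List[str]]:
    """Split report lines into (kept, filtered); filtered = paths owned by `packages`."""
    owned: Set[str] = set()
    for pkg in packages:
        owned |= files_of(pkg)
    kept: List[str] = []
    filtered: List[str] = []
    for line in report_lines:
        m = _REPORT_RE.match(line.rstrip("\n"))
        (filtered if m and m.group(2) in owned else kept).append(line)
    return kept, filtered


# ---- constructed sample data (not captured from a real system) ----
DB_BUILT_AT = datetime(2009, 11, 19, 23, 0, 0)  # assumed mtime of aide.db

SAMPLE_DPKG_LOG = """\
2009-11-18 08:00:00 upgrade libc6 2.10.1-0ubuntu15 2.10.1-0ubuntu16
2009-11-18 08:00:03 status installed libc6 2.10.1-0ubuntu16
2009-11-20 10:15:01 startup packages configure
2009-11-20 10:15:02 upgrade openssl 0.9.8g-16ubuntu3 0.9.8g-16ubuntu3.1
2009-11-20 10:15:03 upgrade libssl0.9.8 0.9.8g-16ubuntu3 0.9.8g-16ubuntu3.1
2009-11-20 10:15:05 status installed openssl 0.9.8g-16ubuntu3.1
""".splitlines()

SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!
Added files:
added: /usr/share/doc/openssl/changelog.Debian.gz
Changed files:
changed: /usr/bin/openssl
changed: /usr/lib/libssl.so.0.9.8
changed: /usr/local/sbin/sshd
changed: /lib/libc.so.6
""".splitlines()

# Stand-in for dpkg-query -L output (constructed).
SAMPLE_PACKAGE_FILES = {
    "openssl": {"/usr", "/usr/bin", "/usr/bin/openssl",
                "/usr/share/doc/openssl/changelog.Debian.gz"},
    "libssl0.9.8": {"/usr", "/usr/lib", "/usr/lib/libssl.so.0.9.8"},
    "libc6": {"/lib", "/lib/libc.so.6"},
}


def demo() -> Tuple[Set[str], List[str], List[str]]:
    """Run the whole pipeline on the sample data and return (packages, kept, filtered)."""
    pkgs = packages_changed_since(SAMPLE_DPKG_LOG, DB_BUILT_AT)
    kept, filtered = filter_report(
        SAMPLE_REPORT, pkgs, lambda p: SAMPLE_PACKAGE_FILES.get(p, set()))
    return pkgs, kept, filtered


if __name__ == "__main__":
    packages, kept_lines, filtered_lines = demo()
    print("packages upgraded since DB build:", sorted(packages))
    print("\n".join(kept_lines))
    print("--- filtered as update noise ---")
    print("\n".join(filtered_lines))
```

Two properties of this design are worth keeping in mind. dpkg-query -L lists only the files a package ships, so files created or rewritten by maintainer scripts during the same upgrade (caches, generated configuration) will still appear in the report. Conversely, any path owned by an upgraded package is suppressed regardless of who changed it, so an unexpected change to /usr/bin/openssl made after the upgrade but before the aide run would be hidden from the e-mail; the full list remains in the log file for that reason.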

Implementation

All of the changes needed for this feature live in files specific to the Debian packaging (the cron script and /etc/default/aide), so there are no patches or code changes to send to the upstream aide project.

Test/Demo Plan

Once the new packages are ready, we can ask for community testing.

Unresolved issues

To be completed.


CategorySpec

SecurityTeam/Specifications/Karmic/FilesystemIntegrityCheckerSpec (last edited 2009-11-25 19:05:32 by c-76-105-168-175)