AIDE/OSSEC w/linux removable USB security configuration

I have had to take a 'crash course' in hardening Linux Ubuntu
8.04LTS/8.10 systems due to an issue that we had with a possible
security violation a few weeks ago.  The first step that I took in
responding to this issue was to set up OSSEC HIDS; I believe that
configuration is now about as good as I'll get it without further time
to devote to studying in-depth guides to this system.

The next step that I wanted to take regarding this issue was to set up
AIDE in a manner that will allow me to take hash checksums of any
systems that I need to.  I have been able to configure this for the most
part in a standard configuration from debian/ubuntu packages at this
point.  It was mentioned to me that I might want to make sure that I put
the checksum/hash database and AIDE binary on a removable USB drive to
ensure that they are not tampered with, in light of rootkit possibilities and
root access being compromised on these machines.  This is the point
where I am struggling a bit right now...

I would, ideally, like to set up a procedure where I can maintain a
hierarchy on removable media of the configurations and PGP/GPG signature
validated binaries of all security installation files that may be
targeted for trojans, as well as applicable databases for programs such
as AIDE (1st choice), or tripwire.  Of course my master set will contain
a hierarchy with separate places for each of our development and
production servers and machines.  That part is trivial, but I have had a
bit of a problem identifying where exactly I might find the applicable
AIDE hash/checksum databases and precisely which files I want to copy to
my removable master copy.

Unfortunately, due to other responsibilities that are being given to me
with higher priorities (from personnel that do not truly understand the
vital nature of security on their systems), my time to work with these
projects is limited a bit currently.  I have at my disposal a weak
personal grasp of google-fu which has not turned up anything for me on
these subjects just yet along with the NSA guides to hardening RHEL...
I do not have at my disposal the time to pour over these in-depth as I
would like at this point.

Can anybody give me a few pointers on what I'm looking for here?  It
would save me some much needed time and I would very much appreciate it,
or any links that I've failed to turn up that might point me in the
right direction in a more timely manner.


Damon Getsman
-=-=-=- /
Systems Administrator/Programmer/IT Customer Relations

Re: AIDE/OSSEC w/linux removable USB security configuration

Ho-kay...  Well as far as the removable media, I managed to get enough
time to crack the NSA's guide to RHEL 5 Secure Configuration and sure
enough in section it goes over exactly what to place on the
removable media.

I'm still interested in any other pointers that people might have for me
in this situation as a whole.  :)



Re: AIDE/OSSEC w/linux removable USB security configuration

On 12 Feb, 18:15, wrote:

If I'm understanding what you are asking, I'm afraid that there is no
off-the-shelf database for what signatures should look like.

rpm has an option to check the signatures of files against the locally
stored rpm database, but IIRC apt/dpkg doesn't do this (remember
that the database itself may have been tampered with).

Typically you would generate your own database using your HIDS of
choice at a time when you trust the integrity of your system and
review before/after updates - but if you believe your system may have
been compromised then that's not really an option.



If it were me, I'd consider it due diligence to respond (copying in
the director of the company responsible for IT) in writing/email that
you feel you have not been given adequate time/resources to address
the problem.  No need to be more specific.

Good luck,


Re: AIDE/OSSEC w/linux removable USB security configuration


I apologize; I've been so rushed with the number of projects that I've
been having at work lately that I've been garbling my messages a bit on
any media that I post.  I suppose the 2-3 pots of coffee a day isn't
helping that situation very much.

Anyway, no, that's not quite what I was looking for.  More just help on
determining what 'aide --init' or 'aideinit' generated files I would
want to throw on my own USB key in order to keep a secure backup.
Diving into the NSA RHEL hardening and security guidelines has helped me
identify these things much better.


Yeah, I've pretty much done that; now I'm just continuing to get
everything configured and working as best I can whenever I can find a
few minutes for it.  Which brings me to the issue that I'm having right

Aide seems to be massively different between Ubuntu 8.04 LTS and Ubuntu
8.10.  I've got a configuration file that I'm really happy with on our
Intrepid systems, but I can't for the life of me get aide to even parse
its configuration files correctly on the 8.04 LTS version.  Time to
start diving into google about that.  Seems weird that they'd have such
a configuration break between minor version changes.
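The procedure this thread circles around (the first post's USB copy of the AIDE binary and database, and the later question of which `aideinit` output to copy) as an added example; it is not code from the thread or from the AIDE project. It assumes the Debian/Ubuntu package layout: the binary at /usr/bin/aide, the config at /etc/aide/aide.conf, and the database at /var/lib/aide/aide.db (with the stock Debian config, `aideinit` and `aide --init` write a fresh database to /var/lib/aide/aide.db.new, which you copy into place before taking the reference). REFDIR stands for wherever the removable media is mounted; AIDE_SIGN_KEY is a hypothetical variable naming an offline GPG key; the `aide_ref_*` function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AIDE project.
# Keeps a trusted copy of the AIDE binary, config and database on removable
# media together with a SHA-256 manifest, and checks the live system
# against that copy before any "aide --check" result is believed.
#
# Assumptions: Debian/Ubuntu aide package layout (/usr/bin/aide,
# /etc/aide/aide.conf, /var/lib/aide/aide.db); REFDIR is the mount point of
# the removable media (e.g. /media/aideusb, mounted read-only except while
# initialising); AIDE_SIGN_KEY is a hypothetical variable naming an offline
# GPG key. Function names are this example's own.

AIDE_FILES="/usr/bin/aide /etc/aide/aide.conf /var/lib/aide/aide.db"

# aide_ref_init REFDIR FILE...
# Copy each FILE under REFDIR (keeping its absolute path) and record the
# SHA-256 of every live file in REFDIR/SHA256SUMS. Only run this on a host
# you trust right now: a baseline taken after a compromise is worthless.
aide_ref_init() {
    refdir=$1; shift
    mkdir -p "$refdir" || return 1
    : > "$refdir/SHA256SUMS"
    for f in "$@"; do
        [ -f "$f" ] || { echo "aide_ref_init: missing $f" >&2; return 1; }
        mkdir -p "$refdir$(dirname "$f")"
        cp -p "$f" "$refdir$f"
        sha256sum "$f" >> "$refdir/SHA256SUMS"
    done
    # Optional detached signature, so a rewritten manifest on the stick
    # cannot vouch for a rewritten binary.
    if [ -n "${AIDE_SIGN_KEY:-}" ] && command -v gpg >/dev/null 2>&1; then
        gpg --batch --yes --local-user "$AIDE_SIGN_KEY" --armor \
            --detach-sign "$refdir/SHA256SUMS" || return 1
    fi
}

# aide_ref_verify REFDIR
# Returns 0 if every listed live file still matches the manifest, 1
# otherwise (changed or missing file, missing manifest, bad signature).
aide_ref_verify() {
    refdir=$1
    [ -f "$refdir/SHA256SUMS" ] || { echo "no manifest in $refdir" >&2; return 1; }
    if [ -f "$refdir/SHA256SUMS.asc" ] && command -v gpg >/dev/null 2>&1; then
        gpg --batch --verify "$refdir/SHA256SUMS.asc" "$refdir/SHA256SUMS" \
            >/dev/null 2>&1 || { echo "manifest signature bad" >&2; return 1; }
    fi
    sha256sum --quiet -c "$refdir/SHA256SUMS"
}

# aide_ref_check REFDIR
# Run the check with the binary, config and database from the media, not
# the on-disk copies; -B prepends a config line, here overriding database=.
aide_ref_check() {
    refdir=$1
    aide_ref_verify "$refdir" || return 1
    "$refdir/usr/bin/aide" --config="$refdir/etc/aide/aide.conf" \
        -B "database=file:$refdir/var/lib/aide/aide.db" --check
}

# Usage: aide-ref.sh init|verify|check REFDIR
case "${1:-}" in
    init)   aide_ref_init "$2" $AIDE_FILES ;;
    verify) aide_ref_verify "$2" ;;
    check)  aide_ref_check "$2" ;;
esac
```

Run `init` once per host from a known-good state (after `aideinit` and copying aide.db.new to aide.db), then remount the stick read-only; `verify` answers the question of whether the on-disk binary, config and database still match the reference, and `check` runs AIDE from the stick so that a replaced /usr/bin/aide cannot lie about its own replacement. Mount the media without `noexec` for the `check` step, and keep the manifest signature key off the monitored hosts, since a root-level attacker who can rewrite the stick can rewrite an unsigned SHA256SUMS just as easily as the database.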

