DLPX-87293 Add AIDE to appliance #460

Merged

@rasantel rasantel commented Aug 11, 2023

Problem

For general security hardening, and to comply with the Ubuntu CIS benchmark, we should use AIDE (an open source Tripwire alternative) to monitor and report filesystem integrity violations.

Solution

Add the Debian/Ubuntu specific packages aide and aide-common. The former provides the basic aide utility, while the latter provides wrappers to use AIDE with sensible defaults as well as a curated list of AIDE rules for Debian/Ubuntu.

Notes:

  1. aide is required by aide-common, but we list aide explicitly as a dependency to make it clear that this is a full AIDE installation.
  2. aide takes about 20 minutes to run a full filesystem scan, but installing it won't automatically initialize or run it, so this has no performance impact. Configuring AIDE runs will be left for future tasks.

Testing Done

Running appliance build that will have AIDE installed: http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/6558/

@rasantel rasantel force-pushed the dlpx/pr/rasantel/b46e023c-a6d9-4f5d-9d9c-22ad61395406 branch from 9e83f05 to 1216c3f Compare August 11, 2023 20:34
@rasantel rasantel requested review from sebroy and sdimitro August 11, 2023 20:45
@rasantel rasantel marked this pull request as ready for review August 11, 2023 20:45

@sebroy sebroy left a comment

Is there a broader design that reviewers can review? For example, have we determined how we might want to use this in the future, and determined that this usage would be appropriate for the Delphix use-case? What filesystems or files would we scan? Does that scanning incur a performance overhead? Is that performance overhead acceptable? etc. etc...

@rasantel

> Is there a broader design that reviewers can review? For example, have we determined how we might want to use this in the future, and determined that this usage would be appropriate for the Delphix use-case? What filesystems or files would we scan? Does that scanning incur a performance overhead? Is that performance overhead acceptable? etc. etc...

@sebroy Good point. Here is a document: https://docs.google.com/document/d/1SfDRjePC_Ah6HW1VNbx0dNs2aVJbnEj45Wm0R2IuK5o/edit?usp=sharing

@abhi2196 abhi2196 force-pushed the dlpx/pr/rasantel/b46e023c-a6d9-4f5d-9d9c-22ad61395406 branch from d29a37e to c409696 Compare April 2, 2024 12:35
@abhi2196 abhi2196 merged commit dc39541 into develop Apr 5, 2024
@abhi2196 abhi2196 deleted the dlpx/pr/rasantel/b46e023c-a6d9-4f5d-9d9c-22ad61395406 branch April 5, 2024 05:28