RE: MD5 sums of individual files?



> Ok with that said, how feasible is it for a cracker to install their
> rootkit, and mimic the checksummed files to match the contents of the
> floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> remount it to his/her pseudo check sums?
> 
> I'm probably missing the howto detail where the alert is generated before
> the rootkit is installed.

That is something that I hadn't considered.  The cracker could potentially
unmount /var/lib/aide/ro (where I have the floppy containing the AIDE
checksums mounted) and place in that directory a newly-generated list of
checksums, which AIDE would read the next time it runs.  When I got the
report in my inbox, it would look like everything is fine.  IMHO, definitely
a hole that's there regardless of whether I use a RO floppy or a CD-R.

I see two ways to get around this: one solution is for me to GPG-sign the AIDE 
checksum list when I create it.  Then I could check the signature in my script 
that runs AIDE, and I would know that it was me who created it.  This would be 
more like what Tripwire's latest release does.

Another option would be to not store the AIDE configuration file anywhere that
the cracker could see it.  Without that configuration file, the cracker would
have no way to generate a valid, substitute list of checksums.  This is less
workable, because that configuration file would have to be "unhidden" every
time AIDE needed to run, making a cron-based schedule more difficult.

KEN

-- 
Kenneth J. Pronovici <pronovic@ieee.org>
Personal Homepage: http://www.skyjammer.com/~pronovic/
"The phrase, 'Happy as a clam' has never really held much meaning for me."
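A concrete form of the first workaround above (GPG-sign the checksum list when it is created, then verify the signature in the script that runs AIDE) follows as an added example; it is not code from the original post. The database path under /var/lib/aide/ro comes from the post; the signature and keyring file names, the RUN_AIDE_CHECK variable and the assumption that a detached signature was made with `gpg --detach-sign` are mine.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to run the AIDE check
# unless the checksum database on the read-only medium carries a valid
# detached GPG signature made by the person who generated it.
# All file names below are assumptions; adjust them to the local layout.
set -eu

AIDE_DB="${AIDE_DB:-/var/lib/aide/ro/aide.db}"          # database on the RO floppy/CD-R
AIDE_SIG="${AIDE_SIG:-$AIDE_DB.sig}"                     # made with: gpg --detach-sign aide.db
KEYRING="${KEYRING:-/var/lib/aide/ro/aide-pubring.gpg}"  # public key only, on the same RO medium

# verify_db DB SIG KEYRING
# Returns 0 only when SIG is a good signature over DB by a key in KEYRING.
# Every other condition (missing file, bad signature, gpg error) returns 1.
verify_db() {
    db=$1
    sig=$2
    keyring=$3
    [ -f "$db" ]      || { echo "verify_db: database missing: $db" >&2; return 1; }
    [ -f "$sig" ]     || { echo "verify_db: signature missing: $sig" >&2; return 1; }
    [ -f "$keyring" ] || { echo "verify_db: keyring missing: $keyring" >&2; return 1; }
    # --no-default-keyring/--keyring: accept only the key placed on the RO
    # medium, not whatever happens to be in root's default keyring.
    if gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
           --verify "$sig" "$db" >/dev/null 2>&1; then
        return 0
    fi
    echo "verify_db: BAD or unverifiable signature on $db" >&2
    return 1
}

# run_check: the cron entry point. A failed verification is itself the alert,
# so it is reported and aide is not run against an untrusted database.
run_check() {
    if verify_db "$AIDE_DB" "$AIDE_SIG" "$KEYRING"; then
        aide --check
    else
        echo "ALERT: AIDE database signature check failed; aide not run" >&2
        return 2
    fi
}

# Only start the check when explicitly asked (e.g. RUN_AIDE_CHECK=1 from cron),
# so the functions above can also be sourced and exercised on their own.
if [ "${RUN_AIDE_CHECK:-0}" = 1 ]; then
    run_check
fi
```

The database is signed once, on the trusted side, when it is generated (`gpg --detach-sign aide.db`), and the signature file travels to the read-only medium with it. A substituted checksum list then fails verification even if the attacker has the AIDE configuration. Keeping the public key on the same read-only medium as the database matters: if it sat in a writable keyring, the attacker could add a key of their own before signing the substitute. The check, gpg itself and the cron script are of course still on the possibly compromised host, so this closes the "swap the database" hole the post describes rather than replacing an off-line comparison.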