Re: MD5 sums of individual files?

On Thu, Mar 29, 2001 at 01:04:47PM -0600, Kenneth Pronovici wrote:
> Another option would be to not store the AIDE configuration file anywhere
> that the cracker could see it. Without that configuration file, the
> cracker would have no way to generate a valid, substitute list of
> checksums. This is less workable, because that configuration file would
> have to be "unhidden" every time AIDE needed to run, making a cron-based
> schedule more difficult.

Well, if the cracker is really good, you can't trust anything less than a
boot from physically secure media (and one that doesn't trust anything on
the system that's not physically secured) to run the scan anyway. :-(

As you say, the scan's config has to be visible to him, so even if you ship
the results off to another box for comparison with the "known good"
signatures, all he has to do is install a fake scan program. This answers
against nearly all checks less intrusive than a secure boot. Luckily, most
crackers aren't capable of such subtlety... and so keeping the checklist on
write-protected media is a reasonable approach. But security is a process,
not a cron job. ;-)