
Re: aide and tiger sending gpg crypted files



On Thu, Jun 06, 2002 at 08:28:24PM +0200, Thomas Schmid wrote:
> Hi,
> 
> So, I set up my server with aide and tiger to check its integrity. The
> reports are mailed to root, which is redirected to another local address
> and to a second address on another server. My question is now: is it
> possible to let the mails be pgp encrypted with gnupg so I can check if
> the mails really are from my server and that no one intercepted and changed
> them? I could find nothing either on the web or in the mailing list
> archive of aide.
> 
	Well I never thought of doing this in tiger, but as the answers
to this mail show you would need a private key available in the server
(and this private key could thus be compromised). If you are worried
about the messages being intercepted in transit I would suggest, as
also others have done:

1.- encrypting the mail. In tiger's case mails are sent by
/usr/lib/tiger/tigercron; change line 226:
    } | $MAILER $Tiger_Mail_RCPT
to
    } | gpg -e -a | $MAILER $Tiger_Mail_RCPT

I might add a new option to tiger so that you can select if you wish
this to be done in the config file... feel free to file a wishlist bug
against the package so I don't forget :)

2.- establish a VPN tunnel from the HIDS to the mailserver

	Signing the mail just would let you know that it was a valid
HIDS that sent it and that the mail wasn't tampered with in transit,
which might, or might not, be enough for your purposes.

	I would suggest 2) if you are sending more stuff (syslog, 
aide, logcheck...) that might either send mails or contact the main
server since you do not have to change program by program in order 
to encrypt the data they send. However, this does not assure you that an
intruder is not sending forged mails.
(which would be easy to do if the passphrase is empty and you are using
1) since he could get to the private keypair if the server was compromised)

	Regards

	Javi
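
An added example, not part of the original message and not tiger's own code: a wrapper for the encrypt-then-mail step in option 1 that runs without a terminal and sends nothing if encryption fails, so a broken keyring never results in a plaintext or empty report going out. Encrypting to a recipient needs only that recipient's public key on the HIDS. Assumptions: the function name send_encrypted, the GPG variable and the "mail" default for MAILER are hypothetical; the recipient key is already imported for the user running the checks.

```bash
#!/bin/bash
# Added example: encrypt a report read from stdin, then hand it to the mailer.
# GPG and MAILER are assumed variable names; override them as needed.
GPG=${GPG:-gpg}
MAILER=${MAILER:-mail}

# Usage: some_check | send_encrypted KEY_FINGERPRINT RECIPIENT_ADDRESS
send_encrypted() {
    key=$1
    rcpt=$2
    tmp=$(mktemp) || return 1
    rc=0
    # --batch / --no-tty: never prompt, cron has no terminal.
    # --trust-model always: accept the pinned key without an ownertrust check.
    # --recipient: the admin's public key; no private key is used here.
    if "$GPG" --batch --no-tty --trust-model always \
              --armor --encrypt --recipient "$key" >"$tmp" && [ -s "$tmp" ]
    then
        # Only ciphertext ever reaches the mailer.
        "$MAILER" "$rcpt" <"$tmp" || rc=$?
    else
        # Fail closed: do not fall back to sending the report in clear.
        echo "send_encrypted: gpg failed, report not sent" >&2
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Buffering through a temporary file rather than piping gpg straight into the mailer is what makes the failure check possible: in a plain pipeline the mailer runs regardless of gpg's exit status.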

