
Re: location of checksum file when using Aide



On Fri, Nov 28, 2003 at 12:18:43PM -0800, Bill Moseley wrote:
> I'm a bit confused about using AIDE and where the checksum file is
> located -- and how it's actually used in Debian systems.
> 
> The Debian installation of AIDE (Advanced intrusion detection
> environment) places the checksum file in /var/lib/aide/.  Is there any
> use in running AIDE if the checksum file is writable?  Seems like it
> should be on a non-writable media.
> 
> Second, what media do people normally use?  I have machines that only
> have a CD ROM.  Do I need to burn a CDR with the database and always
> keep it mounted?
> 
> The docs say that the aide binary and config file should also be on
> non-writable media.  Is that common practice, too?  And if so, then I
> suppose the cron.daily/aide file would need to be updated to point to
> the /cdrom for the config file.
> 
> Or do people use AIDE with the standard install (database in
> /var/lib/aide/) and hope for the best?

Assuming AIDE is the same general idea as integrit:

One solution is, indeed, to burn the md5 checksum file to a CDR and make
sure you leave it in and mounted overnight (or whenever the AIDE cron
job runs).

Or, if you have NFS or Samba, and a LAN... and another machine on the
LAN under your control... you could put the checksum file in a read-only
share on another machine.

Another solution is to set the file "immutable", which means it can't be
edited except by rebooting into single-user mode. You might also want to
set the AIDE binary immutable, too... for even better paranoia. And for
even _more_ paranoia, make sure it's statically compiled so it can't be
compromised by an attacker screwing with libs...

	Cheers!
-- 
,-------------------------------------------------------------------------.
>  -ScruLoose-  |      I don't want to start any blasphemous rumours      <
>    Please     |    but I think that God's got a sick sense of humour    <
> do not Cc me. |                      - Depeche Mode                     <
`-------------------------------------------------------------------------'
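The precautions discussed in the reply above (reference copies of the database, config and binary kept on read-only media, and a cron job that should not blindly trust a writable /var/lib/aide/aide.db), as an added example that is not from the list post: a POSIX sh pre-check that compares the working copies against a checksum list on the read-only media and refuses to run the nightly check if anything differs. The mount point /cdrom/aide-ref, the SHA256SUMS file name, the use of sha256sum rather than md5, and the aide invocation are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post. Before the nightly AIDE run,
# verify the writable working copies of the database, config and binary
# against reference digests stored on read-only media (assumed paths).
REF_DIR="${REF_DIR:-/cdrom/aide-ref}"                 # assumed mount point
CHECKSUM_FILE="${CHECKSUM_FILE:-$REF_DIR/SHA256SUMS}" # assumed file name

# Print the SHA-256 digest of one file (sha256sum output: "<hex>  <path>").
digest_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# verify_against_reference CHECKSUM_FILE PATH...
# Each CHECKSUM_FILE line is "<hex digest>  <path>" as written by sha256sum.
# Returns 0 if every PATH matches its recorded digest, 1 if any differs or
# is unreadable, 2 if a PATH has no entry (an unlisted file is not a pass).
verify_against_reference() {
    sums="$1"; shift
    status=0
    for path in "$@"; do
        expected=$(awk -v p="$path" '$2 == p { print $1; exit }' "$sums")
        if [ -z "$expected" ]; then
            echo "no reference digest for $path" >&2
            status=2
            continue
        fi
        actual=$(digest_of "$path") || { status=1; continue; }
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $path differs from its reference copy" >&2
            status=1
        fi
    done
    return "$status"
}

# Cron wrapper: only run aide once the copies it relies on are known-good.
run_aide_check() {
    verify_against_reference "$CHECKSUM_FILE" \
        /usr/bin/aide /etc/aide/aide.conf /var/lib/aide/aide.db \
        || { echo "reference check failed; not running aide" >&2; return 1; }
    /usr/bin/aide --config=/etc/aide/aide.conf --check
}
```

The SHA256SUMS file is generated once on the trusted machine (sha256sum of the three files) and written to the media together with the reference copies, so a writable database that has been altered fails the comparison before aide ever reads it.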
