Using aide for detection
A few questions about actually using the aide package:
I asked before about using the aide package. The default
installation places the database (and the binary for that matter) in a
place where they can be modified.
Someone recommended making the file immutable. From googling it seems
that it's not that hard for someone to remove the immutable flag from
the file. Also, I'm running the XFS file system, and immutable seems to
be an ext2 and ext3 feature.
1) For a machine that doesn't have a cdrom and/or is physically
available to me, is there any other trick to make sure the database is
secure? The machine I'm thinking about doesn't have nfs mounts
available to it, either.
2) From initial setup of aide, I'm getting daily reports about changes in
log files. Is there any reason to monitor the log files with aide
since they are supposed to change?
3) What if an attacker that broke into the machine simply disables the
cron job for aide? How would that be detected?
Or, could a root kit manage to still report to aide that all files were
unmodified? Not to be too gloomy, but it seems like once someone gets
root the machine is hosed, and worse, with a good root kit it could
be impossible to detect.
--
Bill Moseley
moseley@hank.org
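Two of the concerns raised in the post above (keeping the aide binary and database verifiable against a reference stored off the box, and noticing when the daily cron job has stopped producing reports), as an added shell example that is not part of the original post or of the aide project; the file paths in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): helper functions for two of
# the concerns raised above. All paths below are assumptions.

# Record SHA-256 checksums of the aide binary and database into REF_FILE.
# Keep REF_FILE off the monitored host (or on read-only media) so that a
# root compromise cannot rewrite both the files and the reference together.
aide_record_reference() {
    ref_file=$1; shift
    sha256sum "$@" > "$ref_file"
}

# Compare the current files against REF_FILE. Returns 0 only when every
# recorded checksum still matches; prints the mismatching paths otherwise.
aide_verify_reference() {
    ref_file=$1
    sha256sum -c --quiet "$ref_file"
}

# Detect a silenced cron job: the daily report at $1 must exist and be
# younger than $2 minutes. Returns 1 when it is missing or stale.
# Run this from a separate host over a pulled copy of the report, so an
# attacker who disables the job on the monitored machine cannot also hide
# the fact that reports have stopped arriving.
aide_report_is_fresh() {
    report=$1
    max_minutes=$2
    [ -f "$report" ] || return 1
    # find prints the path only when its mtime is older than max_minutes
    [ -z "$(find "$report" -mmin +"$max_minutes")" ]
}

# Usage (assumed paths; 1500 minutes gives a daily job some slack):
#   aide_record_reference /media/ro/aide.sha256 /usr/bin/aide /var/lib/aide/aide.db
#   aide_verify_reference /media/ro/aide.sha256
#   aide_report_is_fresh /var/log/aide/aide.log 1500
```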