
Using aide for detection



A few questions about actually using the aide package:

I asked before about using the aide package.  The default
installation places the database (and the binary for that matter) in a
place where they can be modified.

Someone recommended making the file immutable.  From googling it seems 
that it's not that hard for someone to remove the immutable flag from 
the file.  Also, I'm running the XFS file system, and immutable seems to 
be an ext2 and ext3 feature.

1) For a machine that doesn't have a cdrom and/or is physically 
available to me, is there any other trick to make sure the database is 
secure?  The machine I'm thinking about doesn't have nfs mounts 
available to it, either.

2) From initial setup of aide, I'm getting daily reports about changes in 
log files.  Is there any reason to monitor the log files with aide 
since they are supposed to change?

3) What if an attacker that broke into the machine simply disables the
cron job for aide?  How would that be detected?  

Or, could a root kit manage to still report to aide that all files were
unmodified?  Not to be too gloomy, but it seems like once someone gets
root that the machine is hosed, and worse, with a good root kit it could
be impossible to detect.


-- 
Bill Moseley
moseley@hank.org



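The following helper script is an added example and is not part of the post above, nor AIDE's own code. It shows three things the questions touch on: an aide.conf fragment that checks log files only for growth (AIDE's "S" attribute) instead of reporting every append, an out-of-band SHA-256 of the database that can be kept where the monitored host cannot write to it, and a freshness check that a separate host can run over a copied report so that a silently disabled cron job is noticed. The paths (/var/lib/aide/aide.db, /var/log, the report file) and rule names (Binlib, Logs) are illustrative; the script assumes sha256sum or shasum, awk, and a GNU or BSD stat are available.

```shell
#!/bin/sh
# Added example, not from the original post or the AIDE project.
set -u

# Q2: watch binaries strictly, but only require that logs grow.
# Writes the configuration fragment to the path given as $1.
# Paths and rule names are illustrative.
write_aide_conf() {
    cat > "$1" <<'EOF'
# database locations (illustrative; newer AIDE releases use database_in)
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# rule sets: p perms, i inode, n links, u uid, g gid, s size,
# b blocks, m mtime, c ctime, S "size may only grow"
Binlib = p+i+n+u+g+s+b+m+c+sha256
Logs   = p+i+n+u+g+S

/bin      Binlib
/sbin     Binlib
/usr/bin  Binlib
/usr/sbin Binlib
/etc      Binlib

# logs: ownership and permissions must not change, size may only grow
/var/log Logs
# rotated and binary accounting logs churn constantly; exclude them
!/var/log/.*\.gz$
!/var/log/lastlog
!/var/log/wtmp
EOF
}

# SHA-256 of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# Q1: record a hash of the database ($1) into $2. The copy in $2 is
# meant to live off the box (another host, e-mail, paper), so an
# attacker with root on the monitored machine cannot adjust it.
record_db_hash() {
    sha256_of "$1" > "$2"
}

# Verify the database ($1) against the recorded hash ($2) before
# trusting any report built from it. Returns 0 on match, 1 otherwise.
verify_db_hash() {
    expected=$(cat "$2")
    actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ]
}

# Q3: a disabled cron job raises no alarm by itself, so check from
# elsewhere that the report ($1) was produced within the last $2
# seconds. Returns 0 if fresh, 1 if stale or missing.
report_is_fresh() {
    [ -f "$1" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    [ $((now - mtime)) -le "$2" ]
}
```

The hash check only helps if the recorded value is compared on a host the attacker does not control; running verify_db_hash on the compromised machine with a hash file stored there tells you nothing, which is the same reason the freshness check belongs on the receiving side of the daily report rather than in the cron job that produces it.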