
Re: Using aide for detection



On Fri, Dec 05, 2003 at 09:36:07AM -0800, Bill Moseley wrote:

> 1) For a machine that doesn't have a cdrom and/or is physically 
> available to me, is there any other trick to make sure the database is 
> secure?  The machine I'm thinking about doesn't have nfs mounts 
> available to it, either.

Entirely secure? I don't think so.
Unless you can make the database fit on a floppy, then flip the
read-only tab on the floppy.

> 2) From initial setup of aide, I'm getting daily reports about changes in 
> log files.  Is there any reason to monitor the log files with aide 
> since they are supposed to change?

I see no reason to have them monitored ... Of course that could just be
my ignorance.

> 3) What if an attacker that broke into the machine simply disables the
> cron job for aide?  How would that be detected?  

When you don't get the daily report, start worrying.

> Or, could a root kit manage to still report to aide that all files were
> un-modified?  Not to be too gloomy, but it seems like once someone gets
> root that the machine is hosed, and worse, with a good root kit it could
> be impossible to detect.

If you want that level of paranoia, put the aide binary on a CD, along
with the checksum database.  Make sure the binary is statically
compiled (or put all libs it links to on the CD too), so there's no way
to sneak anything in through linked libraries. Even root can't tamper
with physically read-only media.

And even a smart rootkit has to put itself somewhere.  If it then uses
altered init or ps or ls or whatever to hide its own existence... well,
that's the whole *point* of aide, right? The altered ps (altered to not
list the rootkit process, obviously) will not have the same MD5 checksum
as the original. And so it goes.

Configure it to give you a report even if nothing has changed, and then
if the attacker kills off the cron-job, you'll notice the lack of a
report and run aide manually.

	Cheers!
-- 
-------------------------------<<ScruLoose>>-------------------------------
      If we do not believe in freedom of speech for those we despise
      we do not believe in it at all.
      - Noam Chomsky
--------------------------<<Please do not CC me>>--------------------------
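The two ideas in the reply above, a checksum database that an altered binary cannot match and a report that is produced even when nothing changed, so that a missing report is itself the alarm, can be modelled in a few lines. This is an added example, not AIDE's own code or anything from the thread: it builds a baseline of a constructed directory, detects a replaced file, and checks whether the last report is older than expected. It uses SHA-256 where the reply mentions MD5; the paths, file contents and the 25-hour threshold are all constructed for the demonstration.

```python
"""Minimal AIDE-style integrity check plus a "missing report" monitor (added example)."""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record hash, permission bits and size of every regular file under root."""
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        entries[str(path.relative_to(root))] = {
            "sha256": hash_file(path),
            "mode": oct(st.st_mode & 0o7777),
            "size": st.st_size,
        }
    return entries


def init_database(root: Path, db_path: Path) -> None:
    """Write the baseline. The reply's advice: copy it to read-only media afterwards."""
    db_path.write_text(json.dumps(snapshot(root), indent=1, sort_keys=True))


def check(root: Path, db_path: Path) -> dict:
    """Compare the live tree with the baseline and classify every difference."""
    baseline = json.loads(db_path.read_text())
    current = snapshot(root)
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def write_report(result: dict, report_path: Path, now=None) -> str:
    """Always write a report, even on a clean run, and return the status line."""
    now = time.time() if now is None else now
    clean = not (result["added"] or result["removed"] or result["changed"])
    status = "NO CHANGES" if clean else "CHANGES DETECTED"
    lines = [f"integrity report generated at {int(now)}", f"status: {status}"]
    for kind in ("added", "removed", "changed"):
        lines.extend(f"{kind}: {p}" for p in result[kind])
    report_path.write_text("\n".join(lines) + "\n")
    os.utime(report_path, (now, now))  # pin mtime so the overdue check is deterministic
    return status


def report_overdue(report_path: Path, max_age: float, now=None) -> bool:
    """True when no report exists or the newest one is older than max_age seconds."""
    now = time.time() if now is None else now
    if not report_path.exists():
        return True
    return now - report_path.stat().st_mtime > max_age


def run_demo() -> dict:
    """Baseline a constructed tree, tamper with it, and exercise both checks."""
    work = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    tree = work / "bin"
    tree.mkdir()
    (tree / "ps").write_bytes(b"original ps binary (constructed)\n")
    (tree / "ls").write_bytes(b"original ls binary (constructed)\n")
    db, report = work / "baseline.db", work / "daily-report.txt"
    init_database(tree, db)
    first = check(tree, db)  # nothing touched yet: the report still gets written
    first_status = write_report(first, report, now=1_000_000.0)
    # Constructed tampering: ps replaced, ls removed, an unexpected file added.
    (tree / "ps").write_bytes(b"altered ps binary (constructed)\n")
    (tree / "ls").unlink()
    (tree / "extra").write_bytes(b"new file (constructed)\n")
    second = check(tree, db)
    second_status = write_report(second, report, now=1_086_400.0)
    window = 25 * 3600  # one daily run plus an hour of slack (constructed threshold)
    return {
        "first": first, "first_status": first_status,
        "second": second, "second_status": second_status,
        "overdue_soon": report_overdue(report, window, now=1_086_400.0 + 3600),
        "overdue_late": report_overdue(report, window, now=1_086_400.0 + 2 * 86400),
        "overdue_missing": report_overdue(work / "never-written.txt", window),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The overdue check is the part that should not run on the monitored host: if the cron job and the checker live on the same machine an attacker controls, a missing report and a missing monitor go together, so in practice the report is mailed off-host and the age check runs wherever the mail lands.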
