
Re: Using aide for detection



On Sun, Dec 07, 2003 at 12:34:20AM -0500, ScruLoose wrote:

> > 3) What if an attacker that broke into the machine simply disables the
> > cron job for aide?  How would that be detected?  
> 
> When you don't get the daily report, start worrying.

I guess.  I try to watch for them, but after 100 days of the same report 
every morning it's easy to glaze over them.  I much prefer to get mail 
only when there's a problem.  Unless, of course, the problem is that the 
mail isn't getting delivered.  I suppose the answer there is to have 
multiple machines checking on each other.

> And even a smart rootkit has to put itself somewhere.  If it then uses
> altered init or ps or ls or whatever to hide its own existence... well
> that's the whole *point* of aide, right? the altered ps (altered to not
> list the rootkit process, obviously) will not have the same MD5 checksum
> as the original. And so it goes.

I don't know the kernel -- but I wonder if a root kit could be smart 
enough to return the old ps or ls or init when reading (for calculating 
the md5) vs. running the program which would run the new version.  I 
suppose anything is possible once they have control of the machine.

Too much to worry about.



-- 
Bill Moseley
moseley@hank.org
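The two problems raised above (a cron job or mail path that silently stops, and 100 identical "all clear" reports that train the reader to ignore them) are both handled by a dead-man's switch on the reports themselves. The script below is an added illustration, not code from this thread or from the AIDE project: it assumes each host mails its nightly report to a collector (the "other machine" doing the checking), keeps only the exceptions, and stays silent on a normal day. The inbox contents, host names and timestamps are constructed, and the "found NO differences" marker is an assumed summary line that should be adapted to whatever the local AIDE version actually prints.

```python
"""Dead-man's switch for nightly AIDE reports (added example, not AIDE's own code).

Each monitored host mails its report to a collector; this audit runs on the
collector and complains only about hosts whose report is missing, stale, or
not clean.  A quiet run means nothing needs a human's attention.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Assumed marker for a clean report; adapt to the AIDE version in use.
CLEAN_RE = re.compile(r"found NO differences", re.IGNORECASE)


@dataclass
class Report:
    host: str
    received: datetime   # when the collector received the mail
    body: str            # the report text


# Constructed inbox for one morning: three reports, four expected hosts.
NOW = datetime(2003, 12, 8, 8, 0, tzinfo=timezone.utc)
INBOX = [
    Report("alpha", NOW - timedelta(hours=2),
           "AIDE found NO differences between database and filesystem.\n"),
    Report("bravo", NOW - timedelta(hours=3),
           "AIDE found differences between database and filesystem!!\n"
           "changed: /bin/ps\n"),
    Report("charlie", NOW - timedelta(days=3),
           "AIDE found NO differences between database and filesystem.\n"),
]
EXPECTED_HOSTS = {"alpha", "bravo", "charlie", "delta"}


def latest_per_host(inbox):
    """Most recent report per host (older duplicates are irrelevant)."""
    latest = {}
    for r in inbox:
        if r.host not in latest or r.received > latest[r.host].received:
            latest[r.host] = r
    return latest


def audit(inbox, expected_hosts, now, max_age=timedelta(hours=26)):
    """Return {host: reason} for every host that needs attention.

    max_age is a little over a day so one slow mail run does not page
    anyone, but a disabled cron job is caught the next morning.
    """
    problems = {}
    latest = latest_per_host(inbox)
    for host in sorted(expected_hosts):
        r = latest.get(host)
        if r is None:
            problems[host] = "no report ever received"
        elif now - r.received > max_age:
            problems[host] = (f"last report {now - r.received} ago "
                              "(cron job or mail delivery stopped?)")
        elif not CLEAN_RE.search(r.body):
            # Include the first lines so the alert is useful on its own.
            head = " | ".join(r.body.strip().splitlines()[:3])
            problems[host] = "report shows changes: " + head
    return problems


def main():
    problems = audit(INBOX, EXPECTED_HOSTS, NOW)
    if not problems:
        return 0          # silent on a normal day: no mail, no noise
    for host, reason in problems.items():
        print(f"{host}: {reason}")
    return 1              # non-zero so cron mails the output


if __name__ == "__main__":
    raise SystemExit(main())
```

Running it as a cron job on the collector gives the "mail only when there's a problem" behaviour wanted above; running a second copy on one of the monitored hosts, pointed at the collector's own report, is the mutual check between machines, so that a dead collector is itself reported.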
