
Re: Using aide for detection




On Sun, 7 Dec 2003, ScruLoose wrote:

> On Fri, Dec 05, 2003 at 09:36:07AM -0800, Bill Moseley wrote:
> 
> > 1) For a machine that doesn't have a cdrom and/or is physically 
> > available to me, is there any other trick to make sure the database is 
> > secure?  The machine I'm thinking about doesn't have nfs mounts 
> > available to it, either.
> 
> Entirely secure? I don't think so.
> Unless you can make the database fit on a floppy, then flip the
> read-only tab on the floppy.

some sw and drives ignore the "read only tab" ...
	- don't use "off the shelf" stuff ... and you can still write
	the floppy

> > 2) From initial setup of aide, I'm getting daily reports about changes in 
> > log files.  Is there any reason to monitor the log files with aide 
> > since they are supposed to change?
> 
> I see no reason to have them monitored ... Of course that could just be
> my ignorance.

if you're looking in your logs for signs of a cracker or rootkit ..
	- a good rootkit will erase itself .. no signs ..
	and still leave a back door for itself
 
> > 3) What if an attacker that broke into the machine simply disables the
> > cron job for aide?  How would that be detected?  
>
> When you don't get the daily report, start worrying.

once the cracker gets in .. why tell the user, "hey buddy, i'm in your box"
( i would leave things alone till it's ready to be used and rm -rf'd )

use MachineA to check machineB and MachineC.. and vice versa
	- it's less likely they would break into both/all boxes
	that are NOT on the same subnet

	and when it does do the checking... update your "i visited here
	at this time" log entries

	- lots of other ways to do system sanity checks too ...
	even w/o cron  on the cracked box

-- you really really do NOT want to get daily/hourly status emails..
	--
	-- you do really want to know if it's dead or hacked
	--
	-- you do want to poke it, and see if it flags the simulated
	-- intruder  ( so you know cron and the ids is working )
	--	do that as often as time is floating around --
	--

> > Or, could a root kit manage to still report to aide that all files were
> > un-modified?

yup ...and for those crackers... forget it ... if they can modify
the binaries to give the same md5sum as the originals ... 
	- go find a security professional of the equivalent caliber to
	figure out why they are playing with your boxes instead of the
	bank and police and other fun targets

	- if it's a script kiddie using the "perfect rootkit",
	then you'd still need the security pro to find out where it
	came from and who it was

- most all rootkits leave lots of little hints all over the place
  and better ones make it harder to find those "signs"

> > Not to be too gloomy, but it seems like once someone gets
> > root that the machine is hosed, and worse, with a good root kit it could
> > be impossible to detect.
> 
> If you want that level of paranoia, put the aide binary on a CD, along
> with the checksum database.  Make sure the binary is statically
> compiled, (or put all libs it links to on the CD too) so there's no way
> to sneak anything in through linked libraries. Even root can't tamper
> with physically read-only media.

there's always a way to sneak things thru little holes here and there

- you're assuming you have "perfectly configured/defined read only media"
  which is not always the case ..

c ya
alvin
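The thread raises four points an integrity checker has to get right: a baseline of file fingerprints, exclusion of files that are supposed to change (logs), a way for one machine to treat a missing report from another as an incident rather than silence, and a "simulated intruder" test that proves the check still fires. The script below is an added illustration of those ideas, not code from AIDE or from any of the posters; it builds a constructed mini filesystem in a temporary directory, and the excluded prefix, the canary path and the report-age limit are assumptions chosen for the demo.

```python
"""Minimal AIDE-style integrity check with a dead-man's switch and a canary
self-test.  Added example for the thread above; not AIDE's own code.  All
paths below are constructed in a temporary directory."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Paths expected to change between runs, so they never raise an alarm
# (assumption for the demo; mirrors the "why monitor logs" question).
EXCLUDE_PREFIXES = ("var/log/",)


def fingerprint(path: Path) -> dict:
    """Two independent digests plus size and mode; a replacement that keeps
    one digest (the thread's md5sum worry) still has to match the other."""
    data = path.read_bytes()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b": hashlib.blake2b(data).hexdigest(),
        "size": len(data),
        "mode": path.stat().st_mode & 0o7777,
    }


def build_baseline(root: Path) -> dict:
    """Walk the tree and fingerprint every regular file not excluded."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(EXCLUDE_PREFIXES):
            continue
        baseline[rel] = fingerprint(p)
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Report files whose fingerprint changed, disappeared, or appeared."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def report_is_stale(last_report_epoch: float, max_age_seconds: float, now=None) -> bool:
    """Dead-man's switch run on machineA for machineB: no report within the
    window is treated as an incident (cron killed, box down, or worse)."""
    now = time.time() if now is None else now
    return (now - last_report_epoch) > max_age_seconds


def canary_self_test(root: Path, baseline: dict, canary_rel: str = "etc/canary") -> bool:
    """Simulate an intruder: append to a monitored file, confirm the checker
    flags it, then restore the original bytes (mode is untouched)."""
    p = root / canary_rel
    original = p.read_bytes()
    try:
        p.write_bytes(original + b"#tampered\n")
        return canary_rel in compare(root, baseline)["changed"]
    finally:
        p.write_bytes(original)


def make_demo_tree() -> Path:
    """Constructed sample filesystem (not real system files)."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "etc").mkdir()
    (root / "var/log").mkdir(parents=True)
    (root / "bin/ls").write_bytes(b"\x7fELF fake binary")
    (root / "etc/passwd").write_text("root:x:0:0::/root:/bin/sh\n")
    (root / "etc/canary").write_text("canary\n")
    (root / "var/log/syslog").write_text("Dec  7 00:00:00 host cron[1]: started\n")
    return root


def run_demo() -> dict:
    """Baseline, then show: log growth is quiet, a same-size binary swap is
    not, the canary test passes, and a day-old report counts as stale."""
    root = make_demo_tree()
    try:
        baseline = build_baseline(root)
        with open(root / "var/log/syslog", "a") as f:
            f.write("Dec  7 00:05:00 host sshd[2]: session opened\n")
        quiet = compare(root, baseline)
        (root / "bin/ls").write_bytes(b"\x7fELF FAKE binary")  # same size, new bytes
        noisy = compare(root, baseline)
        return {
            "baseline_count": len(baseline),
            "quiet": quiet,
            "noisy": noisy,
            "canary_ok": canary_self_test(root, baseline),
            "stale": report_is_stale(last_report_epoch=0, max_age_seconds=86400, now=100000),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

The point of `report_is_stale` is the cross-host arrangement Alvin describes: the host that evaluates the report is not the host being checked, so disabling cron on the compromised box changes the verdict from "quiet" to "stale" instead of from "quiet" to "nothing". The canary test is the "poke it and see if it flags the simulated intruder" step, run on a schedule so that a silently broken checker is noticed.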