Re: Using aide for detection
On Sun, 7 Dec 2003, ScruLoose wrote:
> On Fri, Dec 05, 2003 at 09:36:07AM -0800, Bill Moseley wrote:
>
> > 1) For a machine that doesn't have a cdrom and/or is physically
> > available to me, is there any other trick to make sure the database is
> > secure? The machine I'm thinking about doesn't have nfs mounts
> > available to it, either.
>
> Entirely secure? I don't think so.
> Unless you can make the database fit on a floppy, then flip the
> read-only tab on the floppy.
some sw and drives ignore the "read only tab" ...
- don't use "off the shelf" stuff ... and you can still write
the floppy
> > 2) From initial setup of aide, I'm getting daily reports about changes in
> > log files. Is there any reason to monitory the log files with aide
> > since they are suppose to change?
>
> I see no reason to have them monitored ... Of course that could just be
> my ignorance.
if you're looking in your logs for signs of a cracker or rootkit ..
- a good rootkit will erase itself .. no signs ..
and still leave a back door for itself
> > 3) What if an attacker that broke into the machine simply disables the
> > cron job for aide? How would that be detected?
>
> When you don't get the daily report, start worrying.
once the cracker gets in .. why tell the user, "hey buddy, i'm in your box"
( i would leave things alone till it's ready to be used and rm -rf'd )
use MachineA to check MachineB and MachineC.. and vice versa
- it's less likely they would break into both/all boxes
that are NOT on the same subnet
and when it does do the checking... update your "i visited here
at this time" log entries
- lots of other ways to do system sanity checks too ...
even w/o cron on the cracked box
-- you really really do NOT want to get daily/hourly status emails..
--
-- you do really want to know if it's dead or hacked
--
-- you do want to poke it, and see if it flags the simulated
-- intruder ( so you know cron and the ids is working )
-- do that as often as time is floating around --
--
> > Or, could a root kit manage to still report to aide that all files were
> > un-modified?
yup ...and for those crackers... forget it ... if they can modify
the binaries to give the same md5sum as the originals ...
- go find a security professional of the equivalent caliber to
figure out why they are playing with your boxes instead of the
bank and police and other fun targets
- if it's a script kiddie using the "perfect rootkit",
then you'd still need the security pro to find out where it
came from and who it was
- most all rootkits leave lots of little hints all over the place
and better ones make it harder to find those "signs"
> > Not to be too gloomy, but it seems like once someone gets
> > root that the machine is hosed, and worse, with a good root kit it could
> > be impossible to detect.
>
> If you want that level of paranoia, put the aide binary on a CD, along
> with the checksum database. Make sure the binary is statically
> compiled, (or put all libs it links to on the CD too) so there's no way
> to sneak anything in through linked libraries. Even root can't tamper
> with physically read-only media.
there's always a way to sneak things thru little holes here and there
- you're assuming you have "perfectly configured/defined read only media"
which is not always the case ..
c ya
alvin
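Added example, not from alvin's post or from AIDE itself: a POSIX shell sketch of the two ideas above, a checking host that keeps the baseline and verifies another host, plus the "poke it" test that proves the checker still detects anything. It assumes the checked host's tree is reachable as a directory (a constructed sample tree is built inline so it runs offline); a real deployment would run snapshot() through a transport such as ssh.

```shell
#!/bin/sh
# Added example (not from the thread): one host holds the baseline and
# verifies another, as alvin suggests. The "remote" tree is a local
# directory here so this runs offline; a real deployment would run
# snapshot() through a transport such as ssh (assumption, not shown).

# make_target: build a small constructed tree standing in for MachineB.
make_target() {
  t=$(mktemp -d)
  mkdir -p "$t/etc" "$t/bin"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/etc/passwd"
  printf '#!/bin/sh\necho ok\n' > "$t/bin/tool"
  echo "$t"
}

# snapshot TARGET: one "hash  path" line per regular file, sorted so two
# snapshots of the same tree are byte-identical. (Paths must not contain
# spaces; the sample tree has none.)
snapshot() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2)
}

# check TARGET BASELINE: re-hash TARGET and print every path that changed,
# appeared or vanished relative to BASELINE. Exit 0 = clean, 1 = changes.
# BASELINE lives on the checking host, never on TARGET.
check() {
  cur=$(mktemp)
  snapshot "$1" > "$cur"
  changes=$(diff "$2" "$cur" | awk '/^[<>]/ {print $3}' | sort -u)
  rm -f "$cur"
  [ -z "$changes" ] && return 0
  printf 'INTEGRITY CHANGES on %s:\n%s\n' "$1" "$changes"
  return 1
}

# poke TARGET BASELINE: the "simulated intruder". Alter one file, require
# check() to flag it, then restore the file. Exit 0 only if detection
# worked, so a silently broken checker is caught instead of "all clean".
poke() {
  f=$1/bin/tool; bak=$(mktemp)
  cp "$f" "$bak"
  echo '# canary change' >> "$f"
  if check "$1" "$2" > /dev/null; then rc=1; else rc=0; fi
  cp "$bak" "$f"; rm -f "$bak"
  return $rc
}
```

Run check from cron on the checking host, not on the target, and treat a poke failure or a missing run as an alarm rather than as silence.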