Re: aide security?

[Jarno Niemelä <jarno.niemela () f-secure com>]

Pete Hunt wrote:

> At 07:26 25/08/2003 +0200, Janus N." Tøndering wrote:
>
> > Hi,
> >
> > I am in the process of preparing a new install of Debian for a machine.
> > Having installed aide it seems to me that it does not really help
> > anything. How am I going to the database trustable? Is there some way to
> > cryptographically sign it? Otherwise, an intruder could just as well
> > fiddle with the database, right?!
>
>
> You could save a copy of the database to a floppy / cd.  So long as 
> you updated the copy when you made large changes to the system, you'd 
> have a trusted database to check against if you suspected interference. 

Yup, thats the only way.
There is no way you can trust a database that is in writable media on 
the same system, what ever you do theres always some way to corrupt it.

So copy the AIDE database and the AIDE binary to floppy and run it from 
there. Rememer that also the binary must be protected, otherwise
attacker can replace the AIDE executable with a version that says 
'everything is fine' no matter what changes in the system.

Or if you don't want to play with floppies, use rysnc to other machine 
so that each sync creates a new copy, so attacker has to compromize both 
hosts.

Jarno.

> I haven't used aide, but this works with Tripwire (which does roughly 
> the same thing).  Tripwire signs the database as well.
>
> HTH
>
> Pete
>
>
> > Hope you can give me some pointers...
> >
> > Janus N. Tøndering
> >
> > --
> > Janus N. Tøndering <janus () bananus dk>
> >
> >
> > --------------------------------------------------------------------------- 
> >
> > Attend Black Hat Briefings & Training Federal, September 29-30 
> > (Training),
> > October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
> > technical IT security event.  Modeled after the famous Black Hat 
> > event in
> > Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
> > Symantec is the Diamond sponsor.  Early-bird registration ends 
> > September 6.Visit us: www.blackhat.com
> > ---------------------------------------------------------------------------- 
>
>
>
> --------------------------------------------------------------------------- 
>
> Attend Black Hat Briefings & Training Federal, September 29-30 
> (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's 
> premier technical IT security event.  Modeled after the famous Black 
> Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers 
> and sponsors.  Symantec is the Diamond sponsor.  Early-bird 
> registration ends September 6.Visit us: www.blackhat.com
> ---------------------------------------------------------------------------- 



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------