On Fri, Nov 28, 2003 at 12:18:43PM -0800, Bill Moseley wrote:
> I'm a bit confused about using AIDE and where the checksum file is
> located -- and how it's actually used in Debian systems.
>
> The Debian installation of AIDE (Advanced intrusion detection
> environment) places the checksum file in /var/lib/aide/. Is there any
> use in running AIDE if the checksum file is writable? Seems like it
> should be on a non-writable media.
>
> Second, what media do people normally use? I have machines that only
> have a CD ROM. Do I need to burn a CDR with the database and always
> keep it mounted?
>
> The docs say that the aide binary and config file should also be on
> non-writable media. Is that common practice, too? And if so, then I
> suppose the cron.daily/aide file would need to be updated to point to
> the /cdrom for the config file.
>
> Or do people use AIDE with the standard install (database in
> /var/lib/aide/) and hope for the best?
Assuming AIDE is the same general idea as integrit:

One solution is, indeed, to burn the md5 checksum file to a CDR and make
sure you leave it in and mounted overnight (or whenever the AIDE cron
job runs).

Or, if you have NFS or samba, and a LAN... and another machine on the
LAN under your control... you could put the checksum file in a read-only
share on another machine.

Another solution is to set the file "immutable" which means it can't be
edited except by rebooting into single-user mode. You might also want to
set the AIDE binary immutable, too... for even better paranoia. And for
even _more_ paranoia, make sure it's statically compiled so it can't be
compromised by an attacker screwing with libs...
Cheers!
--
,-------------------------------------------------------------------------.
> -ScruLoose- | I don't want to start any blasphemous rumours <
> Please | but I think that God's got a sick sense of humour <
> do not Cc me. | - Depeche Mode <
`-------------------------------------------------------------------------'
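The thread above argues that an integrity checker is only as trustworthy as its database: if the checksum file can be rewritten, whoever changes a file can also change the record of it. The script below is an added illustration, not code from this thread or from the AIDE project. It builds a baseline of sha256 hashes for a constructed sample tree, drops write permission on the database as a stand-in for the CD-R, read-only share or `chattr +i` options the reply lists (chattr needs root and an ext2/ext3 filesystem, so it is not used here), and then shows what the check catches: a modified file, a deleted file, and also a file that appeared after the baseline was taken, which a plain `sha256sum -c` run would never mention. Database paths are assumed to be absolute, and the `hash  ./path` two-space output format of GNU sha256sum is assumed.

```shell
#!/bin/sh
# Added example in the spirit of AIDE/integrit; not the project's own code.
# Requires GNU coreutils (sha256sum, mktemp -d). DB paths must be absolute
# because the checks cd into the tree before running sha256sum -c.
set -u

# build_baseline DIR DB: hash every regular file under DIR into DB, then
# drop write permission on DB (stand-in for read-only media / chattr +i).
build_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
    chmod 0444 "$2"
}

# check_baseline DIR DB: return 0 only if the tree matches the database.
check_baseline() {
    # Every recorded file must still exist with its recorded hash
    # (catches edits and deletions).
    ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1 || return 1
    # The tree must not contain files the database never recorded;
    # 'sha256sum -c' alone is silent about additions.
    current=$(cd "$1" && find . -type f | LC_ALL=C sort)
    recorded=$(sed 's/^[0-9a-f]*  //' "$2" | LC_ALL=C sort)
    [ "$current" = "$recorded" ]
}

# run_scenarios: constructed sample tree; prints one status per scenario
# (0 = clean, 1 = integrity violation reported).
run_scenarios() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin"
    printf 'echo hello\n' > "$work/tree/bin/tool"
    printf 'root:x:0:0\n' > "$work/tree/passwd"
    build_baseline "$work/tree" "$work/aide.db"

    # 1. untouched tree
    if check_baseline "$work/tree" "$work/aide.db"; then s1=0; else s1=1; fi

    # 2. a file's contents changed
    printf 'echo tampered\n' > "$work/tree/bin/tool"
    if check_baseline "$work/tree" "$work/aide.db"; then s2=0; else s2=1; fi

    # 3. contents restored byte-for-byte; hash matches again
    printf 'echo hello\n' > "$work/tree/bin/tool"
    if check_baseline "$work/tree" "$work/aide.db"; then s3=0; else s3=1; fi

    # 4. a file the baseline never saw
    printf 'x\n' > "$work/tree/bin/extra"
    if check_baseline "$work/tree" "$work/aide.db"; then s4=0; else s4=1; fi

    # 5. extra file gone again, but a recorded file deleted
    rm -f "$work/tree/bin/extra" "$work/tree/passwd"
    if check_baseline "$work/tree" "$work/aide.db"; then s5=0; else s5=1; fi

    rm -rf "$work"
    echo "$s1 $s2 $s3 $s4 $s5"
}

run_scenarios
```

Running the script prints `0 1 0 1 1`. The point the thread makes carries over directly: scenarios 2, 4 and 5 are only reported because `aide.db` still holds the original hashes and file list; on a writable database in `/var/lib/aide/`, a fresh `build_baseline` after the change would make every scenario read 0.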