----- Original Message -----
From: "Bill Moseley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 05, 2003 11:36
Subject: Using aide for detection
> A few questions about actually using the aide package:
>
> I asked before about using the aide package. The default
> installation places the database (and the binary for that matter) in a
> place where they can be modified.
>
> Someone recommended making the file immutable. From googling it seems
> that it's not that hard for someone to remove the immutable flag from
> the file. Also, I'm running the XFS file system, and immutable seems to
> be an ext2 and ext3 feature.
>
> 1) For a machine that doesn't have a cdrom and/or is physically
> available to me, is there any other trick to make sure the database is
> secure? The machine I'm thinking about doesn't have nfs mounts
> available to it, either.
>
> 2) From initial setup of aide, I'm getting daily reports about changes in
> log files. Is there any reason to monitor the log files with aide
> since they are supposed to change?
>
> 3) What if an attacker that broke into the machine simply disables the
> cron job for aide? How would that be detected?
>
> Or, could a root kit manage to still report to aide that all files were
> un-modified? Not to be too gloomy, but it seems like once someone gets
> root that the machine is hosed, and worse, with a good root kit it could
> be impossible to detect.
>

Not impossible but perhaps very difficult. Would you be curious if the aide reports stopped? How about if they were all the same after you removed the log files from being looked at, of course? I expect that it is possible for a smart cracker to design an attack that you would have to be extremely lucky to detect.

Hoyt
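Two of the concerns in this thread, an AIDE database that sits somewhere it can be modified, and an AIDE cron job that an intruder simply switches off, can both be caught by checks that run outside the normal AIDE report. The script below is an added example and is not code from the thread or from the AIDE project. It assumes two things that the thread does not state: that a SHA-256 of the database was recorded out-of-band right after it was built (so the reference hash does not live on the monitored host), and that the nightly AIDE wrapper writes the epoch time of its last successful run to a stamp file. All paths are hypothetical and the demo data is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: two defender-side checks that run from
# a separate cron entry or a remote host.
#   1. check_db_integrity  - has the AIDE database itself been altered?
#   2. check_heartbeat     - did the AIDE job actually run recently, or has it
#                            been disabled so that reports quietly stop?
# Paths are hypothetical; sample files are constructed below.

# Compare the current SHA-256 of the database with a hash recorded out-of-band
# (e.g. copied off the machine immediately after the database was built).
# Returns 0 when the hash matches, 1 when it does not.
check_db_integrity() {
    db="$1"; expected_file="$2"
    actual=$(sha256sum "$db" | awk '{print $1}')
    expected=$(cat "$expected_file")
    [ "$actual" = "$expected" ]
}

# Heartbeat check. The AIDE wrapper is assumed to write `date +%s` to a stamp
# file after each successful run. If the stamp is missing or older than
# max_age seconds, the job is disabled, broken, or the host is down; every one
# of those deserves an alert. An optional third argument fixes "now" for tests.
# Returns 0 when fresh, 1 when stale or missing.
check_heartbeat() {
    stamp="$1"; max_age="$2"; now="${3:-$(date +%s)}"
    [ -r "$stamp" ] || return 1
    last=$(cat "$stamp")
    age=$((now - last))
    [ "$age" -le "$max_age" ]
}

# --- constructed demo data ------------------------------------------------
demo_dir=$(mktemp -d)
printf 'constructed aide.db contents\n' > "$demo_dir/aide.db"
sha256sum "$demo_dir/aide.db" | awk '{print $1}' > "$demo_dir/aide.db.sha256"

# An unmodified database verifies ...
check_db_integrity "$demo_dir/aide.db" "$demo_dir/aide.db.sha256" \
    && echo "db ok" || echo "ALERT: aide.db differs from recorded hash"

# ... and a tampered one does not.
printf 'tampered\n' >> "$demo_dir/aide.db"
check_db_integrity "$demo_dir/aide.db" "$demo_dir/aide.db.sha256" \
    && echo "db ok" || echo "ALERT: aide.db differs from recorded hash"

# Heartbeat: for a daily job, a run one hour ago is fine; three days ago is not.
now=$(date +%s)
echo $((now - 3600)) > "$demo_dir/last_run"
check_heartbeat "$demo_dir/last_run" 172800 "$now" \
    && echo "heartbeat ok" || echo "ALERT: no recent aide run"
echo $((now - 259200)) > "$demo_dir/last_run"
check_heartbeat "$demo_dir/last_run" 172800 "$now" \
    && echo "heartbeat ok" || echo "ALERT: no recent aide run"

rm -rf "$demo_dir"
```

The heartbeat addresses Hoyt's point directly: an attacker who disables the cron job produces silence, and silence is only a signal if something is watching for it. Running the heartbeat from a host the intruder does not control is what makes the absence of a report visible. The hash comparison only helps if the reference hash is kept off the monitored machine, which is also what makes it useful on XFS where the immutable flag is not an option.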