farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
Posted: Fri Sep 30, 2016 5:49 pm Post subject: Gentoo Aide File Intrusion System

How long before the aide software gets owned by hackers?
Hu Administrator
Joined: 06 Mar 2007 Posts: 23093
Posted: Sat Oct 01, 2016 12:11 am Post subject:

That depends on when someone convinces the authors to sign over their copyright, which might depend on what incentives are offered in exchange. If copyright assignment is not what you meant, please provide some context for your question.
farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
Posted: Sat Oct 01, 2016 7:45 am Post subject:

I was pretty drunk when I posted the previous message, but there is something not clear to me about Aide; I hope someone can provide me a solution:
when storing the Aide databases offline, for example in a cloud or on a USB drive, and the attacker gets hold of the root password, then the attacker can just make a new aide.db database, making the stored offline database invalid, right?
How should one protect from this?
Hu Administrator
Joined: 06 Mar 2007 Posts: 23093
Posted: Sat Oct 01, 2016 4:45 pm Post subject:

As I understand it, the database records the expected contents of files. If the files are changed, the database can tell you which files have been changed, provided that you can still trust the contents of the database. If it is stored somewhere that the attacker cannot have modified, then you can trust it. For example, if it was stored on a server which has no direct network connection, or which is known not to allow anyone to connect (for example, it does not permit any inbound connection from the compromised machines, even for "authorized" users), then you can reasonably trust that the attacker cannot modify that copy of the database. If the attacker can modify the database, then your only hope is that the attacker was too limited, too rushed or too unaware to do so. For example, if an attacker exploits a program that allows him to modify any file owned by Apache, but not run arbitrary code as any user or modify files owned by other users, and the database was owned by root, then the attacker was too limited to modify the database.
farmer.ro Apprentice
Joined: 20 Aug 2016 Posts: 179
Posted: Sun Oct 02, 2016 6:41 am Post subject:

I am not really sure what modifying the aide.db database does, but I am speaking particularly about the case where root rights are gained on the machine: then the attacker can just create a new aide.db.
How does one protect from the option of creating a new aide.db, and not necessarily modifying the aide.db?
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
Posted: Sun Oct 02, 2016 11:09 am Post subject:

Put the database file on removable media - and remove the media from the covered machine.
Edit to add: the "offline" removable media database isn't rendered invalid if and when the attacker modifies the database on the covered machine. The altered database becomes the "invalid" one.
Your hypothetical attacker has root privileges, and can do anything with the machine being compromised.
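As an added illustration of the point made in this thread (not code from the forum posts or from the AIDE project): a toy baseline-and-check in Python, showing that a root-level attacker who alters a file and regenerates the on-host database hides the change from a check against that database, while a check against the copy kept on removable media still reports it. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record a sha256 per file under ROOT, the way AIDE records its database on --init."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return baseline

def compare(baseline, root):
    """Return (changed, added, removed) paths relative to BASELINE, like aide --check."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed

def same_db(host_db, offline_db):
    """The offline copy is the reference: a regenerated on-host db simply fails this check."""
    return hashlib.sha256(host_db).digest() == hashlib.sha256(offline_db).digest()

def demo():
    """Constructed scenario: a root attacker alters a file and regenerates the on-host db."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")          # constructed sample content
        offline_db = json.dumps(build_baseline(root), sort_keys=True).encode()  # copied to USB
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary")          # attacker replaces the file ...
        host_db = json.dumps(build_baseline(root), sort_keys=True).encode()     # ... and re-inits
        return {
            "against_host_db": compare(json.loads(host_db), root),        # ([], [], []): hidden
            "against_offline_db": compare(json.loads(offline_db), root),  # (['bin/ls'], [], [])
            "host_db_matches_offline": same_db(host_db, offline_db),      # False
        }
```

The check that matters is the one run against the removable-media copy; the on-host aide.db after a root compromise is only evidence that it no longer matches the offline one.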