Gentoo Forums
Gentoo Aide File Intrusion System
farmer.ro (Apprentice)
Joined: 20 Aug 2016
Posts: 179
Posted: Fri Sep 30, 2016 5:49 pm    Post subject: Gentoo Aide File Intrusion System

How long before the aide software gets owned by hackers?
Hu (Moderator)
Joined: 06 Mar 2007
Posts: 13493
Posted: Sat Oct 01, 2016 12:11 am

That depends on when someone convinces the authors to sign over their copyright, which might depend on what incentives are offered in exchange. If copyright assignment is not what you meant, please provide some context for your question.
farmer.ro (Apprentice)
Joined: 20 Aug 2016
Posts: 179
Posted: Sat Oct 01, 2016 7:45 am

I was pretty drunk when I posted the previous message, but there is something not clear to me about Aide. I hope someone can provide me a solution:

When storing the Aide databases offline, for example in a cloud or on a USB drive, and the attacker gets hold of the root password, then the attacker can just make a new aide.db database, making the stored offline database invalid, right?

How should one protect from this?
Hu (Moderator)
Joined: 06 Mar 2007
Posts: 13493
Posted: Sat Oct 01, 2016 4:45 pm

As I understand it, the database records the expected contents of files. If the files are changed, the database can tell you which files have been changed, provided that you can still trust the contents of the database. If it is stored somewhere that the attacker cannot have modified, then you can trust it. For example, if it was stored on a server which has no direct network connection, or which is known not to allow anyone to connect (for example, it does not permit any inbound connection from the compromised machines, even for "authorized" users), then you can reasonably trust that the attacker cannot modify that copy of the database. If the attacker can modify the database, then your only hope is that the attacker was too limited, too rushed or too unaware to do so. For example, if an attacker exploits a program that allows him to modify any file owned by Apache, but not run arbitrary code as any user or modify files owned by other users, and the database was owned by root, then the attacker was too limited to modify the database.
farmer.ro (Apprentice)
Joined: 20 Aug 2016
Posts: 179
Posted: Sun Oct 02, 2016 6:41 am

I am not really sure what modifying the aide.db database does, but I am particularly speaking about the case where root rights are gained on the machine; then the attacker can just create a new aide.db.

How does one protect from the option of creating a new aide.db, and not necessarily modifying the aide.db?
cboldt (l33t)
Joined: 24 Aug 2005
Posts: 829
Posted: Sun Oct 02, 2016 11:09 am

Put the database file on removable media - and remove the media from the covered machine.

Edit to add, the "offline" removable media database isn't rendered invalid if and when the attacker modifies the database on the covered machine. The altered database becomes the "invalid" one.

Your hypothetical attacker has root privileges, and can do anything with the machine being compromised.
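The point made in the thread is that `aide --check` trusts whatever `aide.db` is present on the host, so a root-level attacker who regenerates it produces a clean-looking check. As an added example (not part of the thread and not AIDE's own tooling), this POSIX shell script compares the on-host database against the copy kept on removable media before the check is trusted; the database paths and the demo files are constructed assumptions.

```shell
#!/bin/sh
# Added example: confirm the on-host AIDE database is byte-identical to the
# reference copy kept on offline/removable media. A root attacker can re-run
# 'aide --init' on the host, but cannot touch the detached copy, so a mismatch
# means the on-host database must not be trusted for the check.

# Portable SHA-256 helper: coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_reference_db OFFLINE_DB HOST_DB
# Returns 0 when both files hash identically, 1 when either is missing or
# the on-host database differs from the offline reference.
verify_reference_db() {
    offline_db="$1"   # assumption: e.g. /mnt/usb/aide.db on read-only media
    host_db="$2"      # assumption: e.g. /var/lib/aide/aide.db on the host
    [ -r "$offline_db" ] || { echo "offline reference missing: $offline_db" >&2; return 1; }
    [ -r "$host_db" ]    || { echo "on-host database missing: $host_db" >&2; return 1; }
    if [ "$(sha256_of "$offline_db")" = "$(sha256_of "$host_db")" ]; then
        return 0
    fi
    echo "on-host $host_db differs from offline copy: possibly regenerated" >&2
    return 1
}

# Constructed demo data standing in for real aide.db files (not AIDE output).
demo_dir=$(mktemp -d)
printf 'constructed reference database\n' > "$demo_dir/offline.db"
cp "$demo_dir/offline.db" "$demo_dir/host.db"
verify_reference_db "$demo_dir/offline.db" "$demo_dir/host.db" \
    && echo "host database matches offline copy; check results can be trusted"

# Simulate a fresh database installed on the host by a root-level attacker.
printf 'constructed regenerated database\n' > "$demo_dir/host.db"
verify_reference_db "$demo_dir/offline.db" "$demo_dir/host.db" \
    || echo "run the check against the offline copy, not the on-host database"
rm -rf "$demo_dir"
```

When the comparison fails, point AIDE at the offline copy for the check rather than at the on-host file; the offline media should be mounted read-only so the reference itself cannot be rewritten during that step.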