[CentOS] C6 : AIDE experience

Wed Sep 17 15:42:38 UTC 2014
Mark Tinberg <mtinberg at wisc.edu>

On Sep 17, 2014, at 10:26 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:

> 
> On Tue, September 16, 2014 9:40 pm, Always Learning wrote:
>> 
>> On Tue, 2014-09-16 at 16:41 -0400, Bowie Bailey wrote:
>> 
>>> Aide does not update its database file.  Whenever you run an init or
>>> update, it will create a new file.  You then have to manually rename
>>> that file in order to start using the new database.
> 
> I used aide for some time after tripwire went commercial, stayed without
> support, and finally a bug (in e-mail...) was discovered. I moved away
> from aide soon after. You may think of some intrusion detection
> tool/system that:
> 
> 1. doesn't keep reference database on the same box (I know, I know, they
> are signed, etc...)
> 
> 2. does not rely on binaries living on this same box (think about checking
> these binaries on another, much more trusted box before using them…)

That’s kind of an impossible requirement: any kind of userspace measurement of binaries, no matter how many hoops you jump through, has the same potential problem, that a compromised system can hide from it using just the legitimate available APIs.  A userspace integrity checker is only good against malware that isn’t specifically trying to hide itself from the checker (which does actually cover a lot of ground); the only way to reliably find malware that is trying to be stealthy is offline checking.  That still doesn’t cover other places where _really_ stealthy malware can hide, like device firmware, which can survive a disk wipe.

Although probably not relevant for CentOS 6, there are some interesting tools in the Linux Integrity Measurement Architecture that I have recently become aware of but haven’t tested.  Apparently with newer versions you can store _signed_ hashes of binaries as an xattr that the kernel will check itself on open(); since they are signed off-box and the public key is in the kernel keyring, you get much of the same benefit as AIDE without the heavy cron jobs and without any delay in checking: every time the file is read it is checked.

— 
Mark Tinberg
mtinberg at wisc.edu
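An added example, not code from anyone in this thread: shell helpers for the AIDE workflow Bowie describes (the init/update output has to be renamed into place by hand) combined with Valeri's first point, recording the baseline's hash so the on-box database can be compared against a copy kept on a more trusted host before each check. The AIDE paths and the host name `trusted-host` are assumptions.

```shell
# Added example, not from the thread. AIDE writes a fresh baseline to
# database_out and never touches the database it reads, so activating a new
# baseline is a manual rename; these helpers do that rename and print the
# baseline's SHA-256 so it can be stored on a more trusted host and compared
# with the on-box copy before every check. Default paths are assumptions;
# confirm them against database= and database_out= in /etc/aide.conf.
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db.gz}"
AIDE_DB_NEW="${AIDE_DB_NEW:-/var/lib/aide/aide.db.new.gz}"

# Hex digest only (sha256sum on Linux, shasum where that is missing).
db_hash() { { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1; }

# Move the freshly generated database into place, keep the previous baseline
# under a timestamped name, and print the new baseline's hash for off-box storage.
aide_activate_db() {
    new="${1:-$AIDE_DB_NEW}"
    db="${2:-$AIDE_DB}"
    if [ ! -f "$new" ]; then
        echo "no new database at $new (run aide --init or --update first)" >&2
        return 1
    fi
    if [ -f "$db" ]; then
        mv "$db" "$db.$(date +%Y%m%d%H%M%S)"
    fi
    mv "$new" "$db"
    db_hash "$db"
}

# Compare the on-box database with the hash recorded off-box at activation.
# Returns 1 if it is missing or changed, so aide --check never runs against a
# baseline that was swapped on the box itself.
aide_verify_db() {
    expected="$1"
    db="${2:-$AIDE_DB}"
    if [ ! -f "$db" ]; then
        echo "database $db missing" >&2
        return 1
    fi
    actual=$(db_hash "$db")
    if [ "$actual" != "$expected" ]; then
        echo "database hash mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    echo "database hash ok"
}

# Typical sequence (trusted-host is a placeholder), left as comments:
#   aide --init && h=$(aide_activate_db) && echo "$h" | ssh trusted-host 'cat >> aide-hashes'
#   aide_verify_db "$(ssh trusted-host 'tail -n 1 aide-hashes')" && aide --check
```

This only guards the baseline itself; as noted above, a checker running on a compromised box can still be lied to by the kernel it runs on.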