[CentOS] C6 : AIDE experience

Wed Sep 17 22:36:12 UTC 2014
Kahlil Hodgson <kahlil.hodgson at dealmax.com.au>

check out samhain (www.la-samhna.de/samhain/) if you're feeling really
paranoid.


Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382
DealMax Pty Ltd                            (w) +61 (0) 3 9008 5281

Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing.  You must remember that
the parts you are reassembling were disassembled by you.  Therefore,
if you can't get them together again, there must be a reason.  By all
means, do not use a hammer."  -- IBM maintenance manual, 1925


On Thu, Sep 18, 2014 at 1:42 AM, Mark Tinberg <mtinberg at wisc.edu> wrote:

>
> On Sep 17, 2014, at 10:26 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu>
> wrote:
>
> >
> > On Tue, September 16, 2014 9:40 pm, Always Learning wrote:
> >>
> >> On Tue, 2014-09-16 at 16:41 -0400, Bowie Bailey wrote:
> >>
> >>> Aide does not update its database file.  Whenever you run an init or
> >>> update, it will create a new file.  You then have to manually rename
> >>> that file in order to start using the new database.
> >
> > I used aide for some time after tripwire went commercial, stayed without
> > support, and finally a bug (in e-mail...) was discovered. I moved away
> > from aide soon after. You may think of some intrusion detection
> > tool/system that:
> >
> > 1. doesn't keep reference database on the same box (I know, I know, they
> > are signed, etc...)
> >
> > 2. does not rely on binaries living on this same box (think about checking
> > these binaries on another, much more trusted box before using them…)
>
> That’s kind of an impossible requirement, any kind of userspace
> measurement of binaries, no matter how many hoops you jump through, has
> the same potential problems that a compromised system can hide from them
> using just the legitimate available APIs.  A user space integrity checker
> is only good against malware that isn’t specifically trying to hide itself
> from the checker, which does actually cover a lot of ground; the only way
> to reliably find malware that is trying to be stealthy is offline
> checking.  That still doesn’t cover other places where _really_ stealthy
> malware can hide, like in device firmware, that can survive a disk wipe.
>
> Although probably not relevant for CentOS 6 there are some interesting
> tools in the Linux Integrity Measurement Architecture that I have recently
> become aware of but haven’t tested.  Apparently with newer versions you can
> store _signed_ hashes of binaries as an xattr that the kernel will check
> itself on open(), since they are signed off-box and the public key is in
> the kernel keyring you get much of the same benefit as AIDE without the
> heavy cron jobs and without any delay in checking, every time the file is
> read it is checked.
>
> Mark Tinberg
> mtinberg at wisc.edu
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
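As an added example (not code from this thread, nor from the AIDE project), a small POSIX shell wrapper covering two points raised above: the new database written by `aide --init` / `aide --update` has to be renamed into place by hand, and the reference database's digest is better kept on another host so a tampered on-box database is noticed before it is trusted. The paths, the digest-file location and the `aide --check` invocation are assumptions for illustration.

```shell
#!/bin/sh
# Added example: AIDE database rotation plus an off-box digest check.
# Assumed paths (CentOS 6 defaults are similar, but verify on your system).
AIDE_DIR="${AIDE_DIR:-/var/lib/aide}"
AIDE_DB="$AIDE_DIR/aide.db.gz"          # database that aide --check reads
AIDE_NEW="$AIDE_DIR/aide.db.new.gz"     # what aide --init / --update writes
# Digest of the trusted database. Assumption: this file is kept on another
# host and copied here (scp/rsync) right before the check, so the on-box
# database cannot be silently replaced together with its digest.
REF_DIGEST="${REF_DIGEST:-/run/aide/reference.sha256}"

# Print the SHA-256 hex digest of a file (GNU coreutils or BSD shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Return 0 only if the on-box database matches the off-box digest.
# Returns 2 when either file is missing, 1 on a mismatch.
verify_db_digest() {
    db="$1"; digest_file="$2"
    [ -f "$db" ] && [ -f "$digest_file" ] || return 2
    expected=$(cut -d' ' -f1 "$digest_file")   # accepts "hex" or "hex  name"
    actual=$(sha256_of "$db")
    [ "$expected" = "$actual" ]
}

# Promote the freshly written database: move it into place and write its
# digest to $3 so the caller can ship that digest off-box afterwards.
rotate_aide_db() {
    new="$1"; db="$2"; digest_out="$3"
    [ -f "$new" ] || return 2
    mv -f "$new" "$db"
    sha256_of "$db" > "$digest_out"
}

# Refuse to run the check against a database the off-box digest disowns.
aide_check() {
    verify_db_digest "$AIDE_DB" "$REF_DIGEST" || {
        echo "reference database digest mismatch or missing; not trusting $AIDE_DB" >&2
        return 1
    }
    aide --check
}
```

After `rotate_aide_db "$AIDE_NEW" "$AIDE_DB" /tmp/new.sha256`, copy `/tmp/new.sha256` to the trusted host; that copy becomes the next run's `$REF_DIGEST`.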