[Aide] 0.11rc2 observations

Vincent Danen vdanen at linsec.ca
Sat Jan 21 04:06:00 EET 2006


* Vincent Danen <vdanen at linsec.ca> [2006-01-20 18:48:37 -0700]:

> Another question I had, and this is more of a design question than
> anything.  Why does aide make comparisons against the live filesystem?
> Or, rather, why does it update from the live filesystem.  It looks to me
> like --init is functionally equivalent to --update except for the report
> of differences at the end.
> 
> The problem I have with this model is that it takes aide some time to
> run, and there is a small window of opportunity between when you do,
> say, a check and then an update.
> 
> For instance, if I run a cronjob at 4am to do a check, then run an
> update at 10am to update my database.  Obviously it's not using my 4am
> check to merge the differences to the database, right?
> 
> So the check just reports on the differences, but what I don't get is,
> if I don't run another check immediately before my update, how will I
> know what changed?  Something could have changed in those 6hrs and I'd
> be completely unaware of it, run the update, and I've just merged that
> "unauthorized" change into my database (assume a trojaned ls or
> something).  I'm not going to see that in any report because it's using
> the current filesystem to do the update, not the 4am snapshot.
> 
> Or am I missing something?  Am I too used to how tripwire works?  =)  I
> guess some testing would let me know, but am I correct in assuming that
> --check is nothing more than a report of the current time the check is
> run and shouldn't be considered even remotely accurate when I try to run
> an update later?

Ok, responding to myself here.  I see that aide spits out changed files
at the end of update (did a small test) so you can see what has changed
from the last report.  So that's good.  I just want to make sure that
there is no window of opportunity for something to sneak in; ie. with
tripwire I know there isn't any because it's merging one report from the
last check to the database, so if anything changed even during the
check that may have gotten missed, it can't sneak in because tripwire
never uses the live filesystem as a reference point (except the initial
init).

I suppose with aide the same thing would be true... if file X was added
to the db and then 2s later changed, it would show up in the next
check/update and not actually make it into the new db.

Maybe I'm just overly paranoid.  =)  Sorry for the noise, just trying to
work out the differences here between the two and I've been using
tripwire for quite a few years.

-- 
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C  A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
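The check/update window discussed above, as an added toy model (not aide's or tripwire's own code): a snapshot is a dict of path to SHA-256, `check` reports against the live tree without touching the baseline, and `update` takes a single snapshot and returns both the report and that same snapshot as the candidate new database, so anything that lands in the candidate is necessarily in the report. The file names and contents are constructed sample data, and the "refuse to promote when the report is non-empty" policy is an assumed operator rule, not something either tool enforces.

```python
import hashlib
import os
import tempfile


def write(root, rel, data):
    """Helper: create a file below root with the given bytes (constructed sample data)."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def snapshot(root):
    """Walk root once and record a SHA-256 per regular file, keyed by relative path."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                db[rel] = hashlib.sha256(f.read()).hexdigest()
    return db


def compare(baseline, current):
    """Diff two snapshots into added / removed / changed path lists."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def check(baseline, root):
    """Like --check: a report against the live tree, baseline left untouched."""
    return compare(baseline, snapshot(root))


def update(baseline, root):
    """Like --update: take ONE snapshot, report it against the baseline, and
    hand back that same snapshot as the candidate new database. Because the
    report and the candidate come from the same read, nothing in the candidate
    is missing from the report; promoting the candidate is the operator's call."""
    current = snapshot(root)
    return compare(baseline, current), current


def demo():
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"original ls")
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = snapshot(root)                  # equivalent of --init

        write(root, "bin/ls", b"replaced ls")      # a change made between check and update
        first_report, candidate = update(baseline, root)
        # assumed operator policy: keep the old db if the update report lists anything
        promoted = baseline if any(first_report.values()) else candidate

        write(root, "etc/shadow", b"root:*:0:0:::::\n")  # a change made after the snapshot
        late_report = check(candidate, root)      # shows up at the next check/update
        return {
            "first_report": first_report,
            "promoted_is_baseline": promoted is baseline,
            "late_report": late_report,
        }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The point the model makes concrete: a change made before the update's single read is listed in the update report (so it cannot be merged silently), and a change made after that read is not in the new database at all and is caught by the next run. The only unguarded step is the human one, deciding to promote the candidate after reading the report.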