[Aide] Reading AIDE database from a URL?

Osmo Paananen odie at cs.tut.fi
Tue Mar 28 08:44:58 EEST 2006


Hi!

As others are sharing how they have been running aide, here is one more
version.

1) configuration and db's are stored at central server (piped via ssh)
2) master connects using ssh which uses public key authentication
3) public key mandates that only command which can be run is sudo aide --init
4) master server compares the new and the old db
5) aide database & config signing are used to make it harder
for a potential intruder to modify the aide binary on client machines
to ignore attacker-specified files
6) aide binary is not copied from the master server, because if
the master server were compromised it would enable the attacker
to execute code of his choice on the clients
7) there is a web interface from which you can see the reports and modify
configuration files and create new accounts for the web (etc)
8) old databases are stored as patches to the original
(newest is stored also in non-patch format)


I have been thinking of releasing this code in gpl. The framework is far from
perfect so I don't know whether a total rewrite would be easier.

Releasing the code in gpl is hard because I have no idea whose
permission I would need from my organization.

Perhaps someone has already done something similar which is released to
public.

On Wed, 2006-03-22 at 06:55 -0600, David Theilen wrote:
> I approach this a little differently.  I start with a master system
> controlling the activity, I assume I can't trust the remote servers.
> 
> I store a conf and database for each remote server.
> The master does an scp to get the aide conf, database file
> and also the aide binary to the remote.
> Then I use ssh to initiate aide on the remote.
> 
> The master has an init script that stores the conf and database
> specific for a remote whenever a new init is needed for a remote.
> 
> 
> Alex Greg wrote:
> 
> >I've been looking at AIDE over the past few days, with a view to
> >rolling it out on over 60 Linux servers. So far, it's looking much
> >better than Tripwire, from both an installation and performance point
> >of view.
> >
> >The only problem I have with AIDE is that the database is stored in
> >plain-text, which means if an attacker gains root access on one of the
> >boxes, they can simply change the database. I can't feasibly store the
> >database on read-only media such as floppies/CD's for obvious reasons
> >(60+ floppies/CD's in 60+ servers...?)
> >
> >I noticed that AIDE supports reading the database from a remote server
> >using PostgreSQL, which is useful. However, what would really be ideal
> >for us would be to store the database for each machine on an internal
> >HTTP server, and configure AIDE to validate against that.
> >
> >Is HTTP support for reading the database planned, or does anyone know
> >of a patch? Also, if there are any other suggestions, please let me
> >know!
> >
> >
> >Thanks,
> >
> >
> >-- Alex
> >_______________________________________________
> >Aide mailing list
> >Aide at cs.tut.fi
> >https://mailman.cs.tut.fi/mailman/listinfo/aide
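The forced-command arrangement from steps 2-4 of Osmo's setup, as an added example (not code from the post or from the AIDE project): the client pins the master's key to a single command, the master can audit that no unrestricted keys slipped in, and compares the fresh database with the stored one. The user name `aidemaster`, the `/var/lib/aide` paths and the per-client config file are assumptions; the client's aide.conf is assumed to set `database_out=stdout` so the new database comes back over the ssh channel.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the AIDE project.

# Client side: one authorized_keys line for the master's public key.
# Whatever command the master requests, sshd runs only the forced one,
# so a compromised master cannot run arbitrary code on the client.
restricted_key_line() {
  # $1 = the master's public key (one line of id_*.pub)
  printf 'command="sudo aide --init",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Audit helper: print how many keys in an authorized_keys file lack a
# forced command (blank lines and comments are ignored). Expect 0.
count_unrestricted_keys() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;        # blank or comment
      *'command="'*) ;;           # restricted by a forced command
      *) n=$((n + 1)) ;;          # unrestricted key
    esac
  done < "$1"
  echo "$n"
}

# Master side: trigger the forced command on one client (the word "init"
# is ignored by sshd; the forced command runs regardless), store the fresh
# database next to the old one and let aide compare the two. Assumed:
# /etc/aide/master-<client>.conf sets database= and database_new= to the
# two paths used here (AIDE's own keys for --compare).
compare_client_db() {
  client="$1"; dbdir="/var/lib/aide/db"
  ssh "aidemaster@$client" init > "$dbdir/$client.db.new" || return 1
  aide --compare --config="/etc/aide/master-$client.conf"
}
```

Run `count_unrestricted_keys ~aidemaster/.ssh/authorized_keys` on each client from cron and alert on any non-zero result.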
