[Aide] /usr/sbin/aide changes on x86_64???

Richard van den Berg richard at vdberg.org
Tue Nov 7 00:18:40 EET 2006


James Antill wrote:
>  I don't see a security advantage of linking aide statically, either
> you reboot and run the entire thing from CDROM or you just have to
> trust a few different things (starting with kernel, shell/cron). At
> which point the addition of ld.so and a few libs seems minor, IMO.

Aide was written specifically for detecting changes on a system. If
someone replaces ld.so or libc.so and masks any access to a trojan
binary, aide will not be of much help if it is dynamically linked. Rogue
kernel modules are another issue (which aide cannot help with). Running a
statically linked aide with the aide.db on a read-only medium is really
the preferred usage from a security perspective. Many people rely on the
aide reports to tell them their system was compromised; I'd want those
reports to be as accurate as possible.

Sincerely,

Richard van den Berg

