[Aide] Non-hash and "growing log" Integrity Checking

gentuxx gentuxx at gmail.com
Sat Sep 2 10:51:28 EEST 2006



Hi all,

I tried subscribing to this (dev) list, but didn't realize it was
moderated for non-members.  I really only have a "general" question, but
one which could require a rather detailed answer and some follow-on
questions.  So I don't know that subscribing is really required, but may
make things more convenient.

That being said, I find myself in one of those situations where I am
*forced* to re-invent the wheel.  AIDE is exactly what I need, but the
target host is a Windows system, and I can't install Cygwin.  So, much
to my own chagrin, I'm attempting to write a file integrity verification
"tool" in perl to monitor this high-profile system.  (Perl is about the
extent of my programming ability - although I tend to do quite well with
it. ;-) )

I've managed to get a working version that will run MD5 hashes for all
of the files specified in a given directory and/or list (using a "file
list" input file).  However, I'm running into issues with files that are
updated frequently and/or are constantly growing (Windows Event Logs).

Naturally, as events are added to the Windows Event log, the MD5 hash
will change (so would SHA1 or any other one-way hash AFAIK).  Aside from
the obvious, I have reasons for wanting to verify the integrity of these
files.

I know that AIDE handles these sorts of things, and I was wondering if
any of the development team might be willing/able to talk (from a
logical perspective) about how AIDE is able to verify the integrity of a
file in these types of situations.

I've found a perl module that will read the binary *.evt file, but would
rather stay away from extra perl modules if possible.  One possibility
to that end is extracting text from the binary event log file, hashing
it, and comparing the hash with the previously "known good" hash.  Text
up to the point of the last "check" should have the same hash, and would
therefore indicate that the file had not been tampered with.

However, I've used AIDE on *nix systems for some time, and I know that
it runs (or is capable of running) a number of checks, in terms of file
size (shrinkage is "bad") and other parameters.  I'm hoping to apply the
same logic to this system/tool, but I thought I would try to get some
insight as to how AIDE is able to accomplish the task on *nix systems
first, then apply that same logic to this application.

Any insight would be greatly appreciated.

TIA

(Sorry for the long and cross post, but I'm at a sort of stoppage point
that I need to get past, and I'm hoping that if the devs don't see this
post on the dev list, they'll see it on the user list.  Feel free to
contact me off (either) list at the address above/below.)

Thanks.

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2 18D3 4A9E
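
As an added illustration (not from the original message or from the AIDE project), here is the logic the question describes: record the log's size and the hash of exactly those bytes, then on each check hash only that prefix again and treat any shrinkage as a failure. It is written in Python rather than Perl for clarity, uses SHA-256 in place of MD5, and the event records are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    size: int      # byte length of the log when the baseline was taken
    digest: str    # SHA-256 of exactly those first `size` bytes

def hash_prefix(data: bytes, size: int) -> str:
    # Hash only the first `size` bytes; records appended later do not disturb it.
    return hashlib.sha256(data[:size]).hexdigest()

def take_baseline(data: bytes) -> Baseline:
    return Baseline(len(data), hash_prefix(data, len(data)))

def check_growing_log(data: bytes, baseline: Baseline):
    """Compare the current log contents against the previous baseline.

    Returns (verdict, new_baseline). Only a clean result rolls the baseline
    forward; a failing one keeps the old baseline so the next run still
    reports against the last known-good state.
    """
    if len(data) < baseline.size:
        return "SHRUNK", baseline            # shrinkage is never legitimate
    if hash_prefix(data, baseline.size) != baseline.digest:
        return "PREFIX_MODIFIED", baseline   # earlier records were altered
    if len(data) == baseline.size:
        return "UNCHANGED", baseline
    return "APPENDED", take_baseline(data)   # accept the new tail as known-good

def check_file(path: str, baseline: Baseline):
    # Read whole for brevity; for large logs feed the first baseline.size
    # bytes through the hash in chunks and take the length from os.stat.
    with open(path, "rb") as fh:
        return check_growing_log(fh.read(), baseline)

# Constructed sample records standing in for exported event-log text.
KNOWN_GOOD = b"1001 logon ok\n1002 service start\n"
APPENDED = KNOWN_GOOD + b"1003 logon ok\n"
TRUNCATED = KNOWN_GOOD[:10]
EDITED = KNOWN_GOOD.replace(b"1001 logon ok", b"1001 logon XX") + b"1003 logon ok\n"

if __name__ == "__main__":
    base = take_baseline(KNOWN_GOOD)
    for name, snapshot in [("appended", APPENDED), ("truncated", TRUNCATED), ("edited", EDITED)]:
        verdict, _ = check_growing_log(snapshot, base)
        print(f"{name}: {verdict}")
```

This only holds for content that is genuinely append-only, such as the text extracted from the log, since the raw binary .evt file rewrites its header on every write and wraps when it reaches its maximum size, so the prefix would change without any tampering.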


More information about the Aide mailing list