[Aide] Reporting log files

Pablo Virolainen pablo at vapaa.fi
Thu Mar 29 12:52:17 EEST 2007


On Thu, 29 Mar 2007, Marc Haber wrote:

> On Thu, Mar 29, 2007 at 10:25:48AM +0300, Pablo Virolainen wrote:
> > Assuming you have broken into the system, and by breaking into the system, some
> > system binary has been changed. When they (the bad guys) get the
> > information (the hash value of the original binary) they can feed it back
> > so that AIDE won't see the change.
>
> They can feed it back into where? And what keeps them from building
> the checksums of the original binary before exchanging it?

The assumption was that breaking into the machine changes the binary, so they
don't know the original binary (or whatever change AIDE is supposed to
notice).

ssh <machine_to_be_checked> aide_script.sh > aide_<current_time>.db
And they could make aide_<current_time>.db contain data which suggests
that nothing has happened.

Pablo Virolainen
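Added example (not from this thread or from AIDE itself) showing the defensive side of the argument above in Python: the verifier keeps the reference database off the checked machine and rehashes the raw file contents itself, so a host-generated report that replays the original hash is caught. BASELINE, SELF_REPORT and the file contents are constructed sample data.

```python
import hashlib

# Constructed sample data: a baseline captured off-host before deployment,
# the current file contents on the checked machine, and a report the
# machine produced about itself.
BASELINE = {
    "/bin/login": hashlib.sha256(b"original login binary").hexdigest(),
    "/bin/ls": hashlib.sha256(b"original ls binary").hexdigest(),
}
CURRENT_CONTENT = {
    "/bin/login": b"trojaned login binary",  # replaced after the break-in
    "/bin/ls": b"original ls binary",        # untouched
}
# Self-report from the host: the original hash of /bin/login is replayed,
# so the entry looks unchanged if the report is trusted as-is.
SELF_REPORT = {
    "/bin/login": BASELINE["/bin/login"],
    "/bin/ls": BASELINE["/bin/ls"],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(baseline, self_report, fetch_content):
    """Check each baseline entry against a hash the verifier recomputes
    from the file content, never against the hash the host claims.
    Returns path -> "ok" | "modified" | "forged_report"."""
    results = {}
    for path, expected in baseline.items():
        actual = sha256_hex(fetch_content(path))
        if actual == expected:
            results[path] = "ok"
        elif self_report.get(path) == expected:
            # Content differs but the host reports the original hash:
            # the report itself was tampered with.
            results[path] = "forged_report"
        else:
            results[path] = "modified"
    return results


def demo():
    # fetch_content stands in for pulling raw bytes over ssh/scp.
    return verify(BASELINE, SELF_REPORT, lambda p: CURRENT_CONTENT[p])


if __name__ == "__main__":
    for path, status in demo().items():
        print(path, status)
```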
