[Aide] Configure aide for /boot only verification on encrypted root system

service at remekmotorok.com
Thu Feb 14 10:15:51 EET 2008


Richard van den Berg wrote:
> Sorry for the late response.
>
> service at remekmotorok.com wrote:
>   
>> Greetings,
>>
>> For anyone interested, I located the problem within the configure file.
>>
>> The command
>> ./configure.modified --prefix=/ --sysconfdir=/ --with-config-file=aide.conf
>> should build aide to have all its files in ~/, but it does not.
>> From memory, the above example was producing the error: file://aide.db 
>> not found or was looking for it in /etc.
>
> That error is correct. You set the sysconfigdir to / so aide.db is 
> expected in /aide.db. If you want all files in ~/ you should use 
> --prefix=/home/mydir and --sysconfigdir=/home/mydir/myetcdir
>
> Sincerely,
>
> Richard van den Berg
>
Richard,

Thank you for the reply.

I have saved your suggestions for the next time I compile aide, however 
I think it will still give
the undesirable result of a /etc directory.

--sysconfigdir=/home/mydir/myetcdir

As I have it compiled now, it looks for all files in the same directory.
As these live on a USB drive, I can never be sure where they will mount.
/media/disk1 or disk2 or media/256mb and so on.
This gets a bit interesting as on some systems the /boot is on the hard drive.
On other systems, /boot and the encryption key are on a removable USB drive.
I could of course force the mount location, but that kills the usability 
of auto mount.
Because of the simple nature of my application, having a /etc 
subdirectory just adds to the clutter and reduces the usability for me.

At the moment, I have it working well. By fooling it to think everything 
is in / at compile time,
it will happily run from any directory it is in, find /boot and do its 
work.

The purpose of this is to check for any tampering with the exposed /boot 
partition.
Key loggers or other malicious programs slipped into /boot are the issue.
From my feeble testing, aide looks like it picks up any change at all 
to /boot.
But I am no expert in these matters.
So, if I may ask, is there any way to get malicious code into the /boot 
area that aide would not find?
Is my use of aide giving any level of false security?

Many thanks and best regards,
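
The setup discussed in this thread (aide, its config and its database all on a stick that mounts at an unpredictable path) can also be handled at run time with aide's `--config` option instead of at compile time. The wrapper below is an added example, not part of the original message or of the AIDE project; the file layout, the function names, and the availability of `sha256` in the aide build are assumptions.

```shell
#!/bin/sh
# Added example: check /boot with AIDE using a config generated at run time,
# so the database is always looked up beside this script on the USB stick.

# Absolute path of the directory containing the script given as $1.
script_dir() {
    CDPATH= cd -- "$(dirname -- "$1")" && pwd -P
}

# Print an aide.conf whose database paths point at directory $1.
# Assumption: the mount path has no whitespace (it is embedded in a file: URL).
make_conf() {
    cat <<EOF
database=file:$1/aide.db
database_out=file:$1/aide.db.new
# perms, inode, link count, owner, group, size, mtime, ctime, SHA-256
/boot p+i+n+u+g+s+m+c+sha256
EOF
}

# run_aide DIR MODE   (MODE is "init" or "check")
run_aide() {
    dir=$1
    mode=$2
    conf=$(mktemp) || return 1
    make_conf "$dir" > "$conf"
    # Prefer an aide binary stored beside the database (hypothetical layout),
    # so the checker is not taken from the disk being checked.
    aide_bin=$dir/aide
    [ -x "$aide_bin" ] || aide_bin=aide
    "$aide_bin" --config="$conf" "--$mode"
    rc=$?
    rm -f "$conf"
    return "$rc"
}

# Do nothing unless a mode is given on the command line.
case "${1:-}" in
    init|check) run_aide "$(script_dir "$0")" "$1" ;;
esac
```

Run it once with `init` from a known-good state and rename `aide.db.new` to `aide.db` on the stick; later runs with `check` compare /boot against that baseline.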