[Aide] Configure aide for /boot only verification on encrypted root system
service at remekmotorok.com
Thu Feb 14 10:15:51 EET 2008
Richard van den Berg wrote:
> Sorry for the late response.
>
> service at remekmotorok.com wrote:
>
>> Greetings,
>>
>> For anyone interested, I located the problem within the configure file.
>>
>> The command
>> ./configure.modified --prefix=/ --sysconfdir=/ --with-config-file=aide.conf
>> should build aide to have all its files in ~/, but it does not.
>> From memory, the above example was producing the error: file://aide.db
>> not found or was looking for it in /etc.
>>
>>
>
> That error is correct. You set the sysconfigdir to / so aide.db is
> expected in /aide.db. If you want all files in ~/ you should use
> --prefix=/home/mydir and --sysconfigdir=/home/mydir/myetcdir
>
> Sincerely,
>
> Richard van den Berg
Richard,

Thank you for the reply.

I have saved your suggestions for the next time I compile aide, however I think it will still give the undesirable result of a /etc directory.
--sysconfigdir=/home/mydir/myetcdir

As I have it compiled now, it looks for all files in the same directory. As these live on a USB drive, I can never be sure where they will mount: /media/disk1 or disk2 or media/256mb and so on.

This gets a bit interesting, as on some systems the /boot is on the hard drive. On other systems, /boot and the encryption key are on a removable USB drive. I could of course force the mount location, but that kills the usability of auto mount.

Because of the simple nature of my application, having a /etc subdirectory just adds to the clutter and reduces the usability for me.

At the moment, I have it working well. By fooling it to think everything is in / at compile time, it will happily run from any directory it is in, find /boot and do its work.

The purpose of this is to check for any tampering with the exposed /boot partition. Key loggers or other malicious programs slipped into /boot are the issue.

From my feeble testing, aide looks like it picks up any change at all to /boot. But I am no expert in these matters.

So, if I may ask, is there any way to get malicious code into the /boot area that aide would not find? Is my use of aide giving any level of false security?

Many thanks and best regards,
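
An added example, not part of the original message or the AIDE project: one way to keep aide, its config and its database together on a removable drive whose mount point varies is to generate the config at run time from the script's own directory. The file name `aide.conf.generated`, an `aide` binary sitting next to the script, and `sha256` support in that build are assumptions.

```shell
#!/bin/sh
# Added example: build an AIDE config from the directory this script lives
# in, so the drive can mount at /media/disk1, /media/disk2, etc.

# Print an AIDE config whose database paths point into directory $1.
# Note: newer AIDE releases prefer "database_in" over "database".
make_aide_conf() {
    dir=$1
    cat <<EOF
# Generated at run time; all paths follow the current mount point.
database=file:$dir/aide.db
database_out=file:$dir/aide.db.new
# Permissions, inode, link count, owner, group, size, mtime, ctime and a
# SHA-256 content hash for everything under /boot (assumes sha256 support).
/boot p+i+n+u+g+s+m+c+sha256
EOF
}

# Write the config next to the script and run the aide binary found there.
# $1 = directory holding aide and its database, $2 = "init" or "check".
run_aide() {
    dir=$1 action=$2
    conf="$dir/aide.conf.generated"
    make_aide_conf "$dir" > "$conf" || return 1
    "$dir/aide" --config="$conf" "--$action"
}

# Only act when called as "script init" or "script check".
case "${1:-}" in
    init|check)
        here=$(cd "$(dirname "$0")" && pwd) || exit 1
        run_aide "$here" "$1"
        ;;
esac
```

After `init`, the new baseline is written to `aide.db.new` and has to be renamed to `aide.db` before `check` will compare against it.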