[Aide] Real-life benefits of AIDE configuration/database signing

Olivier Alabeatrix oalabeatrix at gmail.com
Wed May 13 09:09:37 EEST 2020


Hello! I'm a newcomer to AIDE, and having difficulties evaluating the real-life benefits of configuration/database signing. I came up with these scenarios:

Scenario 1:

The AIDE binary, configuration and database are on the local machine. They can be tampered with. An attacker's possible vector of attack is to change the locally launched AIDE binary, allowing him to bypass any signing protection.
Signing benefits = prevents database/configuration file hacks, but only if the AIDE binary isn't hacked itself


Scenario 2:

The AIDE binary, configuration and database are on a read-only NFS share. They can't be tampered with. An attacker's only vector of attack is to change the locally launched AIDE binary, allowing him to bypass any signing protection.
Signing benefits = none


Scenario 3:

Manual scanning using a read-only medium (AIDE binary, configuration and database on a CD-ROM or read-only NFS share). They can't be tampered with. An attacker's possible vector of attack is subtle rooting of the kernel.
Signing benefits = none

Scenario 4:

Offline scanning (live-DVD reboot or VM HDD clone and scan). AIDE binary, configuration and database can't be tampered with. No attacker vector of attack.
Signing benefits = none


Any input/advice would be welcome! Thanks!
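The common thread in the scenarios above is that any integrity check is only as trustworthy as the component that performs it. The following wrapper is an added example, not code from the original post or from the AIDE project: it verifies the AIDE binary, configuration and database against a SHA-256 manifest before running a scan, so that a replaced binary is caught by something outside the binary itself. It assumes the manifest and the wrapper are kept on read-only media (otherwise scenario 1 applies to them just as it does to AIDE); the file names, the manifest format (`sha256sum -c` style lines) and the constructed demo files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the AIDE project or the original post).
# Verifies AIDE's binary, config and database against a checksum manifest
# before running a check. Keep this script and the manifest on read-only media.

sha256_of() {
    # Print the SHA-256 of a file; fall back to shasum where sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST
# Each manifest line is "<sha256>  <path>". Returns 0 only if every listed
# file exists and matches; reports each missing or modified file on stderr.
verify_manifest() {
    manifest="$1"
    status=0
    while read -r expected path; do
        [ -n "$expected" ] || continue
        case "$expected" in '#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING  $path" >&2
            status=1
            continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# run_checked MANIFEST AIDE_BIN [aide arguments...]
# Refuses to launch AIDE unless the manifest (which must list the binary,
# the config and the database) verifies cleanly.
run_checked() {
    manifest="$1"; aide_bin="$2"; shift 2
    verify_manifest "$manifest" || {
        echo "integrity check failed; not running AIDE" >&2
        return 2
    }
    "$aide_bin" "$@"
}

# Self-contained demonstration on constructed files in a temporary directory:
# builds a manifest, verifies it (expect 0), tampers with the config and
# verifies again (expect 1). Prints "<good> <bad>".
demo() {
    tmp=$(mktemp -d)
    printf 'database_in=file:%s/aide.db\n' "$tmp" > "$tmp/aide.conf"   # constructed config
    printf 'constructed database\n' > "$tmp/aide.db"                  # constructed database
    printf '#!/bin/sh\necho aide-ran\n' > "$tmp/aide"                  # stand-in binary
    chmod +x "$tmp/aide"
    for f in aide aide.conf aide.db; do
        printf '%s  %s\n' "$(sha256_of "$tmp/$f")" "$tmp/$f"
    done > "$tmp/manifest"
    verify_manifest "$tmp/manifest" && good=0 || good=$?
    printf 'tampered\n' >> "$tmp/aide.conf"                            # simulate modification
    verify_manifest "$tmp/manifest" 2>/dev/null && bad=0 || bad=$?
    rm -rf "$tmp"
    echo "$good $bad"
}

demo
```

In production the wrapper would be invoked as `run_checked /media/ro/manifest /media/ro/aide --check`; the point it illustrates is the one the scenarios circle around: the manifest, the hash tool and this script must sit on media the attacker cannot write to, and none of it helps against a rooted kernel (scenario 3), which is what makes offline scanning (scenario 4) the stronger baseline.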



