[Aide] Real-life benefits of AIDE configuration/database signing

Axel Rau Axel.Rau at Chaos1.DE
Wed May 13 11:29:48 EEST 2020


Hi Olivier,

Scenario 5

The aide executable, database, config and historical scan results are on a protected management host behind a firewall.
A script transfers (by certificate-authenticated ssh) the executable, db and config to the target host(s), runs aide there, collects the results and the new db, and deletes everything on the target.
Such a script has done the job here fine since 2016 (in the current Python 3 version, earlier as a Perl script).

Axel

> Am 13.05.2020 um 08:09 schrieb Olivier Alabeatrix <oalabeatrix at gmail.com>:
> 
> Hello! I'm a newcomer to AIDE, and having difficulties evaluating the real-life benefits of configuration/database signing. I came up with these scenarios:
> 
> Scenario 1:
> 
> The AIDE binary, configuration and database are on the local machine. They can be tampered with. An attacker's possible vector of attack is to change the locally launched AIDE binary, allowing him to bypass any signing protection.
> Signing benefits = prevents database/configuration file hacks, but only if the AIDE binary isn't hacked itself
> 
> 
> Scenario 2:
> 
> The AIDE binary, configuration and database are on a read-only NFS share. They can't be tampered with. An attacker's only vector of attack is to change the locally launched AIDE binary, allowing him to bypass any signing protection.
> Signing benefits = none
> 
> 
> Scenario 3:
> 
> Manual scanning using a read-only medium (AIDE binary, configuration and database on a CD-ROM or read-only NFS share). They can't be tampered with. An attacker's possible vector of attack is subtle rooting of the kernel.
> Signing benefits = none
> 
> Scenario 4:
> 
> Offline scanning (live-DVD reboot or VM HDD clone and scan). AIDE binary, configuration and database can't be tampered with. No vector of attack for the attacker.
> Signing benefits = none
> 
> 
> Any input/advice would be welcomed ! Thanks !
> 
> 
> 
> 
> _______________________________________________
> Aide mailing list
> Aide at ipi.fi <mailto:Aide at ipi.fi>
> https://www.ipi.fi/mailman/listinfo/aide <https://www.ipi.fi/mailman/listinfo/aide>
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
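An added example of the push-mode scan Axel describes as scenario 5, written in Python 3 because he says the current version of his script is Python 3. This is not his script (the list post does not show it) and it makes these assumptions: the aide binary in the store is statically linked so it does not depend on the target's libraries; per-host configs and databases live under a store directory on the management host; a dedicated ssh key permits root login on the target; the scratch directory /root/.aide-push on the target is hypothetical; and the per-host config is assumed to set database_in/database_out to paths relative to that scratch directory. The runner is injectable so the sequencing can be exercised without ssh.

```python
#!/usr/bin/env python3
"""Push-mode AIDE scan over ssh (added example, not Axel's script).

The aide binary, config and db live only on the management host; they are
copied to the target for one run and removed again, whether or not the run
succeeds, so nothing persists on the target for an attacker to modify.
"""
import subprocess
import time
from pathlib import Path
from typing import Callable, Dict, List, Sequence, Tuple

Runner = Callable[[Sequence[str]], int]   # runs an argv, returns its exit status

# Assumptions: hypothetical scratch dir on the target, root login via a
# dedicated key, and batch-mode ssh so nothing can prompt for a password.
REMOTE_DIR = "/root/.aide-push"
SSH_USER = "root"
SSH_OPTS = ["-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes"]


def ssh(host: str, key: str, remote_cmd: str) -> List[str]:
    return ["ssh", "-i", key, *SSH_OPTS, f"{SSH_USER}@{host}", remote_cmd]


def scp(key: str, src: str, dst: str) -> List[str]:
    return ["scp", "-q", "-i", key, *SSH_OPTS, src, dst]


def classify(rc: int) -> str:
    """Name aide(1)'s exit status: 0 is clean, bits 1/2/4 flag new/removed/
    changed files, 14 and above are aide's own error codes.  255 is ssh
    failing to reach the host, which must never be mistaken for a clean scan."""
    if rc == 0:
        return "clean"
    if rc == 255:
        return "ssh-error"
    if rc >= 14:
        return "aide-error"
    names = [n for bit, n in ((1, "new"), (2, "removed"), (4, "changed")) if rc & bit]
    return "+".join(names) if names else f"unknown({rc})"


def plan(host: str, store: Path, key: str, stamp: str) -> List[Tuple[str, List[str]]]:
    """Commands for one scan, in order.  Everything is staged under REMOTE_DIR
    so one rm -rf at the end leaves no binary, config or db on the target."""
    hist = store / "history" / host / stamp
    tgt = f"{SSH_USER}@{host}:{REMOTE_DIR}"
    return [
        ("mkdir", ssh(host, key, f"rm -rf {REMOTE_DIR} && mkdir -m 0700 {REMOTE_DIR}")),
        ("push-bin", scp(key, str(store / "bin" / "aide"), f"{tgt}/aide")),
        ("push-conf", scp(key, str(store / "conf" / f"{host}.conf"), f"{tgt}/aide.conf")),
        ("push-db", scp(key, str(store / "db" / f"{host}.db.gz"), f"{tgt}/aide.db.gz")),
        # --update checks against the pushed db and writes the new one; the
        # config is assumed to name database_in/database_out relative to cwd.
        ("aide", ssh(host, key, f"cd {REMOTE_DIR} && ./aide --config=./aide.conf --update >aide.report 2>&1")),
        ("pull-report", scp(key, f"{tgt}/aide.report", str(hist / "aide.report"))),
        ("pull-db", scp(key, f"{tgt}/aide.db.new.gz", str(hist / "aide.db.new.gz"))),
        ("cleanup", ssh(host, key, f"rm -rf {REMOTE_DIR}")),
    ]


def scan_host(host: str, store, key: str, run: Runner = subprocess.call) -> Dict[str, object]:
    """Run one push-mode scan; the cleanup step always runs, even on failure."""
    store = Path(store)
    stamp = time.strftime("%Y%m%dT%H%M%S")
    (store / "history" / host / stamp).mkdir(parents=True, exist_ok=True)
    steps = plan(host, store, key, stamp)
    rcs: Dict[str, int] = {}
    try:
        for name, argv in steps[:-1]:
            rc = run(argv)
            rcs[name] = rc
            # aide's 1..7 means findings, not a transport failure: keep going
            # so the report and new db are still pulled back for review.
            if rc != 0 and not (name == "aide" and rc < 8):
                break
    finally:
        rcs["cleanup"] = run(steps[-1][1])
    result = classify(rcs["aide"]) if "aide" in rcs else "aborted"
    return {"host": host, "stamp": stamp, "result": result, "steps": rcs}


if __name__ == "__main__":
    import sys
    print(scan_host(sys.argv[1], sys.argv[2], sys.argv[3]))
```

The new database is only filed under history, next to the report; the db under the store's db directory remains the reference until an operator has read the report and promotes it, since automatically accepting the new db after a "changed" result would bake the change into the baseline.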
