<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hello<span lang=FR>! I'm a newcommer to AIDE, and having difficulties evaluating the configuration/database signing real-life benefits. I came up with these scenarios :</span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>Scenario 1:<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>The AIDE binary, configuration and database are on the local machine. They can be tampered with. An attacker possible vector of attack is to change the locally launched AIDE binary, allowing him to bypass any signing protection.<o:p></o:p></span></p><p class=MsoNormal><span lang=FR>Signing benefits = prevents database/configuration file hack but only if the AIDE binary isn't hacked itself<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>Scenario 2:<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>The AIDE binary, configuration and database are on a read-only NFS share. They can't be tampered with. An attacker only vector of attack is to change the locally launched AIDE binary, allowing him to bypass any signing protection.<o:p></o:p></span></p><p class=MsoNormal><span lang=FR>Signing benefits = none<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>Scenario 3:<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>Manual scanning using a read-only medium (AIDE binary, configuration and database on a CD-ROM or read-only NFS share). They can't be tampered with. An attacker possible vector of attack is subtle rooting of the kernel.<o:p></o:p></span></p><p class=MsoNormal><span lang=FR>Signing benefits = none<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>Scenario 4:<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>Offline scanning (live-DVD reboot or VM HDD clone and scan). AIDE binary, configuration and database can't be tampered with. No attacker vector of attack.<o:p></o:p></span></p><p class=MsoNormal><span lang=FR>Signing benefits = none<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR>Any input/advice would be welcomed ! Thanks !<o:p></o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><span lang=FR><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>