[Aide] Verifying mounted filesystem

Sloane, Brandon bsloane at owlcyberdefense.com
Wed Feb 28 23:39:14 EET 2024


Hello,

I am trying to perform an aide check early in the boot process, prior to running pivot_root inside the initial ramdisk. The issue I am running into is that I do not see a way to have AIDE treat anything other than "/" as the root directory. The best solution I have found thus far is to use chroot. However, that executes the aide binary contained within the target filesystem, which is problematic as we have not yet verified that binary (or anything it links against) has not been tampered with. Ideally, I would be able to do something along the lines of:

aide --check --config /path/to/aide.conf --root /mnt/sysroot

and have it behave as if aide was called after doing 'chroot /mnt/sysroot'. However, I have been unable to find anything along the lines of the hypothetical root command.

For reference on my setup, the initial ramdisk is signed as part of secure boot, and the aide configuration and database are signed as well. This makes the integrity of the aide binary (and linked libraries) the weak link in the overall boot process.

Thanks,
Brandon