> That is something that I hadn't considered. The cracker could potentially
> unmount /var/lib/aide/ro (where I have the floppy containing the AIDE
> checksums mounted) and place in that directory a newly-generated list of
> checksums, which AIDE would read the next time it runs. When I got the
> report in my inbox, it would look like everything is fine. IMHO, definitely
> a hole that's there regardless of whether I use a RO floppy or a CD-R.

Sometimes old-fashioned solutions are the best. Print your log files on an old Dot-Matrix Printer. Costs very little, attacker can't screw with them after breaking in, and you can read them in the bath :)

Dan