On Thu, Mar 29, 2001 at 01:04:47PM -0600, Kenneth Pronovici wrote:
> Another option would be to not store the AIDE configuration file anywhere
> that the cracker could see it. Without that configuration file, the
> cracker would have no way to generate a valid, substitute list of
> checksums. This is less workable, because that configuration file would
> have to be "unhidden" every time AIDE needed to run, making a cron-based
> schedule more difficult.
Well, if the cracker is really good, you can't trust anything less than a boot from physically secure media (and one that doesn't trust anything on the system that's not physically secured) to run the scan anyway. :-( As you say, the scan's config has to be visible to him, so even if you ship the results off to another box for comparison with the "known good" signatures, all he has to do is install a fake scan program. This answers against nearly all checks less intrusive than a secure boot. Luckily, most crackers aren't capable of such subtlety... and so keeping the checklist on write-protected media is a reasonable approach. But security is a process, not a cron job. ;-)
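The mechanics the thread is arguing about, as an added example that is not part of the original exchange and is not AIDE's own code: a toy integrity checker builds a baseline manifest (per-file SHA-256, size and mode), seals it with an HMAC whose key is assumed to live off the monitored host, and on the next scan reports added, removed and changed files. The sealed manifest stands in for the "known good" list kept on write-protected or remote media: a substituted list fails the tag check because the key was never on the box. The directory tree, file contents, key and the tampering steps in `demo()` are all constructed for the demonstration. It does not address the thread's harder point, a replaced scanner binary; that is exactly what a boot from trusted media is for.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example: a minimal file-integrity checker in the spirit of AIDE, not
# AIDE's own code. The baseline is a JSON manifest of per-file SHA-256, size
# and mode; an HMAC key assumed to be kept OFF the monitored host seals the
# manifest so a substituted checksum list is detected at comparison time.


def file_record(path: Path) -> dict:
    """Hash one regular file and record the attributes we care about."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_manifest(root: str) -> dict:
    """Walk `root` and return {relative_posix_path: record} for each regular file."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            manifest[p.relative_to(root_path).as_posix()] = file_record(p)
    return manifest


def seal_manifest(manifest: dict, key: bytes) -> bytes:
    """Serialise deterministically and append an HMAC-SHA256 tag."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_manifest(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the list; raise on any mismatch."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("manifest tag mismatch: baseline altered or wrong key")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> dict:
    """Report which files were added, removed or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a tree, alter it, re-scan and compare."""
    key = b"constructed-demo-key-assumed-to-live-off-the-host"
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "bin").mkdir()
        (Path(tmp) / "bin" / "ls").write_bytes(b"original ls binary")
        (Path(tmp) / "etc").mkdir()
        (Path(tmp) / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        sealed = seal_manifest(build_manifest(tmp), key)  # the "known good" list

        # Constructed post-intrusion state: modified binary, new file, deleted file.
        (Path(tmp) / "bin" / "ls").write_bytes(b"modified ls binary")
        (Path(tmp) / "bin" / "extra").write_bytes(b"unexpected")
        (Path(tmp) / "etc" / "passwd").unlink()

        report = compare(open_manifest(sealed, key), build_manifest(tmp))

        # A substituted manifest matching the altered tree still fails the tag
        # check, because the sealing key never lived on the monitored host.
        forged = seal_manifest(build_manifest(tmp), b"some-other-key")
        try:
            open_manifest(forged, key)
            report["forgery_detected"] = False
        except ValueError:
            report["forgery_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the sealed manifest and the key would be written to read-only or remote storage and the comparison run from a trusted environment; the checker here only shows what that comparison and tag check look like.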