LinuxQuestions.org
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

05-12-2008, 01:02 PM   #1
twk
Member
Registered: Feb 2002
Location: Canada
Distribution: Fedora/RHEL
Posts: 152
Question about AIDE or other file integrity checking software


Hello,

Recently I've been looking into HIDS/IPS software, and a question popped up in my mind that I hope a security pro can help me answer. If a hacker is able to modify binaries on the system, wouldn't he/she be able to:
1. disable AIDE?
2. alter the AIDE database?
3. disable the warning notification?

thanks.
 
05-12-2008, 01:33 PM   #2
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote (Originally Posted by twk):
Hello,

Recently I've been looking into HIDS/IPS software, and a question popped up in my mind that I hope a security pro can help me answer. If a hacker is able to modify binaries on the system, wouldn't he/she be able to:
1. disable AIDE?
2. alter the AIDE database?
3. disable the warning notification?

thanks.
HIDS aren't designed to help you prevent #1 or #3 (they are, after all, only intrusion detection systems, not intrusion prevention ones). That said, #2 is typically dealt with by the use of digital signatures (which allow you to know whether or not the database has been tampered with). Also, using read-only media for HIDS databases (whenever possible) is a really good idea.

Last edited by win32sux; 05-12-2008 at 01:48 PM.
 
05-12-2008, 02:03 PM   #3
twk
Member
Registered: Feb 2002
Location: Canada
Distribution: Fedora/RHEL
Posts: 152
Original Poster
Quote (Originally Posted by win32sux):
HIDS aren't designed to help you prevent #1 or #3 (they are, after all, only intrusion detection systems, not intrusion prevention ones). That said, #2 is typically dealt with by the use of digital signatures (which allow you to know whether or not the database has been tampered with). Also, using read-only media for HIDS databases (whenever possible) is a really good idea.
I understand that it can't prevent any attack. However, for example, AIDE attempts to send a report when something under /sbin gets altered, but if this hacker is any good, wouldn't he/she do #1 or #3 first? Can we actually rely on AIDE if it can be disabled that easily? Or can we say AIDE is only good at detecting non-root attacks, or for change/configuration management?
 
05-13-2008, 01:34 AM   #4
win32sux
Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote (Originally Posted by twk):
I understand that it can't prevent any attack. However, for example, AIDE attempts to send a report when something under /sbin gets altered, but if this hacker is any good, wouldn't he/she do #1 or #3 first? Can we actually rely on AIDE if it can be disabled that easily? Or can we say AIDE is only good at detecting non-root attacks, or for change/configuration management?
If he did #1 and/or #3 he might as well send us an "all your base are belong to us" email. But yes, HIDS have limitations, just like anything else. One should never rely solely on a HIDS for security. I would, however, say that HIDS can be extremely valuable when used as part of a systematic, layered approach to security. You just need to make sure you take steps to protect your HIDS. An example of this sort of thing would be to make sure you use MAC for all your services, such that even if the cracker were able to execute code as root, he'd still be unable to mess with the HIDS (or any other part of the system which is off-limits to the service he exploited).

Last edited by win32sux; 05-13-2008 at 01:40 AM.
 
05-13-2008, 05:10 PM   #5
unSpawn
Moderator
Registered: May 2001
Posts: 27,830
Next to the valuable notes on MAC (which I agree with in full), please note the difference between passive and active integrity checking software. AIDE is of the passive variety; Samhain is active. Samhain can load an LKM to detect tampering, use a central server serving Samhain databases, checksum itself, GPG-encrypt its database, hide its database with stego, etc.
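An added example (written for this page; it is not AIDE or Samhain code) that puts the points from post #2 and post #5 into working code: a minimal passive integrity checker that baselines files the way an init run does, keeps a MAC over the saved database so that editing the database (item 2 in post #1) is itself detected, and includes its own source file in the baseline, after Samhain's self-checksum. The scenario in `demo()` is constructed: two fake files under a temporary `sbin/`, a trojaned and setuid copy of one of them, and a forged database written without the key. The key is generated with `os.urandom` for the demo only; in use it would have to come from outside the host (operator input, removable media) at check time, because root on the box can read anything stored locally. A detached signature from an asymmetric scheme such as GPG, where the host holds only the public key, is the stronger choice; the HMAC here only keeps the example inside the Python standard library.

```python
"""Minimal passive file-integrity checker with a MAC-protected baseline.

Added illustration for the thread above, not AIDE or Samhain code.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile

HASH = "sha256"


def file_record(path):
    """Baseline attributes for one file: content hash, permission bits, size.
    AIDE records more (inode, owner, mtime, ...); this is the minimal set."""
    st = os.lstat(path)
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"hash": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_database(paths):
    """Initialise the baseline (what an 'init' run of a checker does)."""
    return {p: file_record(p) for p in sorted(paths)}


def encode_database(db):
    # Canonical encoding, so the MAC covers exactly the bytes that are stored.
    return json.dumps(db, sort_keys=True, separators=(",", ":")).encode()


def write_signed_database(db, key, db_path, sig_path):
    """Store the baseline plus a detached HMAC tag (stand-in for a GPG signature)."""
    body = encode_database(db)
    with open(db_path, "wb") as f:
        f.write(body)
    with open(sig_path, "w") as f:
        f.write(hmac.new(key, body, HASH).hexdigest())


def load_signed_database(key, db_path, sig_path):
    """Refuse to use a baseline whose tag does not verify. This is the step
    that turns 'alter the database' from a silent edit into a detected event."""
    with open(db_path, "rb") as f:
        body = f.read()
    with open(sig_path) as f:
        tag = f.read().strip()
    expected = hmac.new(key, body, HASH).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity database does not match its signature")
    return json.loads(body)


def compare(db):
    """Run a check against the baseline. Returns a sorted list of
    (finding, path, detail) tuples; an empty list means nothing changed."""
    findings = []
    for path, old in db.items():
        if not os.path.lexists(path):
            findings.append(("missing", path, ""))
            continue
        new = file_record(path)
        for field in ("hash", "mode", "size"):
            if old[field] != new[field]:
                findings.append(("changed", path, field))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline two fake binaries, then play the attacker
    from post #1: (a) trojan one of them, (b) rewrite the database to hide it."""
    key = os.urandom(32)  # demo only; in practice supplied from off the host
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "sbin"))
        files = [os.path.join(d, "sbin", n) for n in ("ifconfig", "init")]
        for p in files:
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original " + os.path.basename(p).encode() + b"\n")
            os.chmod(p, 0o755)
        # Self-checksum, as Samhain does: the checker's own source is monitored too.
        monitored = files + ([os.path.abspath(__file__)] if "__file__" in globals() else [])
        db_path, sig_path = os.path.join(d, "aide.db"), os.path.join(d, "aide.db.sig")
        write_signed_database(build_database(monitored), key, db_path, sig_path)

        clean = compare(load_signed_database(key, db_path, sig_path))

        # (a) Attacker modifies a monitored binary and makes it setuid.
        with open(files[0], "ab") as f:
            f.write(b"echo trojaned\n")
        os.chmod(files[0], 0o4755)
        after_tamper = compare(load_signed_database(key, db_path, sig_path))

        # (b) Attacker without the key re-baselines the trojaned file into the DB.
        with open(db_path, "wb") as f:
            f.write(encode_database(build_database(monitored)))
        try:
            load_signed_database(key, db_path, sig_path)
            db_forgery_detected = False
        except ValueError:
            db_forgery_detected = True
    return {"clean": clean, "after_tamper": after_tamper,
            "db_forgery_detected": db_forgery_detected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it as a script to see the clean check, the three findings (hash, mode, size) for the modified binary, and the rejection of the forged database. What it cannot do is the thread's real point: if the attacker removes the checker, its cron entry or the mail path (items 1 and 3), nothing is left to raise the alarm, which is why win32sux suggests read-only media and MAC, and unSpawn points to an active checker with an off-host database.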
 
05-13-2008, 08:21 PM   #6
twk
Member
Registered: Feb 2002
Location: Canada
Distribution: Fedora/RHEL
Posts: 152
Original Poster
Thanks (win32sux & unSpawn) for your explanation.
 
  

