Quote: Originally Posted by Tekth
I read, everywhere pretty much, that I need to have the binaries on a removable read-only medium so that I can run Aide from there but not have anyone really know that it exists.
The idea behind it is that an intruder should have no clues as to what detection you run and that you will always have independent and known good means of verification.
Quote: Originally Posted by Tekth
Is it possible to maintain the current installation of Aide while performing this mobilization of Aide's associated files to separate media?
If you're using a floppy or USB stick then the only things you need to do are to copy your aide binary, aide.conf and aide.db(.gz) to your preferred medium and edit aide.conf to point it to the database there, but note that aide, if it was not compiled as a static binary, depends on system libraries which may be or become subject to unexpected alteration. If you OTOH use some bootable medium then copying over those dependencies (and busybox!) will safeguard them against alteration, but you should also adjust the mount points to check in your aide.conf, as "/" will be the root of the Live file system.
Quote: Originally Posted by Tekth
Once I have the files copied over onto a CD or something, can I just remove them from my computer's file system? Do I need to tell the file system their location has changed?
(Looking at CDROM deterioration, why not extract a Live CDROM image, adjust its contents and make your USB stick boot it using GRUB?) Yes, you can remove the files from your computer, but I'd keep the removable medium as a backup, I wouldn't alter any system paths for it, and I would only use it in case you have suspicions. Also note that if you have more than one computer, Samhain provides a client-server setup where you can store hash databases on the server (provided it's properly secured and audited regularly) and request the client's database from there if you need to run checks. Another way could be to use webjob, which can download (even over SSL) a binary, database and control file to run on a client that is not, or no longer, trusted (though note that unexpected system alteration may then still thwart operations).
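The staging procedure described in the reply above (copy the aide binary, aide.conf and aide.db(.gz) to the medium, point aide.conf at the database there, carry the shared libraries along if aide is not static, and rebase the checked paths when the medium is a Live system where "/" is no longer the checked root), written out as an added shell example. This is not code from the original post or from the AIDE project. It assumes that aide.conf uses the standard `database=file:...` and `database_out=file:...` directives, that rule lines start with `/`, `!/` or `=/`, and that the medium is mounted at the directory passed as DEST; the optional MNT argument is where the checked system will be mounted when booting from the Live medium. All names and paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post or the AIDE project.
# Assumptions: aide.conf uses "database=file:..." / "database_out=file:..."; rule lines
# start with "/", "!/" or "=/"; DEST is the mounted removable medium; MNT (optional) is
# where the checked system is mounted when running from a Live medium.

# Print the shared libraries a dynamically linked binary needs. Prints nothing for a
# static binary or when ldd is unavailable. Lines like "libfoo => not found" are skipped.
list_shared_libs() {
    ldd "$1" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// { print $3 }  $1 ~ /^\// { print $1 }'
}

# rewrite_conf SRC DST MEDIUM [MNT]
# Copy SRC to DST with the database paths pointed at MEDIUM. With MNT, also rebase the
# rule paths: "/etc R" becomes "MNT/etc R", "!/proc" becomes "!MNT/proc", and so on,
# because "/" will be the root of the Live file system, not of the system being checked.
rewrite_conf() {
    dbexpr="s|^database=file:.*|database=file:$3/aide.db.gz|;s|^database_out=file:.*|database_out=file:$3/aide.db.new.gz|"
    if [ -n "${4:-}" ]; then
        sed -e "$dbexpr" -e "s|^\([=!]\{0,1\}\)/|\1$4/|" "$1" > "$2"
    else
        sed -e "$dbexpr" "$1" > "$2"
    fi
}

# stage_aide AIDE_BIN CONF DB DEST [MNT]
# Copy the binary, database, rewritten config and any shared libraries to DEST, then
# write a SHA-256 manifest so the medium itself can be checked for alteration later.
stage_aide() {
    mkdir -p "$4/lib"
    cp "$1" "$4/aide"
    cp "$3" "$4/aide.db.gz"
    rewrite_conf "$2" "$4/aide.conf" "$4" "${5:-}"
    list_shared_libs "$1" | while read -r lib; do cp "$lib" "$4/lib/"; done
    # Keep a second copy of SHA256SUMS somewhere off the medium as well.
    ( cd "$4" && find . -type f ! -name SHA256SUMS | LC_ALL=C sort | xargs sha256sum > SHA256SUMS )
}

# verify_medium DEST: succeeds only if every staged file still matches the manifest.
verify_medium() {
    ( cd "$1" && sha256sum -c SHA256SUMS > /dev/null )
}
```

Run the staged copy with `LD_LIBRARY_PATH="$DEST/lib" "$DEST/aide" --config="$DEST/aide.conf" --check` (`--config` and `--check` are AIDE's usual options). Two caveats: `LD_LIBRARY_PATH` does not replace the dynamic loader itself, which still comes from the host, so either invoke the staged loader directly (on glibc systems `"$DEST/lib/ld-linux-x86-64.so.2" --library-path "$DEST/lib" "$DEST/aide" ...`) or build aide statically; and `ldd` runs the host's loader, so do the staging from a system you still trust, not from the one you already suspect.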