Thread: [Aide-devel] Signing configs with --enable-forced_configmd
From: Richard v. d. B. <ri...@vd...> - 2006-03-31 14:02:44
I just tested config/database signing with aide for the first time. It all seems to work ok, except I have a question about signing aide.conf in combination with --enable-forced_configmd. Is the idea to sign the config with an executable without --enable-forced_configmd, and then use this config with executables that have --enable-forced_configmd enabled?

The same question was asked in https://mailman.cs.tut.fi/pipermail/aide/2005-January/000069.html

I'll try to add this to the documentation soon.

Sincerely,

Richard van den Berg
From: Osmo P. <od...@cs...> - 2006-03-31 15:21:48
Hi!

The idea behind signing configuration is (if my memory serves me correctly): to prevent someone modifying the configuration file to hide some changes. So you would sign the configuration file on another environment (not where you generate the database). For this to have any effect at all, the machine generating the database must have --enable-forced-configmd. I think that the config can't be signed if the forced signing is used.

Database signature is meant to do the reverse; to make it harder for the attacker to change the aide binary at the remote host.

Some time has passed since I worked with these options... Did this offer any clarification?

On Fri, 2006-03-31 at 16:02 +0200, Richard van den Berg wrote:
> I just tested config/database signing with aide for the first time. It
> all seems to work ok, except I have a question about signing aide.conf
> in combination with --enable-forced_configmd. Is the idea to sign the
> config with an executable without --enable-forced_configmd, and then use
> this config with executables that have --enable-forced_configmd enabled?
>
> The same question was asked in
> https://mailman.cs.tut.fi/pipermail/aide/2005-January/000069.html
>
> I'll try to add this to the documentation soon.
>
> Sincerely,
>
> Richard van den Berg
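The trust split Osmo describes, as an added example that is not AIDE's own code nor anything from this thread: the digest of the reviewed config is pinned on a trusted host, and the monitored host refuses to hand aide a config whose digest differs, which is the check --enable-forced_configmd is meant to make mandatory. The script models that check in a wrapper outside the binary; the config contents, file names and the stand-in for the aide binary are assumptions, and it assumes sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example, not AIDE's code: models signing the config on a trusted host
# and enforcing the pinned digest on the monitored host.

# Portable SHA-256 of a file (assumes sha256sum or shasum exists).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed sample config standing in for a reviewed aide.conf.
write_sample_config() {
    printf 'database=file:/var/lib/aide/aide.db\n/etc p+i+u+g+sha1\n' > "$1"
}

# Trusted host: record the digest in a file kept apart from the config.
pin_config_md() {   # $1 = config path, $2 = pinned-digest file
    file_sha256 "$1" > "$2"
}

# Monitored host: 0 when the config matches its pinned digest, 1 otherwise.
check_config_md() { # $1 = config path, $2 = pinned-digest file
    [ "$(file_sha256 "$1")" = "$(cat "$2")" ]
}

# Wrapper that only runs aide after the digest check passes.
# AIDE_BIN defaults to "true" so the example runs without aide installed (assumption).
run_aide_checked() { # $1 = config path, $2 = pinned-digest file
    check_config_md "$1" "$2" || { echo "config digest mismatch, refusing to run" >&2; return 1; }
    "${AIDE_BIN:-true}" --check --config="$1"
}

main() {
    tmp=$(mktemp -d)
    write_sample_config "$tmp/aide.conf"
    pin_config_md "$tmp/aide.conf" "$tmp/aide.conf.sha256"
    run_aide_checked "$tmp/aide.conf" "$tmp/aide.conf.sha256" && echo "config accepted"
    # Editing the config after pinning (here: stop watching /etc) changes the digest.
    printf '!/etc\n' >> "$tmp/aide.conf"
    run_aide_checked "$tmp/aide.conf" "$tmp/aide.conf.sha256" || echo "tampered config rejected"
    rm -rf "$tmp"
}

main
```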
From: Richard v. d. B. <ri...@vd...> - 2006-03-31 15:44:17
Osmo Paananen wrote:
> Some time has passed since I worked with these options... Did this offer
> any clarification?

It confirmed my own thought on how it should work, thanks. I wrote a paragraph for the manual and man page. I'll commit them to CVS when the SF CVS servers are back online.

Sincerely,

Richard van den Berg
From: Pablo V. <pa...@ip...> - 2006-04-03 07:46:17
On Fri, 31 Mar 2006, Osmo Paananen wrote:
> Hi!
>
> The idea behind signing configuration is (if my memory serves me
> correctly): to prevent someone modifying the configuration file to hide
> some changes.

If I remember correctly, this feature was requested by some company? (Was there some money involved? If so, were there some issues about releasing the code? I think that the company owns the code for signing, but we weren't allowed to mention the name of the company nor to document the feature. So I'm sorry that I cannot comment about usage or documentation of this feature.)

Pablo Virolainen