Thread: [Aide-devel] docs about extra configure options
From: <tem...@ip...> - 2004-01-01 21:28:41
> Is there any documentation available on how to use the following ./configure options?
> --with-confighmactype=TYPE
> --with-confighmackey=KEY
> --with-dbhmactype=TYPE
> --with-dbhmackey=KEY
> --enable-forced_configmd
> --enable-forced_dbmd

These are related to checking whether the configuration file and the database file were created by a certain aide binary.

The principle is simple. In configure you specify which hash function you wish to use for "signing" the (config or db) file (--with-confighmactype and --with-dbhmactype). One example of a supported mactype (and the only one I know) is md5.

There is a seed value that is used by the md5 algorithm. There is a default value (which I don't remember) that is normally used with md5sum. But that default can be changed. And in the case of config/database checksums, you specify the key by using --with-dbhmackey and --with-confighmackey when running the configure script. If I remember correctly, these keys are base64 encoded.

This is a very useful concept if you have a centralized environment in which to run aide. You have aide installed locally on your hosts. You connect to aide by using some mechanism and feed it the configuration file. Aide checks the "signature" of the configuration file before continuing (if an attacker gets a way to connect to aide, he cannot get a valid database out of it). When aide has finished running and the database has been moved to the central host, the central host can check that the database originates from a binary you have compiled yourself (--enable-forced_dbmd and aide --compare for generating the report).

These keys will be hardwired into the aide binary. Sure, it's possible to get the keys out of the binary and put them into a fake version of aide which wouldn't report all changes in the filesystem.

Then there is the replay attack: you could always export the same db. This can be circumvented too. There is an option that you can use to include some specific string in the config that will appear in the database too. After you have checked that the database checksum is ok, you can check whether the randomly inserted string appears in the database too. I don't remember the option for this feature.

> -initial_errors_to=URL

This I can't remember what it is. Maybe someone else does?

> They seem rather interesting, but i'd like to know how to use/configure them.

Here are the things I remember about this.

-- 
Osmo Paananen
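The central-host workflow Osmo describes above (a config file the local binary accepts only with a valid keyed MAC, a database the central host accepts only with a valid keyed MAC, and a per-run random string that defeats replaying an old database) as an added example written for this page; it is not AIDE's own code and does not show AIDE's real file format or option names. The trailing `@@mac` line, the `run_token=` directive, the base64 keys and the scan entries are all assumptions made for the illustration, and the MAC is HMAC-SHA256 rather than the md5 mactype mentioned in the post.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed on-disk format for this illustration (not AIDE's real format):
# the last line of a signed file is "@@mac <hexdigest>" and the digest
# covers every byte before that line.
MAC_PREFIX = b"@@mac "
# Assumed config directive carrying the per-run random string.
TOKEN_DIRECTIVE = b"run_token="
# The post mentions md5 as a mactype; sha256 is the choice to make today.
MACTYPE = "sha256"


def decode_key(b64key: str) -> bytes:
    """The thread says the configure-time keys are base64 encoded; decode once."""
    return base64.b64decode(b64key)


def compute_mac(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, getattr(hashlib, MACTYPE)).hexdigest()


def sign(body: bytes, key: bytes) -> bytes:
    if not body.endswith(b"\n"):
        body += b"\n"
    return body + MAC_PREFIX + compute_mac(body, key).encode() + b"\n"


def verify(signed: bytes, key: bytes) -> bytes:
    """Return the body if the trailing MAC is valid; raise otherwise.
    This is the 'forced' behaviour: an unsigned or altered file is refused."""
    lines = signed.splitlines(keepends=True)
    if not lines or not lines[-1].startswith(MAC_PREFIX):
        raise ValueError("no MAC line: file was not produced by a signing binary")
    body = b"".join(lines[:-1])
    claimed = lines[-1][len(MAC_PREFIX):].strip().decode()
    if not hmac.compare_digest(claimed, compute_mac(body, key)):
        raise ValueError("MAC mismatch: file altered or signed with another key")
    return body


def issue_config(base_config: bytes, config_key: bytes) -> tuple:
    """Central host: append a fresh random token to the config and sign it."""
    token = secrets.token_hex(16)
    cfg = base_config.rstrip(b"\n") + b"\n" + TOKEN_DIRECTIVE + token.encode() + b"\n"
    return sign(cfg, config_key), token


def extract_token(body: bytes) -> str:
    for line in body.splitlines():
        if line.startswith(TOKEN_DIRECTIVE):
            return line[len(TOKEN_DIRECTIVE):].decode()
    raise ValueError("config carries no run_token")


def agent_run(signed_config: bytes, config_key: bytes, db_key: bytes, entries: dict) -> bytes:
    """Host side: refuse an unverified config, then emit a signed database that
    carries the config's token. `entries` stands in for the filesystem scan."""
    body = verify(signed_config, config_key)
    token = extract_token(body)
    db_lines = [b"# " + TOKEN_DIRECTIVE + token.encode()]
    for path, digest in sorted(entries.items()):
        db_lines.append(f"{path} {digest}".encode())
    return sign(b"\n".join(db_lines) + b"\n", db_key)


def central_check(signed_db: bytes, db_key: bytes, expected_token: str) -> dict:
    """Central host: the MAC proves our own binary wrote the database; the token
    proves it is the database from the run we requested, not an old one replayed."""
    result = {"mac_ok": False, "fresh": False}
    try:
        body = verify(signed_db, db_key)
    except ValueError:
        return result
    result["mac_ok"] = True
    prefix = b"# " + TOKEN_DIRECTIVE
    header = body.splitlines()[0]
    if header.startswith(prefix):
        result["fresh"] = hmac.compare_digest(header[len(prefix):].decode(), expected_token)
    return result


def demo() -> dict:
    # Constructed keys and scan results; nothing here comes from a real system.
    cfg_key = decode_key(base64.b64encode(b"config-key-baked-into-binary").decode())
    db_key = decode_key(base64.b64encode(b"db-key-baked-into-binary").decode())
    base = b"database_out=file:/var/lib/aide/aide.db.new\n/etc R\n"
    scan = {"/etc/passwd": "d41d8cd9", "/etc/shadow": "9e107d9d"}

    signed_cfg, token = issue_config(base, cfg_key)
    db1 = agent_run(signed_cfg, cfg_key, db_key, scan)
    out = {"first_run": central_check(db1, db_key, token)}

    # Second run gets a new token; replaying db1 passes the MAC but not freshness.
    signed_cfg2, token2 = issue_config(base, cfg_key)
    out["replayed_old_db"] = central_check(db1, db_key, token2)

    # Config edited in transit (the /etc rule dropped) is refused by the agent.
    try:
        agent_run(signed_cfg.replace(b"/etc R\n", b""), cfg_key, db_key, scan)
        out["tampered_config_rejected"] = False
    except ValueError:
        out["tampered_config_rejected"] = True

    # A database from a binary built with another key never passes the MAC check.
    fake_db = agent_run(signed_cfg2, cfg_key, b"attacker-key", scan)
    out["foreign_db"] = central_check(fake_db, db_key, token2)
    return out
```

The keys live in the "binary" here only as constants, which is the same weakness Osmo points out: anyone who can read the host's binary can extract them and sign whatever they like, so the MAC establishes provenance against a remote attacker who cannot read the binary, not against root on the host. The token check is what turns a valid-but-old database into a detectable replay.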
From: Rami L. <Ram...@fi...> - 2004-01-07 09:26:23
tem...@ip... (Osmo Paananen) writes:

> Then there is the replay attack, you could always export the same
> db. This can be circumvented too. There is an option that you can use
> to include some specific string in config that will appear in the
> database too. After you have checked that the database checksum is
> ok, you can check whether the randomly inserted string appears in the
> database too.
>
> I don't remember the option for this feature.

I don't either.

Odie (AKA Osmo Paananen): Are you sure we implemented this one in aide or was it in your own scripts?

>> -initial_errors_to=URL
>
> This I can't remember what it is. Maybe someone else does?

This tells aide where to put errors that are generated during the time when the config is read and no output url is yet defined.

Rami
-- 
AIDE - Advanced Intrusion Detection Environment
From: <tem...@ip...> - 2004-01-08 20:09:41
On Wed, Jan 07, 2004 at 11:29:12AM +0200, Rami Lehti wrote:
>> Then there is the replay attack, you could always export the same
>> db. This can be circumvented too. There is an option that you can use
>> to include some specific string in config that will appear in the
>> database too. After you have checked that the database checksum is
>> ok, you can check whether the randomly inserted string appears in the
>> database too.
>> I don't remember the option for this feature.
> I don't either.
> Odie (AKA Osmo Paananen): Are you sure we implemented this one in aide or
> was it in your own scripts?

At least I know that I didn't implement this. I have never tested this either, so I'm not sure how it is implemented. It might be that we thought that the date would be sufficient for this?