[Aide-devel] Support for remote database
From: Jonathan B. <jbe...@ci...> - 2017-01-06 21:02:27
Hey guys, we're looking at the possibility of using AIDE in a commercial project. Lots of variables and uncertainties here, but I'm hopeful. I'm specifically wondering one thing about the code base. Is there support for running AIDE in a server/client deployment?

What I have in mind is a situation where the database of hashes (and all the other data AIDE supports) is stored on a "control" machine. This machine would work as the server. On the client, the monitored machine, AIDE would collect data as normal, but instead of comparing that data against a local database, the hashes and the rest of the data would be sent over the network to the server machine. The server would then compare the received hashes to the known good values in the database.

The advantage I see is that this arrangement would harden AIDE against a rootkit that is designed to subvert AIDE itself. If the binary hashes are not stored on the monitored machine at all, then it would be significantly more difficult for an attacker to spoof the correct hashes.

In my limited research into the AIDE source, I haven't seen any discussion of this style of deployment, so I'm guessing it is not present in the code. If the project we're working on comes to fruition, my hope is that we can write the code needed for a server/client deployment, and push this feature into the upstream AIDE code. AKA, we get how the GPL is supposed to work.

I wanted to touch base with you guys early, to get any feedback you have on the idea.

--Jonathan Bennett
Cipherdyne, Inc
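The split described in the post, as an added example that is neither code from the original message nor from AIDE: the monitored host collects per-file attributes (SHA-256, size, mode) and ships them as a MAC'd report, and the control host holds the baseline and does the comparison. The report format (JSON), the HMAC-SHA256 with a shared key, the constructed tree under a temporary directory, and every function name are assumptions made for the example. One caveat the example makes visible: the hashing code still executes on the monitored host, so a rootkit that hooks file reads can feed it clean bytes; moving the database off-box only removes the attacker's ability to rewrite the expected values, not to lie about the observed ones.

```python
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def client_collect(root):
    """Monitored host: walk `root` and record hash, size and mode per file.
    Runs on the (possibly compromised) host, so its inputs can be lied to."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            report[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return report


def client_send(report, key):
    """Serialise the report and attach an HMAC (assumed shared key) so the
    server can reject reports forged or altered on the wire."""
    body = json.dumps(report, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def server_verify(body, tag, key):
    """Control host: constant-time MAC check, then parse the report."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("report MAC does not verify")
    return json.loads(body)


def server_compare(baseline, report):
    """Control host: diff the received report against the stored baseline.
    The baseline never leaves this host, which is the point of the design."""
    changed = {}
    added = sorted(set(report) - set(baseline))
    removed = sorted(set(baseline) - set(report))
    for rel in sorted(set(baseline) & set(report)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != report[rel].get(k)]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: init a baseline, tamper with the tree, re-scan."""
    key = b"constructed-shared-secret"  # assumption: provisioned out of band
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls")
        with open(os.path.join(root, "etc_passwd"), "wb") as f:
            f.write(b"root:x:0:0")

        # --init equivalent: the server stores this, the client keeps nothing.
        baseline = client_collect(root)

        # Attacker replaces a binary (same size) and drops a new file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"evil")

        # --check equivalent: client scans and sends, server verifies and diffs.
        body, tag = client_send(client_collect(root), key)
        result = server_compare(baseline, server_verify(body, tag, key))
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the replacement binary was written with the same length, the size and mode match and only the hash differs, which is why the server still needs a strong digest rather than metadata alone; the added file shows up regardless of its contents.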