Re: [Aide-devel] Signing configs with --enable-forced_configmd
From: Osmo P. <od...@cs...> - 2006-03-31 15:21:48
Hi!

The idea behind signing configuration is (if my memory serves me correctly): to prevent someone modifying the configuration file to hide some changes. So you would sign the configuration file on another environment (not where you generate the database). For this to have any effect at all, the machine generating database must have --enable-forced-configmd. I think that the config can't be signed if the forced signing is used.

Database signature is meant to do the reverse; to make it harder for the attacker to change aide binary at the remote host.

Some time has passed since I worked with these options... Did this offer any clarification?

On Fri, 2006-03-31 at 16:02 +0200, Richard van den Berg wrote:
> I just tested config/database signing with aide for the first time. It
> all seems to work ok, except I have a question about signing aide.conf
> in combination with --enable-forced_configmd. Is the idea to sign the
> config with an executable without --enable-forced_configmd, and then use
> this config with executables that have --enable-forced_configmd enabled?
>
> The same question was asked in
> https://mailman.cs.tut.fi/pipermail/aide/2005-January/000069.html
>
> I'll try to add this to the documentation soon.
>
> Sincerely,
>
> Richard van den Berg