Ok, I saw the gpg checking stuff in the contribs for AIDE but I don't like them. Having an encrypted database is well enough, and important I think, but the problem is that using --batch with gpg you can't provide a passphrase, so it looks like you need to have an empty passphrase which, ultimately, offers no protection since the aide.db should be 0700 and owned by root, no one should be able to sneak a peek unless they're root and if they're root already, using gpg to cover their tracks and/or decrypt, modify, encrypt the db is trivial.
Although having encryption is good, I think more important is data *validation*; i.e. to make sure the db you have is the db you think you have. For that, you don't need it to be encrypted, you just need to have a signature for it, something we can do with gpg too. Unlike encrypting, this way you can secure your key with a passphrase and verify the signature without needing the passphrase, so you can have a daily cron check. You just have to make sure you verify the sig before you run aide --check.

I've written two scripts. The first is /etc/cron.daily/aide which runs a check every day. It verifies the signature first if one exists (note that with these scripts you can use them *without* using gpg if you really want). The second script updates the database.

A few caveats are required for this... I have set both my database and database_out files to the same url, namely /var/lib/aide/aide.db. This causes a warning on a check, but doesn't hurt because in aideupdate I use -B to set the database file to the recently rotated/copied database (on each update, the current aide.db gets moved to aide-hostname-date.db and gets compressed after the update). The aideupdate script also can use gpg to create the detached signature and verifies it before doing the update. (This was where the issue I raised earlier about the warning on database vs. database_out came from.)

Salt to taste and feel free to include them in the contrib part of the aide package if you like. FWIW, I'm looking to replace tripwire with AIDE in my Linux distro Annvix (http://annvix.org) which is a secure Linux distro. That's a) why I'm spamming you and b) why I have so many questions (trying to build a decent default aide.conf file to ship in the package). Thanks very much for the work on AIDE, I'm really starting to like it, although changing the output a bit to make it a little easier to read would be good (I have a patch for this, but for some reason it isn't doing what I want... not quite sure why).

Anyways, these are the scripts that will be shipping in the Annvix aide package (they may evolve a bit yet as I keep fiddling, but I think they're basically complete for the most part right now).

--
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
/etc/cron.daily/aide:

#!/bin/bash
# daily AIDE integrity check; verifies the detached GPG signature on the
# database first (if one exists) so a tampered aide.db is never used.
# bash rather than sh: pushd/popd are bash builtins.

hostname=$(uname -n)

echo "AIDE integrity check for ${hostname} beginning ($(date))"
echo ""

if [ ! -e /var/lib/aide/aide.db ]; then
    echo "**** Error: AIDE database for ${hostname} not found."
    echo "**** Run 'aide --init' and move the appropriate database file."
else
    if [ -f /etc/aide.conf ]; then
        if [ -f /var/lib/aide/aide.db.sig ]; then
            pushd /var/lib/aide >/dev/null
            echo "Verifying the GPG signature on the database..."
            echo ""
            gpg --verify aide.db.sig
            # save gpg's status before the next echo overwrites $?; gpg exits
            # non-zero (not necessarily 1) on any verification failure
            rc=$?
            echo ""
            if [ "${rc}" -ne 0 ]; then
                echo "************************************************************"
                echo "GPG signature FAILED! Your database has been tampered with!"
                echo "************************************************************"
                exit 1
            fi
            popd >/dev/null
        fi
        # run the check at the lowest scheduling priority
        nice -20 /usr/sbin/aide --check 2>/dev/null
    fi
fi

exit 0
aideupdate:

#!/bin/bash
#
# script to update and rotate the AIDE database files and, optionally,
# create a detached GPG signature to verify the database file
# (bash rather than sh: uses pushd/popd and [[ ]])
#
# written by Vincent Danen <vdanen-at-annvix.org> 01/21/2006

# sign only if root has a secret keyring (GnuPG 1.x keyring layout)
usegpg=0
if [ -f /root/.gnupg/secring.gpg ]; then
    usegpg=1
fi

if [ ! -d /var/lib/aide ]; then
    echo "The AIDE database directory /var/lib/aide does not exist!"
    exit 1
fi

pushd /var/lib/aide >/dev/null

# copy the old database
if [ -f aide.db ]; then
    newfile="aide-$(hostname)-$(date +%Y%m%d-%H%M%S).db"
    if [ "${usegpg}" = 1 ] && [ -f aide.db.sig ]; then
        # do an integrity check before trusting the current database
        gpg --verify aide.db.sig
        if [ $? -ne 0 ]; then
            echo "************************************************************"
            echo "GPG signature FAILED! Your database has been tampered with!"
            echo "************************************************************"
            exit 1
        fi
    fi
    cp -av aide.db "${newfile}"
    # -B overrides 'database' so the rotated copy is compared against and the
    # new database is written to database_out (/var/lib/aide/aide.db); aide
    # exits non-zero whenever it finds differences, so its status is not checked
    /usr/sbin/aide --update -B "database=file:/var/lib/aide/${newfile}"
    if [ "${usegpg}" = 1 ]; then
        # create the signature file (gpg writes aide.db.sig next to aide.db)
        [[ -f aide.db.sig ]] && rm -f aide.db.sig
        gpg --detach-sign aide.db
        if [ $? -ne 0 ]; then
            echo "FATAL: Error occurred when creating the signature file!"
            exit 1
        fi
    fi
    gzip -9f "${newfile}"
else
    echo "The AIDE database does not exist, can't update!"
    exit 1
fi

popd >/dev/null
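An added example, not part of the post or of AIDE, of a sturdier way to make the "verify the sig before you run aide --check" decision than testing `"$?" == "1"`: read gpg's machine-readable `--status-fd` lines and accept only a VALIDSIG from one expected key fingerprint, so a signature from any other key that happens to be in root's keyring is rejected too. The fingerprint and status lines below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a detached
# signature check passed by parsing gpg's status lines, which are produced by
# "gpg --status-fd 1 --verify aide.db.sig aide.db" and look like
# "[GNUPG:] VALIDSIG <fingerprint> <date> ...". Testing "$?" == 1 instead
# misses gpg's other non-zero exit codes and is clobbered by an intervening echo.

# Return 0 only if gpg reported VALIDSIG for exactly the expected fingerprint
# (the signing key's or subkey's fingerprint, given as $1; stdin carries the
# status lines) and never reported BADSIG, ERRSIG, NODATA, EXPKEYSIG or REVKEYSIG.
check_gpg_status() {
    expected_fpr="$1"
    valid=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $expected_fpr "*) valid=1 ;;
            "[GNUPG:] VALIDSIG "*) bad=1 ;;   # valid, but signed by some other key
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*) bad=1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# What the cron job would call: $1 is the database path, $2 the expected
# fingerprint. Status lines go to stdout (fd 1); gpg's human-readable
# output stays on stderr and is discarded here.
verify_aide_db() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | check_gpg_status "$2"
}
```

A cron job would then run `verify_aide_db /var/lib/aide/aide.db "$FPR" || exit 1` before `aide --check`, with FPR set to the fingerprint of the key used for `gpg --detach-sign`.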
Aide mailing list: Aide@cs.tut.fi, https://mailman.cs.tut.fi/mailman/listinfo/aide