Hello! I'm a newcomer to AIDE, and I'm having difficulties evaluating the real-life benefits of configuration/database signing. I came up with these scenarios:

Scenario 1: The AIDE binary, configuration and database are on the local machine. They can be tampered with. An attacker's possible vector of attack is to change the locally launched AIDE binary, allowing him to bypass any signing protection. Signing benefits = prevents database/configuration file hacks, but only if the AIDE binary isn't hacked itself.

Scenario 2: The AIDE binary, configuration and database are on a read-only NFS share. They can't be tampered with. An attacker's only vector of attack is to change the locally launched AIDE binary, allowing him to bypass any signing protection. Signing benefits = none.

Scenario 3: Manual scanning using a read-only medium (AIDE binary, configuration and database on a CD-ROM or read-only NFS share). They can't be tampered with. An attacker's possible vector of attack is subtle rooting of the kernel. Signing benefits = none.

Scenario 4: Offline scanning (live-DVD reboot or VM HDD clone and scan). The AIDE binary, configuration and database can't be tampered with. No attacker vector of attack. Signing benefits = none.

Any input/advice would be welcome! Thanks!
_______________________________________________
Aide mailing list
[email protected]
https://www.ipi.fi/mailman/listinfo/aide
