> Ok with that said, how feasible is it for a cracker to install their
> rootkit, and mimic the checksummed files to match the contents of the
> floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> remount it to his/her pseudo check sums?
>
> I'm probably missing the howto detail where the alert is generated before
> rootkit is installed.
That is something that I hadn't considered. The cracker could potentially unmount /var/lib/aide/ro (where I have the floppy containing the AIDE checksums mounted) and place in that directory a newly-generated list of checksums, which AIDE would read the next time it runs. When I got the report in my inbox, it would look like everything is fine. IMHO, definitely a hole that's there regardless of whether I use a RO floppy or a CD-R.

I see two ways to get around this: one solution is for me to GPG-sign the AIDE checksum list when I create it. Then I could check the signature in my script that runs AIDE, and I would know that it was me who created it. This would be more like what Tripwire's latest release does.

Another option would be to not store the AIDE configuration file anywhere that the cracker could see it. Without that configuration file, the cracker would have no way to generate a valid, substitute list of checksums. This is less workable, because that configuration file would have to be "unhidden" every time AIDE needed to run, making a cron-based schedule more difficult.

KEN

-- 
Kenneth J. Pronovici <[EMAIL PROTECTED]>
Personal Homepage: http://www.skyjammer.com/~pronovic/
"The phrase, 'Happy as a clam' has never really held much meaning for me."
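The first option above (sign the database when it is created, verify the signature in the script that runs AIDE, and refuse to run if the check fails) looks like the following as an added example. This is not code from the original post or from the AIDE project; the paths under /var/lib/aide/ro, the keyring location /etc/aide/signer.gpg, the AIDE_CMD variable and the function names are all assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the original post or from AIDE): run an AIDE check
# only when the checksum database carries a good detached GPG signature.
# All paths, the keyring location and AIDE_CMD are assumptions for this example.

AIDE_DB="${AIDE_DB:-/var/lib/aide/ro/aide.db}"        # database on the read-only media
AIDE_SIG="${AIDE_SIG:-$AIDE_DB.sig}"                  # detached signature made when the db was built
AIDE_KEYRING="${AIDE_KEYRING:-/etc/aide/signer.gpg}"  # keyring holding ONLY the admin's public key
AIDE_CMD="${AIDE_CMD:-aide --check}"                  # what to run once the database is trusted

# Create the detached signature right after generating a new database.
# Done by the admin with their own key; the private key never lives on the host.
sign_aide_db() {
  db="$1"; sig="$2"
  gpg --batch --yes --detach-sign --output "$sig" "$db"
}

# Return 0 only if $sig is a good signature over $db by a key in $keyring.
# A missing file is reported as 2 and treated as a failure, never as "skip".
verify_aide_db() {
  db="$1"; sig="$2"; keyring="$3"
  [ -f "$db" ]      || { echo "verify: database $db missing" >&2; return 2; }
  [ -f "$sig" ]     || { echo "verify: signature $sig missing" >&2; return 2; }
  [ -f "$keyring" ] || { echo "verify: keyring $keyring missing" >&2; return 2; }
  # The keyring is dedicated to the one signing key, so any key that validates
  # is by construction the one we chose; that is why --trust-model always is ok.
  # gpg's own messages are left on stderr so they end up in the cron mail.
  gpg --batch --no-default-keyring --keyring "$keyring" --trust-model always \
      --verify "$sig" "$db" >/dev/null
}

# Run AIDE only after the database passes verification; otherwise alert and stop.
run_aide_checked() {
  if verify_aide_db "$AIDE_DB" "$AIDE_SIG" "$AIDE_KEYRING"; then
    echo "aide database signature OK, running: $AIDE_CMD" >&2
    $AIDE_CMD   # intentionally unquoted so "aide --check" splits into words
  else
    echo "ALERT: AIDE database signature check FAILED; AIDE was NOT run" >&2
    return 1
  fi
}

# Only act when invoked as a script with --run (e.g. from cron), so the
# functions above can also be sourced and exercised on their own.
if [ "${1:-}" = "--run" ]; then
  run_aide_checked
fi
```

Two things worth noting about the design: the check fails closed (a missing signature or keyring is an alert, not a pass), and the keyring contains nothing but the signing key, so a substituted database signed with some other key will not verify. What this does not solve is an attacker with root editing this script or the keyring itself, which is the same class of problem the message raises for the floppy; the script and keyring therefore belong on the same read-only media as the database.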

