On Sat, Dec 31, 2016 at 05:28:14AM -0800, [email protected] wrote:
> Hello everyone,
>
> I have been giving GuixSD some thought as the holidays pass and I had a
> question I wanted to ask. During a recent scare with a computer on my LAN
> being compromised (a Windows system), I've been giving thought to some
> issues with securing desktops, and one of those is file integrity wrt
> unsolicited/undesired modification. Naturally (which may point out my
> general inexperience with this kind of thing) I thought of things like
> AIDE and Tripwire, and gave some thought to how such systems (which are
> hash-based, iirc) could possibly be useful to help recover a system from
> a break-in (given the hash records aren't available locally), which
> brings us back to one of GuixSD's goals of deterministic builds.
>
> I seem to recall that there was some goal to be able to check each
> other's builds by comparing hashes of builds via some currently unknown
> method (I think GNUnet was going to be the transport medium, but I'm not
> entirely sure if that was a serious plan or what), and while that is
> certainly interesting for checking to make sure a build completed
> properly or that a build is in fact deterministic (and, by extension,
> that there isn't an obscure bug in someone's CPU ala the Pentium floating
> point bug from ages past), I had given some thought about all of this in
> relation to IDSs. Has anyone given any thought to possibly compiling and
> distributing a checksum list ala AIDE (GPLed, fwiw) or Tripwire (GPL as
> well) for use with GuixSD systems? While this certainly isn't a complete
> solution for an IDS (in fact, I haven't even looked yet to see how
> feasible this is with the aforementioned software; this is more a
> thought experiment than anything), it feels like it might be something
> useful, which is why I'm mentioning it here.
Yes, you can do a challenge build. Not all builds are fully deterministic
yet, so there will be conflicts.

I use guix publish on a server, so I can compare the stores on two
machines, which ought to be identical. That is a pretty fast way to do it,
provided they are not both compromised ;)

At the moment we don't store hashes in a database for the contents of a
build tree. I think it is a good idea to have the option to create a
tripwire-like database at build/install time, almost for free, provided
the user moves that database off-site for later (fast) comparisons. It can
actually speed up challenge builds.

I used to run tripwire a lot, but somehow have become confident in my
security setup (rightly or wrongly so). At least with Guix I know I can
quickly rebuild a new system that behaves like the compromised one. That
makes me happy.

Pj.
--
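For readers wanting to try the "tripwire-like database, moved off-site" idea from the reply above, here is an added example (not from the thread, not Guix's own tooling): a snapshot of per-file SHA-256 hashes for a directory tree, such as /gnu/store on a GuixSD system, and a later check that reports modified, missing and added files. It assumes GNU coreutils (sha256sum, comm) and find; the tree and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example: minimal tripwire-style integrity database for a directory
# tree. Assumes GNU coreutils (sha256sum, comm, cut) and find. The database
# must be kept off-site (or on read-only media); a compromised host could
# otherwise rewrite it to match the tampered tree.

# Write "<sha256>  <relative path>" for every regular file under $1 into $2,
# sorted by path so two databases of identical trees compare byte-for-byte.
make_integrity_db() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# Compare tree $1 against database $2. Prints one line per change:
# "MODIFIED path", "MISSING path" or "ADDED path".
# Returns 0 when the tree matches the database, 1 otherwise.
check_integrity_db() {
    dir=$1; db=$2
    # sha256sum -c reports changed content ("FAILED") and files that no
    # longer exist ("FAILED open or read"); --quiet drops the OK lines.
    report=$( ( cd "$dir" && sha256sum --quiet -c "$db" 2>/dev/null ) \
        | sed -n 's/^\(.*\): FAILED open or read$/MISSING \1/p; s/^\(.*\): FAILED$/MODIFIED \1/p' )
    # Files present in the tree but absent from the database: the hash is
    # 64 hex chars plus two spaces, so the path starts at column 67.
    tmp=$(mktemp -d)
    cut -c67- "$db" | LC_ALL=C sort > "$tmp/db"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$tmp/now"
    added=$(LC_ALL=C comm -13 "$tmp/db" "$tmp/now" | sed 's/^/ADDED /')
    rm -rf "$tmp"
    printf '%s\n' "$report" "$added" | sed '/^$/d'
    [ -z "$report$added" ]
}

# Demonstration on a constructed tree: take the baseline, simulate a
# tampered host (one file changed, one removed, one unexpected file added),
# then run the check. Returns the check's status (1 here, since changes exist).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin"
    printf 'original program\n' > "$work/tree/bin/prog"
    printf 'some config\n'      > "$work/tree/settings.conf"
    make_integrity_db "$work/tree" "$work/baseline.db"   # copy this off-site
    printf 'altered program\n'  > "$work/tree/bin/prog"  # simulated tampering
    rm "$work/tree/settings.conf"
    printf 'unexpected file\n'  > "$work/tree/bin/extra"
    check_integrity_db "$work/tree" "$work/baseline.db"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
echo "check exit status: $?"
```

Because the database is plain sha256sum output, the same baseline can be diffed against a database taken on a second machine that received the same substitutes (the "compare two stores" approach in the reply), and `sha256sum -c` alone is enough for a quick content check when only modifications matter.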
