AIDE db security

Hi Fellow Linoders,

I was wondering if there is any way to make a virtual cdrom and mount it in my linode for storing the AIDE database. I was reading this tutorial on AIDE:

http://www.debuntu.org/intrusion-detection-with-aide

Without having the AIDE db on read only media, it practically defeats the purpose of running AIDE at all.

Thanks for the tips and solutions. :)

4 Replies

You can mount any ISO image using the loopback driver, so just make an image of your CD, then mount it read-only, and you should have what you want. For example:

# mount <isofile> <directory> -o loop,ro

where <directory> can be any directory you like. A normal CD filesystem should be autodetected, but you can add "-t iso9660" if needed.

If you want something always mounted, you can create an fstab entry for it. I'd probably also make sure that permissions on the CD image file are tight enough to protect access.

Alternatively, a more Linode specific option is to use the Linode Manager to create a separate disk image to hold the contents of the CD, then set up your fstab to mount that disk image read-only once you've put the data on it. That would also eliminate the possibility of other processes on your system directly accessing the image file as opposed to having to go through the read-only mount.

– David

@TomRone:

Without having the AIDE db on read only media, it practically defeats the purpose of running AIDE at all.

Yes, but no. :) Aide and its db are accessible by root only. If an attacker manages to become root, even your "write only" media can be compromised.

But you can always email yourself periodic md5sums of both the aide binary and its db. That way you at least have an "independent" track record of changes and can easily verify both by shutting down your VM and mounting it in rescue mode.
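The two checks suggested so far (a read-only loop mount of the db image, and an independent record of the aide binary and db hashes) as an added example; this is not code from the thread or from AIDE itself. Paths, the manifest location and the sample mount table are assumptions.

```shell
#!/bin/sh
# Added example: keep a sha256 manifest of the AIDE binary, config and
# database (the "independent track record" idea, using sha256 instead of
# md5), re-check it later, and confirm the db lives on a read-only mount.
# Paths below are assumptions; adjust for your distribution.
set -u

# aide_manifest MANIFEST FILE...: write "sha256  path" lines for each file.
aide_manifest() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        sha256sum "$f" >> "$out" || return 1
    done
}

# aide_check MANIFEST: recompute every hash and report files whose hash
# differs or that are missing. Returns 1 on any mismatch, 0 if all match.
aide_check() {
    rc=0
    while read -r sum path; do
        cur=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "CHANGED OR MISSING: $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

# mount_is_ro MOUNTPOINT [TABLE]: succeed only if MOUNTPOINT appears in the
# mount table (default /proc/mounts) with the "ro" option set.
mount_is_ro() {
    mp=$1; table=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }' "$table"
}

# Guarded usage (assumed paths): "sh aide-check.sh run" after an aide update.
if [ "${1:-}" = "run" ]; then
    mount_is_ro /mnt/aide-db || echo "WARNING: /mnt/aide-db is not mounted read-only"
    aide_manifest /root/aide.manifest /usr/bin/aide /etc/aide/aide.conf /mnt/aide-db/aide.db
    aide_check /root/aide.manifest && echo "all AIDE files match the manifest"
fi
```

Mail the manifest off-box (as the post suggests) so a later aide_check compares against a copy an intruder on the node cannot rewrite.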

If you don't mind using a second Linode, you can put the ISO on a second Linode, set that linode up to allow read-only access over some network protocol (SMB, NFS, etc.). Have that linode completely inaccessible to the outside world except from your IP address. Then mount the ISO over SMB/NFS/etc.

Even if the primary linode is completely compromised, root and all, they can't mount the ISO as read/write since ultimately the primary linode is not the one putting the read-only restriction on it.

@Guspaz:

Even if the primary linode is completely compromised, root and all, they can't mount the ISO as read/write since ultimately the primary linode is not the one putting the read-only restriction on it.

True, but being compromised, the aide system on it will never tell something's amiss; the binary can be compromised regardless of where the db resides. So a better idea is the other way around, have a dedicated node that periodically scans other nodes, but then again who is to say that that node, which then becomes a single point of failure, is not compromised?

It's a mess, really. The only way to be sure is having periodic "Crazy Ivans" (shutdown node, mount rescue, scan). Otherwise just have faith aide itself is not compromised (and help it be so with rigorous protection), and if that's not enough, scan it in rescue mode from time to time. :)
