AIDE db security
I was wondering if there is any way to make a virtual CD-ROM and mount it in my Linode for storing the AIDE database. I was reading this tutorial on AIDE:
Without having the AIDE db on read only media, it practically defeats the purpose of running AIDE at all.
Thanks for the tips and solutions.
4 Replies
# mount <isofile> <directory> -o loop,ro
where
If you want something always mounted, you can create an fstab entry for it. I'd probably also make sure that permissions on the CD image file are tight enough to protect access.
Alternatively, a more Linode specific option is to use the Linode Manager to create a separate disk image to hold the contents of the CD, then set up your fstab to mount that disk image read-only once you've put the data on it. That would also eliminate the possibility of other processes on your system directly accessing the image file as opposed to having to go through the read-only mount.
– David
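The steps David describes, written out as a script. This is an added example, not code from the thread or from Linode: it packages the AIDE database into an ISO image, mounts it through the loop device read-only, checks that the kernel really refuses writes, and prints the fstab line that keeps it mounted across reboots. All paths (/var/lib/aide/aide.db, /var/lib/aide/aide-db.iso, /mnt/aide-ro) and the use of genisoimage/mkisofs are assumptions; adjust them to your system.

```sh
#!/bin/sh
# Added example (not from the thread): put the AIDE database on a read-only
# loop-mounted ISO, as described in the reply above.
# Every path here is an assumption; override via the environment.
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"
ISO_DIR="${ISO_DIR:-/var/lib/aide/iso-src}"
ISO_FILE="${ISO_FILE:-/var/lib/aide/aide-db.iso}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/aide-ro}"

# fstab line that remounts the image read-only at boot.
# nosuid,nodev,noexec: nothing should ever execute from the database media.
fstab_line() {
    printf '%s %s iso9660 loop,ro,nosuid,nodev,noexec 0 0\n' "$1" "$2"
}

# Build the ISO from the current database (needs genisoimage or mkisofs).
build_iso() {
    mkdir -p "$ISO_DIR"
    cp "$AIDE_DB" "$ISO_DIR/aide.db"
    if command -v genisoimage >/dev/null 2>&1; then
        genisoimage -quiet -R -J -o "$ISO_FILE" "$ISO_DIR"
    else
        mkisofs -quiet -R -J -o "$ISO_FILE" "$ISO_DIR"
    fi
    # Tight permissions on the image file itself, as the reply suggests:
    # everything else reads the database only through the read-only mount.
    chmod 0600 "$ISO_FILE"
}

# Mount the image read-only right now (requires root).
mount_ro() {
    mkdir -p "$MOUNT_POINT"
    mount -o loop,ro,nosuid,nodev,noexec "$ISO_FILE" "$MOUNT_POINT"
}

# Confirm the mount is really read-only: a write attempt must fail.
# Returns 0 when writes are refused, 1 when the directory is writable.
verify_ro() {
    if touch "$MOUNT_POINT/.write-test" 2>/dev/null; then
        echo "WARNING: $MOUNT_POINT is writable" >&2
        return 1
    fi
    echo "ok: $MOUNT_POINT is read-only"
}

# Run the whole procedure only when explicitly asked (needs root and the ISO tools).
if [ "${AIDE_ISO_RUN:-0}" = 1 ]; then
    build_iso
    mount_ro
    verify_ro
    echo "fstab entry to add:"
    fstab_line "$ISO_FILE" "$MOUNT_POINT"
fi
```

Run it as root with `AIDE_ISO_RUN=1 sh aide-iso.sh`, append the printed line to /etc/fstab, and point AIDE's database path at /mnt/aide-ro/aide.db. Re-run `build_iso` after every legitimate `aide --update`, since the image has to be rebuilt (and remounted) to pick up the new database.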
@TomRone:
Without having the AIDE db on read only media, it practically defeats the purpose of running AIDE at all.
Yes, but no.
But you can always email yourself periodic md5sums of both the aide binary and its db. That way you at least have an "independent" track record of changes and can easily verify both by shutting down your VM and mounting it in rescue mode.
Even if the primary linode is completely compromised, root and all, they can't mount the ISO as read/write since ultimately the primary linode is not the one putting the read-only restriction on it.
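The "independent track record" idea from the reply above, as an added example that is not part of the original post. It records checksums of the aide binary and its database so the output can be mailed or copied off the host, and later re-hashes the same files against that baseline, either on the live system or from rescue mode by passing the directory where the system disk is mounted as a prefix. It uses sha256sum where the post says md5sums; the paths /usr/bin/aide and /var/lib/aide/aide.db are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): keep an off-host checksum baseline of
# the aide binary and database, and verify it later, live or from rescue mode.
# Paths are assumptions; override via the environment.
AIDE_BIN="${AIDE_BIN:-/usr/bin/aide}"
AIDE_DB="${AIDE_DB:-/var/lib/aide/aide.db}"

# Emit "hash  path" lines for each argument. Send this output somewhere the
# host cannot rewrite it (mail it to yourself, scp it to another machine).
record_baseline() {
    sha256sum "$@"
}

# Re-hash every file named in a baseline and report differences.
#   verify_baseline BASELINE [PREFIX]
# PREFIX is prepended to each recorded path, so from rescue mode with the
# system disk mounted at /mnt you run: verify_baseline baseline.txt /mnt
# Returns 0 if everything matches, 1 if any file changed or is missing.
verify_baseline() {
    baseline="$1"
    prefix="${2:-}"
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected=${line%% *}      # text before the first space: the hash
        path="$prefix${line#*  }" # text after the two-space separator: the path
        if [ ! -e "$path" ]; then
            echo "MISSING  $path" >&2
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "CHANGED  $path" >&2
            status=1
        fi
    done < "$baseline"
    return $status
}

# Command-line use:  aide-baseline.sh record > baseline.txt
#                    aide-baseline.sh verify baseline.txt [/mnt]
case "${1:-}" in
    record) record_baseline "$AIDE_BIN" "$AIDE_DB" ;;
    verify) verify_baseline "$2" "${3:-}" ;;
esac
```

The verify step is only as trustworthy as the sha256sum binary and kernel it runs under, which is exactly why the post pairs it with shutting the VM down and checking from rescue mode: there the hashing runs on the rescue system and the compromised disk is just data.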
@Guspaz:
Even if the primary linode is completely compromised, root and all, they can't mount the ISO as read/write since ultimately the primary linode is not the one putting the read-only restriction on it.
True, but being compromised, the aide system on it will never tell something's amiss; the binary can be compromised regardless of where the db resides. So a better idea is the other way around: have a dedicated node that periodically scans other nodes, but then again who is to say that that node, which then becomes a single point of failure, is not compromised?
It's a mess, really. The only way to be sure is having periodic "Crazy Ivans" (shutdown node, mount rescue, scan). Otherwise just have faith aide itself is not compromised (and help it be so with rigorous protection), and if that's not enough, scan it in rescue mode from time to time.