Protecting the Database
Since AIDE uses a local database to compare the states of the files, the validity of
its results is directly linked to the validity of the database. If an attacker gets root
permissions on a compromised system, they will be able to replace the database and
cover their tracks. One way to prevent this subversion is to store the reference data
on read-only storage media.
You can use options in /etc/default/aide to tweak the behavior of the aide package. The AIDE configuration proper is stored in /etc/aide/aide.conf and /etc/aide/aide.conf.d/ (actually, these files are only used by update-aide.conf to generate /var/lib/aide/aide.conf.autogenerated). The configuration indicates which properties of which files need to be checked. For instance, the contents of log files change routinely, and such changes can be ignored as long as the permissions of these files stay the same, but both contents and permissions of executable programs must be constant. Although not very complex, the configuration syntax is not fully intuitive and we recommend reading the aide.conf(5) manual page for more details.
A new version of the database is generated daily in /var/lib/aide/aide.db.new; if all recorded changes were legitimate, it can be used to replace the reference database.
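The following fragment is an added illustration of the rule and selection syntax just described, not a configuration taken from the book or from the Debian package; the /media/aide-ro mount point and the group names LogRule and BinRule are assumptions, and the option names follow current aide.conf(5) (older releases spell database_in as database).

```conf
# Added example of an AIDE configuration (not from Kali Linux Revealed).
# Paths under /media/aide-ro and the group names below are assumptions.

# Reference database to compare against, and where the daily candidate
# database is written. Pointing database_in at read-only media means a
# root-level intruder cannot silently rewrite the baseline.
database_in=file:/media/aide-ro/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Attribute groups: each letter names a property to record.
#   p permissions, u user, g group, i inode, n link count,
#   s size, m mtime, c ctime, sha256 content hash
# Log files: contents may change, but ownership and permissions must not.
LogRule = p+u+g
# Executables: contents and metadata must both stay constant.
BinRule = p+u+g+i+n+s+m+c+sha256

# Selection lines: a regular expression matched against the path prefix,
# followed by the rule to apply. A leading "!" excludes a subtree;
# a leading "=" checks the directory itself without descending into it.
/bin      BinRule
/sbin     BinRule
/usr/bin  BinRule
/usr/sbin BinRule
/var/log  LogRule
!/var/log/journal
=/tmp     p+u+g
```

With this configuration a rotated or appended log file produces no report, while any change to the bytes of an executable under the listed directories does.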
Tripwire is very similar to AIDE; even the configuration file syntax is almost the same. The main
addition provided by tripwire is a mechanism to sign the configuration file so that an attacker
cannot make it point at a different version of the reference database.
Samhain also offers similar features as well as some functions to help detect rootkits (see “The checksecurity and chkrootkit/rkhunter packages” [page 171] below). It can also be deployed globally on a network and record its traces on a central server (with a signature).
170 Kali Linux Revealed