[PLUG] Securing tripwire/aide databases

Keith Nasman keith at ahapala.net
Wed Nov 17 17:39:47 UTC 2004


I've used tripwire in the past and am using aide at the moment. Both of 
these programs recommend putting their databases on read-only media so 
that they can't be tampered with. I am currently putting my aide database 
on a floppy and leaving it mounted RO.

Two of my machines are remote and in doing updates to them I obviously 
create changes which aide dutifully reports. Since the dbs are stored 
on the floppies I have to go on site to eject them, flip the tab, write 
the new db, flip the tab and remount RO. I'd like to find a remote 
solution where I can update the databases and still keep their integrity.

My first thought was to keep the databases on my server and then write a 
wrapper script to retrieve the db via ssh. It wasn't very hard for me to 
create a user on my server, exchange a passphrase-less key and have the 
script retrieve the db. However, there isn't anything to prevent the 
uploading of a new db. I couldn't find that one can restrict an ssh key 
to be read only. I guess the ideal would be to have one key read 
only (without a passphrase) and another key that would require a typed 
password that would have read-write ability on my server to upload the 
new db.

I suppose I could set up some sort of read-only ftp point on my server 
and then use ssh to upload the new db when needed.

So, any thoughts, gurus?

Thanks,
Keith
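One way to get the read-only key the post asks about, shown here as an added example rather than anything from the original thread: OpenSSH's authorized_keys file accepts per-key options, and a `command=` forced command makes the server run only that command no matter what the client requests, so the key can stream the stored database out but never write one in. The server path /srv/aide/<host>/aide.db.gz, the user name aide-ro, the client key path and the key material below are assumed or constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed layout: the
# master copy of each host's AIDE database lives on the server at
# /srv/aide/<host>/aide.db.gz, owned by a dedicated user aide-ro.

# Build the authorized_keys line for one client host. The forced
# command ignores whatever the client asks to run and only writes the
# stored database to stdout; the other options stop the key from
# being used for port forwarding, agent forwarding, X11 or a PTY, and
# from= limits it to the client's address.
aide_readonly_authorized_key() {
    host="$1"      # name used in the server-side path
    client="$2"    # source address allowed to use this key
    pubkey="$3"    # full public key line, e.g. "ssh-ed25519 AAAA... comment"
    printf 'command="cat /srv/aide/%s/aide.db.gz",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="%s" %s\n' \
        "$host" "$client" "$pubkey"
}

# Audit helper: succeed only if an authorized_keys line carries every
# restriction we expect on a read-only fetch key.
aide_key_is_restricted() {
    line="$1"
    for opt in 'command="' no-port-forwarding no-X11-forwarding \
               no-agent-forwarding no-pty; do
        case "$line" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Client side: fetch the database with the restricted key. The word
# "fetch" is discarded by the forced command; it only makes the
# invocation readable in the server's auth log. The upload of a new
# database uses a different, passphrase-protected key, as the post
# proposes, and is not part of this example.
aide_fetch_db() {
    server="$1"; dest="$2"
    ssh -i /etc/aide/fetch_key -o BatchMode=yes "aide-ro@$server" fetch \
        > "$dest.tmp" && mv "$dest.tmp" "$dest"
}
```

The generated line goes into ~aide-ro/.ssh/authorized_keys on the server; running `aide_key_is_restricted` over each line of that file is a cheap check that no unrestricted key has crept in.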
