[PLUG] Securing tripwire/aide databases
Keith Nasman
keith at ahapala.net
Wed Nov 17 17:39:47 UTC 2004

I've used tripwire in the past and am using aide at the moment. Both of
these programs recommend putting their databases on read-only media so
that they can't be tampered with. I am currently putting my aide database
on a floppy and leaving it mounted RO.

Two of my machines are remote and in doing updates to them I obviously
create changes which aide dutifully reports. Since the dbs are stored
on the floppies I have to go on site to eject them, flip the tab, write
the new db, flip the tab and remount RO. I'd like to find a remote
solution where I can update the databases and still keep their integrity.

My first thought was to keep the databases on my server and then write a
wrapper script to retrieve the db via ssh. It wasn't very hard for me to
create a user on my server, exchange a passphrase-less key and have the
script retrieve the db. However, there isn't anything to prevent the
uploading of a new db. I couldn't find that one can restrict an ssh key
to be read only. I guess the ideal would be to have one key that is
read-only (without a passphrase) and another key that would require a typed
password that would have read-write ability on my server to upload the
new db.

I suppose I could set up some sort of read-only ftp point on my server
and then use ssh to upload the new db when needed.

So, any thoughts, gurus?

Thanks,
Keith
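
An added example, not part of the original post: one way to get the read-only, passphrase-less key described above is OpenSSH's `command="..."` option in `authorized_keys`, which makes sshd run a fixed script no matter what the client asks for. The script path, the `/srv/aide-db` directory, the `<host>.db.gz` naming and the `get <host>` request format are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: forced-command gate for a passphrase-less fetch key.
# Assumed server-side authorized_keys entry (key material is a placeholder):
#   command="/usr/local/bin/aide-db-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER aide-fetch
# sshd runs this script instead of the client's request, which it passes in
# SSH_ORIGINAL_COMMAND, so this key can only ever read one database file.
LC_ALL=C; export LC_ALL
DB_DIR="${DB_DIR:-/srv/aide-db}"   # assumed directory holding <host>.db.gz

# Print the database path for an allowed request ("get <host>"), else fail.
resolve_request() {
    req="$1"
    case "$req" in
        "get "*) host="${req#get }" ;;
        *) return 1 ;;
    esac
    # Only [A-Za-z0-9._-], no leading dot: rules out "/", "..", spaces, ";".
    case "$host" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s/%s.db.gz\n' "$DB_DIR" "$host"
}

# Serve the requested database on stdout; never write, never exec the request.
gate() {
    path=$(resolve_request "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "denied" >&2
        return 1
    }
    [ -f "$path" ] || { echo "no such database" >&2; return 1; }
    cat -- "$path"
}

# Run only when sshd supplied a request; a bare login gets no shell and exits.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    gate
    exit $?
fi
```

A client would fetch its database with something like `ssh -i <fetch-key> <user>@<server> 'get web1' > aide.db.gz` (names are placeholders). Uploads would go through the separate, passphrase-protected key that has no forced command attached.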