Dean Wilson@UnixDaemon: ... It's not even close to relevant.

Mon, 26 Jun 2006

AIDE Agony
When it comes to host-based intrusion detection I'm most familiar with the Tripwire OpenSource Edition, while shopping around for a HIDS to deploy on a play box I decided to try AIDE. And got stopped at one of the first hurdles.

Tripwire has an interactive update mechanism, it runs a scan (based on your config file) and then prompts you to except, reject or mark changes as pending - within one operation. Unless I'm missing something, AIDE takes a generate signatures, user checks the output, generate signatures approach, which leaves a huge race condition open. Any files created / edited between the check and second generate steps will slip through the net.

Am I missing something or is this really how it works?

Like this post? - Digg Me! | Add to del.icio.us! | reddit this!

Posted: 2006/06/26 18:15 | /security | Permanent link to this entry | This entry + same date

September 2008	4
August 2008	12
July 2008	9
April 2008	4
March 2008	1
February 2008	1
January 2008	15
August 2007	2
June 2007	9
May 2007	6
April 2007	8
March 2007	31
February 2007	3
January 2007	21
December 2006	1
November 2006	4
October 2006	6
September 2006	32
August 2006	17
July 2006	14
June 2006	9
May 2006	13
March 2006	11
February 2006	16
January 2006	11
December 2005	1
November 2005	6
October 2005	19
September 2005	25
August 2005	16
July 2005	16
June 2005	13
May 2005	2
April 2005	19
March 2005	31
February 2005	20
January 2005	31
December 2004	21
November 2004	30
October 2004	32
September 2004	18
August 2004	7
July 2004	14
June 2004	5