# Gentoo Aide File Intrusion System

## farmer.ro

How long before the aide software gets owned by hackers?

----------

## Hu

That depends on when someone convinces the authors to sign over their copyright, which might depend on what incentives are offered in exchange.  If copyright assignment is not what you meant, please provide some context for your question.

----------

## farmer.ro

I was pretty drunk when I posted the previous message, but there is something not clear to me about Aide. I hope someone can provide me a solution:

When storing the Aide databases offline, for example in a cloud or on a USB drive, and the attacker gets hold of the root password, then the attacker can just make a new aide.db database, making the stored offline database invalid, right?

How should one protect from this?

----------

## Hu

As I understand it, the database records the expected contents of files.  If the files are changed, the database can tell you which files have been changed, provided that you can still trust the contents of the database.  If it is stored somewhere that the attacker cannot have modified, then you can trust it.  For example, if it was stored on a server which has no direct network connection, or which is known not to allow anyone to connect (for example, it does not permit any inbound connection from the compromised machines, even for "authorized" users), then you can reasonably trust that the attacker cannot modify that copy of the database.  If the attacker can modify the database, then your only hope is that the attacker was too limited, too rushed or too unaware to do so.  For example, if an attacker exploits a program that allows him to modify any file owned by Apache, but not run arbitrary code as any user or modify files owned by other users, and the database was owned by root, then the attacker was too limited to modify the database.

----------

## farmer.ro

I am not really sure what modifying the aide.db database does, but I am particularly speaking of the case where root rights are gained on the machine; then the attacker can just create a new aide.db.

How does one protect from the option of creating a new aide.db, and not necessarily modifying the aide.db?

----------

## cboldt

Put the database file on removable media - and remove the media from the covered machine.

Edit to add: the "offline" removable media database isn't rendered invalid if and when the attacker modifies the database on the covered machine.  The altered database becomes the "invalid" one.

Your hypothetical attacker has root privileges, and can do anything with the machine being compromised.

----------
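The following is an added illustration of the point Hu and cboldt make above; it is not code from this thread or from AIDE itself. It is a small Python stand-in for AIDE's init/check cycle: `build_db` records a hash, size and mode per file (the analogue of `aide --init`), `compare` diffs a database against the live tree (the analogue of `aide --check`). The scenario in `demo` is constructed: a clean baseline is written both to the host and to a directory standing in for removable media, then an attacker with root trojans a binary, drops a new file and regenerates the host's own database. Checking against the host's copy reports nothing; checking against the copy that was unplugged still flags both files, which is why a freshly generated aide.db on the compromised box does not invalidate the offline one.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_db(root):
    """Record sha256, size and mode for every regular file under root
    (the analogue of `aide --init`). Symlinks are skipped."""
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        db[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return db


def compare(trusted, current):
    """Diff a trusted database against a database of the live tree
    (the analogue of `aide --check`). Returns (added, removed, changed)."""
    added = sorted(set(current) - set(trusted))
    removed = sorted(set(trusted) - set(current))
    changed = sorted(p for p in set(trusted) & set(current)
                     if trusted[p] != current[p])
    return added, removed, changed


def save_db(db, path):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(db, sort_keys=True))


def load_db(path):
    return json.loads(path.read_text())


def demo():
    """Constructed scenario: a root-level attacker trojans a binary, adds a
    file, then regenerates the host's own database. Returns the check
    results against the host copy and against the offline copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        host = tmp / "host"                 # the monitored tree (constructed)
        host_db = tmp / "var" / "aide.db"   # database kept on the host
        usb_db = tmp / "usb" / "aide.db"    # copy on removable media

        # baseline: clean system with constructed sample files
        (host / "etc").mkdir(parents=True)
        (host / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (host / "bin").mkdir()
        (host / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        baseline = build_db(host)
        save_db(baseline, host_db)
        save_db(baseline, usb_db)           # media is unplugged after this

        # attacker with root: trojan /bin/ls, drop a backdoor, and re-init
        # the host's database so it describes the modified tree
        (host / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        (host / "bin" / "backdoor").write_bytes(b"\x7fELF backdoor")
        save_db(build_db(host), host_db)

        live = build_db(host)
        against_host_copy = compare(load_db(host_db), live)
        against_usb_copy = compare(load_db(usb_db), live)
        return against_host_copy, against_usb_copy


if __name__ == "__main__":
    host_result, usb_result = demo()
    print("check against host's own aide.db:", host_result)
    print("check against offline aide.db:   ", usb_result)
```

The only thing that makes the offline copy trustworthy is that the compromised host cannot write to it; with a real AIDE setup that means running the check with the database read from the media (or from a copy pulled from it) rather than from the file the attacker could regenerate on disk.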

