Default Filesystem Integrity checker

Registered by Kees Cook on 2009-04-28

This is to discuss the possibility of selecting and using a default file system integrity checker to help identify potential break-ins, or bad software. Examine things like tripwire, aide, samhain.

Blueprint information

Status:
Complete
Approver:
Rick Clark
Priority:
Undefined
Drafter:
Marc Deslauriers
Direction:
Needs approval
Assignee:
None
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Marc Deslauriers on 2009-08-04
Completed by
Marc Deslauriers on 2009-08-04

Related branches

Sprints

Whiteboard

* Current Status:

* Samhain:
 * In universe (dapper 2.0.10a, hardy+ 2.2.3)
 * Upstream is at 2.5.5 (active development), 2.2.3 is from 31 july 2006
 * Checks POSIX ACLs and SELinux attributes
 * Centralized policy support not compiled in by default (network information needs to be compiled in)
 * Can check kernel modifications/rootkits, but not compiled in by default (needs /dev/kmem, so probably no longer works)
 * Can log to prelude ids
 * Supports pgp-signed config files, but not compiled in by default (key needs to be specified at compile time)
 * Notifications: email, syslog, console, logfile, log server, external, sqldb, prelude
 * Web-based console (proprietary)

* Tripwire:
 * In universe (dapper to karmic have 2.3.1.2.0)
 * Upstream is at 2.4.1.2 (released 18 april 2007)
 * Doesn't seem to have any active development
 * Forked from proprietary product in 1999, separate development now

* Aide:
 * In main (dapper has 0.10, hardy+ have 0.13.1)
 * Upstream is at 0.13.1 (released 15 dec 2006)
 * Doesn't seem to have any active development
 * Supports database and config file signing (but not enabled by default, key needs to be specified at compile time)

* Problems
 * not much upstream development (excepting samhain)
 * All have few CVEs, and are rather old (in general)
 * difficult to maintain due to frequency of security updates. people turn it off
 * (aide) can't easily incrementally update files

* Questions:
 * Should Aide stay in main? YES (no clear advantage to switch)
 * Should samhain be promoted to main? NO (no clear advantage to make change)
 * Is distributing Samhain as a binary useless?

* What features are we looking for?
 * IMORTANT: Gracefully handling OS package/security updates
 * Usable binaries? (ie: no compile-time options)
 * network database (stores hashes and can report)
 * network reporting (when clients have problems, report it)
 * could just check hashes, like debsums

* Package integration
 * Possible implementation for upgrades
  # detect changed files before the update
  # upgrade
  # rebuild database
  # report the changed files from before the upgrade and the files after the upgrade (ie, have a short list and a long list)
  # prompt to upgrade database (or give option to ignore the security ones)
 * must be opt-in
 * drawbacks
   * window between detection of changed and upgrade
   * other issues should be the same as for a default installation (eg, read-write database, not centrally managed, binary could be modified, etc, etc)
   * can lose data if the binary that changed is overwritten by the upgrade
 * to work around this, can simply abort an upgrade if there are uncommitted changes. perhaps an option?

* Documentation
 * using aide
 * concepts on fully protecting (ie read-only media, static binary, etc, etc)

(?)

Work Items