guix-devel

Thoughts on GuixSD and IDS like AIDE and Tripwire


From: dian_cecht
Subject: Thoughts on GuixSD and IDS like AIDE and Tripwire
Date: Sat, 31 Dec 2016 05:28:14 -0800
User-agent: Mutt/1.5.24 (2015-08-30)

Hello everyone,

     I have been giving GuixSD some thought as the holidays pass and I had a
question I wanted to ask. During a recent scare with a computer on my LAN being
compromised (a Windows system), I've been giving thought to some issues with
securing desktops, and one of those is file integrity wrt unsolicited/undesired
modification. Naturally (which may point out my general inexperience with this
kind of thing) I thought of things like AIDE and Tripwire, and gave some thought
to how such systems (which are hash-based, iirc) could possibly be useful to help
recover a system from a break-in (given the hash records aren't available
locally), which brings us back to one of GuixSD's goals of deterministic builds.

     I seem to recall that there was some goal to be able to check each other's
builds by comparing hashes of builds via some currently unknown method (I think
GNUnet was going to be the transport medium, but I'm not entirely sure if that
was a serious plan or what), and while that is certainly interesting for
checking to make sure a build completed properly or that a build is in fact
deterministic (and, by extension, that there isn't an obscure bug in someone's
CPU à la the Pentium floating point bug from ages past), I had given some thought
about all of this in relation to IDSs. Has anyone given any thought to possibly
compiling and distributing a checksum list à la AIDE (GPLed, fwiw) or Tripwire
(GPL as well) for use with GuixSD systems? While this certainly isn't a complete
solution for an IDS (in fact, I haven't even looked yet to see how feasible this
is with the aforementioned software; this is more a thought experiment than
anything), it feels like it might be something useful, which is why I'm
mentioning it here.
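The idea sketched in the message above, a hash-based integrity baseline in the style of AIDE or Tripwire whose reference values come from an independent, reproducible build rather than from the possibly compromised host, can be illustrated with a small script. The following Python is an added example written for this page; it is not code from the message's author, from AIDE or Tripwire, or from the Guix project. It assumes two directory trees with identical expected content (a "reference" build and an "installed" copy), records the SHA-256 and permission bits of every regular file plus the target of every symlink, serializes that manifest as JSON so it could be shipped from elsewhere, and reports which installed files were modified, added, or removed relative to the baseline. All file contents are constructed inside a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a regular file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each path under root (relative, POSIX form) to what an integrity
    checker would want to pin: content hash and mode for regular files,
    the link target for symlinks. Directories themselves are not recorded."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            # lstat() so we describe the link, not whatever it points at
            manifest[rel] = {"symlink": str(path.readlink())}
        elif path.is_file():
            mode = path.stat().st_mode & 0o7777  # permission bits incl. setuid/setgid
            manifest[rel] = {"sha256": hash_file(path), "mode": f"{mode:04o}"}
    return manifest


def dump_manifest(manifest: dict) -> str:
    """Stable JSON form: sorted keys so two independent builds of the same
    content produce byte-identical manifests (and identical hashes of them)."""
    return json.dumps(manifest, sort_keys=True, indent=1)


def load_manifest(text: str) -> dict:
    return json.loads(text)


def compare_manifests(baseline: dict, current: dict):
    """Return (modified, added, removed), each a sorted list of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def populate(root: Path) -> None:
    """Constructed sample tree standing in for a package's output."""
    (root / "bin").mkdir(parents=True)
    (root / "bin" / "hello").write_bytes(b"#!/bin/sh\necho hello\n")
    (root / "share").mkdir()
    (root / "share" / "README").write_text("constructed sample file\n")
    (root / "bin" / "hi").symlink_to("hello")


def demo():
    """Build a baseline from the reference tree, confirm a pristine install
    matches it, then tamper with the install and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        reference, installed = Path(tmp) / "reference", Path(tmp) / "installed"
        populate(reference)
        populate(installed)

        # The baseline round-trips through JSON, as it would if distributed.
        baseline = load_manifest(dump_manifest(build_manifest(reference)))
        clean = compare_manifests(baseline, build_manifest(installed))

        # Simulated unwanted changes on the installed copy (constructed).
        (installed / "bin" / "hello").write_bytes(b"#!/bin/sh\necho tampered\n")
        (installed / "bin" / "extra").write_text("file that was not part of the build\n")
        (installed / "share" / "README").unlink()
        (installed / "bin" / "hi").unlink()
        (installed / "bin" / "hi").symlink_to("extra")  # link now points elsewhere
        dirty = compare_manifests(baseline, build_manifest(installed))
        return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("pristine install:", clean)
    print("after tampering: ", dirty)
```

The only local state the check depends on is the manifest text, so it can be fetched or verified out of band (for instance signed and compared with the manifest another machine derived from its own build of the same package); if the two builds really are deterministic, `dump_manifest` yields identical bytes on both sides, which is what makes a shared baseline possible at all.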
