Re: Thoughts on GuixSD and IDS like AIDE and Tripwire
From: Pjotr Prins
Subject: Re: Thoughts on GuixSD and IDS like AIDE and Tripwire
Date: Sun, 1 Jan 2017 06:56:09 +0000
User-agent: Mutt/1.6.2 (2016-07-01)
On Sat, Dec 31, 2016 at 05:28:14AM -0800, address@hidden wrote:
> Hello everyone,
>
> I have been giving GuixSD some thought as the holidays pass and I had a question I wanted to ask. During a recent scare with a computer on my LAN being compromised (a Windows system), I've been giving thought to some issues with securing desktops, and one of those is file integrity wrt unsolicited/undesired modification. Naturally (which may point out my general inexperience with this kind of thing) I thought of things like AIDE and Tripwire, and gave some thought to how such systems (which are hash-based, iirc) could possibly be useful to help recover a system from a break-in (given the hash records aren't available locally), which brings us back to one of GuixSD's goals of deterministic builds.
>
> I seem to recall that there was some goal to be able to check each other's builds by comparing hashes of builds via some currently unknown method (I think GNUnet was going to be the transport medium, but I'm not entirely sure if that was a serious plan or what), and while that is certainly interesting for checking to make sure a build completed properly or that a build is in fact deterministic (and, by extension, that there isn't an obscure bug in someone's CPU à la the Pentium Floating Point bug from ages past), I had given some thought about all of this in relation to IDSs. Has anyone given any thought to possibly compiling and distributing a checksum list à la AIDE (GPLed, fwiw) or Tripwire (GPL as well) for use with GuixSD systems? While this certainly isn't a complete solution for an IDS (in fact, I haven't even looked yet to see how feasible this is with the aforementioned software; this is more a thought experiment than anything), it feels like it might be something useful, which is why I'm mentioning it here.
Yes, you can do a challenge build. Not all builds are fully deterministic yet, so there will be conflicts. I use guix publish on a server, so I can compare the stores on two machines, which ought to be identical. That is a pretty fast way to do it provided they are not both compromised ;)

At the moment we don't store hashes in a database for the contents of a build tree. I think it is a good idea to have the option to create a tripwire-like database at build/install time, almost for free, provided the user moves that database off-site for later (fast) comparisons. It can actually speed up challenge builds.

I used to run tripwire a lot, but somehow have become confident in my security setup (rightly or wrongly so). At least with Guix I know I can quickly rebuild a new system that behaves as the compromised one. That makes me happy.
Pj.
--
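The "tripwire-like database at install time, moved off-site, compared later" idea discussed above, as an added example that is not code from this thread or from Guix. It walks a store-like directory tree, records a SHA-256, mode and size per file (symlinks by target, not followed), saves the manifest as JSON, and later diffs a fresh scan against that saved copy. All function names and the sample tree are this example's own; the "off-site" copy is simulated by a file outside the tree being checked.

```python
"""Tripwire-style integrity manifest for a store-like directory tree.

Added example (not code from the thread or from Guix): a baseline
manifest is built at install time, saved somewhere the host itself
cannot alter, and later compared against a fresh scan to spot files
that were added, removed or modified. Function names are assumptions
of this example.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large outputs are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every path under root (relative, POSIX form) to recorded attributes.

    Symlinks are recorded by target rather than followed, so a link that is
    re-pointed shows up as a change even if the new target's content matches.
    """
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                manifest[rel] = {"type": "symlink", "target": os.readlink(path)}
            else:
                manifest[rel] = {
                    "type": "file",
                    "sha256": hash_file(path),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "size": st.st_size,
                }
    return manifest


def save_manifest(manifest: dict, path) -> None:
    """Write the manifest as sorted JSON; this is the copy to ship off-host."""
    Path(path).write_text(json.dumps(manifest, sort_keys=True, indent=1))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report paths added, removed, or whose recorded attributes changed."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths
                          if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed sample tree, snapshot it, alter it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "store"
        (root / "bin").mkdir(parents=True)
        (root / "share").mkdir()
        (root / "bin" / "hello").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "share" / "README").write_text("constructed sample package\n")

        # Baseline taken at install time; kept outside the checked tree to
        # stand in for an off-site copy the host cannot rewrite.
        offsite_db = Path(tmp) / "offsite-manifest.json"
        save_manifest(build_manifest(root), offsite_db)

        # Constructed post-install changes an integrity check should report.
        (root / "bin" / "hello").write_bytes(b"#!/bin/sh\necho changed\n")
        (root / "bin" / "extra").write_text("unexpected new file\n")
        (root / "share" / "README").unlink()

        return diff_manifests(load_manifest(offsite_db), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the saved manifest: a copy left on the checked host can be rewritten along with the files it describes, which is why the reply insists on moving it off-site. Because the manifest is keyed by relative path and built in sorted order, two machines that installed the same deterministic build can also diff their manifests directly, which is the cheap cross-check the reply describes for challenge builds.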