From: dian_cecht@zoho.com
To: guix-devel@gnu.org
Subject: Thoughts on GuixSD and IDS like AIDE and Tripwire
Date: Sat, 31 Dec 2016 05:28:14 -0800
Message-ID: <20161231132814.GA25102@khaalida>

Hello everyone,

     I have been giving GuixSD some thought as the holidays pass and I had a
question I wanted to ask. During a recent scare with a computer on my LAN being
compromised (a Windows system), I've been giving thought to some issues with
securing desktops, and one of those is file integrity wrt unsolicited/undesired
modification. Naturally (which may point out my general inexperience with this
kind of thing) I thought of things like AIDE and Tripwire, and gave some thought
to how such systems (which are hash-based, iirc) could possibly be useful to help
recover a system from a break-in (given the hash records aren't available
locally), which brings us back to one of GuixSD's goals of deterministic builds.

     I seem to recall that there was some goal to be able to check each other's
builds by comparing hashes of builds via some currently unknown method (I think
GNUnet was going to be the transport medium, but I'm not entirely sure if that
was a serious plan or what), and while that is certainly interesting for
checking to make sure a build completed properly or that a build is in fact
deterministic (and, by extension, that there isn't an obscure bug in someone's
CPU ala the Pentium floating point bug from ages past), I had given some thought
about all of this in relation to IDSs. Has anyone given any thought to possibly
compiling and distributing a checksum list ala AIDE (GPLed, fwiw) or Tripwire
(GPL as well) for use with GuixSD systems? While this certainly isn't a complete
solution for an IDS (in fact, I haven't even looked yet to see how feasible this
is with the aforementioned software; this is more a thought experiment than
anything), it feels like it might be something useful, which is why I'm
mentioning it here.
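As an added illustration of the hash-list idea in the message above (example code written for this page, not from the thread, Guix, AIDE or Tripwire): a minimal baseline-and-compare check. The manifest is serialised in sha256sum(1) style so the reference copy can be published and kept somewhere the monitored host cannot alter it; the directory tree, its contents and the tampering in `demo()` are all constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> digest for every regular file under root (symlinks skipped)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def format_manifest(manifest):
    """Serialise in sha256sum(1) style so the list can be distributed out-of-band."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))

def parse_manifest(text):
    """Inverse of format_manifest; blank lines are ignored."""
    pairs = (line.split("  ", 1) for line in text.splitlines() if line.strip())
    return {path: digest for digest, path in pairs}

def compare(reference, current):
    """Classify differences: modified in place, added on the host, removed from the host."""
    ref, cur = set(reference), set(current)
    return {
        "modified": sorted(p for p in ref & cur if reference[p] != current[p]),
        "added": sorted(cur - ref),
        "removed": sorted(ref - cur),
    }

def demo():
    """Constructed scenario: take a baseline, alter the tree, re-check against it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir(); (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")
        (root / "etc" / "config").write_bytes(b"key=value\n")
        # The published text stands in for the reference copy held off-host.
        published = format_manifest(build_manifest(root))
        (root / "bin" / "ls").write_bytes(b"tampered binary")   # modified
        (root / "etc" / "config").unlink()                       # removed
        (root / "bin" / "unknown").write_bytes(b"unexpected")    # added
        return compare(parse_manifest(published), build_manifest(root))
```

A reference list built from a deterministic build can serve as `published` directly, which is what makes the comparison meaningful even after the local records are suspect.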
