From: dian_cecht@zoho.com
Subject: Thoughts on GuixSD and IDS like AIDE and Tripwire
Date: Sat, 31 Dec 2016 05:28:14 -0800
Message-ID: <20161231132814.GA25102@khaalida>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello everyone,

I have been giving GuixSD some thought as the holidays pass and I had a question I wanted to ask. During a recent scare with a computer on my LAN being compromised (a Windows system), I've been giving thought to some issues with securing desktops, and one of those is file integrity wrt unsolicited/undesired modification.
Naturally (which may point out my general inexperience with this kind of thing) I thought of things like AIDE and Tripwire, and gave some thought to how such systems (which are hash-based, iirc) could possibly be useful to help recover a system from a break-in (given the hash records aren't available locally), which brings us back to one of GuixSD's goals of deterministic builds. I seem to recall that there was some goal to be able to check each other's builds by comparing hashes of builds via some currently unknown method (I think GNUnet was going to be the transport medium, but I'm not entirely sure if that was a serious plan or what), and while that is certainly interesting for checking to make sure a build completed properly or that a build is in fact deterministic (and, by extension, that there isn't an obscure bug in someone's CPU a la the Pentium floating point bug from ages past), I had given some thought about all of this in relation to IDSs.

Has anyone given any thought to possibly compiling and distributing a checksum list a la AIDE (GPLed, fwiw) or Tripwire (GPL as well) for use with GuixSD systems?

While this certainly isn't a complete solution for an IDS (in fact, I haven't even looked yet to see how feasible this is with the aforementioned software; this is more a thought experiment than anything), it feels like it might be something useful, which is why I'm mentioning it here.
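The hash-based scheme the message sketches (a baseline manifest of file hashes, ideally produced elsewhere, compared against a fresh scan of the host) is small enough to show end to end. The following is an added illustration written for this archive page, not code from the message, from AIDE, Tripwire or Guix; it assumes the baseline manifest is delivered out-of-band and kept read-only, and it uses a constructed temporary tree rather than a real system.

```python
"""AIDE/Tripwire-style integrity check, as an added example (not Guix code).

A manifest maps each regular file's relative path to its SHA-256 digest.  A
baseline manifest taken from a trusted build (for GuixSD this could in
principle be derived from a deterministic rebuild of the same store items)
is compared against a fresh scan of the running system.  Assumption: the
baseline comes from off-host and cannot be altered by whoever altered the
files; nothing here protects the manifest itself.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file below root, keyed by path relative to root.

    Symlinks are recorded by their target string instead of being followed,
    so a link repointed at a different file shows up as a modification.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                manifest[rel] = "symlink:" + os.readlink(p)
            elif p.is_file():
                manifest[rel] = "sha256:" + sha256_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return the paths added, removed or changed relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, alter the tree, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /real/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_manifest(root)  # the trusted, out-of-band record

        # Simulated unsolicited changes made after the baseline was taken.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /other/ls \"$@\"\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "new-job").write_text("content\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real system the scan would run over the directories worth watching (for GuixSD the immutable store is the obvious candidate, since every item there has a known expected content) and the baseline would be fetched from, or signed by, something other than the host being checked; a manifest stored writable on the same disk is exactly what an intruder would edit along with the files.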