From: Pjotr Prins
Subject: Re: Thoughts on GuixSD and IDS like AIDE and Tripwire
Date: Sun, 1 Jan 2017 06:56:09 +0000
Message-ID: <20170101065609.GA4651@mail.thebird.nl>
In-Reply-To: <20161231132814.GA25102@khaalida>
To: guix-devel@gnu.org

On Sat, Dec 31, 2016 at 05:28:14AM -0800, dian_cecht@zoho.com wrote:
> Hello everyone,
>
> I have been giving GuixSD some thought as the holidays pass and I had a
> question I wanted to ask. During a recent scare with a computer on my LAN
> being compromised (a Windows system), I've been giving thought to some
> issues with securing desktops, and one of those is file integrity wrt
> unsolicited/undesired modification. Naturally (which may point out my
> general inexperience with this kind of thing) I thought of things like
> AIDE and Tripwire, and gave some thought to how such systems (which are
> hash-based, iirc) could possibly be useful to help recover a system from
> a break-in (given the hash records aren't available locally), which
> brings us back to one of GuixSD's goals of deterministic builds.
>
> I seem to recall that there was some goal to be able to check each
> other's builds by comparing hashes of builds via some currently unknown
> method (I think GNUnet was going to be the transport medium, but I'm not
> entirely sure if that was a serious plan or what), and while that is
> certainly interesting for checking to make sure a build completed
> properly or that a build is in fact deterministic (and, by extension,
> that there isn't an obscure bug in someone's CPU ala the Pentium floating
> point bug from ages past), I had given some thought about all of this in
> relation to IDSs. Has anyone given any thought to possibly compiling and
> distributing a checksum list ala AIDE (GPLed, fwiw) or Tripwire (GPL as
> well) for use with GuixSD systems? While this certainly isn't a complete
> solution for an IDS (in fact, I haven't even looked yet to see how
> feasible this is with the aforementioned software; this is more a
> thought experiment than anything), it feels like it might be something
> useful, which is why I'm mentioning it here.

Yes, you can do a challenge build. Not all builds are fully deterministic
yet, so there will be conflicts. I use guix publish on a server, so I can
compare the stores on two machines, which ought to be identical. That is a
pretty fast way to do it provided they are not both compromised ;)

At the moment we don't store hashes in a database for the contents of a
build tree. I think it is a good idea to have the option to create a
tripwire-like database at build/install time, almost for free, provided
the user moves that database off-site for later (fast) comparisons. It
can actually speed up challenge builds.

I used to run tripwire a lot, but somehow have become confident in my
security setup (rightly or wrongly so). At least with Guix I know I can
quickly rebuild a new system that behaves as the compromised one. That
makes me happy.

Pj.
--
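The tripwire-like database Pjotr describes above, as an added example that is not part of this thread and not Guix's own code: a manifest of SHA-256 hashes over a store-like tree is taken at install time, the copy is kept off the machine, and a later run rebuilds the manifest and reports every changed, added or removed file. It assumes GNU coreutils (sha256sum, find, sort, comm, mktemp); the function names make_manifest, verify_manifest and demo are this example's own, and the tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): tripwire-style manifest
# of a store-like tree, taken at install time and verified later against a
# copy kept off the machine. Assumes GNU coreutils; names are hypothetical.

# make_manifest DIR: print "sha256  ./relative/path" for every regular file
# under DIR. Paths are sorted with LC_ALL=C so that identical trees always
# produce byte-identical manifests, the same property a challenge build
# relies on when two stores are compared.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# verify_manifest DIR MANIFEST: rebuild the manifest for DIR and compare it
# line by line with the stored one. Prints the differing lines (a modified
# file appears twice, once with each hash; an added or removed file once)
# and returns 1 if anything differs, 0 if the tree is unchanged.
verify_manifest() {
    stored=$(mktemp) || return 2
    current=$(mktemp) || return 2
    LC_ALL=C sort "$2" > "$stored"
    make_manifest "$1" | LC_ALL=C sort > "$current"
    # comm -3 drops lines present in both files, leaving only differences.
    changed=$(LC_ALL=C comm -3 "$stored" "$current")
    rm -f "$stored" "$current"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# demo: build a small constructed tree, snapshot it, modify one file and add
# another, then verify. Returns 0 when the tampering is detected (the
# expected outcome), 1 when it slips through.
demo() {
    tree=$(mktemp -d)
    manifest=$(mktemp)
    mkdir "$tree/bin"
    printf 'original binary\n' > "$tree/bin/tool"
    printf 'config=1\n' > "$tree/etc.conf"

    make_manifest "$tree" > "$manifest"          # this copy would go off-site
    verify_manifest "$tree" "$manifest" > /dev/null && echo "clean tree: OK"

    printf 'modified binary\n' > "$tree/bin/tool" # constructed modification
    printf 'unexpected file\n' > "$tree/bin/extra" # constructed addition
    if verify_manifest "$tree" "$manifest"; then
        echo "tampered tree: NOT detected"
        rc=1
    else
        echo "tampered tree: differences detected"
        rc=0
    fi
    rm -rf "$tree" "$manifest"
    return $rc
}

demo
```

The manifest is only as trustworthy as the place it is kept: verifying against a copy left on the same host tells you nothing once that host is compromised, which is why the message insists on moving it off-site. Because the manifest format is stable and sorted, two machines that installed the same store items can also exchange manifests and diff them directly, which is the cheap cross-check Pjotr gets from comparing stores via guix publish.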