
Re: Thoughts on GuixSD and IDS like AIDE and Tripwire


From: Pjotr Prins
Subject: Re: Thoughts on GuixSD and IDS like AIDE and Tripwire
Date: Sun, 1 Jan 2017 06:56:09 +0000
User-agent: Mutt/1.6.2 (2016-07-01)

On Sat, Dec 31, 2016 at 05:28:14AM -0800, address@hidden wrote:
> Hello everyone,
> 
>      I have been giving GuixSD some thought as the holidays pass and I had a
> question I wanted to ask. During a recent scare with a computer on my LAN being
> compromised (a Windows system), I've been giving thought to some issues with
> securing desktops, and one of those is file integrity wrt unsolicited/undesired
> modification. Naturally (which may point out my general inexperience with this
> kind of thing) I thought of things like AIDE and Tripwire, and gave some thought
> to how such systems (which are hash-based, iirc) could possibly be useful to help
> recover a system from a break-in (given the hash records aren't available
> locally), which brings us back to one of GuixSD's goals of deterministic builds.
> 
>      I seem to recall that there was some goal to be able to check each other's
> builds by comparing hashes of builds via some currently unknown method (I think
> GNUnet was going to be the transport medium, but I'm not entirely sure if that
> was a serious plan or what), and while that is certainly interesting for
> checking to make sure a build completed properly or that a build is in fact
> deterministic (and, by extension, that there isn't an obscure bug in someone's
> CPU ala Pentium Floating Point bug from ages past), I had given some thought
> about all of this in relation to IDSs. Has anyone given any thought to possibly
> compiling and distributing a checksum list ala AIDE (GPLed, fwiw) or Tripwire
> (GPL as well) for use with GuixSD systems? While this certainly isn't a complete
> solution for an IDS (in fact, I haven't even looked yet to see how feasible this
> is with the aforementioned software; this is more a thought experiment than
> anything), it feels like it might be something useful, which is why I'm
> mentioning it here.

Yes, you can do a challenge build. Not all builds are fully
deterministic yet, so there will be conflicts. I use guix publish
on a server, so I can compare the stores on two machines for
comparison, which ought to be identical. That is a pretty fast way to
do it provided they are not both compromised ;)

At the moment we don't store hashes in a database for the contents of
a build tree. I think it is a good idea to have the option to create a
tripwire-like database at build/install time, almost for free,
provided the user moves that database off-site for later (fast)
comparisons. It can actually speed up challenge builds.

I used to run tripwire a lot, but somehow have become
confident in my security setup (rightly or wrongly so). At least with
Guix I know I can quickly rebuild a new system that behaves as the
compromised one. That makes me happy.

Pj.
-- 
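A minimal shell version of the tripwire-like database Pjotr describes, as an added example that is not part of this thread or of Guix itself: a manifest of SHA-256 hashes is recorded for a store tree on a trusted machine (or at build/install time), moved off-site, and later diffed against a fresh manifest of the same tree. It assumes `sha256sum` and `find` from GNU coreutils/findutils; the store directory and manifest path are whatever the caller supplies.

```shell
#!/bin/sh
# Tripwire-style integrity manifest for a store tree (added example, not Guix code).
# Assumes GNU coreutils (sha256sum, sort) and findutils (find).

# make_manifest DIR
#   Print one "sha256  ./relative/path" line per regular file under DIR, in a
#   stable sorted order so that two manifests of identical trees diff cleanly.
#   Caveat: file names containing newlines would break the line-based format.
make_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# verify_manifest DIR MANIFEST
#   Recompute the manifest of DIR and diff it against the trusted MANIFEST
#   (which should have been kept off-site). Lines starting with "<" are entries
#   from the trusted copy that are missing or changed; lines starting with ">"
#   are files that are new or changed. Exit status is diff's: 0 when the tree
#   still matches, 1 when it has drifted.
verify_manifest() {
    dir=$1
    manifest=$2
    current=$(make_manifest "$dir")
    printf '%s\n' "$current" | diff "$manifest" -
}

# Usage (hypothetical paths):
#   make_manifest /gnu/store/...-foo > foo.manifest     # on the trusted side
#   verify_manifest /gnu/store/...-foo foo.manifest     # later, on the host being checked
```

Because the manifest is just text, the same file produced on the `guix publish` server can be diffed against a manifest generated on the client, which turns the "compare two stores" check from the post into a comparison of two small files rather than two full trees; it still only tells you something if at least one side is trustworthy.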