Re: integrity checks and inodes
Mike Mestnik <email@example.com> writes:
> Pascal Weller wrote:
>> Hi All
>> The various tools for integrity checks (aide, integrit, tripwire,
>> etc) do check timestamp, uid/gid, permissions, checksum, inode
>> etc. of the files on a system, compare them to the last known-good
>> state and warn about changes.
>> I'm wondering why I should care about inodes when I have checksums.
>> Does anyone know an attack vector to modify a file and keep the
>> checksum the same? (besides collisions/bugs in the checksum
>> code). Would the inode change in such a case and couldn't this be
>> avoided by an attacker as well?
>> Background is that I move vserver from host to host with rsync and
>> don't like to get a report that all the inodes have changed.
> You 'could' use the --inplace option of rsync to avoid this... On the
> other hand rsync is doing something wrong if it's recreating files it
> does not xfer, check to make sure you are using the correct options
> for time-stamp and meta-data (if any?) comparisons.
>> cheers pascal
I think he means he copies a vserver from host A to host B including the
intrusion detection database. On host B the inode numbers will differ
from host A.
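
An added example (not part of the original thread) showing which of the two baseline attributes discussed here, inode number and checksum, changes under each operation the thread mentions. The directory names, file name and contents are constructed, and two directories on one filesystem stand in for the two hosts.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(path):
    """Record the two baseline attributes discussed in the thread."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"inode": os.stat(path).st_ino, "sha256": digest}


def changed(baseline, path):
    """Return the names of the baseline attributes that no longer match."""
    current = snapshot(path)
    return sorted(k for k in baseline if baseline[k] != current[k])


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as root:
        host_a = os.path.join(root, "hostA")  # stand-in for the source host
        host_b = os.path.join(root, "hostB")  # stand-in for the target host
        os.mkdir(host_a)
        os.mkdir(host_b)
        original = os.path.join(host_a, "app.conf")
        with open(original, "w") as fh:
            fh.write("version=1\n")  # constructed sample content
        baseline = snapshot(original)

        # Case 1: the file is copied to another host and checked against
        # the baseline that was taken on the source host.
        migrated = os.path.join(host_b, "app.conf")
        shutil.copyfile(original, migrated)
        results["copied_to_other_host"] = changed(baseline, migrated)

        # Case 2: identical content written to a temporary file and renamed
        # over the target, which is what rsync does without --inplace.
        tmp = original + ".tmp"
        shutil.copyfile(original, tmp)
        os.replace(tmp, original)
        results["recreated_by_rename"] = changed(baseline, original)

        # Case 3: content overwritten in the existing file (same inode).
        baseline = snapshot(original)
        with open(original, "r+") as fh:
            fh.write("version=2\n")
        results["edited_in_place"] = changed(baseline, original)
    return results
```

Calling `demo()` returns, per case, the list of attributes an integrity checker would report as changed.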