[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

integrity checks and inodes

Hi All

The various tools for integrity checks (aide, integrit, tripwire, etc) 
do check timestamp, uid/gui, permissions, checksum, inode etc. of the 
files on an system, compare them to the last know-good state and warn 
about changes.

I'm wondering why I should care about inodes when I have checksums.

Does anyone know an attack vector to modify a file and keep the checksum 
the same? (besides collisions/bugs in the checksum code). 
Would the inode change in such a case and couldn't this be avoided by an 
attacker as well?

Background is that I move vserver from host to host with rsync and don't 
like to get a report that all the inodes have changed.

cheers pascal 

Reply to: