integrity checks and inodes
Hi All
The various tools for integrity checks (aide, integrit, tripwire, etc)
do check timestamp, uid/gui, permissions, checksum, inode etc. of the
files on an system, compare them to the last know-good state and warn
about changes.
I'm wondering why I should care about inodes when I have checksums.
Does anyone know an attack vector to modify a file and keep the checksum
the same? (besides collisions/bugs in the checksum code).
Would the inode change in such a case and couldn't this be avoided by an
attacker as well?
Background is that I move vserver from host to host with rsync and don't
like to get a report that all the inodes have changed.
cheers pascal
Reply to: