[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: integrity checks and inodes

Pascal Weller wrote:
Hi All

The various tools for integrity checks (aide, integrit, tripwire, etc) do check timestamp, uid/gui, permissions, checksum, inode etc. of the files on an system, compare them to the last know-good state and warn about changes.

I'm wondering why I should care about inodes when I have checksums.

Does anyone know an attack vector to modify a file and keep the checksum the same? (besides collisions/bugs in the checksum code). Would the inode change in such a case and couldn't this be avoided by an attacker as well?

Background is that I move vserver from host to host with rsync and don't like to get a report that all the inodes have changed.

You 'could' use the --inplace option of rsync to avoid this... On the other hand rsync is doing something wrong if it's recreating files it does not xfer, check to make sure you are using the correct options for time-stamp and meta-data(if any?) comparisons.

cheers pascal

Reply to: