Re: integrity checks and inodes

To: debian-security@lists.debian.org
Cc: lists@pascalweller.net
Subject: Re: integrity checks and inodes
From: Mike Mestnik <cheako911@gmail.com>
Date: Tue, 01 Feb 2011 13:06:10 -0600
Message-id: <[🔎] 4D4859A2.9060105@gmail.com>
In-reply-to: <20110121171307.GA1003@pascalweller.net>
References: <20110121171307.GA1003@pascalweller.net>

Pascal Weller wrote:

Hi All
The various tools for integrity checks (aide, integrit, tripwire, etc)do check timestamp, uid/gui, permissions, checksum, inode etc. of thefiles on an system, compare them to the last know-good state and warnabout changes.
I'm wondering why I should care about inodes when I have checksums.
Does anyone know an attack vector to modify a file and keep the checksumthe same? (besides collisions/bugs in the checksum code).Would the inode change in such a case and couldn't this be avoided by anattacker as well?
Background is that I move vserver from host to host with rsync and don'tlike to get a report that all the inodes have changed.

You 'could' use the --inplace option of rsync to avoid this... On theother hand rsync is doing something wrong if it's recreating files itdoes not xfer, check to make sure you are using the correct options fortime-stamp and meta-data(if any?) comparisons.

cheers pascal

Reply to:

Follow-Ups:
- Re: integrity checks and inodes
  - From: Goswin von Brederlow <goswin-v-b@web.de>

Next by Date: Re: [SECURITY] [DSA-2157-1] PostgreSQL security update
Next by thread: Re: integrity checks and inodes
Index(es):
- Date
- Thread