Re: /boot partition changes when it should not
On Tue, 9 Mar 2010, Clive McBarton wrote:
> Yes, of course. I mean "md5sum /dev/sda1".
Hi Clive. If you don't mind me asking, why are you doing this? Are you
concerned about corruption or someone (with root) compromising your kernel
image, or perhaps something else?
Also even if /boot was merely a directory on the root filesystem you could
still md5sum all the files within it. Indeed aide and tripwire do just
that.
> It's mounted read-only (actually also "noatime", although that is
> implied by "ro"). The access times cannot change. Nor the other
> metadata. And in fact they don't: "ls -Rl", "ls -Rlc", "ls -Rlu" report
> no changes in the metadata.
So you're wondering what is changing the checksum? The ext2/3 keeps
metadata on mount times, number of mounts, etc. Merely rebooting would be
sufficient to update the mount count and therefore completely change the
md5sum.
If you want to confirm that no files are changing take md5sums of all
files and compare back file by file. As with any IDS keep your hash list
off the system to avoid potential compromise.
> I do NO write operation whatsoever on it. It is not allowed to change in
> ANY way.
To the extent that you can assert this.
Cheers,
Rob
--
Email: robert@timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
Open Source: The revolution that silently changed the world
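
The file-by-file comparison suggested in the message above, as an added example that is not part of the original post: it hashes every regular file under a directory and diffs the result against a baseline manifest, so filesystem bookkeeping such as the mount count does not affect the outcome. The function names are assumptions, and `sha256sum` is used in place of the thread's `md5sum`.

```shell
#!/bin/sh
# Added example (not from the thread): per-file integrity manifest for a tree such as /boot.
# Hashing files instead of the block device ignores superblock fields (mount count, mount time).

# make_manifest DIR: print "HASH  ./path" for every regular file, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# compare_manifests BASELINE CURRENT: print CHANGED/ADDED/REMOVED lines.
# Returns 0 when the manifests agree, 1 otherwise.
# Assumes plain file names (sha256sum escapes names containing backslash or newline).
compare_manifests() {
    awk '
        BEGIN { rc = 0 }
        {
            hash = substr($0, 1, 64)   # 64 hex digits of SHA-256
            path = substr($0, 67)      # path follows the two-character separator
        }
        FILENAME == ARGV[1] { base[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in base))          { print "ADDED   " path; rc = 1 }
            else if (base[path] != hash)  { print "CHANGED " path; rc = 1 }
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; rc = 1 }
            exit rc
        }
    ' "$1" "$2"
}

# check_tree DIR BASELINE: hash DIR now and compare with the stored baseline.
check_tree() {
    cur=$(mktemp) || return 2
    make_manifest "$1" > "$cur"
    compare_manifests "$2" "$cur" && rc=0 || rc=$?
    rm -f "$cur"
    return "$rc"
}
```

Create the baseline once with `make_manifest /boot > baseline.sha256`, keep that file off the system, and run `check_tree /boot baseline.sha256` after each reboot.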