
Re: /boot partition changes when it should not



On Tue, 9 Mar 2010, Clive McBarton wrote:

> Yes, of course. I mean "md5sum /dev/sda1".

Hi Clive. If you don't mind me asking, why are you doing this? Are you concerned about corruption or someone (with root) compromising your kernel image, or perhaps something else?

Also, even if /boot was merely a directory on the root filesystem, you could still md5sum all the files within it. Indeed, aide and tripwire do just that.

> It's mounted read-only (actually also "noatime", although that is
> implied by "ro"). The access times cannot change. Nor the other
> metadata. And in fact they don't: "ls -Rl", "ls -Rlc", "ls -Rlu" report
> no changes in the metadata.

So you're wondering what is changing the checksum? The ext2/3 keeps metadata on mount times, number of mounts, etc. Merely rebooting would be sufficient to update the mount count and therefore completely change the md5sum.

If you want to confirm that no files are changing, take md5sums of all files and compare back file by file. As with any IDS, keep your hash list off the system to avoid potential compromise.

> I do NO write operation whatsoever on it. It is not allowed to change in
> ANY way.

To the extent that you can assert this.

Cheers,

Rob

--
Email: robert@timetraveller.org
IRC: Solver
Web: http://www.practicalsysadmin.com
Open Source: The revolution that silently changed the world
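
Added example, not part of the original message: the Python below reads the mount time, write time and mount count from the primary ext2/3 superblock of two device images and shows that a change in those fields alone changes the whole-device md5sum. The images are constructed 4 KiB samples built by the hypothetical helper `make_image`, not real filesystems, and only the primary superblock is considered.

```python
import hashlib
import struct

SB_OFFSET = 1024          # primary superblock starts 1024 bytes into the device
SB_SIZE = 1024
EXT_MAGIC = 0xEF53
# (name, offset within superblock, struct format); fields are little-endian on disk
FIELDS = [
    ("s_mtime", 44, "<I"),       # last mount time
    ("s_wtime", 48, "<I"),       # last write time
    ("s_mnt_count", 52, "<H"),   # mounts since last fsck
    ("s_magic", 56, "<H"),
]

def read_superblock(image: bytes) -> dict:
    sb = image[SB_OFFSET:SB_OFFSET + SB_SIZE]
    if len(sb) < SB_SIZE:
        raise ValueError("image too short to hold a superblock")
    out = {name: struct.unpack_from(fmt, sb, off)[0] for name, off, fmt in FIELDS}
    if out["s_magic"] != EXT_MAGIC:
        raise ValueError("not an ext2/3 superblock")
    return out

def compare_images(before: bytes, after: bytes) -> dict:
    a, b = read_superblock(before), read_superblock(after)
    changed = {k: (a[k], b[k]) for k in a if a[k] != b[k]}
    # Drop the primary superblock so only the remaining bytes are compared.
    strip = lambda img: img[:SB_OFFSET] + img[SB_OFFSET + SB_SIZE:]
    return {
        "whole_device_md5_equal":
            hashlib.md5(before).digest() == hashlib.md5(after).digest(),
        "superblock_fields_changed": changed,
        "outside_superblock_equal": strip(before) == strip(after),
    }

def make_image(mtime: int, mnt_count: int, payload: bytes = b"kernel-bytes") -> bytes:
    """Constructed sample: 4 KiB image with only the fields above populated."""
    img = bytearray(4096)
    struct.pack_into("<I", img, SB_OFFSET + 44, mtime)
    struct.pack_into("<I", img, SB_OFFSET + 48, mtime)
    struct.pack_into("<H", img, SB_OFFSET + 52, mnt_count)
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT_MAGIC)
    img[2048:2048 + len(payload)] = payload   # stands in for file data
    return bytes(img)

if __name__ == "__main__":
    # Same payload, one extra mount a day later.
    print(compare_images(make_image(1268092800, 7), make_image(1268179200, 8)))
```
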

