
Re: /boot partition changes when it should not




Robert Brockway wrote:
> Are you concerned about corruption

Filesystem corruption? Not at all. It's a read-only partition. It cannot
go corrupt unless the disk breaks.

> or someone (with root) compromising your kernel image

Indeed.

> Also even if /boot was merely a directory on the root filesystem you
> could still md5sum all the files within it.  Indeed aide and tripwire do
> just that.

Yes. I want to notice the stuff that's not in files. Like files
temporarily created and deleted. Or unallocated blocks written to. No
HIDS I know is able to check that.

> So you're wondering what is changing the checksum?  The ext2/3 keeps
> metadata on mount times, number of mounts, etc.  Merely rebooting would
> be sufficient to update the mount count and therefore completely change
> the md5sum.

Yes, I'm pretty sure that's it. Which annoys me, since the partition is
read-only, and read-only mount is not supposed to change mount count and
mount time. And indeed it does not when done manually while the system
is running.

> If you want to confirm that no files are changing take md5sums of all
> files and compare back file by file.  As with any IDS keep your hash
> list off the system to avoid potential compromise.

...and keep the whole IDS off the system too, and the OS it runs on as
well... :( There's no end to this, unfortunately.

There's a reason I'm doing this offline. Nothing done online (no matter
where the list is kept) can be fully trustworthy.

>> I do NO write operation whatsoever on it. It is not allowed to change in
>> ANY way.
> 
> To the extent that you can assert this.

Indeed. Because something does write to it. What I assert is that write
operations are neither desired nor required. They just happen unwanted.
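An offline check of the kind discussed in this thread, as an added example (not the poster's own script): it hashes the raw partition byte for byte but blanks the ext2/3 superblock fields the kernel rewrites on mount (mount time, write time, mount count, last-check time, assumed here to be the only legitimately volatile bytes), so a reboot no longer changes the checksum while a write anywhere else, including to unallocated blocks or a file created and deleted again, still does. Only the primary superblock at offset 1024 is masked; the backup copies in later block groups are hashed verbatim, which assumes the kernel leaves them alone on a plain mount.

```python
import hashlib
import io
import struct

SB_OFFSET, SB_SIZE, EXT_MAGIC = 1024, 1024, 0xEF53

# Superblock fields the kernel rewrites on (un)mount although no file changed:
# name -> (offset inside the superblock, struct format). Assumed to be the only volatile bytes.
VOLATILE = {
    "s_mtime": (0x2C, "<I"),      # last mount time
    "s_wtime": (0x30, "<I"),      # last write time
    "s_mnt_count": (0x34, "<H"),  # mounts since last fsck
    "s_lastcheck": (0x40, "<I"),  # time of last fsck
}

def parse_superblock(sb):
    """Return the volatile fields as a dict; reject anything that is not ext2/3/4."""
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        raise ValueError("no ext2/3/4 superblock at offset %d" % SB_OFFSET)
    return {name: struct.unpack_from(fmt, sb, off)[0] for name, (off, fmt) in VOLATILE.items()}

def mask_volatile(sb):
    """Zero the mount bookkeeping so identical data hashes identically across reboots."""
    buf = bytearray(sb)
    for off, fmt in VOLATILE.values():
        buf[off:off + struct.calcsize(fmt)] = bytes(struct.calcsize(fmt))
    return bytes(buf)

def partition_digest(dev, chunk=1 << 20):
    """SHA-256 of a raw partition (open block device, dd image or bytes), primary superblock masked."""
    if isinstance(dev, bytes):
        dev = io.BytesIO(dev)
    h = hashlib.sha256()
    head = dev.read(SB_OFFSET + SB_SIZE)
    sb = head[SB_OFFSET:]
    parse_superblock(sb)                 # fail loudly rather than hash the wrong thing
    h.update(head[:SB_OFFSET])           # boot sector / padding, hashed verbatim
    h.update(mask_volatile(sb))
    for block in iter(lambda: dev.read(chunk), b""):
        h.update(block)                  # every remaining block, allocated or not
    return h.hexdigest()

def make_image(mnt_count, mtime, payload=b"vmlinuz" * 512):
    """Constructed toy image: boot sector, a minimal ext2 superblock, then data blocks."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<I", sb, 0x2C, mtime)
    struct.pack_into("<H", sb, 0x34, mnt_count)
    return bytes(SB_OFFSET) + bytes(sb) + payload
```

From a rescue system, `partition_digest(open("/dev/sda1", "rb"))` gives the value to record off-box; comparing the output of `parse_superblock` across boots shows whether only the mount bookkeeping moved.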

