[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: /boot partition changes when it should not

Hash: SHA1

Robert Brockway wrote:
> Are you concerned about corruption

Filesystem corruption? Not at all. It's a read-only partition. It cannot
go corrupt unless the disk breaks.

> or someone (with root) compromising your kernel image


> Also even if /boot was merely a directory on the rootfileeystem you
> could still md5sum all the files within it.  Indeed aide and tripwire do
> just that.

Yes. I want to notice the stuff that's not in files. Like files
temporarily created and deleted. Or unallocated blocks written to. No
HIDS I know is able to check that.

> So you're wondering what is changing the checksum?  The ext2/3 keeps
> metadata on mount times, number of mounts, etc.  Merely rebooting would
> be sufficient to update the mount count and therefore completely change
> the md5sum.

Yes, I'm pretty sure that's it. Which annoys me, since the partition is
read-only, and read-only mount is not supposed to change mount count and
mount time. And indeed it does not when done manually while the system
is running.

> If you want to confirm that no files are changing take md5sums of all
> files and compare back file by file.  As with any IDS keep your hash
> list off the system to avouf potential compromise.

...and keep the whole IDS off the system too, and the OS it runs on as
well... :( There's no end to this, unfortunately.

There's a reason I'm doing this offline. Nothing done online (no matter
where the list is kept) can be fully trustworthy.

>> I do NO write operation whatsoever on it. It is not allowed to change in
>> ANY way.
> To the extent that you can assert this.

Indeed. Because something does write to it. What I assert is that write
operations are neither desired nor required. They just happen unwanted.
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Reply to: