Re: /boot partition changes when it should not
-----BEGIN PGP SIGNED MESSAGE-----
Robert Brockway wrote:
> Are you concerned about corruption
Filesystem corruption? Not at all. It's a read-only partition. It cannot
go corrupt unless the disk breaks.
> or someone (with root) compromising your kernel image
> Also even if /boot was merely a directory on the root filesystem you
> could still md5sum all the files within it. Indeed aide and tripwire do
> just that.
Yes. I want to notice the stuff that's not in files. Like files
temporarily created and deleted. Or unallocated blocks written to. No
HIDS I know is able to check that.
> So you're wondering what is changing the checksum? The ext2/3 keeps
> metadata on mount times, number of mounts, etc. Merely rebooting would
> be sufficient to update the mount count and therefore completely change
> the md5sum.
Yes, I'm pretty sure that's it. Which annoys me, since the partition is
read-only, and read-only mount is not supposed to change mount count and
mount time. And indeed it does not when done manually while the system
> If you want to confirm that no files are changing take md5sums of all
> files and compare back file by file. As with any IDS keep your hash
> list off the system to avoid potential compromise.
...and keep the whole IDS off the system too, and the OS it runs on as
well... :( There's no end to this, unfortunately.
There's a reason I'm doing this offline. Nothing done online (no matter
where the list is kept) can be fully trustworthy.
>> I do NO write operation whatsoever on it. It is not allowed to change in
>> ANY way.
> To the extent that you can assert this.
Indeed. Because something does write to it. What I assert is that write
operations are neither desired nor required. They just happen unwanted.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
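The thread above attributes the changing partition checksum to ext2/3 superblock bookkeeping (mount count, mount time). The following script is an added example, not code from the original message or its author: it reads those fields straight from the ext2 on-disk superblock (offset 1024 into the partition, little-endian, magic 0xEF53) so that two dumps of an offline /boot image can be compared field by field, and it computes a digest with exactly those volatile fields zeroed so that a mount-count bump no longer changes the hash while any other write still does. The sample images are constructed in the script (a bare superblock plus a few zero blocks), not real /boot dumps; the field offsets are the documented ext2 layout, and the choice of which fields to mask is the script's own.

```python
"""Compare two raw images of an ext2/ext3 partition (e.g. dd dumps of /boot
taken before and after a reboot): report which superblock bookkeeping
fields moved, and hash the image with those fields masked out.

Added example; sample images below are constructed, not real dumps."""
import hashlib
import struct
import time

SB_OFFSET = 1024          # primary superblock sits 1 KiB into the partition
EXT2_MAGIC = 0xEF53

# Fields the kernel/e2fsck update as part of normal bookkeeping.
# (name, offset within superblock, struct format) per the ext2 on-disk layout.
VOLATILE_FIELDS = [
    ("s_mtime",     0x2C, "<I"),   # last mount time
    ("s_wtime",     0x30, "<I"),   # last write time
    ("s_mnt_count", 0x34, "<H"),   # mounts since last fsck
    ("s_lastcheck", 0x40, "<I"),   # time of last fsck
]


def read_superblock_fields(image: bytes) -> dict:
    """Parse the volatile fields out of the primary superblock."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT2_MAGIC:
        raise ValueError(f"not an ext2/3/4 superblock (magic {magic:#06x})")
    fields = {}
    for name, off, fmt in VOLATILE_FIELDS:
        (fields[name],) = struct.unpack_from(fmt, sb, off)
    return fields


def diff_superblock(old: bytes, new: bytes) -> dict:
    """Return {field: (old_value, new_value)} for every volatile field that changed."""
    a, b = read_superblock_fields(old), read_superblock_fields(new)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def raw_digest(image: bytes) -> str:
    """Plain whole-partition hash: changes on every mount-count bump."""
    return hashlib.sha256(image).hexdigest()


def masked_digest(image: bytes) -> str:
    """Whole-partition hash with the volatile superblock fields zeroed.

    Everything else (boot sector area, group descriptors, inodes, data
    blocks, unallocated blocks) is still covered, so a write anywhere
    outside those few bytes still shows up."""
    buf = bytearray(image)
    for _, off, fmt in VOLATILE_FIELDS:
        size = struct.calcsize(fmt)
        buf[SB_OFFSET + off:SB_OFFSET + off + size] = b"\x00" * size
    return hashlib.sha256(buf).hexdigest()


# --- constructed sample input (hypothetical, not a real /boot dump) ---
def make_image(mnt_count: int, mtime: int, wtime: int,
               payload: bytes = b"\x00" * 4096) -> bytes:
    """Build a minimal image: 1 KiB boot area, 1 KiB superblock, data blocks."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, 0x38, EXT2_MAGIC)
    struct.pack_into("<I", sb, 0x2C, mtime)
    struct.pack_into("<I", sb, 0x30, wtime)
    struct.pack_into("<H", sb, 0x34, mnt_count)
    struct.pack_into("<H", sb, 0x36, 30)          # s_max_mnt_count
    return bytes(1024) + bytes(sb) + payload


BEFORE = make_image(mnt_count=7, mtime=1230000000, wtime=1230000000)
# Same data blocks, only the bookkeeping moved: what a reboot looks like.
AFTER_REBOOT = make_image(mnt_count=8, mtime=1230086400, wtime=1230086400)
# Same bookkeeping as AFTER_REBOOT, but one byte in an unallocated block flipped.
TAMPERED = make_image(mnt_count=8, mtime=1230086400, wtime=1230086400,
                      payload=b"\x00" * 4095 + b"\x01")


if __name__ == "__main__":
    for name, (old, new) in diff_superblock(BEFORE, AFTER_REBOOT).items():
        if name.endswith("time") or name == "s_lastcheck":
            old, new = (time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(v)) for v in (old, new))
        print(f"{name}: {old} -> {new}")
    print("raw digest changed:   ", raw_digest(BEFORE) != raw_digest(AFTER_REBOOT))
    print("masked digest changed:", masked_digest(BEFORE) != masked_digest(AFTER_REBOOT))
    print("tamper still detected:", masked_digest(AFTER_REBOOT) != masked_digest(TAMPERED))
```

Run it against real dumps by replacing the constructed images with `open("/path/to/boot-before.img", "rb").read()` and the matching after-image. Two caveats: the script only covers the primary superblock, and ext2 keeps backup copies in other block groups that e2fsck may also refresh; and on ext3 a journal recovery at mount time rewrites journal blocks, which the masked digest deliberately does not hide. Either way, a masked-digest mismatch is a reason to look at the exact blocks that differ (cmp -l on the two images), not to assume bookkeeping.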