Date: Tue, 24 Jul 2001 19:06:07 +0100 From: Ben Smithurst <ben@FreeBSD.org> To: Peter Pentchev <roam@orbitel.bg> Cc: Jon Loeliger <jdl@jdl.com>, security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724190607.F20105@strontium.shef.vinosystems.com> In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg> References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
Peter Pentchev wrote:
> ypchfn changed its inode number, and its link count. This means that
> somebody performed an unlink() (delete) on ypchfn, and then created
> a new ypchfn with the same size, timestamp, permissions and stuff,
> but still a new file - and that's where the hardlink count + inum
> tracking of /etc/security kicked in and alerted you.
hmm, so if an intruder replaced a file without changing it's link count,
size, or modification time, I wouldn't be alerted? Perhaps we should
change the security script to print the files ctime instead of mtime,
since the ctime can't be forged?
--
Ben Smithurst / ben@FreeBSD.org FreeBSD: The Power To Serve
http://www.FreeBSD.org/
[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE7XbkPbPzJ+yzvRCwRAkPYAKDIMXvUljV8w/cDAB55KEXxchrvjACfZfAH
pvJtofLsTwLr+Zsmpq3Nges=
=YIY0
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010724190607.F20105>