Date: Tue, 24 Jul 2001 11:11:17 -0700 (PDT)
From: alex wetmore <alex@phred.org>
To: Ben Smithurst <ben@FreeBSD.org>
Cc: Peter Pentchev <roam@orbitel.bg>, Jon Loeliger <jdl@jdl.com>, <security@freebsd.org>
Subject: Re: Security Check Diffs Question
Message-ID: <20010724110942.L32042-100000@phred.org>
In-Reply-To: <20010724190607.F20105@strontium.shef.vinosystems.com>

On Tue, 24 Jul 2001, Ben Smithurst wrote:

> Peter Pentchev wrote:
>
> > ypchfn changed its inode number, and its link count.  This means that
> > somebody performed an unlink() (delete) on ypchfn, and then created
> > a new ypchfn with the same size, timestamp, permissions and stuff,
> > but still a new file - and that's where the hardlink count + inum
> > tracking of /etc/security kicked in and alerted you.
>
> hmm, so if an intruder replaced a file without changing its link count,
> size, or modification time, I wouldn't be alerted?  Perhaps we should
> change the security script to print the file's ctime instead of mtime,
> since the ctime can't be forged?

Or keep md5 signatures around...

Jon: Did you patch the telnet hole?

alex
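
The checks discussed in this thread, as an added example that is not part of the original message or of the FreeBSD /etc/security script: it snapshots a file's inode, link count, size, mtime, ctime and a content digest, then reports which fields still change when a file is altered with its size and mtime preserved. The file name, contents and function names are constructed for illustration, and SHA-256 stands in for the md5 signatures suggested above.

```python
import hashlib
import os
import tempfile
import time

FIELDS = ("inode", "nlink", "size", "mtime", "ctime", "digest")

def snapshot(path):
    """Record the attributes discussed in the thread, plus a content digest."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return dict(zip(FIELDS, (st.st_ino, st.st_nlink, st.st_size,
                             st.st_mtime_ns, st.st_ctime_ns, digest)))

def changed_fields(old, new):
    """Names of the recorded fields that differ between two snapshots."""
    return sorted(k for k in FIELDS if old[k] != new[k])

def run_cases():
    """Alter a constructed file two ways; return what each comparison sees."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ypchfn")          # constructed stand-in file
        with open(path, "wb") as f:
            f.write(b"original-binary")
        os.utime(path, ns=(10**18, 10**18))       # fixed, old mtime
        base = snapshot(path)
        time.sleep(1.1)                           # outlast coarse timestamps

        # Case 1: same-length overwrite in place, mtime put back afterwards.
        with open(path, "r+b") as f:
            f.write(b"replaced-binary")
        os.utime(path, ns=(base["mtime"], base["mtime"]))
        results["in_place"] = changed_fields(base, snapshot(path))

        # Case 2: new file renamed over the old one, mtime put back.
        tmp = path + ".new"
        with open(tmp, "wb") as f:
            f.write(b"swapped-content")
        os.utime(tmp, ns=(base["mtime"], base["mtime"]))
        os.replace(tmp, path)
        results["renamed_over"] = changed_fields(base, snapshot(path))
    return results

if __name__ == "__main__":
    for case, fields in run_cases().items():
        print(case, "->", fields)
```

In both cases link count, size and mtime compare equal, so a report built only on those fields stays silent; the stored baseline itself has to be kept where the monitored host cannot rewrite it.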