Date: Thu, 19 Apr 2001 19:13:32 +0300 From: Peter Pentchev <roam@orbitel.bg> To: Paul Halliday <dp@penix.org> Cc: hackers@freebsd.org Subject: Re: Dilemma. Message-ID: <20010419191332.E1527@ringworld.oblivion.bg> In-Reply-To: <3ADF04E8.55D0888E@penix.org>; from dp@penix.org on Thu, Apr 19, 2001 at 11:31:52AM -0400 References: <3ADF04E8.55D0888E@penix.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Apr 19, 2001 at 11:31:52AM -0400, Paul Halliday wrote: > Hi. > > I will try to make this quick. I am writting a little monitoring script > in bash and I have run into a little > stumbling block. Basically, one of the checks this program will perform > is to take a fingerprint of the entire filesystem. > For my needs this is only required every 24 hours as the other > procedures that use this as a template will do so in little chunks. Now, > I have a couple of concerns. > > 1) Is there a simpler and faster way to perform something equivalent to > "ls -aliTR /"? This portion of output will > be queried with checks on inode numbers, last modified, and sizes at > random intervals and subsequently updated if valid. "find / -ls" shall give you more relevant info, less redundant info, and less irrelevant info. > 2) The more I test the above, the more I realise that this is not > without loopholes. Even if my checks are every 5 minutes > there still exists the possibility and time for someone that has > compromised the system to modify date / inodes to match what was > existing. <- any input on this issue would be really great. ie: a field > that cannot be modified even by root. I have had some silly ideas such > as: changing kernel secure level and chflaging every file (probably not > even possible),or maybe using pgp in some way to sign the most important > files, /bin, /usr/bin, etc. No, I don't believe there is any aspect of the filesystem that cannot be modified/faked, given appropriate privileges :( I might be wrong, though. G'luck, Peter -- This inert sentence is my body, but my soul is alive, dancing in the sparks of your brain. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010419191332.E1527>