Date: Tue, 24 Jul 2001 19:06:07 +0100 From: Ben Smithurst <ben@FreeBSD.org> To: Peter Pentchev <roam@orbitel.bg> Cc: Jon Loeliger <jdl@jdl.com>, security@freebsd.org Subject: Re: Security Check Diffs Question Message-ID: <20010724190607.F20105@strontium.shef.vinosystems.com> In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg> References: <200107241632.LAA05639@chrome.jdl.com> <20010724205228.A16243@ringworld.oblivion.bg>
next in thread | previous in thread | raw e-mail | index | archive | help
--SLDf9lqlvOQaIe6s Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Peter Pentchev wrote: > ypchfn changed its inode number, and its link count. This means that > somebody performed an unlink() (delete) on ypchfn, and then created > a new ypchfn with the same size, timestamp, permissions and stuff, > but still a new file - and that's where the hardlink count + inum > tracking of /etc/security kicked in and alerted you. hmm, so if an intruder replaced a file without changing it's link count, size, or modification time, I wouldn't be alerted? Perhaps we should change the security script to print the files ctime instead of mtime, since the ctime can't be forged? --=20 Ben Smithurst / ben@FreeBSD.org FreeBSD: The Power To Serve http://www.FreeBSD.org/ --SLDf9lqlvOQaIe6s Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7XbkPbPzJ+yzvRCwRAkPYAKDIMXvUljV8w/cDAB55KEXxchrvjACfZfAH pvJtofLsTwLr+Zsmpq3Nges= =YIY0 -----END PGP SIGNATURE----- --SLDf9lqlvOQaIe6s-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010724190607.F20105>