On Friday 17 June 2005 22:06, Steve Langasek <[EMAIL PROTECTED]> wrote:
> > But if someone can change the cache of data written by prelink then why
> > couldn't they also change the program that does the md5 checks to make it
> > always return a good result?
>
> They can, but I've never seen a rootkit with that level of sophistication;

There have been root-kits that hide files and show the original versions to
programs that do checks.  This is not really difficult to do with a kernel
module.

> and if there was one, there's still the option of booting from read-only
> media to check (which is the only safe way to audit your system anyway).

True.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
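
The offline check discussed in this message, as an added example that is not part of the original e-mail: run from a rescue environment booted off read-only media, it hashes files on the mounted suspect disk with the rescue system's own kernel and tools. It assumes a reference list in the `md5hex  relative/path` format used by dpkg's `.md5sums` files, obtained from somewhere other than the audited disk; the function names `verify_offline` and `demo` are hypothetical.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_offline(target_root, md5sums_text):
    """Check files under target_root against 'md5hex  relative/path' lines.

    Returns {relative_path: status}; status is one of
    "ok", "changed", "missing" or "outside-root".
    """
    root = os.path.realpath(target_root)
    results = {}
    for line in md5sums_text.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split(None, 1)
        rel = rel.strip()
        full = os.path.realpath(os.path.join(root, rel))
        # An absolute symlink or ".." on the suspect disk would otherwise make
        # us hash the rescue system's file and report a false "ok".
        if os.path.commonpath([root, full]) != root:
            results[rel] = "outside-root"
        elif not os.path.isfile(full):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if md5_of(full) == expected.lower() else "changed"
    return results

def demo():
    """Constructed sample: a temp directory stands in for the mounted disk."""
    files = (("ls", b"original ls"), ("ps", b"original ps"))
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for name, data in files:
            with open(os.path.join(root, "usr/bin", name), "wb") as f:
                f.write(data)
        reference = "".join("%s  usr/bin/%s\n" % (hashlib.md5(d).hexdigest(), n)
                            for n, d in files + (("top", b"never installed"),))
        with open(os.path.join(root, "usr/bin/ps"), "wb") as f:
            f.write(b"replaced ps")  # constructed stand-in for a swapped binary
        return verify_offline(root, reference)
```

Binaries that prelink has rewritten in place will report as "changed" against package checksums.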