Robert Brockway wrote:
> Are you concerned about corruption

Filesystem corruption? Not at all. It's a read-only partition. It cannot go corrupt unless the disk breaks.

> or someone (with root) compromising your kernel image

Indeed.

> Also even if /boot was merely a directory on the root filesystem you
> could still md5sum all the files within it. Indeed aide and tripwire do
> just that.

Yes. I want to notice the stuff that's not in files. Like files temporarily created and deleted. Or unallocated blocks written to. No HIDS I know is able to check that.

> So you're wondering what is changing the checksum? The ext2/3 keeps
> metadata on mount times, number of mounts, etc. Merely rebooting would
> be sufficient to update the mount count and therefore completely change
> the md5sum.

Yes, I'm pretty sure that's it. Which annoys me, since the partition is read-only, and read-only mount is not supposed to change mount count and mount time. And indeed it does not when done manually while the system is running.

> If you want to confirm that no files are changing take md5sums of all
> files and compare back file by file. As with any IDS keep your hash
> list off the system to avoid potential compromise.

...and keep the whole IDS off the system too, and the OS it runs on as well... :( There's no end to this, unfortunately. There's a reason I'm doing this offline. Nothing done online (no matter where the list is kept) can be fully trustworthy.

>> I do NO write operation whatsoever on it. It is not allowed to change in
>> ANY way.
>
> To the extent that you can assert this.

Indeed. Because something does write to it. What I assert is that write operations are neither desired nor required. They just happen unwanted.
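An added example, not part of the original message or of any tool named in it: one way to keep a whole-partition checksum useful when the ext2/3 superblock's mount time and mount count change is to report those fields separately and hash every other byte, including unallocated blocks. The choice of fields to mask, the function names and the tiny sample image are assumptions of this sketch; the field offsets are those of the standard ext2 superblock layout.

```python
import hashlib
import io
import struct

SB_OFFSET, SB_SIZE = 1024, 1024   # primary ext2/3 superblock location and size
EXT_MAGIC = 0xEF53                # s_magic, u16 at superblock offset 56
# Superblock fields masked before hashing: name -> (offset, struct format).
# Which fields to mask is this example's assumption, not the poster's setup.
VOLATILE = {
    "s_mtime": (44, "<I"),        # last mount time
    "s_wtime": (48, "<I"),        # last write time
    "s_mnt_count": (52, "<H"),    # mounts since last fsck
}

def scan(dev, chunk=1 << 20):
    """Return (volatile field values, SHA-256 of dev with those fields zeroed)."""
    head = bytearray(dev.read(SB_OFFSET + SB_SIZE))
    if len(head) < SB_OFFSET + SB_SIZE:
        raise ValueError("device too small to hold a superblock")
    if struct.unpack_from("<H", head, SB_OFFSET + 56)[0] != EXT_MAGIC:
        raise ValueError("no ext2/3 magic at superblock offset 56")
    fields = {}
    for name, (off, fmt) in VOLATILE.items():
        fields[name] = struct.unpack_from(fmt, head, SB_OFFSET + off)[0]
        struct.pack_into(fmt, head, SB_OFFSET + off, 0)
    digest = hashlib.sha256(head)
    for block in iter(lambda: dev.read(chunk), b""):
        digest.update(block)      # every remaining byte, allocated or not
    return fields, digest.hexdigest()

def compare(baseline, current):
    """Return (changed volatile fields, True if anything else on disk changed)."""
    (f0, d0), (f1, d1) = scan(baseline), scan(current)
    changed = {k: (f0[k], f1[k]) for k in f0 if f0[k] != f1[k]}
    return changed, d0 != d1

def make_image(mtime, mnt_count, tamper=False):
    """Constructed 8 KiB sample image; real use opens the partition read-only."""
    img = bytearray(8192)
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<I", img, SB_OFFSET + 44, mtime)
    struct.pack_into("<H", img, SB_OFFSET + 52, mnt_count)
    if tamper:
        img[6000] = 0x41          # one byte in a block no file occupies
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(compare(make_image(1268000000, 7), make_image(1268300000, 8)))
    print(compare(make_image(1268000000, 7), make_image(1268300000, 8, tamper=True)))
```

`scan` accepts any binary file object, so from separately booted media it can be given the partition device opened in `"rb"` mode; a jump in `s_mnt_count` is still reported, it just no longer hides whether anything else changed.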