Hi All,

The various tools for integrity checks (aide, integrit, tripwire, etc.) do check timestamp, uid/gid, permissions, checksum, inode etc. of the files on a system, compare them to the last known-good state and warn about changes.

I'm wondering why I should care about inodes when I have checksums. Does anyone know an attack vector to modify a file and keep the checksum the same? (besides collisions/bugs in the checksum code). Would the inode change in such a case and couldn't this be avoided by an attacker as well?

Background is that I move vserver from host to host with rsync and don't like to get a report that all the inodes have changed.

cheers
pascal

