Bugtraq mailing list archives

Re: FreeBSD VM gremlin


From: v13 () AETOS IT TEITHE GR (Harhalakis Stefanos)
Date: Sat, 19 Sep 1998 15:49:12 +0059


On Fri, 18 Sep 1998, Warner Losh wrote:

In message <199809181149.HAA21721 () lunacity ne mediaone net> "Charles
M. Hannum" writes:
:
: > You should have md5 checksums of files that you are concerned about,
: > as timestamps are useless in the face of a good attacker.
:
: Rubbish!  A checksum doesn't tell me that someone hadn't temporarily
: replaced the file and has now put the original back.

Ummm, you still can't tell that for a competent attacker.  A good
attacker can set the system time, frob the file, set it back, let time
pass and then do the same thing to get the original back.  You'd never
know.

Irix has a nice 'feature' named fam (at least Irix 6.4).
fam==file alteration monitor and it will detect any file change
and even more. I don't know how this works, but it works. I don't
know if there is something similar on other OSs.

Warner
<<V13>>
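
The checksum-versus-timestamp argument quoted above, as an added example that is not part of the original message: a baseline of hash, size, mtime and ctime is compared while a file is temporarily replaced and again after the original is put back with its old mtime. SHA-256 stands in for the thread's md5; the function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Baseline record: content hash plus the stat fields a checker can store."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def changed_fields(baseline, current):
    """Names of the recorded fields that differ from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])


def replace_and_restore(path, temporary_content):
    """Constructed scenario: swap the content, then put the original back
    and reset atime/mtime to their old values. Returns the snapshot taken
    while the replacement was in place."""
    st = os.stat(path)
    with open(path, "rb") as f:
        original = f.read()
    with open(path, "wb") as f:
        f.write(temporary_content)
    during = snapshot(path)
    with open(path, "wb") as f:
        f.write(original)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return during


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "watched-file")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"original contents\n")
        baseline = snapshot(path)
        time.sleep(0.05)  # let the clock advance past timestamp granularity
        during = replace_and_restore(path, b"temporary replacement\n")
        after = snapshot(path)
        # A check that runs only before and after sees at most ctime_ns move;
        # ctime is stamped from the system clock, which the quoted reply
        # notes a good attacker can set.
        return changed_fields(baseline, during), changed_fields(baseline, after)
```

Calling `demo()` returns two lists: the fields that differ while the replacement is in place, and the fields that still differ once the original is restored.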


