[7983] in bugtraq
Re: FreeBSD VM gremlin
daemon@ATHENA.MIT.EDU (Harhalakis Stefanos)
Sat Sep 19 19:13:08 1998
Date: Sat, 19 Sep 1998 15:49:12 +0059
Reply-To: Harhalakis Stefanos <v13@AETOS.IT.TEITHE.GR>
From: Harhalakis Stefanos <v13@AETOS.IT.TEITHE.GR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199809181929.NAA28156@harmony.village.org>
On Fri, 18 Sep 1998, Warner Losh wrote:
> In message <199809181149.HAA21721@lunacity.ne.mediaone.net> "Charles
> M. Hannum" writes:
> :
> : > You should have md5 checksums of files that you are concerned about,
> : > as timestamps are useless in the face of a good attacker.
> :
> : Rubbish! A checksum doesn't tell me that someone hadn't temporarily
> : replaced the file and has now put the original back.
>
> Ummm, you still can't tell that for a competent attacker. A good
> attacker can set the system time, frob the file, set it back, let time
> pass and then do the same thing to get the original back. You'd never
> know.
Irix has a nice 'feature' named fam (at least Irix 6.4).
fam == file alteration monitor, and it will detect any file change
and even more. I don't know how this works, but it works. I don't
know if there is something similar on other OSs.
> Warner
<<V13>>
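
The checksum-versus-timestamp trade-off debated in this thread, as an added example that is not part of the original post: a hash-plus-timestamp baseline compared after a constructed replace-and-restore of a file. SHA-256 stands in for the MD5 mentioned in the thread; the file name, contents, helper names and the utime() step are assumptions, as are POSIX st_ctime semantics and an unaltered system clock.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Record the attributes an integrity baseline can compare later."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def compare(baseline, current):
    """Return the sorted names of attributes that differ from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current[k])


def replace_and_restore(path, temporary):
    """Constructed scenario: swap the content, put the original back,
    then reset atime/mtime with utime() (an assumed clean-up step)."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        original = fh.read()
    with open(path, "wb") as fh:
        fh.write(temporary)
    with open(path, "wb") as fh:
        fh.write(original)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Baseline a constructed file, run the scenario, report what changed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "monitored.conf")   # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"setting = original\n")      # constructed sample content
        baseline = snapshot(path)
        time.sleep(0.1)   # let the clock advance past timestamp granularity
        replace_and_restore(path, b"setting = tampered\n")
        return compare(baseline, snapshot(path))


if __name__ == "__main__":
    print(demo())   # attributes that no longer match the baseline
```

Hash, size and mtime all match the baseline, so only the inode change time records the swap. An attacker who can set the system clock, as Warner describes, can hide that as well, which is why the thread turns to event-based monitoring such as fam.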