Eternal 'good file hashes' list
Till Maas
opensource at till.name
Tue Oct 20 22:49:12 UTC 2009
On Wed, Oct 21, 2009 at 12:00:23AM +0200, nodata wrote:
> On 2009-10-20 23:48, Till Maas wrote:
>> Having a hash list of well known files might also help in forensics
>> analysis to find suspicious files. Also with determining the correct RPM
>> NVR one could use the repo metadata to check whether there are known
>> vulnerabilities for certain files or just to detect that the file is not
>> from an up-to-date RPM.
> How is this check going to be done?
The hash for each file on a filesystem is computed and then compared
with the list.
> Is the filesystem going to be mounted in a known clean environment? If
> not, what's the point?
Filesystems can also be accessed without actually mounting them. But a
clean environment should of course be used.
> If yes, how do you know the filesystem hasn't been returned to a clean
> state?
The process of forensics analysis is more complex than just running one
single command. Nevertheless, getting a list of suspicious files can lead
to finding the information one is interested in. And if all files match the
hash of a well known file, then this information can also be used to
decide to investigate using other methods.
Regards
Till
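The check described in this message, as an added example that is not code from the thread or from Fedora's tooling: hash every regular file under a tree (an image mounted read-only or extracted on a clean host) and compare it with a known-good list. The package NVRs, file paths and file contents are constructed for the example; a real list would be generated from the RPM payloads that the repo metadata points at. The example goes a little beyond the message by distinguishing a file modified in place from a known binary that turns up at an unexpected path, and by reporting the files that match nothing at all.

```python
"""Compare the hashes of files in a filesystem tree with a known-good list.

Added example; package names, NVRs, paths and payloads are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed package payloads: {NVR: {canonical path: file bytes}}.
# A real known-good list would be built from the RPM payloads themselves.
PACKAGES = {
    "coreutils-7.6-1.fc12": {  # hypothetical NVR
        "/usr/bin/ls": b"ELF\x00constructed ls payload\n",
        "/usr/bin/cat": b"ELF\x00constructed cat payload\n",
    },
    "bash-4.0.35-1.fc12": {  # hypothetical NVR
        "/bin/bash": b"ELF\x00constructed bash payload\n",
    },
}


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_known_good(packages):
    """Return (by_hash, by_path) lookup tables built from package payloads.

    by_hash: sha256 hex digest -> (NVR, canonical path)
    by_path: canonical path -> sha256 hex digest
    """
    by_hash, by_path = {}, {}
    for nvr, files in packages.items():
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            by_hash[digest] = (nvr, path)
            by_path[path] = digest
    return by_hash, by_path


def classify_tree(root, by_hash, by_path):
    """Hash every regular file under root and sort it into four buckets.

    Paths are reported relative to root with a leading "/", so a tree
    mounted or extracted at root is compared against canonical paths.
    A "known" match only says the bytes are those of a known file; it
    says nothing about how the file got there or what else happened.
    """
    result = {"known": [], "modified": [], "relocated": [], "unknown": []}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            # Symlinks are checked first because is_file() follows them.
            if full.is_symlink() or not full.is_file():
                continue
            rel = "/" + full.relative_to(root).as_posix()
            digest = sha256_of_file(full)
            if by_path.get(rel) == digest:
                result["known"].append(rel)
            elif rel in by_path:
                result["modified"].append(rel)      # shipped path, other bytes
            elif digest in by_hash:
                result["relocated"].append((rel, by_hash[digest][1]))
            else:
                result["unknown"].append(rel)       # nobody ships this file
    for entries in result.values():
        entries.sort()
    return result


def write_sample_tree(root):
    """Populate a constructed image: two intact files, a trojaned ls,
    a copy of cat dropped into /tmp, and a file no package ships."""
    files = {
        "/usr/bin/cat": PACKAGES["coreutils-7.6-1.fc12"]["/usr/bin/cat"],
        "/bin/bash": PACKAGES["bash-4.0.35-1.fc12"]["/bin/bash"],
        "/usr/bin/ls": b"ELF\x00constructed ls payload with backdoor\n",
        "/tmp/.x/cat": PACKAGES["coreutils-7.6-1.fc12"]["/usr/bin/cat"],
        "/usr/lib/libpwn.so": b"ELF\x00constructed rootkit\n",
    }
    for rel, data in files.items():
        dest = Path(root) / rel.lstrip("/")
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)


def demo():
    """Run the comparison against the constructed image and return the report."""
    by_hash, by_path = build_known_good(PACKAGES)
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return classify_tree(root, by_hash, by_path)


if __name__ == "__main__":
    for category, entries in demo().items():
        print(category)
        for entry in entries:
            print("   ", entry)
```

To run it against a real image, replace the constructed PACKAGES with a list generated from package payloads and point classify_tree at the mount point or extraction directory on the analysis host; the script never executes anything from the tree it inspects, which is why hashing a mounted or extracted image from a clean environment is the sensible way to use it.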