On Wed, Oct 21, 2009 at 12:00:23AM +0200, nodata wrote:
> On 2009-10-20 23:48, Till Maas wrote:
>> Having a hash list of well known files might also help in forensics
>> analysis to find suspicious files. Also with determining the correct RPM
>> NVR one could use the repo metadata to check whether there are known
>> vulnerabilities for certain files or just to detect that the file is not
>> from an up-to-date RPM.
> How is this check going to be done?

The hash for each file on a filesystem is computed and then compared with
the list.

> Is the filesystem going to be mounted in a known clean environment? If
> not, what's the point?

Filesystems can also be accessed without actually mounting them. But a
clean environment should of course be used.

> If yes, how do you know the filesystem hasn't been returned to a clean
> state?

The process of forensics analysis is more complex than just running one
single command. Nevertheless, getting a list of suspicious files can lead
to finding the information one is interested in. And if all files match the
hash of a well-known file, then this information can also be used to
decide to investigate using other methods.

Regards
Till
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
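The check Till describes, hashing every file under an evidence tree and comparing it against a list of known-good hashes, as an added example that is not part of the thread and not Fedora's own tooling. It assumes the known-hash list has already been derived from package metadata as a mapping of relative path to SHA-256 (a constructed sample stands in for it here), that the evidence filesystem is reachable as a read-only directory (an image mounted read-only or otherwise exposed as a path), and that the interesting output is not just "mismatch" but four buckets: clean, modified, unknown (not in any package) and missing (listed but gone). Symlinks are skipped so the walk cannot be steered out of the evidence tree.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so large binaries don't land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_hashes):
    """Walk `root` (assumed: a read-only evidence tree) and classify every
    regular file against `known_hashes` (assumed: {relative path: sha256},
    as a hash list built from package metadata would give).

    Returns a dict with sorted lists under 'clean', 'modified',
    'unknown' and 'missing'."""
    root = Path(root)
    results = {"clean": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Don't follow symlinks: an attacker-controlled link could point
            # outside the evidence tree or at a "clean" copy of the file.
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            seen.add(rel)
            expected = known_hashes.get(rel)
            if expected is None:
                results["unknown"].append(rel)      # no package claims it
            elif sha256_file(p) == expected:
                results["clean"].append(rel)        # matches shipped content
            else:
                results["modified"].append(rel)     # packaged path, changed bytes
    # Files the hash list knows about that are no longer on disk.
    results["missing"] = sorted(set(known_hashes) - seen)
    for key in ("clean", "modified", "unknown"):
        results[key].sort()
    return results


def demo():
    """Constructed sample: a tiny fake root with one tampered binary, one
    file nobody packaged, and one packaged file that was deleted."""
    original = {
        "bin/ls": b"#!/bin/sh\necho ls-binary\n",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "lib/libc.so.6": b"\x7fELF fake libc",
    }
    # The hash list, as it would be produced from the pristine packages.
    known = {rel: hashlib.sha256(data).hexdigest() for rel, data in original.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in original.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # Simulated compromise of the evidence tree (constructed).
        (root / "bin/ls").write_bytes(b"#!/bin/sh\necho trojaned ls\n")
        (root / "tmp").mkdir()
        (root / "tmp/.hidden").write_bytes(b"dropper")
        (root / "lib/libc.so.6").unlink()
        return scan_tree(root, known)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:9s} {files}")
```

In real use `known_hashes` would come from the repository metadata for the exact RPM NVRs installed, and `root` would be the mount point of a read-only image; the walk itself never needs write access. The "unknown" and "missing" buckets are what make this useful beyond a plain mismatch report: a file under /tmp that no package owns, or a packaged library that has vanished, is exactly the kind of lead Till says the hash list should surface.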