On 08/02/2010 12:55, Lutz Schumann wrote:
> Hello,
> an idea popped into my mind while talking about security and intrusion
> detection.
> Host based ID may use Checksumming for file change tracking. It works like this:
> Once installed and knowing the software is "OK", a baseline is created.
> Then in every check - verify the current status of the data with the baseline
> and report changes.
> An example for this is AIDE.
> The difficult part is the checksumming - this takes time.
> My idea would be to use ZFS snapshots for this.
> baseline creation = create snapshot
> baseline verification = verify the checksums of the objects and report objects
> different
> This could work for non-zvol environments.
> Is it possible to extract the checksums of ZFS objects with a command line tool?

Only with the zdb(1M) tool but note that the checksums are NOT of files
but of the ZFS blocks.
--
Darren J Moffat
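
An added example, not part of the original thread: a minimal file-level baseline/verify check of the kind the quoted message describes, with `block_digests` illustrating the reply's point that per-block checksums are not file checksums. SHA-256, all function names and the sample files are assumptions made for this example; `block_digests` is a stand-in and does not reproduce ZFS's checksum algorithm or on-disk layout.

```python
import hashlib, os, tempfile

def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_baseline(root):
    """Map each regular file (path relative to root) to its content digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline

def verify(root, baseline):
    """Re-hash the tree and report what differs from the baseline."""
    current = make_baseline(root)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def block_digests(data, blocksize):
    """Per-block digests (stand-in only, not ZFS's algorithm or layout)."""
    return [hashlib.sha256(data[i:i + blocksize]).hexdigest()
            for i in range(0, len(data), blocksize)]

def demo():
    """Constructed sample tree: baseline it, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("login", b"AAAA"), ("sshd", b"BBBB"), ("motd", b"hi")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = make_baseline(root)
        with open(os.path.join(root, "sshd"), "wb") as f:
            f.write(b"BBBX")          # same size, different content
        os.remove(os.path.join(root, "motd"))
        open(os.path.join(root, "dropped"), "wb").close()
        return verify(root, baseline)
```

The per-block list changes with the block size even when the data is identical, so block-level values cannot be compared against a file-level baseline like the one `make_baseline` builds.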