Re: signing a filesystem

Andrew G. Morgan (morgan@parc.power.net)
Tue, 31 Dec 1996 06:53:53 -0800 (PST)


Olaf Kirch wrote:
>
> To: linux-kernel@vger.rutgers.edu
> Subject: Re: signing a filesystem
> X-Newsreader: TIN [UNIX 1.3 950515BETA PL0]
>
> Andrew Morgan wrote:
> : I've been wondering about the following scheme for making a filesystem
> : tamper-resistant. Would it be possible to digitally sign each inode?
>
> This begs the question whom you want to keep from tampering with
> the file system. If, as you suggest, a keyed hash using a single key
> would be employed, the implementation's security would hinge on you
> being able to keep users from gaining root privs. This doesn't very
> much improve on the current situation.

My primary purpose was to address the following question: when you reboot
your system, how can you be sure that its filesystem is in the state it was
when you last shut down? i.e. How can you be sure that someone hasn't booted
DOS and used some disk editing software to modify the data on the disk?

[this comes under the "system integrity" and "trusted recovery" parts of the
Orange Book

http://parc.power.net/morgan/Orange-Linux/index.html
]

Tripwire does this sort of thing, but is not so simple to maintain as this
on-the-fly approach.

Gaining root access on a running system remains the problem that it always
has been. But even CFS is vulnerable to root, who can simply replace the
cfs-binaries with versions that log everyone's cfs-keys to a printer as they
are entered.

This sort of vulnerability would require a more severe overhauling of the
kernel. That may indeed be warranted, but is not likely to happen
"overnight". Digitally signing inodes is something that seems modular; it does
not suffer from "encryption-problems" either, so it could be safely included
in the kernel source.

> If you really want to write such a thing, you should definitely ask
> Stephen Tweedie. I am sure he has thought this through a lot more
> thoroughly than I have.

Yes.

Best wishes

Andrew

-- 
        Linux-PAM: http://parc.power.net/morgan/Linux-PAM/index.html
          libpwdb: http://parc.power.net/morgan/libpwdb/index.html
       [ For those that prefer FTP  ---  ftp://ftp.lalug.org/morgan ]
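The scheme discussed in this thread, a keyed hash stored per inode under a single filesystem key, checked at boot to catch offline disk edits, as an added example that is not part of the original messages or of any kernel code. The inode layout, the field encoding and the key are constructed for the illustration; it also shows Olaf's caveat that anyone holding the key can re-sign after tampering.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

@dataclass
class Inode:  # minimal stand-in for an on-disk inode (constructed for this example)
    ino: int
    mode: int
    uid: int
    size: int
    data: bytes
    tag: bytes = b""  # keyed hash stored alongside the inode

def signed_view(inode):
    """Canonical byte encoding of the fields the keyed hash covers."""
    header = struct.pack(">IIIQ", inode.ino, inode.mode, inode.uid, inode.size)
    return header + hashlib.sha256(inode.data).digest()

def sign_inode(key, inode):
    """Store an HMAC-SHA256 over the inode under the single filesystem key."""
    inode.tag = hmac.new(key, signed_view(inode), hashlib.sha256).digest()
    return inode.tag

def verify_fs(key, inodes):
    """Boot-time check: return inode numbers whose keyed hash no longer matches."""
    bad = []
    for inode in inodes:
        expected = hmac.new(key, signed_view(inode), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, inode.tag):
            bad.append(inode.ino)
    return bad

def demo():
    key = b"constructed-demo-key"  # assumption: the key is held off the signed disk
    fs = [Inode(2, 0o040755, 0, 0, b""),
          Inode(11, 0o100755, 0, 6, b"#!/bin"),
          Inode(12, 0o100644, 1000, 6, b"hello\n")]
    for inode in fs:
        sign_inode(key, inode)
    clean = verify_fs(key, fs)
    # Offline edit without the key: new contents in inode 11, setuid bit on inode 12.
    fs[1].data, fs[1].size = b"#!/evil", 7
    fs[2].mode |= 0o4000
    tampered = verify_fs(key, fs)
    # Whoever holds the key (root on the running system) can re-sign and hide the edits.
    for inode in fs:
        sign_inode(key, inode)
    resigned = verify_fs(key, fs)
    return clean, tampered, resigned
```

The check catches the offline edits (inodes 11 and 12) but, as Olaf points out, not edits made by whoever can obtain the key, which is why the key's storage decides what the scheme actually protects against.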