rawiriblundell
commented
1 year ago Considerations:
- Performance. If a file is above a certain size, it becomes painful to calculate its hash. Perhaps a size-based fall-back from
sha256->md5->cksumcould mitigate this. To be benchmarked. - Where to store the output. We don't want to litter the filesystem, so perhaps something like
/var/tmp/haschanged/filename - This introduces an obvious security hole: an attacker wanting to defeat a lo-fi FIM like this can just simply update the cache object to match what they want. We can put in a lot of effort to try and mitigate this, but we'll just be reinventing perfectly good wheels that already exist, such as
auditdand off-system FIM/SIEMs. The reality is that if an attacker is on a system such that they can tweak cache objects like this, then you have far bigger issues
As described here:
https://blog.steve.fi/the_traffic_is_waiting_outside.html