Ubuntu QA
The Ubuntu community has contributed 13716 ideas, 65290 comments, 1273844 votes

Idea #6416: Report external file editing



Votes: -9
Written by Rioting_Pacifist the 5 Apr 08 at 03:01. Category: Security.
Related to: Nothing/Others. Status: New
Description
Report, via a non-intrusive popup (libnotify style or something), when
a) Files have been edited when the system was shut down.
b) Files in a user's home directory have been edited more recently than the last time they logged out.

A simple message like
"Files have been modified since the system's last successful shutdown/logout, click to see details"
would cover the fact that it will be triggered in the event of a crash. Clicking for details could then trigger a more detailed analysis.

There are obviously security flaws with this: an attacker can spoof the file edit times, an attacker would be able to disable the reporting system, etc., but some security would be gained against simple attacks (like logging in at recovery mode, or using a live CD).

Comments
Rioting_Pacifist wrote on the 5 Apr 08 at 14:48
Why is it being voted down? For those that don't want it, it could be disabled, but for the rest it will improve security.

3wings wrote on the 23 Apr 08 at 22:08
Which files should be checked?

In any case, this adds unnecessary overhead (hashing files at logon, comparing to hash database, updating hash database at logoff).

bochecha wrote on the 19 May 08 at 22:22
-1 for two reasons:

* "Files have been edited when the system was shutdown."
Duh! How can a file be edited if the system is shut down? -_-'

* as said by 3wings, this would cause *a hell of a lot* of overhead.

If you want to be sure important files have not been edited during your absence, just save a hash of those files, then check them back.

Once you see how much time it takes for some files, you'll understand why it can absolutely *not* be done at log in/out.
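The two checks discussed in this thread, side by side, as an added example that is not part of the original idea or any commenter's post: a baseline of modification time plus SHA-256 for a short list of files, compared at the next login. The file names and the in-memory baseline are constructed for the demo; a real tool would persist the baseline somewhere the files' editor cannot also rewrite.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(paths):
    """Baseline taken at logout/shutdown: path -> (mtime_ns, sha256)."""
    return {str(p): (os.stat(p).st_mtime_ns, sha256_file(p)) for p in paths}

def compare(baseline):
    """Check taken at the next login: path -> status string."""
    report = {}
    for path, (old_mtime, old_hash) in baseline.items():
        if not os.path.exists(path):
            report[path] = "removed"
        elif sha256_file(path) == old_hash:
            report[path] = "ok"
        elif os.stat(path).st_mtime_ns == old_mtime:
            # Content differs but the timestamp matches the baseline:
            # an mtime-only check would have missed this edit.
            report[path] = "modified, mtime unchanged"
        else:
            report[path] = "modified"
    return report

def demo():
    """Constructed sample files in a temp dir; returns name -> status."""
    with tempfile.TemporaryDirectory() as d:
        files = [Path(d) / n for n in ("bashrc", "profile", "authorized_keys")]
        for f in files:
            f.write_text("original\n")
        base = snapshot(files)
        old = base[str(files[1])][0]
        files[0].write_text("edited\n")
        os.utime(files[0], ns=(old + 10**9, old + 10**9))  # normal edit, newer mtime
        files[1].write_text("edited\n")
        os.utime(files[1], ns=(old, old))  # edit with the original mtime put back
        return {Path(p).name: s for p, s in compare(base).items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Hashing cost grows with the total size of the files listed, which is why the baseline here covers a handful of named files rather than a whole home directory.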

