I remember reading about a kernel-based rootkit which enabled the miscreant to redirect exec(2) requests to another file, while read(2) got the original, so you can checksum until you are blue in the face to no avail. Besides, the checksumming idea is fine for detecting changed files, but doesn't help with new files (say, for starting stuff via cron(8), or ...), and it is a big hassle whenever you (legitimately) change some file.
Copyright © 2017, Eklektix, Inc.