by dgoldstein0
3504 days ago
It's pretty hard to diff filesystems that aren't designed for it. Either you need to lock the whole filesystem somehow - e.g. by taking it offline - or you have to deal with the fact that other processes are reading/writing as you scan the filesystem, which is rather difficult to reason about. And it's not just about diffing your code with your repo - that only works if the attacker tried to attack your code. What about other running processes? New files on the system containing malicious code, outside of the paths you usually deploy code to? What about new, unexpected cron jobs? Overall, it could become a pretty complex job. A filesystem with some intrinsic snapshotting makes this a lot easier.
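To make the "diff two snapshots, then look outside the deploy paths" idea concrete, here is an added example (not the commenter's code): it hashes every file in two frozen trees, diffs the manifests, and grades each change by whether it lives under an assumed deploy path, an assumed cron directory, or somewhere else that deserves review. The manifest keys, `deploy_paths` and `cron_paths` are assumptions for illustration.

```python
"""Snapshot-diff sketch: compare two filesystem manifests and flag changes
that fall outside the paths a normal deploy touches (e.g. new cron jobs)."""
import hashlib
import os


def manifest(root):
    """Hash every regular file under root. Run this against a frozen snapshot
    mount, so nothing changes under you. Returns {relative_path: sha256_hex}."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks/specials: compare separately, not by content
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_manifests(before, after, deploy_paths=(), cron_paths=()):
    """Return sorted (kind, severity, path) findings. kind is added/removed/
    modified; severity is 'expected' under deploy_paths, 'suspicious' under
    cron_paths (assumed names), and 'review' for anything else."""
    def under(path, prefixes):
        return any(path.startswith(p.rstrip("/") + "/") for p in prefixes)

    def severity(path):
        if under(path, cron_paths):
            return "suspicious"
        if under(path, deploy_paths):
            return "expected"
        return "review"

    findings = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            kind = "added"
        elif path not in after:
            kind = "removed"
        elif before[path] != after[path]:
            kind = "modified"
        else:
            continue  # unchanged
        findings.append((kind, severity(path), path))
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample: two throwaway trees standing in for before/after snapshots.
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, files in ((a, {"srv/app/main.py": "v1"}),
                            (b, {"srv/app/main.py": "v2", "etc/cron.d/unexpected": "# sample"})):
            for rel, body in files.items():
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
                with open(os.path.join(root, rel), "w") as fh:
                    fh.write(body)
        for finding in diff_manifests(manifest(a), manifest(b), ("srv/app",), ("etc/cron.d",)):
            print(finding)
```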