[OpenIndiana-discuss] What changed my files timestamp?
James Carlson
carlsonj at workingcode.com
Sun Jun 26 19:27:28 UTC 2016
On 6/24/2016 7:47 PM, Jerry Kemp wrote:
> Using the routeadm command as an example.
>
> /sbin 445 # ls -l /sbin/routeadm
>
> -r-xr-xr-x 1 root bin 45992 Dec 16 2010 /sbin/routeadm
>
> /sbin 446 #
>
>
> If I were to look at this file next week, and saw that it was identical,
> aside from the fact that it now had a new time stamp of
>
> 24 June 2016
>
> , is there any way using tools/applications within OpenIndiana to know
> who or what or what process modified the file's time stamp? Or possibly
> tools external to OpenIndiana?

Just to clarify: have you actually seen the mtime on /sbin/routeadm
change in an unexpected way, or is that just illustrative of one
possible file path you'd like to protect against unwanted change?

In general, UNIX doesn't keep records of which process or user made a
change. There are records kept for a change from one UID to another
(login, su, sudo, pfexec, and the like), and in many cases those are
sufficient for locating a culprit, but the records don't include
individual changes made.

But see also Solaris Auditing, which does in fact do the sorts of things
you're describing:

http://docs.oracle.com/cd/E19253-01/816-4557/auditov-1/index.html

--
James Carlson 42.703N 71.076W <carlsonj at workingcode.com>
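
Added example, not part of the original message or of any OpenIndiana tool: a baseline check for the scenario in the question, a file whose bytes are identical but whose mtime has moved. The function names and the temporary sample file are constructed for illustration. It relies on the POSIX behaviour that setting mtime with utime() also updates ctime, so the new ctime bounds when the rewrite happened; it cannot say who did it, which is what the auditing subsystem mentioned above is for.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Record the content hash plus the mtime/ctime pair for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def classify(old, new):
    """Compare two snapshots of the same path and name the kind of change."""
    if old["sha256"] != new["sha256"]:
        return "content-changed"
    if old["mtime_ns"] != new["mtime_ns"]:
        return "timestamp-only"      # same bytes, mtime rewritten
    if old["ctime_ns"] != new["ctime_ns"]:
        return "metadata-only"       # chmod/chown, or mtime put back to its old value
    return "unchanged"


def demo():
    """Constructed scenario: same bytes, mtime rewritten by utime()."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed sample contents\n")
        path = fh.name
    try:
        old_time = time.time() - 5 * 365 * 86400   # pretend the file is years old
        os.utime(path, (old_time, old_time))
        before = snapshot(path)
        time.sleep(0.05)                           # let the filesystem clock advance
        now = time.time()
        os.utime(path, (now, now))                 # the "new time stamp" case
        after = snapshot(path)
        return classify(before, after), after["ctime_ns"] > before["ctime_ns"]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    verdict, ctime_moved = demo()
    print(verdict, "ctime advanced:", ctime_moved)
```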