[OpenIndiana-discuss] What changed my files timestamp?

Richard L. Hamilton rlhamil at smart.net
Sun Jun 26 21:39:20 UTC 2016


> On Jun 26, 2016, at 15:27, James Carlson <carlsonj at workingcode.com> wrote:
> 
> On 6/24/2016 7:47 PM, Jerry Kemp wrote:
>> Using the routeadm command as an example.
>> 
>> /sbin 445 # ls -l /sbin/routeadm
>> 
>> -r-xr-xr-x   1 root     bin        45992 Dec 16  2010 /sbin/routeadm
>> 
>> /sbin 446 #
>> 
>> 
>> If I were to look at this file next week, and saw that it was identical,
>> aside from the fact that it now had a new time stamp of
>> 
>> 24 June 2016
>> 
>> , is there any way using tools/applications within OpenIndiana to know
>> who or what or what process modified the files time stamp?  Or possibly
>> tools external to OpenIndiana?
> 
> Just to clarify: have you actually seen the mtime on /sbin/routeadm
> change in an unexpected way, or is that just illustrative of one
> possible file path you'd like to protect against unwanted change?
> 
> In general, UNIX doesn't keep records of which process or user made a
> change.  There are records kept for a change from one UID to another
> (login, su, sudo, pfexec, and the like), and in many cases those are
> sufficient for locating a culprit, but the records don't include
> individual changes made.
> 
> But see also Solaris Auditing, which does in fact do the sorts of things
> you're describing:
> 
> http://docs.oracle.com/cd/E19253-01/816-4557/auditov-1/index.html
> 

To put to rest concerns as to whether a packaged file was tampered with, there are possibilities:
root@t5240ctl:~# pkg search /usr/sbin/routeadm
INDEX      ACTION VALUE             PACKAGE
path       file   usr/sbin/routeadm pkg:/system/network@0.5.11-0.175.3.0.0.30.0
root@t5240ctl:~# pkg verify pkg:/system/network@0.5.11-0.175.3.0.0.30.0
root at t5240ctl:~# echo $?
0

There's also "pkg history" to see when changes via the pkg mechanism have been made.

But to actually tell exactly what did it, yes, I don't think anything but auditing already set up, and collecting the applicable information, would do that.
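Added example, not part of the thread above and not OpenIndiana or pkg(1) code: `pkg verify` answers the question for packaged files, but the same idea (record a baseline, compare later) works for any file, and the comparison can say more than "the timestamp moved". The script below snapshots the attributes a defender cares about (content hash, size, mode, owner, mtime, ctime) and classifies a later snapshot against the baseline. It relies on two POSIX facts: utime(2)/`touch` can set mtime to any value, but ctime is always written by the kernel to the current time and cannot be set from userland, so an mtime later than ctime never results from an ordinary write, and an unchanged hash with a moved mtime means a metadata-only change rather than a rewrite. The file name `routeadm` and the 2010 timestamp are constructed stand-ins for the listing in the thread; the whole scenario runs in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
import time

# Finding labels returned by classify(); stable strings so callers can match on them.
CONTENT_CHANGED = "content changed"
MTIME_ONLY = "mtime changed, content identical"
MTIME_BACKDATED = "mtime earlier than baseline"
MTIME_AFTER_CTIME = "mtime later than ctime"
OWNER_OR_MODE = "owner or mode changed"


def snapshot(path):
    """Record the attributes that matter for tamper detection on one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,  # set by the kernel on any inode change; not settable via utime()
        "sha256": digest,
    }


def classify(before, after):
    """Interpret the difference between a baseline snapshot and a later one."""
    findings = []
    if before["sha256"] != after["sha256"]:
        findings.append(CONTENT_CHANGED)
    elif before["mtime"] != after["mtime"]:
        # Same bytes, different mtime: touch/utime or a rewrite with identical content.
        findings.append(MTIME_ONLY)
    if after["mtime"] < before["mtime"]:
        findings.append(MTIME_BACKDATED)
    if after["mtime"] > after["ctime"]:
        # A normal write sets mtime and ctime together, so this only happens
        # when mtime was explicitly set to a time later than the last inode change.
        findings.append(MTIME_AFTER_CTIME)
    if any(before[k] != after[k] for k in ("mode", "uid", "gid")):
        findings.append(OWNER_OR_MODE)
    return findings


def demo():
    """Constructed scenario: baseline a stand-in file, then replay three kinds of change."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "routeadm")  # constructed stand-in, not the real binary
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho routeadm stub\n")
        baseline = snapshot(path)

        # 1. mtime reset to an old date (constructed: 2010-12-16), content untouched.
        old = 1292457600
        os.utime(path, (old, old))
        results["backdated"] = classify(baseline, snapshot(path))

        # 2. File rewritten with different content.
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho modified\n")
        results["rewritten"] = classify(baseline, snapshot(path))

        # 3. mtime pushed an hour into the future; ctime stays at "now".
        future = time.time() + 3600
        os.utime(path, (future, future))
        results["future"] = classify(baseline, snapshot(path))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings}")
```

The baseline is only as trustworthy as its storage, so in practice the snapshots would be written somewhere the monitored host cannot alter them, and the comparison would run on a schedule. None of this names the process that made the change; as the thread says, only auditing configured before the event can do that.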