[OpenIndiana-discuss] What changed my files timestamp?

Jim Klimov jimklimov at cos.ru
Mon Jun 27 15:37:23 UTC 2016


On 26 June 2016 at 21:27:28 CEST, James Carlson <carlsonj at workingcode.com> wrote:
>On 6/24/2016 7:47 PM, Jerry Kemp wrote:
>> Using the routeadm command as an example.
>> 
>> /sbin 445 # ls -l /sbin/routeadm
>> 
>> -r-xr-xr-x   1 root     bin        45992 Dec 16  2010 /sbin/routeadm
>> 
>> /sbin 446 #
>> 
>> 
>> If I were to look at this file next week, and saw that it was identical,
>> aside from the fact that it now had a new time stamp of
>> 
>> 24 June 2016
>> 
>> , is there any way using tools/applications within OpenIndiana to know
>> who or what or what process modified the file's time stamp?  Or possibly
>> tools external to OpenIndiana?
>
>Just to clarify: have you actually seen the mtime on /sbin/routeadm
>change in an unexpected way, or is that just illustrative of one
>possible file path you'd like to protect against unwanted change?
>
>In general, UNIX doesn't keep records of which process or user made a
>change.  There are records kept for a change from one UID to another
>(login, su, sudo, pfexec, and the like), and in many cases those are
>sufficient for locating a culprit, but the records don't include
>individual changes made.
>
>But see also Solaris Auditing, which does in fact do the sorts of things
>you're describing:
>
>http://docs.oracle.com/cd/E19253-01/816-4557/auditov-1/index.html

Also, I recently saw an LD_PRELOAD libsnoopy catch exec{ve}() calls and pass lines to logger. I haven't tested it yet under Solarish OSes, but it was easy to fire up under Debian.

Jim

--
Typos courtesy of K-9 Mail on my Samsung Android
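Added example, not code from the thread: a small Python baseline check that tells a moved timestamp apart from changed content for a set of files such as /sbin/routeadm. The temp-dir scenario, file names and the epoch value it sets are constructed; as the reply above says, this finds *what* changed, not *who*, which is what auditing is for.

```python
import hashlib
import os
import tempfile


def snapshot(paths):
    """Record (mtime, sha256) per path: the baseline to re-check later."""
    out = {}
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        out[p] = (os.stat(p).st_mtime, h.hexdigest())
    return out


def compare(baseline, current):
    """Classify each baseline path as 'unchanged', 'touched' (mtime moved,
    content identical), 'modified' (content differs) or 'missing'."""
    report = {}
    for p, (mtime, digest) in baseline.items():
        if p not in current:
            report[p] = "missing"
        elif current[p][1] != digest:
            report[p] = "modified"
        elif current[p][0] != mtime:
            report[p] = "touched"
        else:
            report[p] = "unchanged"
    return report


def demo():
    """Constructed scenario in a temp dir standing in for /sbin."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("routeadm", "other", "gone")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"contents of " + os.path.basename(p).encode())
    base = snapshot(paths)
    # routeadm: timestamp moved, bytes untouched (constructed epoch, 24 Jun 2016 UTC)
    os.utime(paths[0], (1466726400, 1466726400))
    with open(paths[1], "ab") as f:  # other: content really changed
        f.write(b" patched")
    os.remove(paths[2])  # gone: file removed since the baseline
    current = snapshot([p for p in paths if os.path.exists(p)])
    return {os.path.basename(p): v for p, v in compare(base, current).items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```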
