[OpenIndiana-discuss] What changed my files timestamp?
Alan Coopersmith
alan.coopersmith at oracle.com
Tue Jun 28 17:17:09 UTC 2016
On 06/27/16 08:37 AM, Jim Klimov wrote:
> On 26 June 2016 21:27:28 CEST, James Carlson <carlsonj at workingcode.com> wrote:
>> On 6/24/2016 7:47 PM, Jerry Kemp wrote:
>>> Using the routeadm command as an example.
>>>
>>> /sbin 445 # ls -l /sbin/routeadm
>>>
>>> -r-xr-xr-x 1 root bin 45992 Dec 16 2010 /sbin/routeadm
>>>
>>> /sbin 446 #
>>>
>>>
>>> If I were to look at this file next week, and saw that it was
>>> identical, aside from the fact that it now had a new time stamp of
>>>
>>> 24 June 2016
>>>
>>> , is there any way using tools/applications within OpenIndiana to
>>> know who or what or what process modified the file's time stamp? Or
>>> possibly tools external to OpenIndiana?
>>
>> Just to clarify: have you actually seen the mtime on /sbin/routeadm
>> change in an unexpected way, or is that just illustrative of one
>> possible file path you'd like to protect against unwanted change?
>>
>> In general, UNIX doesn't keep records of which process or user made a
>> change. There are records kept for a change from one UID to another
>> (login, su, sudo, pfexec, and the like), and in many cases those are
>> sufficient for locating a culprit, but the records don't include
>> individual changes made.
>>
>> But see also Solaris Auditing, which does in fact do the sorts of things
>> you're describing:
>>
>> http://docs.oracle.com/cd/E19253-01/816-4557/auditov-1/index.html
>
> Also I recently saw an LD_PRELOAD libsnoopy catching exec{ve}() calls and passing lines to logger. Did not test it yet under Solarish OSes, but it was easy to fire up under Debian.

That seems useful for debugging, but not auditing, as LD_PRELOAD is ignored
by setuid programs, and can be unset in the environment by anyone.
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
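The thread's starting point is a file whose bytes are unchanged but whose timestamp moved, and James's reply is that plain UNIX records only that a change happened, not who made it (that is what auditing adds). The following script, an added example that is not part of this thread or of any OpenIndiana tool, shows the part a local check can do: take a baseline of mtime, ctime, size and SHA-256 for a set of files, take it again later, and classify each file as unchanged, timestamp-only, content-changed, added or removed. The scenario it runs on is constructed in a temporary directory; the function names are my own.

```python
"""Baseline-and-compare file check.  Added example, not from the thread.

Distinguishes the case the original poster describes (same bytes, new
timestamp) from a real content change.  It tells you *that* a file changed,
never *who* changed it; for that you need the OS audit trail.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

# path -> (mtime_ns, ctime_ns, size, sha256 hex digest)
Snapshot = Dict[str, Tuple[int, int, int, str]]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths: List[str]) -> Snapshot:
    """Record mtime, ctime, size and content hash of each regular file.

    ctime is kept alongside mtime because mtime can be set to any value by
    the file owner (touch -t, utime), whereas a utime call also bumps ctime
    to the current time; a stale-looking mtime with a fresh ctime is a hint.
    """
    snap: Snapshot = {}
    for p in paths:
        st = os.lstat(p)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip symlinks, directories, devices
        snap[p] = (st.st_mtime_ns, st.st_ctime_ns, st.st_size, _sha256(p))
    return snap


def compare(before: Snapshot, after: Snapshot) -> Dict[str, str]:
    """Classify every path seen in either snapshot."""
    result: Dict[str, str] = {}
    for p in sorted(set(before) | set(after)):
        if p not in after:
            result[p] = "removed"
        elif p not in before:
            result[p] = "added"
        else:
            mt0, ct0, sz0, h0 = before[p]
            mt1, ct1, sz1, h1 = after[p]
            if h0 != h1 or sz0 != sz1:
                result[p] = "content-changed"
            elif mt0 != mt1 or ct0 != ct1:
                result[p] = "timestamp-only"  # the poster's routeadm case
            else:
                result[p] = "unchanged"
    return result


def demo() -> Dict[str, str]:
    """Constructed scenario: one file touched, one rewritten, one left alone."""
    d = tempfile.mkdtemp()
    try:
        touched = os.path.join(d, "touched")
        rewritten = os.path.join(d, "rewritten")
        untouched = os.path.join(d, "untouched")
        for p in (touched, rewritten, untouched):
            with open(p, "wb") as f:
                f.write(b"original bytes\n")
        before = snapshot([touched, rewritten, untouched])
        # Equivalent of `touch -t`: only atime/mtime are set; ctime still moves.
        os.utime(touched, ns=(1_000_000_000_000_000_000, 1_000_000_000_000_000_000))
        with open(rewritten, "wb") as f:
            f.write(b"different bytes\n")
        after = snapshot([touched, rewritten, untouched])
        return {os.path.basename(p): k for p, k in compare(before, after).items()}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
```

Run against a real baseline (say, a snapshot of /sbin stored off-host) this answers "did the bytes change or only the stamp?"; the "who" still has to come from the audit trail James points to, since nothing in the inode records the modifying process.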