What actions/processes change the ctime of files?

asked 2014-01-31 14:20:09 -0600

gsauthof

I am using DAR for backups - since I am on Fedora 19 DAR often warns me about ctime changes, e.g.

SECURITY WARNING! SUSPICIOUS FILE /etc/libaudit.conf: ctime changed since archive of reference was done, while no other inode information changed
SECURITY WARNING! SUSPICIOUS FILE /var/spool/anacron/cron.monthly: ctime changed since archive of reference was done, while no other inode information changed
SECURITY WARNING! SUSPICIOUS FILE /var/lib/yum/yumdb/p/233184a47540b0aa47efbd2a09a092dc9515f70f-python-sssdconfig-1.11.1-1.fc19-noarch/checksum_type: ctime changed since archive of reference was done, while no other inode information changed

Sometimes there are a lot of warnings - sometimes just a few. Files in my home directory are also referenced, sometimes.

DAR has a FAQ entry on this warning:

[..] However, some rootkits and other nasty programs that tend to hide themselves from the system administrator use this trick and modify the mtime to become more difficult to detect. However the ctime keeps track of the date and time of their infamy. However, ctime may also change while neither mtime nor atime do, in several almost rare but normal situations. Thus, if you are faced with this message, you should first verify the following points before thinking your system has been infected by a rootkit:

  • have you added or removed a hardlink pointing to that file and this file's data has not been modified since last backup?
  • have you changed this file's extended attributes (including Linux ACL and MacOS file forks) while the file's data has not been modified since last backup?
  • have you recently restored your data and are now performing a differential backup taking as reference the archive used to restore that same data? Or in other words, has that particular file just been restored from a backup (was removed by accident for example)?
  • have you just moved from a dar version older than release 2.4.0 to dar version 2.4.0 or more recent?

[..]

Ok, I can exclude the last two items.

Regarding hardlinks: does yum create/change some hardlinks when changing its filesystem based database?

Regarding ACLs: I usually don't change ACLs on the files referenced in the warning messages - are there processes that yield ACL/SELinux-attribute changes?

How can I list file attributes (ACLs/SELinux) DAR seems to be unable to include in its check? Such that I can investigate the reason for a ctime change?

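The question asks how to see the inode fields (ACLs, SELinux label, link count, ownership) that move ctime without moving mtime. The script below is an added example written for this page; it is not from the question's author and not part of DAR. It snapshots everything the kernel updates ctime for, including the raw extended attributes where POSIX ACLs (system.posix_acl_access) and the SELinux label (security.selinux) are stored, then diffs two snapshots and names the cause. The temporary file, the chmod/hardlink/utime operations and the 0.05 s sleeps are constructed for the demo; the "timestomp" case reproduces the trick the DAR FAQ describes, where mtime is put back to its old value but ctime still advances.

```python
"""Snapshot the inode metadata behind ctime and explain why it moved.

Added example (not from the original question or from DAR). Assumes a
Linux filesystem; xattr listing is skipped where the filesystem has none.
"""
import os
import stat
import tempfile
import time


def snapshot(path):
    """Capture every inode field whose change bumps ctime, plus raw xattrs."""
    st = os.lstat(path)
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "nlink": st.st_nlink,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,
        "xattrs": {},
    }
    # POSIX ACLs live in system.posix_acl_access / system.posix_acl_default,
    # the SELinux label in security.selinux; listxattr shows them all raw.
    if hasattr(os, "listxattr"):
        try:
            for name in os.listxattr(path, follow_symlinks=False):
                rec["xattrs"][name] = os.getxattr(path, name, follow_symlinks=False).hex()
        except OSError:
            pass  # filesystem without xattr support: nothing to record
    return rec


def explain_ctime_change(before, after):
    """Return the reasons for a ctime change; empty list if ctime is unchanged."""
    if before["ctime_ns"] == after["ctime_ns"]:
        return []
    reasons = []
    if before["mtime_ns"] != after["mtime_ns"] or before["size"] != after["size"]:
        reasons.append("data or mtime changed (ordinary write)")
    if before["mode"] != after["mode"]:
        reasons.append("mode %o -> %o (chmod)" % (before["mode"], after["mode"]))
    if (before["uid"], before["gid"]) != (after["uid"], after["gid"]):
        reasons.append("owner changed (chown)")
    if before["nlink"] != after["nlink"]:
        reasons.append("link count %d -> %d (hardlink added/removed)"
                       % (before["nlink"], after["nlink"]))
    for name in sorted(set(before["xattrs"]) | set(after["xattrs"])):
        if before["xattrs"].get(name) != after["xattrs"].get(name):
            if name.startswith("system.posix_acl"):
                kind = "ACL"
            elif name == "security.selinux":
                kind = "SELinux label"
            else:
                kind = "xattr"
            reasons.append("%s %s changed" % (kind, name))
    if not reasons:
        # Exactly DAR's "ctime changed while no other inode information
        # changed": a restore, an explicit utime(), or something to look at.
        reasons.append("unexplained: ctime moved but no visible inode field did")
    return reasons


def demo():
    """Constructed scenario: apply typical ctime-only changes and explain each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        f = os.path.join(d, "conf")
        with open(f, "w") as fh:
            fh.write("x=1\n")
        os.chmod(f, 0o644)  # fixed starting mode regardless of umask
        base = snapshot(f)

        time.sleep(0.05)  # let the kernel's coarse timestamp clock advance
        os.chmod(f, 0o640)
        results["chmod"] = explain_ctime_change(base, snapshot(f))

        base = snapshot(f)
        time.sleep(0.05)
        os.link(f, os.path.join(d, "conf.link"))
        results["link"] = explain_ctime_change(base, snapshot(f))

        base = snapshot(f)
        time.sleep(0.05)
        # Timestomp: put mtime back to its old value; ctime still advances.
        os.utime(f, ns=(base["mtime_ns"], base["mtime_ns"]))
        results["timestomp"] = explain_ctime_change(base, snapshot(f))

        base = snapshot(f)
        results["noop"] = explain_ctime_change(base, snapshot(f))
    return results


if __name__ == "__main__":
    for case, why in demo().items():
        print(case, "->", why or "ctime unchanged")
```

Run it as is to see the four cases; to chase a real DAR warning, call snapshot() on the flagged paths after each backup, store the dicts, and pass the previous and current one to explain_ctime_change(). On the command line the same fields come from stat, getfacl, and getfattr -d -m - (the -m - pattern is what makes getfattr print security.selinux and system.posix_acl_* instead of only user.* attributes).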