On Tue, Dec 10, 2024 at 01:10:16PM +0000, Richard Lewis wrote:
> On Tue, 10 Dec 2024, 09:10 Julian Gilbey, <j...@debian.org> wrote:
>
> On Mon, Dec 09, 2024 at 10:45:40PM +0000, Richard Lewis wrote:
> > On Mon, 9 Dec 2024, 12:42 Julian Gilbey, <j...@debian.org> wrote:
>
> chkrootkit updates the
> > access times of all the files in /tmp
>
> > it to that time afterwards (presumably using utimes(2) or similar).
>
> Something like this should work in a shell script:
>
> origtime=$(ls --full-time -u "$filename" | cut -d' ' -f6-8)
> touch -a --date="$origtime" "$filename"
>
> (though it might need a bit more testing).
>
> I suppose you could make this happen in /usr/lib/chkrootkit/check_php
> a thought --- would a better way be to make the daily run have a read-only
> filesystem? I think systemd can do that with hardening directives and it might
> avoid a lot of work.

That's an interesting possibility I wasn't aware of. If that can be
done, it would be perfect.

> Otherwise you would need to make this work with the -p -r and -e options (and we
> will continue to pretend not to notice -x), and provide tests

(I'm not sure whether this means that I (Julian) would need to make it
work, or whether it means that someone would have to make it work. I
don't have the capacity to work on this myself, I'm afraid.)

Best wishes,

Julian
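
A variant of the save-and-restore idea quoted above, as an added example that is not part of the original thread or of chkrootkit: it reads the access time with `stat` instead of parsing `ls` output, so sub-second precision and odd filenames survive. The function names are hypothetical, and GNU coreutils (`stat -c`, `touch --date`) is assumed.

```shell
#!/bin/sh
# Added example (not chkrootkit code): run a command that reads a file,
# then put the file's access time back to what it was before the read.
# Assumes GNU coreutils. Function names are hypothetical.

# with_atime_preserved FILE CMD [ARGS...]
# Runs CMD, restores FILE's atime, and returns CMD's exit status.
# Returns 1 if FILE cannot be stat'ed or its atime cannot be restored.
with_atime_preserved() {
    _file=$1
    shift
    # %x is the full access timestamp, including nanoseconds and zone.
    _orig=$(stat -c %x -- "$_file") || return 1
    _status=0
    "$@" || _status=$?
    # -a changes only atime; mtime is untouched. Caveats: ctime is still
    # updated by this call, and any access made by another process
    # between the stat and the touch is overwritten.
    touch -a --date="$_orig" -- "$_file" || return 1
    return "$_status"
}

# atime_epoch FILE: access time in whole seconds since the epoch.
atime_epoch() {
    stat -c %X -- "$1"
}

# mtime_epoch FILE: modification time in whole seconds since the epoch.
mtime_epoch() {
    stat -c %Y -- "$1"
}
```

Restoring the atime changes the ctime, so a timeline built from ctime will still show that the file was touched.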