> On Jun 26, 2016, at 15:27, James Carlson <[email protected]> wrote: > > On 6/24/2016 7:47 PM, Jerry Kemp wrote: >> Using the routeadm command as an example. >> >> /sbin 445 # ls -l /sbin/routeadm >> >> -r-xr-xr-x 1 root bin 45992 Dec 16 2010 /sbin/routeadm >> >> /sbin 446 # >> >> >> If I were to look at this file next week, and saw that it was identical, >> aside from the fact that it now had a new time stamp of >> >> 24 June 2016 >> >> , is there any way using tools/applications within OpenIndiana to know >> who or what or what process modified the files time stamp? Or possibly >> tools external to OpenIndiana? > > Just to clarify: have you actually seen the mtime on /sbin/routeadm > change in an unexpected way, or is that just illustrative of one > possible file path you'd like to protect against unwanted change? > > In general, UNIX doesn't keep records of which process or user made a > change. There are records kept for a change from one UID to another > (login, su, sudo, pfexec, and the like), and in many cases those are > sufficient for locating a culprit, but the records don't include > individual changes made. > > But see also Solaris Auditing, which does in fact do the sorts of things > you're describing: > > http://docs.oracle.com/cd/E19253-01/816-4557/auditov-1/index.html >
To put to rest concerns as to whether a packaged file was tampered with, there are possibilities: root@t5240ctl:~# pkg search /usr/sbin/routeadm INDEX ACTION VALUE PACKAGE path file usr/sbin/routeadm pkg:/system/[email protected] root@t5240ctl:~# pkg verify pkg:/system/[email protected] root@t5240ctl:~# echo $? 0 There's also "pkg history" to see when changes via the pkg mechanism have been made. But to actually tell exactly what did it, yes, I don't think anything but auditing already set up, and collecting the applicable information, would do that. _______________________________________________ openindiana-discuss mailing list [email protected] http://openindiana.org/mailman/listinfo/openindiana-discuss
