Solved: How to detect the source of a change time in a specific file?

wisdown


Looking in my tripwire logs I got:

Code:
Modified:
"/etc/ssl/private"
"/etc/ssl/private/server.key"

And:


Code:
Modified object name:  /etc/ssl/private/server.key

  Property:            Expected                    Observed                   
  -------------        -----------                 -----------                 
  Object Type          Regular File                Regular File               
  Device Number        -612501196                  -612501196                 
  File Device Number   0                           0                           
  Inode Number         2204                        2204                       
  Mode                 -r--------                  -r--------                 
  Num Links            1                           1                           
  UID                  root (0)                    root (0)                   
  GID                  wheel (0)                   wheel (0)                   
  Size                 3272                        3272                       
  Modify Time          Mon Nov 11 16:01:14 2019    Mon Nov 11 16:01:14 2019   
* Change Time          Sat Jan  4 13:00:00 2020    Tue Jan  7 04:00:02 2020   
  Blocks               9                           9                           
  CRC32                A20AEL                      A20AEL                     
  MD5                  C8jWbeyZ9+qAmKi7C8kJP0      C8jWbeyZ9+qAmKi7C8kJP0

Does change time include access time?
Because I do a restart of services by cron every time I regenerate the DH params.

Another similar and weird behaviour is about perl: mostly files in /usr/local/lib/perl5/5.30/perl/ get the same issue (warning about change time). Is this OK?

PS: I have compiled everything from source; the question is about the possibility of getting a modified and compromised port, or a failure in server setup, so that it is now probably already compromised.

PS2: If it is not expected behaviour, is there a way to see what is making the Modify Time occur?
 

VladiBG


Code:
st_ctim          Time when file status was last changed (inode data
                      modification).  Changed implicitly by any syscall that
                      affects file metadata, including st_mtim, such as
                      chflags(2), chmod(2), chown(2), truncate(2), utimes(2),
                      and write(2).  Also, any syscall which modifies
                      directory content changes the st_ctim for the affected
                      directory.  For instance, creat(2), mkdir(2), rename(2),
                      link(2), and unlink(2).

Here is the stat(2) manual
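
As an added example (not part of the thread and not tripwire's own code), this Python sketch applies several of the operations named in the stat(2) excerpt to a scratch file and reports which timestamps each one moves, reproducing the report's pattern of an unchanged Modify Time with a new Change Time. The file name, sample bytes and choice of operations are assumptions, and whether a plain read moves atime depends on mount options.

```python
import os
import tempfile
import time

FIELDS = ("st_atime_ns", "st_mtime_ns", "st_ctime_ns")
SAMPLE = b"constructed sample bytes, not a real key\n"

def read_only(path):
    with open(path, "rb") as fh:
        fh.read()

def rewrite_same_bytes(path):
    with open(path, "r+b") as fh:      # write(2) with identical content
        fh.write(SAMPLE)

def chmod_readonly(path):
    os.chmod(path, 0o400)              # chmod(2)

def link_and_unlink(path):
    os.link(path, path + ".bak")       # link(2) bumps the link count
    os.unlink(path + ".bak")           # unlink(2) restores it

def restore_times(path):
    st = os.stat(path)                 # utimes(2)-style call, same values
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def probe(operation):
    """Apply operation to a fresh file; return the set of timestamps it moved."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.key")   # constructed stand-in file
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o600)
        time.sleep(0.05)               # step past timestamp granularity
        before = os.stat(path)
        operation(path)
        after = os.stat(path)
    return {f[3:-3] for f in FIELDS if getattr(before, f) != getattr(after, f)}

OPERATIONS = (read_only, rewrite_same_bytes, chmod_readonly,
              link_and_unlink, restore_times)

if __name__ == "__main__":
    for op in OPERATIONS:
        print(f"{op.__name__:20} changed: {sorted(probe(op)) or 'nothing'}")
```

A ctime-only change with identical size, mtime and hashes therefore points at a metadata operation (mode, ownership, link count, or timestamps being set), not at a read or a content change.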
 