hi all,
I have a little doubt about how FreeBSD sets the atime/mtime of some files and directories right after boot.
I have 2 FreeBSD 8.2-RELEASE systems: my desktop at home and a virtual machine at work, and both behave in the same manner and have the same configurations.
I am a little paranoid, so I have installed security/aide on both systems, and I have a cron job that performs the check every day.
Some times ago I noticed that sometimes aide reports several warnings like this:
[cmd=]/var mtime in future[/cmd]
At first I tought that I could have a problem in my date/time settings, but it's all ok: CMOS time is set to local time, /etc/wall_cmos_clock exists, /etc/localtime is right and I keep the clock updated with ntp. So, my time settings are correct - or at least i think they are correct.
But investigating I found that after the system starts, some files and directories have the atime and/or mtime set in the future - like aide said:
/entropy and /dev/ have the atime forward by 2 hours, and other files under /etc, /dev and /var have the same time.
It seems that everything "touched" during the system startup will get these times in the future.
So, if I don't want to see these warnings, I must make sure that by the time the aide cron job starts, the system was started at least 2 hours before.
It's not a real problem, but I am just curious.
Anyone have an idea?
I have a little doubt about how FreeBSD sets the atime/mtime of some files and directories right after boot.
I have 2 FreeBSD 8.2-RELEASE systems: my desktop at home and a virtual machine at work, and both behave in the same manner and have the same configurations.
I am a little paranoid, so I have installed security/aide on both systems, and I have a cron job that performs the check every day.
Some times ago I noticed that sometimes aide reports several warnings like this:
[cmd=]/var mtime in future[/cmd]
At first I tought that I could have a problem in my date/time settings, but it's all ok: CMOS time is set to local time, /etc/wall_cmos_clock exists, /etc/localtime is right and I keep the clock updated with ntp. So, my time settings are correct - or at least i think they are correct.
But investigating I found that after the system starts, some files and directories have the atime and/or mtime set in the future - like aide said:
Code:
# date
Fri Sep 16 15:31:06 CEST 2011
# last | head -2 | grep reboot
reboot ~ Fri Sep 16 15:29
# ls -ltu /
total 323
-rw------- 1 root wheel 4096 Sep 16 17:29 entropy
dr-xr-xr-x 5 root wheel 512 Sep 16 17:28 dev/
drwxr-xr-x 4 root wheel 512 Sep 16 15:31 mnt/
<cut>
/entropy and /dev/ have the atime forward by 2 hours, and other files under /etc, /dev and /var have the same time.
It seems that everything "touched" during the system startup will get these times in the future.
So, if I don't want to see these warnings, I must make sure that by the time the aide cron job starts, the system was started at least 2 hours before.
It's not a real problem, but I am just curious.
Anyone have an idea?