On Tue, 10 Dec 2024, 09:10 Julian Gilbey, <j...@debian.org> wrote:

> On Mon, Dec 09, 2024 at 10:45:40PM +0000, Richard Lewis wrote:
> > On Mon, 9 Dec 2024, 12:42 Julian Gilbey, <j...@debian.org> wrote:
> > chkrootkit updates the
> > access times of all the files in /tmp
> > it to that time afterwards (presumably using utimes(2) or similar).
> >
> Something like this should work in a shell script:
>
> origtime=$(ls --full-time -u "$filename" | cut -d' ' -f6-8)
> touch -a --date="$origtime" "$filename"
>
> (though it might need a bit more testing).
>

I suppose you could make this happen in /usr/lib/chkrootkit/check_php

A thought --- would a better way be to make the daily run have a read-only filesystem? I think systemd can do that with hardening directives and it might avoid a lot of work.

Otherwise you would need to make this work with the -p -r and -e options (and we will continue to pretend not to notice -x), and provide tests
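
The save-and-restore approach discussed in this thread, written as an added example that is not part of the original messages or of chkrootkit. It assumes GNU coreutils (`stat -c`, `touch --date`, `touch -h`); `preserve_atime` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: run a command that reads a file, then put the file's
# access time back to what it was before the command ran.
# Assumes GNU coreutils. preserve_atime is a hypothetical helper name.

# Usage: preserve_atime FILE -- COMMAND [ARGS...]
preserve_atime() {
    pa_file=$1
    shift
    if [ "$1" = "--" ]; then shift; fi

    # %x is the full-resolution atime, for example
    # "2024-12-10 09:10:00.123456789 +0000"; touch --date parses it back.
    # stat does not follow symlinks by default, and "--" keeps a name
    # that starts with "-" from being read as an option.
    pa_atime=$(stat -c %x -- "$pa_file") || return 2

    # Run the wrapped command and remember its exit status.
    pa_status=0
    "$@" || pa_status=$?

    # The file may have been removed while the command ran (common in
    # /tmp); in that case there is nothing to restore.
    if [ -e "$pa_file" ] || [ -L "$pa_file" ]; then
        # -a writes only atime, so mtime is untouched.
        # -h acts on a symlink itself instead of following it, which
        # matches what stat recorded above.
        # ctime still changes: the kernel sets it on every timestamp
        # write, so the restore itself remains visible in ctime.
        touch -h -a --date="$pa_atime" -- "$pa_file" || return 2
    fi
    return "$pa_status"
}
```

Restoring atime this way does not make the scan invisible to timeline analysis, because ctime records the moment of the restore.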