On 06/27/16 08:37 AM, Jim Klimov wrote:
26 June 2016 21:27:28 CEST, James Carlson <carls...@workingcode.com> writes:
On 6/24/2016 7:47 PM, Jerry Kemp wrote:
Using the routeadm command as an example.

/sbin 445 # ls -l /sbin/routeadm

-r-xr-xr-x   1 root     bin        45992 Dec 16  2010 /sbin/routeadm

/sbin 446 #


If I were to look at this file next week, and saw that it was identical,
aside from the fact that it now had a new time stamp of 24 June 2016,
is there any way using tools/applications within OpenIndiana to know
who or what or what process modified the file's time stamp?  Or
possibly tools external to OpenIndiana?

Just to clarify: have you actually seen the mtime on /sbin/routeadm
change in an unexpected way, or is that just illustrative of one
possible file path you'd like to protect against unwanted change?

In general, UNIX doesn't keep records of which process or user made a
change.  There are records kept for a change from one UID to another
(login, su, sudo, pfexec, and the like), and in many cases those are
sufficient for locating a culprit, but the records don't include
individual changes made.

But see also Solaris Auditing, which does in fact do the sorts of things
you're describing:

http://docs.oracle.com/cd/E19253-01/816-4557/auditov-1/index.html

Also, I recently saw an LD_PRELOAD libsnoopy catching exec{ve}() calls and passing
lines to logger. I did not test it yet under Solarish OSes, but it was easy to
fire up under Debian.

That seems useful for debugging, but not auditing, as LD_PRELOAD is ignored
by setuid programs, and can be unset in the environment by anyone.


--
        -Alan Coopersmith-              alan.coopersm...@oracle.com
         Oracle Solaris Engineering - http://blogs.oracle.com/alanc
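A way to at least detect the change Jerry describes (same bytes, new mtime) and tell it apart from a real modification or a timestamp that was reset, as an added example that is not from anyone in this thread: snapshot the sha256 plus mtime/ctime into a baseline and compare later. It assumes Python 3 on the host; the path and size come from the thread, the hashes and timestamps in any test are constructed.

```python
#!/usr/bin/env python3
"""Baseline snapshot/compare for the case in the thread: a file whose bytes are
unchanged but whose mtime moved.  Added example, not from the list thread."""
import hashlib
import os
from dataclasses import dataclass


@dataclass
class FileRecord:
    path: str
    size: int
    mtime: int    # seconds; any writer can set this with touch/utimes(2)
    ctime: int    # inode change time; only the kernel updates it
    sha256: str


def snapshot(path: str) -> FileRecord:
    """Hash the file contents and capture the stat fields compared below."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return FileRecord(path, st.st_size, int(st.st_mtime),
                      int(st.st_ctime), h.hexdigest())


def compare(baseline: FileRecord, current: FileRecord) -> list:
    """Classify the difference between two snapshots of the same path."""
    findings = []
    if current.sha256 != baseline.sha256 or current.size != baseline.size:
        findings.append("content changed")
    elif current.mtime != baseline.mtime:
        # Jerry's case: identical bytes, new mtime.  Auditing, not stat, is
        # what can say which process did it; this only proves it happened.
        findings.append("mtime changed, content identical")
    if current.ctime != baseline.ctime and current.mtime == baseline.mtime:
        # chmod/chown/utimes all bump ctime, so an mtime that was set back
        # to its baseline value after a change still shows up here.
        findings.append("ctime changed while mtime unchanged")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: print a snapshot for each path given; keep the output as baseline.
    for p in sys.argv[1:]:
        print(snapshot(p))
```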

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
