
#51 Do not update file access times

main
open
nobody
None
5
2022-02-10
2022-01-29
No

rkhunter should not update the access time of files that are scanned, i.e. use the '--preserve-date' option of 'file' (when supported).

A security scan that itself depends on a known state of the system should not make changes to the state of the system.

Updating the access times for example interferes with systemd-tmpfiles clean-ups.

Discussion

  • John Horne

    John Horne - 2022-01-29

    RKH doesn't use the file command and doesn't modify access times. If something is modifying your access times, then it is not RKH.

  • Robbert Eggermont

    Hi John,

    I do think it is:

    CMDLIST="basename diff dirname file find ifconfig ip ipcs ldd lsattr lsmod lsof mktemp netstat numfmt perl pgrep ps pwd readlink stat strings"

    The ${FILE_CMD} is used in multiple places, one of which is the filesystem check.

    The access times match the time when rkhunter was run (both when it's run from cron and when I run it manually).

    When the FILE_CMD is defined to use file --preserve-date, the access times are not modified.

    Best, Robbert

  • Ric Anderson

    Ric Anderson - 2022-02-10

    My 2 cents on this: preserving access time usually involves utime() which will change associated files' ctime. Access time changes don't bother me, but ctime changes do, because that's an early indicator of certain nasty activities.

  • Robbert Eggermont

    You are right, modifying ctime instead is not the solution. This feature request can be closed.

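The trade-off the thread settles on, shown as an added example (not rkhunter's or file(1)'s own code): reading a file and then restoring its atime with utime(), which is what 'file --preserve-date' does, leaves atime and mtime untouched but forces a new ctime, exactly the signal a file-integrity monitor would flag. The function and key names are this example's own; it creates a constructed throwaway file in the temp directory.

```python
import os
import tempfile
import time


def stamps(path):
    """Snapshot (atime, mtime, ctime) in nanoseconds."""
    st = os.stat(path)
    return (st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)


def read_preserving_atime(path):
    """Read a file the way 'file --preserve-date' does: read it, then put
    atime/mtime back with utime(). The kernel stamps ctime on every
    inode metadata write and userspace cannot set it, so ctime moves."""
    atime_ns, mtime_ns, _ = stamps(path)
    with open(path, "rb") as fh:
        data = fh.read()
    os.utime(path, ns=(atime_ns, mtime_ns))
    return data


def classify_change(before, after):
    """Coarse triage for a monitor comparing two snapshots.
    'content'    mtime moved: data was written
    'ctime-only' atime/mtime unchanged but ctime moved: metadata was
                 rewritten (utime/chmod/chown/link); worth a closer look
    'atime-only' a plain read (only visible without noatime/relatime)
    'none'       nothing changed"""
    if after[1] != before[1]:
        return "content"
    if after[2] != before[2]:
        return "ctime-only"
    if after[0] != before[0]:
        return "atime-only"
    return "none"


def run_demo():
    """Scan a constructed sample file the 'preserve-date' way and report
    what a monitor would observe."""
    fd, path = tempfile.mkstemp(prefix="atime-demo-")
    try:
        os.write(fd, b"sample file contents\n")
        os.close(fd)
        time.sleep(0.1)  # file timestamps are coarse-grained; step past that
        before = stamps(path)
        time.sleep(0.1)
        read_preserving_atime(path)
        after = stamps(path)
        return {"atime_restored": after[0] == before[0],
                "mtime_unchanged": after[1] == before[1],
                "ctime_advanced": after[2] > before[2],
                "verdict": classify_change(before, after)}
    finally:
        os.unlink(path)
```

Running run_demo() on an ordinary Linux filesystem reports atime restored and mtime unchanged, but ctime advanced, with verdict 'ctime-only'.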
