Do not update file access times
rkhunter should not update the access time of files that are scanned, i.e. use the '--preserve-date' option of 'file' (when supported).
A security scan that itself depends on a known state of the system should not make changes to the state of the system.
Updating the access times, for example, interferes with systemd-tmpfiles clean-ups.
RKH doesn't use the file command and doesn't modify access times. If something is modifying your access times, then it is not RKH.
Hi John,
I do think it is:
The ${FILE_CMD} is used in multiple places, one of which is the filesystem check.
The access times match the time when rkhunter was run (both when it's run from cron and when I run it manually).
When the FILE_CMD is defined to use file --preserve-date, the access times are not modified.
Best, Robbert
My 2 cents on this: preserving access time usually involves utime() which will change associated files' ctime. Access time changes don't bother me, but ctime changes do, because that's an early indicator of certain nasty activities.
You are right, modifying ctime instead is not the solution. This feature request can be closed.
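
The trade-off raised in the thread, as an added example that is not part of the original ticket or of rkhunter's code: it reads a constructed temporary file the way a scanner would, puts the access time back with `os.utime()` (Python's wrapper for the utime family of calls), and reports what happened to ctime. The function names and the sample file are assumptions made for the illustration.

```python
import os
import tempfile
import time


def scan_and_restore_atime(path):
    """Read a file, restore its atime, and report the effect on ctime."""
    before = os.stat(path)
    time.sleep(0.1)  # let the clock advance past timestamp granularity

    # The "scan": whether this read moves atime depends on the mount
    # options (relatime, noatime, strictatime), so it is only reported.
    with open(path, "rb") as fh:
        fh.read()
    after_read = os.stat(path)

    # Put atime and mtime back to the values recorded before the read.
    os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
    after_restore = os.stat(path)

    return {
        "atime_moved_by_read": after_read.st_atime_ns != before.st_atime_ns,
        "atime_restored": after_restore.st_atime_ns == before.st_atime_ns,
        "mtime_unchanged": after_restore.st_mtime_ns == before.st_mtime_ns,
        # The inode change time cannot be set back by the caller: the
        # restore itself is recorded as a metadata change.
        "ctime_changed": after_restore.st_ctime_ns > before.st_ctime_ns,
    }


def demo():
    # Constructed sample file with an old, known atime/mtime.
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"constructed sample content\n")
        os.utime(path, (1_600_000_000, 1_600_000_000))
        return scan_and_restore_atime(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
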