On 11 Sep 2014 at 12:23, Scott Bonds wrote: > On Thu, Sep 11, 2014 at 07:35:47PM +0200, Christer Solskogen wrote: > > On Thu, Sep 11, 2014 at 7:21 PM, Ingo Schwarze <[email protected]> wrote: > > > Hi Scott, > > > > > > Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700: > > > > > >> My daily insecurity email on one of my boxes says this: > > >> > > >> Block device changes: > > >> brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b > > >> brw-r----- 1 root operator 0, 1 Sep 8 18:43:56 2014 /dev/wd0b > > >> > > >> On all my other (openbsd) boxes, the swap partition has the same date as > > >> all the other block devices. And all the other devices on *this* box > > >> have the same timestamp of August 16. After this insecurity report, I > > >> ran a script that eats up memory and started to use swap space and I > > >> verified that at least in that case, the swap device timestamp didn't > > >> change...so it would seem that using swap wouldn't lead to the timestamp > > >> change in my daily insecurity report. > > >> > > >> Does anyone know why the date would change on a swap device like this? > > > > > > One obvious possibility would be that maybe somebody ran mknod(1) > > > or touch(1) on the file /dev/wd0b. > > > > > > > The script /dev/MAKEDEV was run, perhaps? > > Understood. I'm the only user on this box and I did not run mknod, > touch, or MAKEDEV. I'm wondering whether something nefarious is going > on, or if there's some system process that's doing something normal. > >
Does anyone know whether system crash dump (which goes to the swap device) updates the timestampt? And did the system crash with a dump?
