On Thu, Sep 11, 2014 at 04:25:04PM -0400, System Administrator wrote:
> On 11 Sep 2014 at 12:23, Scott Bonds wrote:
>
> > On Thu, Sep 11, 2014 at 07:35:47PM +0200, Christer Solskogen wrote:
> > > On Thu, Sep 11, 2014 at 7:21 PM, Ingo Schwarze <schwa...@usta.de> wrote:
> > > > Hi Scott,
> > > >
> > > > Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700:
> > > >
> > > >> My daily insecurity email on one of my boxes says this:
> > > >>
> > > >> Block device changes:
> > > >> brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
> > > >> brw-r----- 1 root operator 0, 1 Sep 8 18:43:56 2014 /dev/wd0b
> > > >>
> > > >> On all my other (openbsd) boxes, the swap partition has the same date as
> > > >> all the other block devices. And all the other devices on *this* box
> > > >> have the same timestamp of August 16. After this insecurity report, I
> > > >> ran a script that eats up memory and started to use swap space and I
> > > >> verified that at least in that case, the swap device timestamp didn't
> > > >> change...so it would seem that using swap wouldn't lead to the timestamp
> > > >> change in my daily insecurity report.
> > > >>
> > > >> Does anyone know why the date would change on a swap device like this?
> > > >
> > > > One obvious possibility would be that maybe somebody ran mknod(1)
> > > > or touch(1) on the file /dev/wd0b.
> > > >
> > >
> > > The script /dev/MAKEDEV was run, perhaps?
> >
> > Understood. I'm the only user on this box and I did not run mknod,
> > touch, or MAKEDEV. I'm wondering whether something nefarious is going
> > on, or if there's some system process that's doing something normal.
> >
>
> Does anyone know whether system crash dump (which goes to the swap
> device) updates the timestamp? And did the system crash with a dump?

I think you've got it. There's a core dump in /var/crashes with the same time stamp. Thanks!
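
A triage check for the situation in this thread, as an added example that is not part of the original messages: it parses the "Block device changes" lines of the daily insecurity output and lists files in the crash directory that were modified close to a device's new timestamp. The function names and the 10-minute window are assumptions; the sample lines are the two quoted above.

```python
import os
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# One ls-style device line with a full timestamp, as quoted in the report.
DEV_LINE = re.compile(
    r"^[bc][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+\d+,\s*\d+\s+"
    r"(\w{3})\s+(\d{1,2})\s+(\d\d):(\d\d):(\d\d)\s+(\d{4})\s+(/dev/\S+)$")

def changed_devices(report):
    """Return {device: newest timestamp listed for it in the report}."""
    newest = {}
    for line in report.splitlines():
        m = DEV_LINE.match(line.strip())
        if not m or m.group(1) not in MONTHS:
            continue  # header line or anything that is not a device entry
        mon, day, hh, mm, ss, year, dev = m.groups()
        ts = datetime(int(year), MONTHS[mon], int(day),
                      int(hh), int(mm), int(ss))
        if dev not in newest or ts > newest[dev]:
            newest[dev] = ts
    return newest

def crash_files_near(report, crash_dir, window=timedelta(minutes=10)):
    """Map each changed device to crash_dir files modified within window.

    Report times and file mtimes are both treated as local time.
    An empty list means no crash file accounts for that change.
    """
    names = sorted(os.listdir(crash_dir)) if os.path.isdir(crash_dir) else []
    hits = {}
    for dev, ts in changed_devices(report).items():
        hits[dev] = [
            n for n in names
            if abs(datetime.fromtimestamp(
                os.stat(os.path.join(crash_dir, n)).st_mtime) - ts) <= window]
    return hits

# Constructed sample input: the two report lines quoted in the thread.
SAMPLE = """Block device changes:
brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
brw-r----- 1 root operator 0, 1 Sep 8 18:43:56 2014 /dev/wd0b
"""

if __name__ == "__main__":
    for dev, files in crash_files_near(SAMPLE, "/var/crashes").items():
        print(dev, files or "no crash file near this timestamp")
```

A device whose list comes back empty has a timestamp change that no crash file explains and still needs another explanation, such as the mknod(1), touch(1) or MAKEDEV runs raised earlier in the thread.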