On 26 June 2016 21:27:28 CEST, James Carlson <carls...@workingcode.com> writes:
>On 6/24/2016 7:47 PM, Jerry Kemp wrote:
>> Using the routeadm command as an example.
>>
>> /sbin 445 # ls -l /sbin/routeadm
>>
>> -r-xr-xr-x 1 root bin 45992 Dec 16 2010 /sbin/routeadm
>>
>> /sbin 446 #
>>
>>
>> If I were to look at this file next week, and saw that it was identical,
>> aside from the fact that it now had a new time stamp of
>>
>> 24 June 2016
>>
>> , is there any way using tools/applications within OpenIndiana to know
>> who or what or what process modified the file's time stamp? Or possibly
>> tools external to OpenIndiana?
>
>Just to clarify: have you actually seen the mtime on /sbin/routeadm
>change in an unexpected way, or is that just illustrative of one
>possible file path you'd like to protect against unwanted change?
>
>In general, UNIX doesn't keep records of which process or user made a
>change. There are records kept for a change from one UID to another
>(login, su, sudo, pfexec, and the like), and in many cases those are
>sufficient for locating a culprit, but the records don't include
>individual changes made.
>
>But see also Solaris Auditing, which does in fact do the sorts of things
>you're describing:
>
>http://docs.oracle.com/cd/E19253-01/816-4557/auditov-1/index.html
Also I recently saw an LD_PRELOAD libsnoopy catch exec{ve}() calls and pass lines to logger. Did not test it yet under Solarish OSes, but it was easy to fire up under Debian.

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
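An added example, not from anyone in this thread: a small baseline-and-compare script that tells the case Jerry describes (identical content, new mtime) apart from a real content or permission change. It only answers *what* changed, not *who*; the "who" is what Solaris Auditing or an exec logger like libsnoopy supplies. It assumes Python 3 and uses a constructed temporary directory rather than /sbin.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(paths):
    """Record mode, owner, size, mtime, ctime and SHA-256 for each path."""
    snap = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        snap[p] = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                   "gid": st.st_gid, "size": st.st_size, "sha256": digest,
                   "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}
    return snap


def diff_snapshots(before, after):
    """Classify each baseline path by the most serious kind of change seen.

    Content is checked first, then mode/owner, then timestamps alone, so a
    touched-but-identical file comes out as 'timestamp_only'.
    """
    report = {}
    for p, old in before.items():
        new = after.get(p)
        if new is None:
            report[p] = "missing"
        elif new["sha256"] != old["sha256"] or new["size"] != old["size"]:
            report[p] = "content_changed"
        elif any(new[k] != old[k] for k in ("mode", "uid", "gid")):
            report[p] = "metadata_changed"
        elif new["mtime"] != old["mtime"] or new["ctime"] != old["ctime"]:
            report[p] = "timestamp_only"
        else:
            report[p] = "unchanged"
    return report


def demo():
    """Constructed scenario: one file gets only its mtime bumped, one gets new content."""
    d = tempfile.mkdtemp()
    touched, edited = os.path.join(d, "routeadm"), os.path.join(d, "other")
    for p in (touched, edited):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\n")
    before = snapshot([touched, edited])
    later = before[touched]["mtime"] + 10**9          # +1 s, content untouched
    os.utime(touched, ns=(later, later))
    with open(edited, "ab") as f:
        f.write(b"echo modified\n")                    # content really changed
    return {os.path.basename(k): v for k, v in diff_snapshots(before, snapshot([touched, edited])).items()}
```

Run the baseline from a read-only or off-host copy; a snapshot stored on the same box is itself something an intruder can rewrite.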