Re: /usr/bin/login patch question

From: Peter L. Ashford (ashford@SDSC.EDU)
Date: 12/31/01


Date: Mon, 31 Dec 2001 10:58:38 -0800
From: "Peter L. Ashford" <ashford@SDSC.EDU>
To: SecLists <lists@secure.stargate.net>

Shawn,

On Thu, 27 Dec 2001, SecLists wrote:

> We installed the /usr/bin/login patch yesterday on a Solaris 7 box. This
> box is also running Tripwire... Well, this morning Tripwire tells me the
> following has changed on the system:
>
> changed: drwxrwxr-x root 1024 Aug 24 18:35:51 2000 /usr
> changed: -r-sr-sr-x root 29144 Dec 13 15:07:22 2001 /usr/bin/login
>
> The /usr directory changed from 0755 to 0775, dated Aug 24, 2000, and of
> course the /usr/bin/login changed December 13th.
> Now I can understand that since the patches for this were released on or
> around the 13th, that the login mtime may simply be a result of the patch
> keeping its own timestamp for that binary... ultimately, the mtime should
> be Dec 26th, but I am willing to accept the 13th because that is when the
> patch may have been made.... but the thing I am confused on is the /usr
> permission changes and the timestamp being Aug 24th...
> Tripwire runs every day so I know that the perms changing on /usr had to
> happen yesterday... yes, the Tripwire DB is on secure media and the check
> runs automatically, and is only updated when I do it manually... so it was
> modified yesterday but the mtime is showing Aug of last year...
> I am assuming that this is a result of the patch we installed but I want
> to make sure and so I know to expect this type of behavior on other
> boxes...

The 'chmod' command does not change the modification time of the inode.
This is also true for other, similar, commands ('chown', 'chgrp', etc.).
That time is only changed when a write to the file is performed. There is
a field in the inode ('ic_ctime') that should be updated when a 'chmod'
command is executed. This information can be accessed with the '-c'
option of 'ls'. I don't know how you could change Tripwire to do this,
but it seems to me that it would be useful.

Good luck.
                                Peter Ashford
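
Added example (not part of the original message): a Python sketch of the behaviour described in the reply, assuming a POSIX system where `st_ctime` is the inode change time. The scratch directory, the back-dated timestamp and the helper names `snapshot`, `classify` and `demo` are constructed for illustration.

```python
import os
import stat
import tempfile
import time
from collections import namedtuple

# The inode fields an integrity checker would typically baseline.
Snapshot = namedtuple("Snapshot", "mode mtime_ns ctime_ns")


def snapshot(path):
    """Record permission bits, modification time and inode change time."""
    st = os.stat(path)
    return Snapshot(stat.S_IMODE(st.st_mode), st.st_mtime_ns, st.st_ctime_ns)


def classify(old, new):
    """Explain the difference between two snapshots of the same path."""
    if new.mtime_ns != old.mtime_ns:
        return "content written (mtime moved)"
    if new.ctime_ns != old.ctime_ns:
        if new.mode != old.mode:
            return "mode %04o -> %04o, mtime unchanged, ctime moved" % (old.mode, new.mode)
        return "inode metadata changed (ctime moved), mtime unchanged"
    return "unchanged"


def demo():
    """Reproduce the /usr case from the thread on a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "usr")  # constructed stand-in for /usr
        os.mkdir(target)
        os.chmod(target, 0o755)                # set explicitly, independent of umask
        old = time.mktime((2000, 8, 24, 18, 35, 51, 0, 0, -1))
        os.utime(target, (old, old))           # back-date mtime as in the report
        before = snapshot(target)
        time.sleep(1.1)                        # outlast coarse timestamp granularity
        os.chmod(target, 0o775)                # the change Tripwire flagged
        after = snapshot(target)
        return before, after, classify(before, after)


if __name__ == "__main__":
    before, after, verdict = demo()
    print(verdict)
    print("mtime:", time.ctime(after.mtime_ns / 1e9))  # still Aug 24 2000
    print("ctime:", time.ctime(after.ctime_ns / 1e9))  # time of the chmod
```

The ctime printed at the end is the value `ls -lc` would show for the directory.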


