Ctime of binary files have changed

Solution Verified - Updated -

Issue

  • The ctime of seemingly random binary files changes on a regular basis. If third-party security monitoring software such as tripwire is used to monitor binary files, it will report files operated on by the prelink command as having been changed, thus requiring follow-up auditing to determine the cause.

  • Examples:

[root@server ~]# ls -l /sbin/mount.vmhgfs
-r-xr-xr-x 1 root root 57736 Jun  6 19:02 /sbin/mount.vmhgfs
[root@server ~]# ls -lc /sbin/mount.vmhgfs
-r-xr-xr-x 1 root root 57736 Jun 13 03:29 /sbin/mount.vmhgfs

or

[root@rhel01 ~]# stat /usr/bin/pr
  File: `/usr/bin/pr'
  Size: 64304       Blocks: 128        IO Block: 4096   regular file
Device: 801h/2049d  Inode: 663739      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-06-17 13:18:02.000000000 -0400
Modify: 2014-03-05 07:21:43.000000000 -0500
Change: 2014-06-17 13:18:02.145999944 -0400

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • prelink package

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content