Ctime of binary files have changed
Issue
- The ctime of seemingly random binary files changes on a regular basis. If third-party security monitoring software such as tripwire is used to monitor binary files, it will report files operated on by the prelink command as having been changed, thus requiring follow-up auditing to determine the cause.
- Examples:
[root@server ~]# ls -l /sbin/mount.vmhgfs
-r-xr-xr-x 1 root root 57736 Jun 6 19:02 /sbin/mount.vmhgfs
[root@server ~]# ls -lc /sbin/mount.vmhgfs
-r-xr-xr-x 1 root root 57736 Jun 13 03:29 /sbin/mount.vmhgfs
or
[root@rhel01 ~]# stat /usr/bin/pr
File: `/usr/bin/pr'
Size: 64304 Blocks: 128 IO Block: 4096 regular file
Device: 801h/2049d Inode: 663739 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-06-17 13:18:02.000000000 -0400
Modify: 2014-03-05 07:21:43.000000000 -0500
Change: 2014-06-17 13:18:02.145999944 -0400
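An added triage helper, not part of the Red Hat article: it flags files whose ctime is later than their mtime (the pattern in the output above) and, where prelink is installed, prints the digest of the un-prelinked content so it can be compared with the monitoring baseline. GNU stat is assumed; THRESHOLD and the function names are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU stat (-c).
THRESHOLD=60   # illustrative: seconds of ctime-after-mtime worth flagging

# Seconds by which ctime (stat %Z) is later than mtime (stat %Y).
ctime_drift() {
    m=$(stat -c %Y -- "$1" 2>/dev/null) || return 1
    c=$(stat -c %Z -- "$1" 2>/dev/null) || return 1
    echo $((c - m))
}

# "ctime-only": the inode changed after the recorded mtime, as in the
# ls -l / ls -lc and stat output above. "consistent": both moved together.
classify_change() {
    d=$(ctime_drift "$1") || { echo "unreadable"; return 0; }
    if [ "$d" -gt "$THRESHOLD" ]; then
        echo "ctime-only"
    else
        echo "consistent"
    fi
}

# Report each file's state; for flagged files, ask prelink for the digest
# of the content with prelinking undone (prelink -y --md5).
triage() {
    for f in "$@"; do
        state=$(classify_change "$f")
        printf '%s\t%s\n' "$state" "$f"
        [ "$state" = "ctime-only" ] || continue
        if command -v prelink >/dev/null 2>&1; then
            prelink -y --md5 "$f" 2>/dev/null ||
                echo "  prelink could not verify $f; audit manually"
        else
            echo "  prelink not installed; change is not explained by it"
        fi
    done
}

# Run against any paths given on the command line.
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

A flagged file whose un-prelinked digest still matches the baseline is consistent with a prelink run; a mismatch or a verification failure still needs the follow-up audit.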
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- prelink package