Ctime of binary files have changed
Issue
-
The
ctimeof seemingly random binary files changes on a regular basis. If third-party security monitoring software such as tripwire is used to monitor binary files, it will report files operated on by theprelinkcommand as having been changed, thus requiring follow-up auditing to determine the cause. -
Examples:
[root@server ~]# ls -l /sbin/mount.vmhgfs
-r-xr-xr-x 1 root root 57736 Jun 6 19:02 /sbin/mount.vmhgfs
[root@server ~]# ls -lc /sbin/mount.vmhgfs
-r-xr-xr-x 1 root root 57736 Jun 13 03:29 /sbin/mount.vmhgfs
or
[root@rhel01 ~]# stat /usr/bin/pr
File: `/usr/bin/pr'
Size: 64304 Blocks: 128 IO Block: 4096 regular file
Device: 801h/2049d Inode: 663739 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-06-17 13:18:02.000000000 -0400
Modify: 2014-03-05 07:21:43.000000000 -0500
Change: 2014-06-17 13:18:02.145999944 -0400
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 5
- prelink package
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
