howto find what caused directory metadata to change
I recently noticed that a directory's inode changed "by itself".
At least, the inode changed.
I noticed it when I rsynced my files to another box.
I wish to find out exactly what changed.
Using ls -l, I can see when the change occurred.
I have tried looking for hidden files in the directory, and running
chkrootkit and rkhunter.
In summary:
how can I find out exactly what changed in the inode?
what find command can I use to locate recently changed files and directories?
File inodes change when file contents are modified (think "$EDITOR file open, edit, save", not "$>/file; echo hello > file") but a directory inode doesn't change when directory contents are modified or the directory inode itself is modified (ownership, access rights). Also, if there's not much writing done, a changed file's inode number may increment and be close to the previous one. If a root directory like "/sbin" is changed (rmdir, mkdir) then on a system that's been in use for a while the new directory inode number won't even be close to the old one. Before I go on I'd like to ask what exact directory name (full path please) was changed?
The directory that was changed was one which is a subdir of my Documents directory which is a subdir of my home directory.
It was not anything like /bin, /sbin, /etc, /usr etc.
There is probably a logical explanation.
I would like to find out what changed and why.
No new files were created and no file was accessed in the directory at the time of the inode change. I wasn't even using the laptop at the time of the change.
Quote:
Originally Posted by bolaoi
I wasn't even using the laptop at the time of the change.
That may mean 0) you were logged on but you were not actively using the machine at that specific time, or it may mean 1) the machine was running but you were not logged in, or it may mean 2) the machine was powered down. In the case of #0 and #1 the system might have run any automated tasks like custom tmpwatch or cron jobs or cleanup or backup, and in the case of #0 a (any) user might be running any applications or scripts. In the case of #0 and #1 one should also consider the machine being connected to a network and/or physically left unattended. As you can see, what seems like a simple sentence may unfortunately be interpreted in different ways if you have an eye for it.
Quote:
Originally Posted by bolaoi
I would like to find out what changed and why. No new files were created and no file was accessed in the directory at the time of the inode change.
To find out you would have to take the time frame in which the change could have happened as scope, gather file system access and modification time stamps, log file contents, login database records and shell history. What you'll find from trying to put the pieces back in the puzzle so to speak is that Linux doesn't have verbose and all-encompassing logging enabled by default. Sure it can be made to but that's another chapter.
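As an added example (not code from the thread or any poster), the helpers below cover the two questions in the original post together with the reply above: `recently_changed` uses find's ctime/mtime tests to list what changed inside a time window, and `inode_snapshot` / `inode_diff` record inode numbers for a tree and report paths whose inode number differs between two runs, which is the kind of change rsync notices. It assumes GNU find and awk on Linux; the directory names in the comments are made up.

```shell
#!/bin/sh
# Added example: helpers for locating recently changed entries and for
# spotting inode replacements between two snapshots of a directory tree.
# Assumes GNU find (-cmin/-mmin/-printf); BSD or BusyBox find differ.

recently_changed() {
    # recently_changed DIR MINUTES
    # -cmin looks at ctime (inode metadata: owner, mode, link count, a
    # rename or replacement of the entry), -mmin at mtime (file contents,
    # or entries added/removed for a directory). Prints inode, type,
    # both timestamps and the path for everything changed in the window.
    dir=$1; mins=$2
    find "$dir" \( -cmin "-$mins" -o -mmin "-$mins" \) \
        -printf 'inode=%i type=%y mtime=%TY-%Tm-%Td %TH:%TM ctime=%CY-%Cm-%Cd %CH:%CM %p\n'
}

inode_snapshot() {
    # inode_snapshot DIR > FILE
    # One line per entry, "<inode> <path>", e.g. taken before and after a
    # backup run so the two files can be compared.
    find "$1" -printf '%i %p\n'
}

inode_diff() {
    # inode_diff OLD_SNAPSHOT NEW_SNAPSHOT
    # Prints "<path> <old-inode> -> <new-inode>" for every path present in
    # both snapshots whose inode number differs (the entry was replaced,
    # not merely edited); prints nothing when no inode number changed.
    awk 'NR == FNR { ino = $1; sub(/^[^ ]+ /, ""); old[$0] = ino; next }
         { ino = $1; sub(/^[^ ]+ /, "")
           if ($0 in old && old[$0] != ino) print $0, old[$0], "->", ino }' "$1" "$2"
}
```

A directory that was deleted and recreated under the same name shows up in `inode_diff` with no change to its contents, while `recently_changed` on the same window shows the surrounding entries whose ctime or mtime moved with it.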