I recently noticed that a direcory's inode changed "by itself"
At least, the inode changed.
I noticed it when I rsynced my files to another box.

I wish to find out exactly what changed.
Using ls -l, I can see when the change occurred.

I have tried looking for hidden files in the directory, and running
chkrootkit and rkhunter.
In summary,
how can I find out exactly what changed in the inode?

what find command can I use to locate recently changed files and directories?

John

File inodes change when file contents are modified (think "$EDITOR file open, edit, save", not "$>/file; echo hello > file") but a directory inode doesn't change when directory contents are modified or the directory inode itself is modified (ownership, access rights). Also if there's not much writing done a changed files inode number number may increment and be close to the previous one. If a root directory like "/sbin" is changed (rmdir, mkdir) then on a system that's been in use for a while the new directory inode number won't even be close to the old one. Before I go on I'd like to ask what exact directory name (full path please) was changed?

The directory that was changed was one which is a subdir of my Documents directory which is a subdir of my home directory.
It was not anything like /bin, /sbin, /etc, /usr etc.

There is probably a logical explanation.
I would like to find out what changed and why.
No new files were created and no file was accessed in the directory at the time of the inode change. I wasn't even using the laptop at the time of the change.

That may mean 0) you were logged on but you were not actively using the machine at that specific time, or it may mean 1) the machine was running but you were not logged in or it may mean 2) the machine was powered down. In the case of #0 and #1 the system might have run any automated tasks like custom tmpwatch or cron jobs or cleanup or backup and in the case of #0 a (any) user might be running any applications or scripts. In the case of #0 and #1 one should also consider the machine being connected to a network and or physically left unattended. As you can see what seems like a simple sentence may unfortunately be interpreted in different ways if you have an eye for it.


To find out you would have to take the time frame in which the change could have happened as scope, gather file system access and modification time stamps, log file contents, login database records and shell history. What you'll find from trying to put the pieces back in the puzzle so to speak is that Linux doesn't have verbose and all-encompassing logging enabled by default. Sure it can be made to but that's another chapter.