Date: Sat, 21 Nov 2015 15:32:52 +0300
From: Artem Kuchin <artem@artem.ru>
To: kpneal@pobox.com, Valeri Galtsev <galtsev@kicp.uchicago.edu>
Cc: freebsd-questions@freebsd.org
Subject: Re: Forbid user set file mtime in the past
Message-ID: <56506474.3040105@artem.ru>
In-Reply-To: <20151120200502.GA33068@neutralgood.org>
References: <564F51BD.4080103@artem.ru> <19577.128.135.52.6.1448041134.squirrel@cosmo.uchicago.edu> <20151120200502.GA33068@neutralgood.org>
20.11.2015 23:05, kpneal@pobox.com writes:
> On Fri, Nov 20, 2015 at 11:38:54AM -0600, Valeri Galtsev wrote:
>> On Fri, November 20, 2015 11:00 am, Artem Kuchin wrote:
>>> Hello!
>>>
>>> Is there any way to forbid users to set file modification time in the
>>> past?
>>>
>>> I am asking because many php viruses somehow set modification time in
>>> the past
>>> and just checking what php files were created/modified for the last n
>>> hours just does
>>> not work at all.
>>>
>> I know, this is not an answer to your question. Still, relying on anything
>> on compromised system for forensics is counter productive. Much better
> What if the compromised system was a jail?
>
> Oh, and you can use the mtree command to get an inventory of a filesystem.
> The mtree command can also do diffs of inventories run at different times.
> Included in the inventory optionally are md5 and other hashes. So you can
> run that to detect changed files.
>
> Of course, if the breach was bad enough then you won't be able to trust
> anything on the system. Jails are your friend.

Correct. IT IS in a jail and it is shared hosting where about 100 users access the system. If someone gets a PHP virus it is only limited to that user and in any case is constrained within that jail.

It is UFS on HDD (not SSD), so computing any checksum on 10s of millions of files will be either very slow or will consume all HDD iops.

As I understand there is no such user permission, so the answer to my question is "no way to do it". I will look for other ways.

Artem
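To make the mtree suggestion above concrete, here is an added example (not from anyone in this thread) that does in Python what an `mtree -c -K sha256digest` baseline followed by an `mtree -f` comparison does: it inventories the PHP files under a web root by size and SHA-256, and then diffs two inventories on content alone, so a file whose mtime was set back still shows up as changed. The web root, file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def inventory(root, suffix=".php"):
    # Size, mtime and SHA-256 per file under root (PHP only, to limit I/O on a
    # big shared host). mtime is recorded for reporting, never trusted.
    inv = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix == suffix:
                st = p.stat()
                inv[str(p.relative_to(root))] = {
                    "size": st.st_size, "mtime": int(st.st_mtime),
                    "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}
    return inv

def recently_modified(inv, since):
    # The mtime scan from the original question; defeated by backdating.
    return sorted(p for p, e in inv.items() if e["mtime"] > since)

def diff_inventories(baseline, current):
    # Compare on content (digest and size) only, as mtree -f -f does.
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if (baseline[p]["sha256"], baseline[p]["size"])
                     != (current[p]["sha256"], current[p]["size"]))
    return added, removed, changed

def demo():
    # Constructed scenario: baseline a web root, then alter one file and drop a
    # new one, both with mtime set back so the mtime scan sees nothing.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib.php").write_text("<?php function f() {} ?>\n")
        baseline = inventory(root)
        since = max(e["mtime"] for e in baseline.values())
        old = (root / "lib.php").stat()
        (root / "lib.php").write_text("<?php /* altered */ function f() {} ?>\n")
        os.utime(root / "lib.php", (old.st_atime, old.st_mtime))  # backdate
        (root / "dropped.php").write_text("<?php /* new file */ ?>\n")
        os.utime(root / "dropped.php", (old.st_atime, old.st_mtime))
        current = inventory(root)
        added, removed, changed = diff_inventories(baseline, current)
        return {"mtime_check": recently_modified(current, since),
                "added": added, "removed": removed, "changed": changed}
```

Restricting the walk to `.php` files and storing the baseline outside the jail keeps the per-run I/O far below hashing every file on the host.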
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56506474.3040105>