[CLUE-Tech] stat(2) and ctime st_ctime changes?

Jim Ockers ockers at ockers.net
Tue Sep 16 16:52:21 MDT 2003 

Hi group,

I'd like to bounce this situation off you.  We have a server that
runs tripwire enterprise for IDS.  It recently generated several
thousand critical errors in a tripwire report, and I was assigned
to investigate.

In each case the file was exactly the same size and contents as 
the original file, and the owner/group/links/inode/mtime were all 
the same as well.  The only thing that changed was the "change time"
or ctime.

According to stat(2) these are the possible attributes of a file:

              struct stat {
                  dev_t         st_dev;      /* device */
                  ino_t         st_ino;      /* inode */
                  mode_t        st_mode;     /* protection */
                  nlink_t       st_nlink;    /* number of hard links */
                  uid_t         st_uid;      /* user ID of owner */
                  gid_t         st_gid;      /* group ID of owner */
                  dev_t         st_rdev;     /* device type (if inode device) */
                  off_t         st_size;     /* total size, in bytes */
                  blksize_t     st_blksize;  /* blocksize for filesystem I/O */
                  blkcnt_t      st_blocks;   /* number of blocks allocated */
                  time_t        st_atime;    /* time of last access */
                  time_t        st_mtime;    /* time of last modification */
                  time_t        st_ctime;    /* time of last change */
              };

The man page goes on to say:
	The field st_ctime is changed by writing or by setting inode 
	information (i.e., owner, group, link count, mode, etc.).

Since the ctime is changed but absolutely nothing else about the
file is changed (including the MD5 hash value), would it be correct
to say that one of the following was reset to its original value?

mode_t
nlink_t
uid_t
gid_t
st_ctime (reset to the new ctime of course, otherwise we would
	not have noticed the change)

The reason I ask is that "etc." there in the man page makes me
nervous.  What else might change that could cause a ctime change,
that's not listed in the struct stat?

We are not able to identify any unusual activity on the server
during this time, and it turns out that the ctime values that it
flagged are in sequential order a second a part as if something
walked the filesystem and touch(1) each file, or something.  I know
it wasn't touch(1) because that resets the mtime.

This is unusual and I'd appreciate any ideas you have as to
what might cause ctime to change for a bunch of files but nothing
else to change.

Thanks a lot,
Jim

PS I didn't actually review every file so it's possible that a
crafty attacker modified one file and changed ctime on a whole bunch
of other files in the hopes that we wouldn't notice the one that
actually changed in the huge tripwire report that would result.
However I did a thorough review and nothing else seems amiss on 
the system.

PPS We are also asking tripwire about this.

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/

More information about the clue-tech mailing list