lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 17 Dec 2009 02:06:15 -0500
From:	Bryan Donlan <bdonlan@...il.com>
To:	Daniel Poelzleithner <poelzi@...lzi.org>
Cc:	linux-kernel@...r.kernel.org, Simon Horman <horms@...ge.net.au>,
	Jeffrey Hundstad <jeffrey.hundstad@...u.edu>
Subject: Re: Suggestion: xtime as new inode attribute

On Wed, Dec 16, 2009 at 1:57 PM, Daniel Poelzleithner <poelzi@...lzi.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I would like to suggest a new attribute for inodes in linux filesystems
> to record the last execution time of files.
>
> The problem:
>
> If a linux installation gets older and older, more and more programs get
> installed over time. Mostly to just test them for a particular problem
> and often the deinstallation is forgotten. To find out which packages
> are not used for a long time is currently quite impossible. The user may
> use program X which will run but not depend on program Y as a subprocess
> for example.
>
> The solution:
>
> I suggest a new inode attribute called xtime, which is like atime, but
> will only be updated when a file is executed. This would allow tracking
> of unused binaries and could be used with some clever algorithms in the
> cleanup program to find unused packages for removal or other cleanup
> purposes.
> It would also add an additional information in forensic analysis of
> hacked systems btw.

Why isn't atime sufficient? atime is updated when programs are
executed, and it's uncommon for executable files to be accessed
without being executed; for the purposes of determining whether a
program is needed, it ought to be good enough.

Note that many modern distros use relatime to reduce the (significant)
overhead of atime; this may account for why you may not be seeing
atime update for executables; try mounting with -o strictatime if you
want to see it at work, but beware, as this will bring with it a major
performance hit - which your proposal would as well :)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ