topic Re: How to audit chmod? in Operating System - HP-UX

How to audit chmod?

Olga_1 — Thu, 28 Oct 2010 13:40:29 GMT

We have a situation where something/somebody changes group on an oracle file. How to audit who/what does it? chmod does not change the timestamp of the file, so we cannot even know when it is done.
Any information would be great.

Re: How to audit chmod?

James R. Ferguson — Thu, 28 Oct 2010 13:49:34 GMT

Hi Olga:

You might look in the shell '.sh_history' file to see if you find any indication of interactive 'chmod' use.

You might also examine any script run as crontasks.

Changing the permissions or ownership or name of a file or directory will be reflected in the 'ctime' (change time) of the entity. That is, an:

# ls -lc

...will show the 'ctime'.

Be advised that this can be misleading, since many backup utilities will reset a file's last access timestamp ('atime' seen by 'ls -ul'). This change also toggles a change in the 'ctime'.

If the entity in question is a directory, any additions or deletions to the directory will change the directory's 'ctime'.

Regards!

...JRF...

Re: How to audit chmod?

Dennis Handly — Sat, 30 Oct 2010 00:09:09 GMT

If you want to catch it in the future, you can turn on auditing.

Note: some sysadmin or DBA changed the permission.

Re: How to audit chmod?

Olga_1 — Mon, 01 Nov 2010 15:11:43 GMT

We found that command crsctl that is part of the package shutdown changes the group of the executable.