Worried about AIDE results

[dman777]

5 days ago I tried an experiment. I currently run a music server called Subsonic that runs in a Java machine. My expirement was to make a chroot jail for it. So created a dir /subsonic and copied -a /lib64 and some /usr/bin/ and /bin files into it the chroot directory. The experiment failed so I deleted that chroot directory.

Since then I rested my passwords.

Today I ran AIDE check(I keep the aide bin and aide database on a seperate usb key for security) and what can be found on the attached file.


I what I am worried about most is /lib64 and /usr/bin. Have they been exploited? Why would the modification or ctime be modified just from copying them to another dir?

[phajdan.jr]

I think it's just rc (init) system's state and cache info, and periodically regenerated whatis database. It should be possible to adjust your AIDE configuration not to raise alarm for those files.
_________________
http://phajdan-jr.blogspot.com/

[dman777]

For learning purposes, can you please explain to me when/why the /lib64 and the files in the dir gets used to where the mtime and ctime are modified? Not talking about dureing a emerge update....seems to be a regular occurrence that the state of /lib64 changes but I am curious about the process that does this.

[Etal]

/lib64/rc/init.d is on a tmpfs filesystem, mounted at boot:

[dman777]

Wow, that helps alot....thanks! Question... in this case /lib64 resides in tmpfs. In a chroot filesystem is that same /lib64 shared in tmps or is there a piece of tmpfs partitioned off for for the chroot filesystem?

[Etal]

You don't boot a chroot, so the chroot is not going to start any system services (which is what /lib64/rc/ is for).

(Also, not sure if it's a typo, but /lib64 is not on tmpfs - only /lib64/rc/init.d is)
_________________
“And even in authoritarian countries, information networks are helping people discover new facts and making governments more accountable.”– Hillary Clinton, Jan. 21, 2010