Forbid user set file mtime in the past
Michael B. Eichorn
ike at michaeleichorn.com
Fri Nov 20 21:09:16 UTC 2015
On Fri, 2015-11-20 at 20:00 +0300, Artem Kuchin wrote:
> Is there any way to forbid users to set file modification time in the
> I am asking because many php viruses somehow set modification time
> the past
> and just checking what php files were created/modified for the last n
> hours just does
> not work at all.
No idea as to how to forbid it, but I bet you could rig something with
zfs and snapshots to detect it.
compare the snapshots for files that changed and then check if have an
mtime before the time snapshot 1 was created
If you wanted to go more in depth, since zfs internally keeps track of
when the blocks were born rather than the files were modified...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5729 bytes
Desc: not available
More information about the freebsd-questions