On Thu, Sep 11, 2014 at 07:35:47PM +0200, Christer Solskogen wrote: > On Thu, Sep 11, 2014 at 7:21 PM, Ingo Schwarze <schwa...@usta.de> wrote: > > Hi Scott, > > > > Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700: > > > >> My daily insecurity email on one of my boxes says this: > >> > >> Block device changes: > >> brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b > >> brw-r----- 1 root operator 0, 1 Sep 8 18:43:56 2014 /dev/wd0b > >> > >> On all my other (openbsd) boxes, the swap partition has the same date as > >> all the other block devices. And all the other devices on *this* box > >> have the same timestamp of August 16. After this insecurity report, I > >> ran a script that eats up memory and started to use swap space and I > >> verified that at least in that case, the swap device timestamp didn't > >> change...so it would seem that using swap wouldn't lead to the timestamp > >> change in my daily insecurity report. > >> > >> Does anyone know why the date would change on a swap device like this? > > > > One obvious possibility would be that maybe somebody ran mknod(1) > > or touch(1) on the file /dev/wd0b. > > > > The script /dev/MAKEDEV was run, perhaps?
Understood. I'm the only user on this box and I did not run mknod, touch, or MAKEDEV. I'm wondering whether something nefarious is going on, or if there's some system process that's doing something normal.