Bug 1387747 - Unknown regular file access in home directory but only if un-audited
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: 24
Hardware: x86_64
OS: Linux
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-10-21 18:16 UTC by Don Swaner
Modified: 2016-10-30 13:18 UTC

Last Closed: 2016-10-22 17:39:03 UTC
Type: Bug


Description Don Swaner 2016-10-21 18:16:43 UTC
Description of problem:
Most, but not all, regular files in my home directory (but not subdirectories) are being accessed by some unknown process, but only when I do not have an audit on one specific regular file in that directory.  (Most, but not all, of the home subdirectories' atimes are updated at the same time.)  The journal shows no cron jobs running at the time of access, and gives no clue as to what is accessing the files.  If I have an audit on the one specific regular file, then the atimes for regular files in my home directory are not updated (except for those which I have accessed).  The peculiar access does not seem to happen at any specific time.

My home directory is mounted with strictatime,lazytime.  My intention is to use atime to archive files, and I have been making adjustments for processes that update atime, such as rsync, multi-file grep, etc.  I have a read-only bind mount for the home directory.  I'm running a Mate desktop, and am aware of the caja subprocess that routinely scans the home directory for new folders, and updates the atimes for the folders - but NOT for regular files.

Version-Release number of selected component (if applicable):
audit-2.6.7-1.fc24.x86_64
My system is kept current by a nightly dnf upgrade.

How reproducible:
It appears to happen every time the specified file in the directory has no audit on it - it has occurred 2 or 3 times so far.

Steps to Reproduce:
1.  Mount home directory with norelatime,strictatime,lazytime
2.  Set atimes for regular files in the home directory (not subdirectories) to some specific date/time (perhaps 2011-11-11 11:11).
3.  Make adjustments, possibly with a read-only bind mount for home, such that there is no update for atimes for any known processes
4.  Wait (maybe a couple of days), monitoring the atimes.
5.  Assuming there is an update to atime for some (many/most) regular files, check the journal for any clues.
6.  Assuming the source of the atime update is unknown, reset the atimes to some specific date/time, and place an audit on one regular file in home.
7.  Wait maybe a couple of days, noting that there are no unexplained updates while the audit is in place.
8.  Remove the audit.
9.  Wait, monitoring atimes - presumably the atimes will be again updated by the unknown process.

Actual results:
I am unable to determine which process is accessing the home dir files.

Expected results:
The audit shows the process accessing the files.

Additional info:
My F24 is a clean install from the Live CD Mate Spin, not an upgrade from F23.  I have never installed any software except from the standard, official, Fedora repositories.  After the installation, I remove openssh, openssh-client, openssh-server, spice-vdagent, hyperv-daemons, and blueman, since I do not use them.  If I leave the one file audit in place, I could proceed with plans to archive based upon atime.

Comment 1 Steve Grubb 2016-10-21 19:13:45 UTC
What audit rule are you using in an attempt to detect this?

Comment 2 Don Swaner 2016-10-21 22:25:49 UTC
The audit rule is:

-w /home/[userid]/tmp.nZiiaGpzLT -p rwa -k nZiiaGpzLT

The audit rule works fine, showing all expected accesses to tmp.nZiiaGpzLT.

Comment 3 Don Swaner 2016-10-22 17:39:03 UTC
The culprit is caja.  This time the update to the atime of the tripwire file happened while I had the audit rule activated.  The caja update occurs at irregular times.  Mostly, it only updates (changes the atime for) directories - but at other times, it updates regular files also - most, but not all files.  Its inconsistent behavior is confusing.  It was a coincidence that no regular files were updated when the audit rule was active before.  I had the audit rule active for a couple of days - I noticed the directories were being updated - so caja was doing its update - but, for whatever reason, it didn't touch the regular files.  I will close this bug and file a new bug for caja.

Comment 4 Don Swaner 2016-10-30 13:18:34 UTC
caja, under Edit / Preferences / Preview, has various options for previewing files.  If all options are set to NEVER, then caja does not preview, or access, files unexpectedly.
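
Added example (not part of the bug report or of the audit project's code): a Python parser that correlates the SYSCALL, CWD and PATH records produced by a keyed watch such as the rule in Comment 2, to name the executable behind each access to the tripwire file. The log records, the /home/user path, the pids and the serial numbers are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample records in raw audit.log layout (not from the bug report).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1477157943.101:812): arch=c000003e syscall=2 success=yes exit=14 ppid=1 pid=2240 uid=1000 comm="caja" exe="/usr/bin/caja" key="nZiiaGpzLT"
type=CWD msg=audit(1477157943.101:812): cwd="/"
type=PATH msg=audit(1477157943.101:812): item=0 name="/home/user/tmp.nZiiaGpzLT" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1477161000.550:901): arch=c000003e syscall=2 success=yes exit=3 ppid=2100 pid=3011 uid=1000 comm="cat" exe="/usr/bin/cat" key="nZiiaGpzLT"
type=CWD msg=audit(1477161000.550:901): cwd="/home/user"
type=PATH msg=audit(1477161000.550:901): item=0 name="tmp.nZiiaGpzLT" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1477161200.000:950): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=900 uid=1000 comm="rsync" exe="/usr/bin/rsync" key="other"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group the records that share an event serial number into one event."""
    events = defaultdict(lambda: {"time": None, "records": defaultdict(list)})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or truncated lines
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)]["time"] = int(epoch)
        events[int(serial)]["records"][rtype].append(fields)
    return events

def accessors(text, key):
    """Return (serial, epoch, exe, pid, paths) for each event tagged with key."""
    hits = []
    for serial, ev in sorted(parse_events(text).items()):
        recs = ev["records"]
        for sc in recs.get("SYSCALL", []):
            if sc.get("key") != key:
                continue
            # PATH names may be relative; resolve them against the CWD record.
            cwd = next((c["cwd"] for c in recs.get("CWD", [])), "/")
            paths = [posixpath.join(cwd, p["name"]) for p in recs.get("PATH", [])]
            hits.append((serial, ev["time"], sc["exe"], int(sc["pid"]), paths))
    return hits

if __name__ == "__main__":
    for hit in accessors(SAMPLE_LOG, "nZiiaGpzLT"):
        print(hit)
```

Values that auditd hex-encodes (names containing spaces or other special characters) are not decoded by this parser.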

