DOCUMENTATION: After a UNIX backup, inode status change times are updated to the current time
|Article:TECH16463|||||Created: 2007-01-13|||||Updated: 2013-10-27|||||Article URL http://www.symantec.com/docs/TECH16463|
DOCUMENTATION: After a UNIX backup, the status change time (st_ctime) of the inodes are updated to the current time. This may cause alerts in some security programs.
Veritas NetBackup (tm) 3.4 Troubleshooting Guide for UNIX
Veritas NetBackup (tm) 4.5 Troubleshooting Guide for UNIX
Veritas NetBackup (tm) 5.0 Troubleshooting Guide for UNIX and Windows
Veritas NetBackup (tm) 5.1 Troubleshooting Guide for UNIX and Windows
Modification Type: Addition
During a backup, NetBackup will read the contents of any files that are being backed up. This will cause the operating system to unavoidably update the last access time (atime) for those files.
By default, with UNIX backups, NetBackup will cache the atime before reading the file, backup the contents of the file, and then restore the atime by invoking the "utime" system call. The reason for this is because the backup would otherwise change the last accessed times of all the files on the server to the backup time and most site would prefer that it remain unchanged.
However, the "utime" call unavoidably changes the last file status change (st_ctime) for the inode.
Security programs that monitor intruder detection , such as Tripwire, Symantec Host IDS or Symantec Intruder Alert (ITA) perform checks on system integrity. These checks may include monitoring changes to the st_ctime which will then flag every single file as compromised, potentially causing unexpected alarms.
To suppress the st_ctime updates and prevent the alarms, append the following line to the /usr/openv/netbackup/bp.conf file on the client host.
Note: By suppressing the "utime" call, the atime on the files will remain changed to the time of the backup. If there is concern about atimes being changed for every backup, consider that the UNIX find command does this when executed. Any other program that reads a file will also cause a similar update to the atime. (Data is not much good if no programs are using it.)
WARNING: This solution should not be used if also running Storage Migrator on the client in question, as it can affect migration of files. See the NetBackup System Administrator's Guide for more details.
An additional document is available on this issue for Symantec Intruder Alerts (ITA):
Article URL http://www.symantec.com/docs/TECH16463