From: Crystal Kolipe <kolipe.c@exoticsilicon.com>
Subject: Re: security(8): ignore date changes on devices
To: Sebastien Marie <semarie@kapouay.eu.org>, tech@openbsd.org
Date: Mon, 17 Nov 2025 10:58:33 +0000

On Mon, Nov 17, 2025 at 10:42:02AM +0000, Stuart Henderson wrote:
> On 2025/11/17 09:52, Crystal Kolipe wrote:
> > From a technical and functional viewpoint the date is irrelevant, but surely
> > it's nice to know if a device file has been unexpectedly deleted and
> > re-created, (on a shared system), because it implies that somebody had root
> > access to do that.
> 
> Is that useful information or just noise though?

Well, it depends on the perceived threat I guess.

> If somebody wanted to
> cover their tracks they'd reset timestamps anyway.

Depends on the skill of the perpetrator :-).  I've seen cases where people
doing this forget the 'seconds' field, (or non-obvious fractional seconds
on filesystems that support it), and blow their cover...

> And what better way
> to hide a real subtle change than in amongst a bunch of noise?

True, but in this case the bunch of noise only appeared due to MAKEDEV being
run during an upgrade.  In normal operation a single deleted and re-created
device file would certainly stand out.