From: Stuart Henderson
Subject: Re: securtity(8): ignore date changes on devices
To: Sebastien Marie, tech@openbsd.org
Date: Mon, 17 Nov 2025 10:42:02 +0000

On 2025/11/17 07:10, Sebastien Marie wrote:
> After running /dev/MAKEDEV (automatically done while upgrading), all
> nodes in /dev are updated, and it makes security(8) to report block
> devices changes due to date changes.
>
> With support for extra partitions in disklabel, the list is really huge
> and it makes the security(8) reports unreadable (too many
> false-positive changes in the list to be checked).

Suppressing date changes doesn't reduce noise for the recent block
device changes; the device minor changed too so they'll be listed anyway.

> I would like to avoid reporting device changes for dates fields. This
> way, if the device is recreated the same (major, minor, mode, owner,
> group, …) but at different dates, it will not be reported by security(8).
>
> I assume the date is irrelevant for device (and only for device) as the
> inode doesn't carry content.

I do generally agree that reporting on date changes for devices is not
really useful. And doing so for every update makes it harder to see when
something did actually have a substantial change (like these device node
changes).

Anyway, this made me think of something: we probably need something
(either docs or checks, perhaps in sysupgrade or sysmerge) to get the
device nodes changed for people who have devices not normally handled by
MAKEDEV (e.g. sd10 etc).

On 2025/11/17 09:52, Crystal Kolipe wrote:
> From a technical and functional viewpoint the date is irrelevant, but surely
> it's nice to know if a device file has been unexpectedly deleted and
> re-created, (on a shared system), because it implies that somebody had root
> access to do that.

Is that useful information or just noise though? If somebody wanted to
cover their tracks they'd reset timestamps anyway. And what better way
to hide a real subtle change than in amongst a bunch of noise?
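
An added example, not part of the thread and not security(8)'s own code: a small comparison of two device listings that shows both points made above. A node recreated with only a new date drops out of the report once dates are ignored, while a node whose minor or mode also changed is still listed. The `ls -l`-style line format, the sample listings and the function names are assumptions constructed for illustration.

```python
import re

# Fields compared per device node; "date" is the one the thread proposes to ignore.
FIELDS = ("mode", "links", "owner", "group", "major", "minor", "date")
LINE = re.compile(
    r"^([bc]\S{9})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+),\s*(\d+)\s+"
    r"(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)$"
)

# Constructed sample listings (not real security(8) output or real minor numbers).
BEFORE = """\
brw-r-----  1 root  operator    4,   0 Oct  1 09:00 sd0a
brw-r-----  1 root  operator    4,  16 Oct  1 09:00 sd1a
brw-r-----  1 root  operator    4,  17 Oct  1 09:00 sd1b
"""
AFTER = """\
brw-r-----  1 root  operator    4,   0 Nov 17 07:10 sd0a
brw-r-----  1 root  operator    4,  64 Nov 17 07:10 sd1a
brw-rw----  1 root  operator    4,  65 Nov 17 07:10 sd1b
"""

def parse_listing(text):
    """Map device name -> field dict for every block/char device line."""
    nodes = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue  # skip anything that is not a device line
        *values, name = m.groups()
        nodes[name] = dict(zip(FIELDS, values))
    return nodes

def device_changes(before, after, ignore_date=True):
    """Return {name: [changed fields]}; added/removed nodes are always reported."""
    old, new = parse_listing(before), parse_listing(after)
    skip = {"date"} if ignore_date else set()
    report = {}
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            report[name] = ["added"]
        elif name not in new:
            report[name] = ["removed"]
        else:
            diff = [f for f in FIELDS
                    if f not in skip and old[name][f] != new[name][f]]
            if diff:
                report[name] = diff
    return report

if __name__ == "__main__":
    for flag in (False, True):
        print("ignore_date =", flag, device_changes(BEFORE, AFTER, flag))
```
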