Short post to keep things simple, and i also have better things to do:
You had a great script doing skynet stuff on your server, but you noticed it stopped tracking the missile network sometime last week. Could someone have changed it? You know the last time you edited it, sometime around november 1976, so let’s check if someone else edited it since then.
Consider the file is named “track_me.sh”
if you do this:
you get something like this:
File: `track_me.sh' Size: 7 Blocks: 8 IO Block: 4096 regular file Device: fd00h/64768d Inode: 2656236 Links: 1 Access: (0664/-rw-rw-r--) Uid: ( 506/user) Gid: ( 506/user) Access: 2015-10-30 14:52:07.000000000 +0000 Modify: 2015-10-26 15:17:02.000000000 +0000 Change: 2015-10-28 05:12:03.000000000 +0000
So some bastard modified it on october 26th and changed it on the 28th. Who did it? Well, thats not as easy, but you can go dig through the bash history if you are inclined to it.
To make things clear:
last access: Time when file data last accessed. Changed by the mknod(2), utimes(2) and read(2) system calls.
last modified: Time when file data last modified. Changed by the mknod(2), utimes(2) and write(2) system calls.
last changed: Time when file status was last changed (inode data modification). Changed by the chmod(2), chown(2), link(2), mknod(2), rename(2), unlink(2), utimes(2) and write(2) system calls.
On a side note for the more distracted: doing a stat [file] does not change its access date stamp. “Access” means reading its contents.