File Access dates changed unexpectedly. Metadata crawler?

Is it usual for file access dates (read dates) to change without human interaction? Which applies for all files under /home/myusername/ if I see that correctly but not for system files. My personal files get a recent file access date that looks like the result of a batch processing, so multiple files at the same minute, although I didn't access them and I also didn't copy them at the file access date.

I noticed the behavior when I wanted to attach a file to an email and sorted by "Used recently" in the dialogue to choose a file more quickly. There are files listed that I didn't use at the specific date and time. This behavior wasn't present on my system from the beginning, it was freshly installed (no upgrade) approx. 2 years ago. The problem started a few weeks ago.

Does Ubuntu 20.04 LTS have some meta data crawler or daemon that processes files in batch mode and changes the read date of every file it accesses? Or do I have to worry that my system was compromised?

The file change dates remain untouched.

I'm sorry if this question is trivial but I didn't find anything specific on askubuntu or on the web concerning this problem (but I found much stuff on how to change file dates etc.)

It's not normal for personal files to change access date/time unless they are accessed somehow ... Although browsing a directory with some applications e.g. email client attach dialog might indeed change access date/time which is especially known for file-types like images and videos that are previewed as thumbnails.

However, who or what had accessed a certain file is not per se logged by default ... There might be traces in some specific applications' logs generally for system files and not personal files and that's it.

Bottom line is that unless you have auditing service on and active for a certain file/directory, there is no way for knowing who or what accessed the file.

You can setup auditing like so:

sudo apt install auditd

Then, start monitoring a file like so:

sudo auditctl -w /path/to/file

Or a directory(be careful with auditing directories as the logfile size might grow extremely large especially for Home) like so:

sudo auditctl -w /path/to/directory/

You can list currently audited files/directories entries like so:

sudo auditctl -l

and delete those entries like so:

sudo auditctl -W file/directory

The audit information will be written to the file:

/var/log/audit/audit.log

That you can view and search with e.g.:

grep "something" /var/log/audit/audit.log

or with e.g.:

ausearch --file "file-name"

and get reports with e.g.:

aureport

References:

• man auditd - The Linux Audit daemon.
• man auditctl - a utility to assist controlling the kernel's audit system.
• man ausearch - a tool to query audit daemon logs.
• man aureport - a tool that produces summary reports of audit daemon logs.