Mailinglist Archive: opensuse-security (520 mails)
Re: [suse-security] IDS goes off at /etc
- From: Matthias Riese <matthias.riese@xxxxxxxxxxxxx>
- Date: 26 Jul 2002 09:59:51 +0200
- Message-id: <m2n0se6hs8.fsf@xxxxxxxxx>
Roman Drahtmueller <draht@xxxxxxx> writes:
> > > and it should not be popper. So offer a wider range of the log prior to
> > > 22:04, 'cause - as roman wrote - e.g.
> > > a mount cmd ends up with such modified [c|m]times.
> >
> > The rest of the log around that time +-1 hour also just consists of
> > qrunner and popper log entries, dropped packages from the firewall
> > and:
> >
> > Jul 16 21:59:00 p15089763 /USR/SBIN/CRON[14347]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
> > Jul 16 22:59:00 p15089763 /USR/SBIN/CRON[14612]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
> >
> > There have been definitely NO mounts or umounts. At least not
> > regularly each day. Except if any SuSE cron job mounts and umounts
> > something regularly?
>
>
> Turn on "fascist" logging, e.g. allmessages (line in syslog.conf). It could
> as well be some mail triggering this, depending on the sickness of some
> software (that wouldn't work with ro-mounted /etc). Check _all_ syslogs
> from that time. Check if you have an automounter running. At last, use the
> tmpwatch package (temp-watch -d /etc) to check, it's more like winning a
> race if you want to see something, but still. (Hint for winning the race:
> Do "renice -15 $$" as root and _then_ run the temp-watch program. Box gets
> sluggish then, of course.) The tool isn't really that smart...
I niced temp-watch +15 because I couldn't afford the box to get
sluggish. Nevertheless temp-watch found at least one guilty party (ntpd):
/etc/ntp.drift.TEMP unlinked before we could stat...
- ?--------- 0 root root 0 Jan 1 01:00 /etc/ntp.drift.TEMP
As Olaf Kirch already pointed out: There are lots and lots of programs
changing files in /etc. It turned out that by using temporary files to
be failsafe they touch /etc too.
For the protocol:
It can be considered completely normal for /etc to change mtime/ctime
regularly. However this doesn't harm the usefulness of an IDS in any
way, because a reasonably configured IDS does not only watch /etc, but
all critical files within /etc too.
Thanks for all the help, Matthias Riese
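To illustrate the conclusion of this thread (the directory mtime of /etc changes whenever a daemon creates and removes a scratch file there, while an IDS that fingerprints the individual files inside /etc stays quiet until one of those files actually changes), here is a small added example. It is not code from the list, from ntpd or from temp-watch; it uses a temporary directory as a stand-in for /etc, a constructed list of "tracked" files, and mimics ntpd's ntp.drift.TEMP create-and-unlink churn seen above.

```python
import hashlib
import os
import stat
import tempfile
import time

# Files inside the watched directory that an IDS should fingerprint
# individually (constructed list; a real policy would be far longer).
TRACKED = ["passwd", "ntp.conf", "ntp.drift"]


def fingerprint(path):
    """Content hash plus the metadata an integrity checker usually records."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "sha256": digest,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def take_baseline(directory, tracked=TRACKED):
    """Fingerprint each tracked file, not the directory inode itself."""
    return {name: fingerprint(os.path.join(directory, name)) for name in tracked}


def check(directory, base):
    """Return the tracked files whose fingerprint differs from the baseline."""
    alerts = {}
    for name, old in base.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            alerts[name] = "missing"
            continue
        new = fingerprint(path)
        changed = [key for key in old if old[key] != new[key]]
        if changed:
            alerts[name] = changed
    return alerts


def temp_file_churn(directory):
    """Create and unlink a scratch file, as ntpd's ntp.drift.TEMP came and went."""
    tmp = os.path.join(directory, "ntp.drift.TEMP")
    with open(tmp, "w") as fh:
        fh.write("0.000\n")
    os.unlink(tmp)


def demo():
    """Run the whole scenario in a scratch directory standing in for /etc."""
    with tempfile.TemporaryDirectory() as etc:
        # Constructed sample contents for the tracked files.
        for name, body in (("passwd", "root:x:0:0:root:/root:/bin/sh\n"),
                           ("ntp.conf", "server 127.127.1.0\n"),
                           ("ntp.drift", "12.345\n")):
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(body)
        base = take_baseline(etc)
        dir_mtime_before = os.stat(etc).st_mtime_ns

        time.sleep(0.05)  # step past the kernel's timestamp granularity
        temp_file_churn(etc)
        # The directory's mtime moves, but no tracked file changed.
        dir_mtime_changed = os.stat(etc).st_mtime_ns != dir_mtime_before
        alerts_after_churn = check(etc, base)

        # Now a tracked file really changes: the per-file check fires.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("tampered:x:1001:1001::/:/bin/sh\n")
        alerts_after_tamper = check(etc, base)

    return {
        "dir_mtime_changed": dir_mtime_changed,
        "alerts_after_churn": alerts_after_churn,
        "alerts_after_tamper": alerts_after_tamper,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows `dir_mtime_changed` true with an empty alert set after the scratch-file churn, and an alert naming `passwd` (hash changed, mode and owner unchanged) only after a tracked file is modified. That is the distinction the thread arrives at: a directory-mtime rule on /etc is noise, a per-file baseline of the critical files inside /etc is the useful signal.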