Mailinglist Archive: opensuse-security (520 mails)
Re: [suse-security] IDS goes off at /etc
- From: "GentooRulez" <paranoiac_user@xxxxxxxxxx>
- Date: Thu, 18 Jul 2002 10:35:15 +0200
- Message-id: <000701c22e36$4a384ab0$2064a8c0@pc10032>
>> > and it should not be popper. So offer a wider range of the log prior to
>> > 22:04, cauze - as roman wrote - e.g.
>> > a mount cmd ends up with such modified [c|m]times.
>>
>> The rest of the log around that time +-1 hour also just consists of
>> qrunner and popper log entries, dropped packages from the firewall
>> and:
>>
>> Jul 16 21:59:00 p15089763 /USR/SBIN/CRON[14347]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
>> Jul 16 22:59:00 p15089763 /USR/SBIN/CRON[14612]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
>>
>> There have been definitely NO mounts or umounts. At least not
>> regularly each day. Except if any SuSE cron job mounts and umounts
>> something regularly?
>
>
>Turn on "fascist" logging, eg allmessages (line in syslog.conf). It could
>as well be some mail triggering this, depending on the sickness of some
>software (that wouldn't work with ro-mounted /etc). Check _all_ syslogs
>from that time. Check if you have an automounter running. At last, use the
>tmpwatch package (temp-watch -d /etc) to check, it's more like winning a
>race if you want to see something, but still. (Hint for winning the race:
>Do "renice -15 $$" as root and _then_ run the temp-watch program. Box gets
>sluggish then, of course.) The tool isn't really that smart...
>
>> Matthias Riese
>
>Roman.
Maybe that will be your final solution:
I did the following:
google: file hook linux
and got that:
http://www.sysinternals.com/linux/utilities/filemon.shtml
Let me know whether it meets your needs.
Huhu, they wrote that stuff using Kylix, so I'll be able to patch it
down to console if necessary.
Michael
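The thread is about pinning down which process touches /etc between two IDS runs: the cron log shows nothing, and Roman's suggestion is to watch the directory and hope to win the race. The following is an added example, not a tool from the thread or from any of the posters: a small snapshot-and-diff watcher that records lstat() metadata for every entry under a directory, reports what changed (added, removed, mtime, ctime, mode, size) and stamps each event in the same `Jul 16 21:59:00` shape as the syslog lines quoted above, so it can be lined up with cron and syslog entries. The `demo()` function builds a constructed throwaway directory standing in for /etc; the directory names and file names in it are made up for the example.

```python
#!/usr/bin/env python3
"""Snapshot-and-diff watcher for a directory tree such as /etc.

Added example, not a tool from the thread: record lstat() metadata for every
entry, compare two snapshots, and report which entries changed and why, with a
wall-clock stamp so the event can be lined up with syslog/cron entries.
"""
import os
import sys
import tempfile
import time
from typing import Dict, List, Tuple

# path -> (mtime, ctime, mode, size); taken with lstat so symlinks are not followed
Snapshot = Dict[str, Tuple[float, float, int, int]]
FIELDS = ("mtime", "ctime", "mode", "size")


def snapshot(root: str) -> Snapshot:
    """Record metadata for root itself and everything below it."""
    snap: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in dirnames + filenames]:
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # entry vanished between listing and stat; next poll reports it as removed
            snap[path] = (st.st_mtime, st.st_ctime, st.st_mode, st.st_size)
    return snap


def diff(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Map each changed path to its reasons: added, removed, mtime, ctime, mode, size.

    ctime is set by the kernel on every inode change and cannot be put back
    with utime(), so a ctime difference survives even if something restores
    the mtime before the next poll.
    """
    changes: Dict[str, List[str]] = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes[path] = ["added"]
        elif path not in after:
            changes[path] = ["removed"]
        else:
            reasons = [f for f, old, new in zip(FIELDS, before[path], after[path]) if old != new]
            if reasons:
                changes[path] = reasons
    return changes


def watch(root: str, interval: float = 0.5, duration: float = 60.0) -> List[Tuple[str, str, List[str]]]:
    """Poll root every `interval` seconds for `duration` seconds; return (timestamp, path, reasons) events."""
    events: List[Tuple[str, str, List[str]]] = []
    prev = snapshot(root)
    deadline = time.monotonic() + duration
    while time.monotonic() < deadline:
        time.sleep(interval)
        cur = snapshot(root)
        stamp = time.strftime("%b %d %H:%M:%S")  # same shape as the syslog lines in the thread
        for path, reasons in diff(prev, cur).items():
            events.append((stamp, path, reasons))
            print(stamp, path, ",".join(reasons))
        prev = cur
    return events


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]], str, str]:
    """Constructed fixture: a throwaway directory standing in for /etc."""
    root = tempfile.mkdtemp(prefix="etcwatch-")
    hosts = os.path.join(root, "hosts")          # constructed file name
    newconf = os.path.join(root, "new.conf")     # constructed file name
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    before = snapshot(root)
    os.utime(hosts, (1_000_000_000, 1_000_000_000))  # force an unmistakable mtime change
    with open(newconf, "w") as fh:
        fh.write("key=value\n")
    after = snapshot(root)
    os.remove(newconf)
    later = snapshot(root)
    return diff(before, after), diff(after, later), hosts, newconf


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 etcwatch.py /etc 3600  (poll /etc for an hour as root)
        watch(sys.argv[1], duration=float(sys.argv[2]) if len(sys.argv) > 2 else 60.0)
    else:
        first, second, _, _ = demo()
        print(first)
        print(second)
```

Run it as root against /etc with a duration spanning the IDS window (the two 21:59 and 22:59 cron entries above bracket it) and keep the interval short; the polling still cannot name the process, only the minute and the files, but because ctime cannot be reset from user space the diff catches an inode change even when the mtime has been put back before the next poll.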