
Roman Drahtmueller <draht@suse.de> writes:
and it should not be popper. So offer a wider range of the log prior to 22:04, because - as Roman wrote - e.g. a mount cmd ends up with such modified [c|m]times.
The rest of the log around that time +-1 hour also just consists of qrunner and popper log entries, dropped packages from the firewall and:
Jul 16 21:59:00 p15089763 /USR/SBIN/CRON[14347]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Jul 16 22:59:00 p15089763 /USR/SBIN/CRON[14612]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
There have been definitely NO mounts or umounts. At least not regularly each day. Except if any SuSE cron job mounts and umounts something regularly?
Turn on "fascist" logging, e.g. allmessages (line in syslog.conf). It could as well be some mail triggering this, depending on the sickness of some software (that wouldn't work with ro-mounted /etc). Check _all_ syslogs from that time. Check if you have an automounter running. At last, use the tmpwatch package (temp-watch -d /etc) to check; it's more like winning a race if you want to see something, but still. (Hint for winning the race: do "renice -15 $$" as root and _then_ run the temp-watch program. The box gets sluggish then, of course.) The tool isn't really that smart...
I niced temp-watch +15 because I couldn't afford the box to get sluggish. Nevertheless temp-watch found at least one guilty party (ntpd):

/etc/ntp.drift.TEMP unlinked before we could stat... -
?--------- 0 root root 0 Jan 1 01:00 /etc/ntp.drift.TEMP

As Olaf Kirch already pointed out: there are lots and lots of programs changing files in /etc. It turned out that by using temporary files to be failsafe they touch /etc too.

For the protocol: it can be considered completely normal for /etc to change mtime/ctime regularly. However, this doesn't harm the usefulness of an IDS in any way, because a reasonably configured IDS does not only watch /etc, but all critical files within /etc too.

Thanks for all the help,
Matthias Riese
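The conclusion of the thread is that the mtime/ctime of the /etc directory itself is noisy (ntpd's rename of ntp.drift.TEMP over ntp.drift is enough to bump it), so an integrity check should baseline the individual files and report which entries were added, removed or altered. The following script is an added example written for this page, not a tool from the thread or from SuSE; it builds a per-file baseline (mode, owner, size, SHA-256 for regular files, link target for symlinks), skips transient "*.TEMP" files, tolerates a file being unlinked between listing and stat, and diffs two baselines. The demo() function exercises it on a constructed temporary directory instead of the real /etc, with a simulated ntpd drift-file rename and a simulated edit of a "passwd" file; the file names and contents are made up for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes worth baselining for one directory entry (lstat: do not follow links)."""
    st = path.lstat()
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def baseline(root, ignore_suffixes=(".TEMP",)) -> dict:
    """Walk root and record every file keyed by its path relative to root.

    Files ending in one of ignore_suffixes (e.g. ntpd's ntp.drift.TEMP) are
    skipped, and a file that disappears between directory listing and stat
    (the 'unlinked before we could stat' case from the thread) is ignored.
    """
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ignore_suffixes):
                continue
            p = Path(dirpath) / name
            try:
                result[str(p.relative_to(root))] = file_record(p)
            except FileNotFoundError:
                continue
    return result


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines; only entries whose recorded attributes differ count as changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: ntpd-style temp-file rename plus an edit of a critical file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ntp.conf").write_text("server 0.pool.ntp.org\n")   # constructed sample
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample
        before = baseline(root)

        # ntpd behaviour described in the thread: write ntp.drift.TEMP, then rename it over
        # ntp.drift. This bumps the directory mtime but leaves existing files untouched.
        (root / "ntp.drift.TEMP").write_text("0.123\n")
        os.replace(root / "ntp.drift.TEMP", root / "ntp.drift")

        # A real content change to a critical file, which the file-level baseline must flag.
        with (root / "passwd").open("a") as f:
            f.write("guest:x:1001:1001::/home/guest:/bin/sh\n")  # constructed sample

        return compare(before, baseline(root))


if __name__ == "__main__":
    # On a real system: python3 this.py, baseline("/etc") saved to JSON and compared later.
    print(demo())
```

The diff reports ntp.drift as added and passwd as changed, while ntp.conf is silent even though the directory's own mtime moved; that is the distinction the last message draws between watching /etc and watching the critical files inside it. For production use the baseline would be serialized and kept on read-only media, since an attacker who can edit /etc can also edit a baseline stored beside it.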