Olaf Kirch <okir@suse.de> writes:
On Wed, Jul 17, 2002 at 11:24:33AM +0200, Matthias Riese wrote:
Does anybody know what makes my IDS (tripwire) go off at /etc each other day? No changes otherwise. Just the directory /etc being modified. I suppose something creates and removes again a file in /etc regularly, but can't figure out what it is.
Are you using dhcp to configure your network? Do you use any dynamic dialup tools like pppd? There's pretty much code rooting around in /etc, but it's hard to tell which application did it without knowing what you're doing :)
I don't think it's dhcpcd. It did its job 5 days ago:

    ls -l resolv.conf*
    -rw-r--r-- 1 root root 1029 Jul 12 10:00 resolv.conf
    -rw-r--r-- 1 root root 65 Aug 7 2001 resolv.conf.saved.by.dhcpcd

/var/state/dhcp doesn't indicate there was a new lease in the meantime. Otherwise there are no dial-up scripts or similar.

Whatever it is, it's running EACH night between 22:00 and 23:00. I already dug through all tabs and scripts in /etc/cron* /etc/cron.*/* /var/spool/cron/tabs/* but couldn't find anything.

I thought it's quite uncommon to mess around in /etc. However I think I can live with it because a real intrusion will probably change not only mtime and ctime of /etc. ;-)

Best regards from Bremen,
Matthias Riese
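
Added example, not part of the original thread: one way to narrow down a "directory modified, nothing else changed" report is to snapshot the directory's entries with their inode numbers and compare. A file rewritten through a temporary file and rename keeps its name but gets a new inode, which updates the directory's mtime. The function names and the scratch directory standing in for /etc are assumptions, and the file contents are constructed.

```python
import os
import tempfile

def snapshot(directory):
    """Map each entry name to (inode, mtime_ns, ctime_ns) without following symlinks."""
    snap = {}
    with os.scandir(directory) as it:
        for entry in it:
            st = entry.stat(follow_symlinks=False)
            snap[entry.name] = (st.st_ino, st.st_mtime_ns, st.st_ctime_ns)
    return snap

def explain_changes(before, after):
    """Classify differences between two snapshots of the same directory."""
    report = {"added": [], "removed": [], "replaced": [], "touched": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            report["added"].append(name)
        elif name not in after:
            report["removed"].append(name)
        elif before[name][0] != after[name][0]:
            # Same name, new inode: written to a temp file and renamed over.
            report["replaced"].append(name)
        elif before[name][1:] != after[name][1:]:
            # In-place write or chmod/chown: the directory's own mtime is unaffected.
            report["touched"].append(name)
    return report

def demo():
    """Constructed scenario in a scratch directory (hypothetical stand-in for /etc)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "resolv.conf")
        with open(target, "w") as f:
            f.write("nameserver 192.0.2.1\n")  # constructed sample content
        before = snapshot(d)
        tmp = os.path.join(d, "resolv.conf.tmp")
        with open(tmp, "w") as f:
            f.write("nameserver 192.0.2.2\n")
        os.replace(tmp, target)  # temp file appears and vanishes between snapshots
        with open(os.path.join(d, "new.conf"), "w") as f:
            f.write("x\n")
        return explain_changes(before, snapshot(d))

if __name__ == "__main__":
    print(demo())
```

A file that is both created and deleted between two snapshots leaves no entry to compare, so the snapshots have to bracket the suspect window closely (here, 22:00 to 23:00) for the diff to show anything.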