Hi,
Does anybody know what makes my IDS (tripwire) go off at /etc each other day? No changes otherwise. Just the directory /etc being modified. I suppose something creates and removes again a file in /etc regularly, but can't figure out what it is.
The daily maintainance and security cron jobs.
Those shouldn't create any files directly in /etc (more in /var). What you have seen is most likely a result of a mount command creating a temporary file named /etc/mtabXXX (XXXX is arbitrary) when /etc/mtab is changed. This changes the mtime of the directory inode.
Charles
Roman. -- - - | Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see, | SuSE Linux AG - Security Phone: // you need vision!" | Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless | - -