Re: [suse-security] IDS goes off at /etc
What exactly does /var/log/messages say, e.g. at 22:05, charles?
Jul 16 22:04:00 p15089763 /USR/SBIN/CRON[14405]: (mailman) CMD (/usr/bin/python -S /home/mailman/cron/qrunner)
Jul 16 22:04:37 p15089763 popper[14406]: connect from 213.183.161.234 (213.183.161.234)
Jul 16 22:05:00 p15089763 /USR/SBIN/CRON[14408]: (mailman) CMD (/usr/bin/python -S /home/mailman/cron/qrunner)
Jul 16 22:06:00 p15089763 /USR/SBIN/CRON[14410]: (mailman) CMD (/usr/bin/python -S /home/mailman/cron/qrunner)
It's definitely NOT qrunner, because mailman has no permission to change /etc, and it should not be popper. So offer a wider range of the log prior to 22:04, cause - as roman wrote - e.g. a mount cmd ends up with such modified [c|m]times. And ... it's not a good idea to present your IP without any emergency, in order to prevent social engineering. 213.183.161.234 is adsl1-234-1-nc.nordcom.net with a password-protected service at port 80 :O) and a dnsalias.org with your clearname?
Yours
Michael
"GentooRulez" <paranoiac_user@freenet.de> writes:
and it should not be popper. So offer a wider range of the log prior to 22:04, cause - as roman wrote - e.g. a mount cmd ends up with such modified [c|m]times.
The rest of the log around that time +-1 hour also just consists of qrunner and popper log entries, dropped packages from the firewall and:
Jul 16 21:59:00 p15089763 /USR/SBIN/CRON[14347]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Jul 16 22:59:00 p15089763 /USR/SBIN/CRON[14612]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
There have been definitely NO mounts or umounts. At least not regularly each day. Except if any SuSE cron job mounts and umounts something regularly?
Best regards from Bremen,
Matthias Riese
Turn on "fascist" logging, e.g. allmessages (line in syslog.conf). It could as well be some mail triggering this, depending on the sickness of some software (that wouldn't work with ro-mounted /etc). Check _all_ syslogs from that time. Check if you have an automounter running. At last, use the tmpwatch package (temp-watch -d /etc) to check; it's more like winning a race if you want to see something, but still. (Hint for winning the race: Do "renice -15 $$" as root and _then_ run the temp-watch program. Box gets sluggish then, of course.) The tool isn't really that smart...
Roman.
--
Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see,
SuSE Linux AG - Security, Phone: +49-911-740530 // you need vision!"
Nürnberg, Germany // Maxi Jazz, Faithless
Roman Drahtmueller <draht@suse.de> writes:
I niced temp-watch +15 because I couldn't afford the box to get sluggish. Nevertheless temp-watch found at least one guilty party (ntpd):
/etc/ntp.drift.TEMP unlinked before we could stat...
- ?--------- 0 root root 0 Jan 1 01:00 /etc/ntp.drift.TEMP
As Olaf Kirch already pointed out: There are lots and lots of programs changing files in /etc. It turned out that by using temporary files to be failsafe they touch /etc too. For the protocol: It can be considered completely normal for /etc to change mtime/ctime regularly. However this doesn't harm the usefulness of an IDS in any way, because a reasonably configured IDS does not only watch /etc, but all critical files within /etc too.
Thanks for all the help,
Matthias Riese
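As an added illustration of the mechanism Matthias describes (this is not code from the thread or from any tool mentioned in it): writing a file the way ntpd writes its drift file, via a temporary file beside the target followed by a rename, bumps the directory's mtime even when the file content is unchanged, so an integrity baseline keyed on per-file hashes separates that harmless churn from a real edit of a critical file. The directory, file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time

def write_via_temp(path, data):
    """Write like ntpd writes ntp.drift: temp file next to the target, then rename."""
    tmp = path + ".TEMP"
    with open(tmp, "w") as f:
        f.write(data)
    os.replace(tmp, path)  # atomic swap; the directory entry changes, so dir mtime moves

def snapshot(directory):
    """Baseline: SHA-256 of every regular file plus the directory's own mtime."""
    files = {}
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        if os.path.isfile(p):
            with open(p, "rb") as f:
                files[name] = hashlib.sha256(f.read()).hexdigest()
    return {"dir_mtime": os.stat(directory).st_mtime_ns, "files": files}

def diff(before, after):
    """Return (files whose hash changed, whether the directory timestamp moved)."""
    names = set(before["files"]) | set(after["files"])
    changed = sorted(n for n in names if before["files"].get(n) != after["files"].get(n))
    return changed, before["dir_mtime"] != after["dir_mtime"]

def demo():
    """Constructed /etc look-alike: one churning drift file, one critical hosts file."""
    d = tempfile.mkdtemp()
    drift = os.path.join(d, "ntp.drift")
    hosts = os.path.join(d, "hosts")
    write_via_temp(drift, "12.345\n")
    with open(hosts, "w") as f:
        f.write("127.0.0.1 localhost\n")
    base = snapshot(d)
    time.sleep(0.05)  # let the coarse filesystem clock tick
    write_via_temp(drift, "12.345\n")          # same content, rewritten the ntpd way
    churn_changed, churn_dir = diff(base, snapshot(d))
    with open(hosts, "a") as f:                 # now a genuine edit of a critical file
        f.write("192.0.2.10 added-entry\n")
    edit_changed, edit_dir = diff(base, snapshot(d))
    return churn_changed, churn_dir, edit_changed, edit_dir

if __name__ == "__main__":
    print(demo())  # ([], True, ['hosts'], True)
```

Watching only the directory's timestamp would have fired in both cases; the per-file hashes fire only for the hosts edit.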