Re: [suse-security] IDS goes off at /etc
and it should not be popper. So offer a wider range of the log prior to 22:04, because - as Roman wrote - e.g. a mount cmd ends up with such modified [c|m]times.
The rest of the log around that time +-1 hour also just consists of qrunner and popper log entries, dropped packages from the firewall and:
Jul 16 21:59:00 p15089763 /USR/SBIN/CRON[14347]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
Jul 16 22:59:00 p15089763 /USR/SBIN/CRON[14612]: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
There have been definitely NO mounts or umounts. At least not regularly each day. Except if any SuSE cron job mounts and umounts something regularly?
Turn on "fascist" logging, e.g. allmessages (line in syslog.conf). It could as well be some mail triggering this, depending on the sickness of some software (that wouldn't work with ro-mounted /etc). Check _all_ syslogs from that time. Check if you have an automounter running. At last, use the tmpwatch package (temp-watch -d /etc) to check, it's more like winning a race if you want to see something, but still. (Hint for winning the race: Do "renice -15 $$" as root and _then_ run the temp-watch program. Box gets sluggish then, of course.) The tool isn't really that smart...
Matthias Riese
Roman.
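The suggestion above amounts to polling /etc for timestamp changes and lining the hits up against syslog. The script below is an added example written for this thread, not the temp-watch tool or anything from the list: it snapshots st_mtime/st_ctime for a directory tree, diffs two snapshots, and distinguishes a content write (mtime) from a metadata-only change such as chmod/chown (ctime only), which is the distinction that matters when the IDS complains about /etc without any file content changing. Directory entries are included because creating a file or mounting over a directory changes the directory's own timestamps. The demo runs in a scratch directory with constructed files; pointing `watch()` at /etc and the polling interval are assumptions of this example.

```python
"""Snapshot/diff watcher for directory timestamps (added example, not thread code)."""
import os
import shutil
import sys
import tempfile
import time
from typing import Dict, Optional, Tuple

Stamp = Tuple[int, int]  # (st_mtime_ns, st_ctime_ns)


def snapshot(root: str) -> Dict[str, Stamp]:
    """Return {relative_path: (mtime_ns, ctime_ns)} for root, its subdirectories and files.

    lstat is used so a symlink's own timestamps are recorded, not its target's.
    """
    stamps: Dict[str, Stamp] = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # entry vanished between listing and stat; it shows up as 'removed'
            stamps[os.path.relpath(path, root)] = (st.st_mtime_ns, st.st_ctime_ns)
    return stamps


def diff(before: Dict[str, Stamp], after: Dict[str, Stamp]) -> Dict[str, str]:
    """Classify each changed entry as added, removed, mtime (content written) or ctime-only.

    ctime-only means the inode metadata changed (mode, owner, link count) while the
    data did not; a plain content write bumps mtime and ctime together.
    """
    changes: Dict[str, str] = {}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            changes[rel] = "added"
        elif rel not in after:
            changes[rel] = "removed"
        else:
            (m0, c0), (m1, c1) = before[rel], after[rel]
            if m1 != m0:
                changes[rel] = "mtime"
            elif c1 != c0:
                changes[rel] = "ctime-only"
    return changes


def watch(root: str, interval: float = 5.0, rounds: Optional[int] = None) -> None:
    """Poll root and print wall-clock stamped change lines for correlation with syslog.

    Polling can miss a change that is reverted within one interval, which is the
    'race' the thread mentions; a shorter interval narrows the window.
    """
    before = snapshot(root)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        after = snapshot(root)
        for rel, kind in diff(before, after).items():
            print(time.strftime("%b %d %H:%M:%S"), kind, os.path.join(root, rel))
        before = after
        done += 1


def demo() -> Dict[str, str]:
    """Constructed scenario in a scratch directory (not /etc); returns the diff."""
    root = tempfile.mkdtemp(prefix="etcwatch-")
    try:
        for name in ("passwd.sample", "hosts.sample"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample content\n")
        before = snapshot(root)
        time.sleep(1.1)  # outlast 1-second timestamp granularity on coarse filesystems
        with open(os.path.join(root, "passwd.sample"), "a") as fh:
            fh.write("appended line\n")                      # content write -> mtime
        os.chmod(os.path.join(root, "hosts.sample"), 0o640)  # metadata only -> ctime-only
        open(os.path.join(root, "new.sample"), "w").close()  # new entry; parent dir mtime moves
        return diff(before, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        watch(sys.argv[1])  # e.g. python3 etcwatch.py /etc (assumed usage)
    else:
        print(demo())
```

Run without arguments to see the constructed scenario classify the three edits; run with a directory argument to poll it and print timestamped lines in the same `Mon DD HH:MM:SS` form as the syslog entries quoted in the thread, so a hit can be matched against the cron, popper or qrunner entries around it.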
Maybe that will be your final solution:
I did following:
google: file hook linux
and got that:
http://www.sysinternals.com/linux/utilities/filemon.shtml
Let me know whether it meets your needs.
Huhu, they wrote that stuff using Kylix, so I'll be able to patch it down to console if necessary.
I don't think so. It has a few problems: 1) the license 2) the availability of the source code 3) the fact that it comes along with a kernel module that sets function pointers to its own functions to intercept the system calls. This kernel module can't run reliably. We wouldn't ship it, no chance.
Michael
Roman.
--
- -
| Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see,
| SuSE Linux AG - Security Phone: // you need vision!"
| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |
- -
participants (2)
-
GentooRulez
-
Roman Drahtmueller