LinuxQuestions.org


martijnburger 01-04-2009 05:14 AM

fcheck on linux 10, what happens at 03:00 in the morning?
 
Hi everyone,

I'm currently installing a Fedora 10 webserver. It's currently connected through a router which has no ports activated in NAT/PAT. My only port allowed by IP tables is 22 (ssh). I'm pretty sure I secured ssh in a good way (no root login, only protocol 2, etc.).

I've installed fcheck last night to do a quarterly check of my system directories. I checked it last night before I left it and the fcheck log was clean. Since 03:00 this morning (CET) I'm getting warnings from fcheck for almost every application in /bin and /sbin. The following is typically happening:
* inode change
* time change to 03:00
* file size grows by around 2 kb
* CRC change

For example:

WARNING: [localhost] /sbin/reboot
[Inodes: 2982696 - 2982714, Sizes: 47664 - 50284, Times: Jan 03 18:52 2009 - Jan 04 03:03 2009, CRCs: 02dec3da0f16de4c9a7d72dbae9606a2 - 0e0ab2a6ab8df617a294313362b1d05c]

Has anyone got an explanation for what happened?

Regards,

Martijn

syg00 01-04-2009 05:21 AM

Check cron - updatedb probably.

martijnburger 01-04-2009 05:39 AM

Sorry,

don't think it's updatedb. I haven't even got updatedb installed. This is the relevant part of my /var/log/cron:

Jan 4 02:45:01 www CROND[6588]: (root) CMD (nice /usr/local/bin/fcheck_script > /dev/null)
Jan 4 03:00:01 www CROND[14939]: (root) CMD (nice /usr/local/bin/fcheck_script > /dev/null)
Jan 4 03:01:01 www CROND[22002]: (root) CMD (run-parts /etc/cron.hourly)
Jan 4 03:15:01 www CROND[23293]: (root) CMD (nice /usr/local/bin/fcheck_script > /dev/null)

Any other logs I can check?


Regards,

Martijn.

win32sux 01-04-2009 06:12 AM

Check whether you've got prelink running via cron.

martijnburger 01-04-2009 02:42 PM

The only thing I have running via cron is fcheck:

[root@www ~]# crontab -l
*/15 * * * * nice /usr/local/bin/fcheck_script > /dev/null
[root@www ~]#

win32sux 01-04-2009 04:12 PM

What's the output of:
Code:

ls -l /etc/cron.*

martijnburger 01-06-2009 01:45 AM

[root@www ~]# ls -l /etc/cron.*
-rw-r--r-- 1 root root 0 2008-12-23 10:04 /etc/cron.deny

/etc/cron.d:
total 0

/etc/cron.daily:
total 16
-rwxr-xr-x 1 root root 180 2003-07-09 21:36 logrotate
-rwxr-xr-x 1 root root 669 2008-09-16 14:05 makewhatis.cron
-rwxr-xr-x 1 root root 2181 2006-06-21 12:07 prelink
-rwxr-xr-x 1 root root 296 2008-12-01 13:10 rpm

/etc/cron.hourly:
total 0

/etc/cron.monthly:
total 0

/etc/cron.weekly:
total 4
-rwxr-xr-x 1 root root 663 2008-09-16 14:05 makewhatis.cron


That looks promising. I have to read up on how cron works, I guess :)

win32sux 01-06-2009 09:27 AM

Well, you've got a prelink set there as a daily cronjob.

So maybe prevent it from executing to see if it changes your situation:
Code:

chmod 644 /etc/cron.daily/prelink

My guess is that if you check your system-wide crontab you'll see that the execution time for the daily jobs will match the changes you've been seeing. I don't know about Fedora, but on Ubuntu the file is /etc/crontab.

martijnburger 01-06-2009 12:45 PM

Okay. Found it out, it is prelink. Hate it when an OS installs stuff for you without asking. Thanks for the help, guys!
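
The check the thread converges on, as an added example that is not part of the original thread: for every path in an fcheck report, ask rpm and prelink whether the changed binary is still the packaged file with only prelink's changes applied. The function names, verdict strings and the second sample entry are constructed for illustration; it assumes rpm's verify undoes prelinking before hashing, as set up by Fedora's prelink package.

```shell
#!/bin/sh
# Added example (not from the thread): triage fcheck warnings on an
# RPM-based host where prelink rewrites binaries from cron.daily.

# First entry is the warning quoted in the thread; the second is constructed.
SAMPLE_REPORT='WARNING: [localhost] /sbin/reboot
[Inodes: 2982696 - 2982714, Sizes: 47664 - 50284, Times: Jan 03 18:52 2009 - Jan 04 03:03 2009, CRCs: 02dec3da0f16de4c9a7d72dbae9606a2 - 0e0ab2a6ab8df617a294313362b1d05c]
WARNING: [localhost] /bin/ls
[Inodes: 1 - 2, Sizes: 100 - 200, Times: Jan 03 18:52 2009 - Jan 04 03:03 2009, CRCs: aaaa - bbbb]'

# Print the path from each "WARNING: [host] /path" line read on stdin.
fcheck_paths() {
    sed -n 's|^WARNING: \[[^]]*] \(/.*\)$|\1|p'
}

# Print one verdict for a changed file:
#   unowned          no package claims the file, so rpm has no baseline
#   prelink-mismatch undoing and redoing prelinking does not reproduce it
#   digest-mismatch  rpm reports a content digest difference ('5' flag)
#   prelink-ok       change is explained by prelinking alone
classify() {
    f=$1
    rpm -qf "$f" >/dev/null 2>&1 || { echo unowned; return; }
    # prelink -y (--verify) exits non-zero when the file is not what
    # prelink itself would produce from the un-prelinked original.
    prelink -y --md5 "$f" >/dev/null 2>&1 || { echo prelink-mismatch; return; }
    # rpm -V flags look like "S.5....T."; position 3 is the digest test.
    if rpm -Vf "$f" 2>/dev/null |
        awk -v p="$f" '$NF == p && substr($1, 3, 1) == "5" { bad = 1 }
                       END { exit !bad }'; then
        echo digest-mismatch
    else
        echo prelink-ok
    fi
}

# Classify every path in a report read on stdin.
triage() {
    fcheck_paths | while read -r f; do
        printf '%s\t%s\n' "$(classify "$f")" "$f"
    done
}

# Run against the sample only where the real tools are installed.
if command -v rpm >/dev/null 2>&1 && command -v prelink >/dev/null 2>&1; then
    printf '%s\n' "$SAMPLE_REPORT" | triage
fi
```

rpm -V compares against the local RPM database, so the verdicts are only as trustworthy as that database and the rpm and prelink binaries on the host.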

