fcheck on linux 10, what happens at 03:00 in the morning?

martijnburger · 01-04-2009, 05:14 AM

Hi everyone,

I'm currently installing a Fedora 10 webserver. It's currently connected through a router which has no ports activate in NAT/PAT. My only port allowed by IP tables is 22 (ssh). I'm pretty sure I secured ssh in a good way (no rootlogin, only protocol 2, etc.

I've installed fcheck last night do do a quarterly check of my systemdirectories. I checked it last night before I left it and the fcheck log was clean. Since 03:00 this morging (CET) I'm getting warnings from fcheck for almost every application in /bin and /sbin. The folling is typically happening:
* inodechange
* timechange to 03:00
* filesize grows by around 2 kb
* CRC change

For example:

WARNING: [localhost] /sbin/reboot
[Inodes: 2982696 - 2982714, Sizes: 47664 - 50284, Times: Jan 03 18:52 2009 - Jan 04 03:03 2009, CRCs: 02dec3da0f16de4c9a7d72dbae9606a2 - 0e0ab2a6ab8df617a294313362b1d05c]

Has anyone got an explanation what happend?

Regards,

Martijn

syg00 · 01-04-2009, 05:21 AM

Check cron - updatedb probably.

martijnburger · 01-04-2009, 05:39 AM

Sorry,

don't think it's updatedb. I haven't even got updatedb installed. This is the relevant part of my /var/log/cron:

Jan 4 02:45:01 www CROND[6588]: (root) CMD (nice /usr/local/bin/fcheck_script > /dev/null)
Jan 4 03:00:01 www CROND[14939]: (root) CMD (nice /usr/local/bin/fcheck_script > /dev/null)
Jan 4 03:01:01 www CROND[22002]: (root) CMD (run-parts /etc/cron.hourly)
Jan 4 03:15:01 www CROND[23293]: (root) CMD (nice /usr/local/bin/fcheck_script > /dev/null)

Any other logs I can check?

Regards,

Martijn.

win32sux · 01-04-2009, 06:12 AM

Check whether you've got prelink running via cron.

martijnburger · 01-04-2009, 02:42 PM

The only thing I have running via cron is fcheck:

[root@www ~]# crontab -l
*/15 * * * * nice /usr/local/bin/fcheck_script > /dev/null
[root@www ~]#

win32sux · 01-04-2009, 04:12 PM

What's the output of:

Code:

ls -l /etc/cron.*

martijnburger · 01-06-2009, 01:45 AM

[root@www ~]# ls -l /etc/cron.*
-rw-r--r-- 1 root root 0 2008-12-23 10:04 /etc/cron.deny

/etc/cron.d:
total 0

/etc/cron.daily:
total 16
-rwxr-xr-x 1 root root 180 2003-07-09 21:36 logrotate
-rwxr-xr-x 1 root root 669 2008-09-16 14:05 makewhatis.cron
-rwxr-xr-x 1 root root 2181 2006-06-21 12:07 prelink
-rwxr-xr-x 1 root root 296 2008-12-01 13:10 rpm

/etc/cron.hourly:
total 0

/etc/cron.monthly:
total 0

/etc/cron.weekly:
total 4
-rwxr-xr-x 1 root root 663 2008-09-16 14:05 makewhatis.cron

That looks promissing. I have to read up on how cron works, I guess

win32sux · 01-06-2009, 09:27 AM

Well, you've got a prelink set there as a daily cronjob.

So maybe prevent it from executing to see if it changes your situation:

Code:

chmod 644 /etc/cron.daily/prelink

My guess is that if you check your system-wide crontab you'll see that the execution time for the daily jobs will match the changes you've been seeing. I don't know about Fedora, but on Ubuntu the file is /etc/crontab.

martijnburger · 01-06-2009, 12:45 PM

Okay. Found it out, it is prelink. Hate it when an OS installs stuff for you without asking. Thanks for the help, guys!