LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Strange Repeating Error message in /var/log/message (http://www.linuxquestions.org/questions/linux-security-4/strange-repeating-error-message-in-var-log-message-495826/)

lucktsm 10-26-2006 02:48 PM

Strange Repeating Error message in /var/log/message
 
The error is this:
pam_timestamp_check: pam_timestamp: `/' owner UID != 0
repeated over and over.

I have done this:
# chown root:root '/'
# ls -ld '/'
drwxr-xr-x 25 root root 4096 Oct 25 09:12 /

Yet I see this:
Oct 26 14:36:27 tsm su(pam_unix)[4962]: session closed for user root
Oct 26 14:36:28 tsm pam_timestamp_check: pam_timestamp: `/' owner UID != 0
Oct 26 14:37:00 tsm last message repeated 13 times
Oct 26 14:38:03 tsm last message repeated 25 times
Oct 26 14:39:05 tsm last message repeated 25 times
Oct 26 14:40:08 tsm last message repeated 25 times
Oct 26 14:41:10 tsm last message repeated 25 times

I changed the password of the user that is assuming ownership of '/' but it happens again. This leads me to believe it is some sort of batch process. Anyone seen this before?

i_grok 10-26-2006 03:28 PM

Try:
Code:

ls -lnd /
This will make sure that the UID and GID are actually 0.

You can take a look in /var/spool/cron/ for jobs that might be doing this.

lucktsm 10-27-2006 09:29 AM

Additional info.. Looks like selinux is doing it?

Oct 27 03:00:02 tsm kernel: SELinux: initialized (dev cifs, type cifs), uses genfs_con
texts
Oct 27 03:00:30 tsm kernel: SELinux: initialized (dev cifs, type cifs), uses genfs_con
texts
Oct 27 03:00:45 tsm pam_timestamp_check: pam_timestamp: `/' owner UID != 0
Oct 27 03:01:19 tsm last message repeated 13 times


All times are GMT -5. The time now is 06:03 AM.