papaschtroumpf Posted September 18, 2006 Report Share Posted September 18, 2006 I run logwatch (www2.logwatch.com) nightly. it goes through system logs and extracts "interesting" information. This morning I have the following in my log: --------------------- Connections (secure-log) Begin ------------------------ **Unmatched Entries** msec: changed group of /var/log/rkhunter.log from root to adm: 1 Time(s) msec: changed mode of /var/log/rkhunter.log from 644 to 640: 1 Time(s) msec: changed mode of /var/log/security/open_port.today from 644 to 640: 1 Time(s) msec: changed mode of /var/log/security/sgid.today from 644 to 640: 1 Time(s) msec: changed mode of /var/log/security/suid_md5.today from 644 to 640: 1 Time(s) msec: changed mode of /var/log/security/suid_root.today from 644 to 640: 1 Time(s) msec: changed mode of /var/log/security/unowned_group.today from 644 to 640: 1 Time(s) msec: changed mode of /var/log/security/unowned_user.today from 644 to 640: 1 Time(s) msec: changed mode of /var/log/security/writable.today from 644 to 640: 1 Time(s) is this normal? I don't remember seeing eanything like that before. [moved from Software by spinynorman] Quote Link to comment Share on other sites More sharing options...
arctic Posted September 18, 2006 Report Share Posted September 18, 2006 The msec package manages permissions to several files on its own on a regular basis, based on a script named security.sh. This script will be launched when the system detects folders that do not match the default security settings of your box. Then, msec will "correct" the settings for those folders so they are in line with the rest of the system-security settings. It is usually nothing to worry about. Quote Link to comment Share on other sites More sharing options...
papaschtroumpf Posted September 18, 2006 Author Report Share Posted September 18, 2006 The msec package manages permissions to several files on its own on a regular basis, based on a script named security.sh. This script will be launched when the system detects folders that do not match the default security settings of your box. Then, msec will "correct" the settings for those folders so they are in line with the rest of the system-security settings. It is usually nothing to worry about. the problem is hwy did they have the wrong permission to start with? Quote Link to comment Share on other sites More sharing options...
arctic Posted September 18, 2006 Report Share Posted September 18, 2006 First of all, it is not really "wrong permissions" but altered permissions that are considered potentially "insecure" by msec. The permission settings of root are different to those of msec and once you log in as root, certain permissions of files will be changed. Root has the right to read and write every file (except immutable files) while msec wants to set certain files to read-only status for security reasons. Thus, all files with 644 permission that basically should not have a 644 permission will be restored to the system-default 640 setting of msec. Quote Link to comment Share on other sites More sharing options...
papaschtroumpf Posted September 18, 2006 Author Report Share Posted September 18, 2006 thanks I feel better Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.