
RE: [cobalt-security] why did wtmp rotate?



At 05:28 PM 7/31/01 -0700, Dean Hall wrote:
>> On my RaQ2, last week, my /var/log/wtmp
>> file rotated for the first time in the 2.5 years
>> I've had the box.  I have never seen wtmp
>> get rotated before.
>> 
>> That is, the old wtmp was gzipped and
>> renamed wtmp.1.gz and a new wtmp file
>> was started.  Nothing wrong with that...
>> but as a paranoid sysadmin, I get
>> suspicious about log files.  Could it be a
>> hacker covering her tracks?  Or is there
>> some script that I haven't noticed before
>> that rotates wtmp?
>
>Take a look at your /etc/rotate.conf (raq4) or your raq2 equivalent and
>check the parameters.  It may be configured to rotate on reaching a
>certain size and not weekly, monthly, yearly, etc.  If that's the case,
>unzip it and see if the size is right to have triggered the rotate.
>---- 
>Dean Hall at Tactix ReEngineering ( dean@xxxxxxxxxx ) 
>503 520-9699  http://www.tactix.com 

Yes -- that's exactly what happened.

The file /etc/logrotate.conf on my RaQ2
rotates wtmp when it reaches 2M in size.

Thanks, Dean, for your sage advice!

Dan Keller
dan@xxxxxxxxxx
http://www.keller.com/
+1 415 861-4500 (voice)
+1 415 861-4593 (fax)
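
The check suggested in the thread, worked as an added example (not part of the original messages): read the `size` threshold from the wtmp stanza of a logrotate config and compare it with the uncompressed size of the rotated file. The function names, the one-line `path {` stanza layout and the temporary sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: was the rotated wtmp big enough to trip logrotate's "size"
# rule? Function names are hypothetical; assumes the stanza opens with
# "<path> {" on one line.

# Print the size threshold in bytes for log $2 in logrotate config $1.
wtmp_size_limit() {
    awk -v target="$2" '
        $1 == target && index($0, "{") { inside = 1; next }
        inside && index($0, "}")       { inside = 0 }
        inside && $1 ~ /^size/ {
            v = $0
            sub(/^[ \t]*size[ \t=]*/, "", v); sub(/[ \t]*$/, "", v)
            n = v + 0; u = substr(v, length(v))   # numeric part, unit suffix
            if (u == "k") n *= 1024
            else if (u == "M") n *= 1048576
            else if (u == "G") n *= 1073741824
            printf "%.0f\n", n; exit
        }' "$1"
}

# Print the uncompressed byte count of a gzipped rotated log.
rotated_size() {
    gzip -dc "$1" | wc -c | tr -d ' '
}

# Print "<verdict> actual=<bytes> limit=<bytes>" for config $1, archive $2, log $3.
check_rotation() {
    limit=$(wtmp_size_limit "$1" "$3")
    actual=$(rotated_size "$2")
    if [ -z "$limit" ]; then
        echo "no-size-rule actual=$actual limit="
    elif [ "$actual" -ge "$limit" ]; then
        echo "consistent actual=$actual limit=$limit"
    else
        echo "undersized actual=$actual limit=$limit"
    fi
}

# Constructed sample input: a 2M size rule and a rotated file just over 2 MiB.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '/var/log/wtmp {' '    size 2M' '    rotate 1' '}' > "$demo/logrotate.conf"
dd if=/dev/zero bs=1024 count=2049 2>/dev/null | gzip -c > "$demo/wtmp.1.gz"
check_rotation "$demo/logrotate.conf" "$demo/wtmp.1.gz" /var/log/wtmp
# On a real host: check_rotation /etc/logrotate.conf /var/log/wtmp.1.gz /var/log/wtmp
```

A "consistent" verdict only shows the rotation fits the configured size rule; an "undersized" one means the rotation had some other trigger worth tracking down.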