IDS detected smbpasswd modified
Hello, all!
Looking at how samhain was recommended as a pain-free
IDS here, I decided to give it a try. I never had
enough time to configure an IDS properly in the past.
Now samhain seems to work fine and does not appear to
be too difficult at first sight. Thanks for the
recommendation.
Anyway, samhain detected a problem with /etc/samba/smbpasswd.
Here is what I got suddenly:
CRIT : [2005-07-18T13:26:28+0200] msg=<POLICY [ReadOnly] --------T->,
path=</etc/samba/smbpasswd>, ctime_old=<[2005-07-18T09:23:20]>,
ctime_new=<[2005-07-18T09:44:55]>,
Here is the output of stat:
root@horse:/etc/samba# stat smbpasswd
File: `smbpasswd'
Size: 106 Blocks: 8 IO Block: 4096 regular file
Device: 301h/769d Inode: 33636 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2005-07-18 14:52:40.000000000 +0200
Modify: 2005-01-21 13:54:21.000000000 +0100
Change: 2005-07-18 11:44:55.000000000 +0200
Does anyone have any idea why the ctime would change
so often for a file that is essentially not changing
in any way, especially not the attributes?
Thanks in advance,
Albert
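
An added example, not part of the original post: a small Python check that parses the samhain line quoted above and compares it with the stat output, to confirm both describe the same ctime change and to see whether mtime moved as well. It assumes the bracketed ctime values in the report are UTC (they carry no offset); the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Sample input constructed from the log line and stat output quoted in the post.
SAMHAIN_LINE = (
    "CRIT : [2005-07-18T13:26:28+0200] msg=<POLICY [ReadOnly] --------T->, "
    "path=</etc/samba/smbpasswd>, ctime_old=<[2005-07-18T09:23:20]>, "
    "ctime_new=<[2005-07-18T09:44:55]>,"
)
STAT_MODIFY = "2005-01-21 13:54:21.000000000 +0100"
STAT_CHANGE = "2005-07-18 11:44:55.000000000 +0200"


def parse_samhain(line):
    """Extract the path and the old/new ctime from a samhain report line."""
    path = re.search(r"path=<([^>]*)>", line).group(1)
    times = {}
    for key, val in re.findall(r"(ctime_(?:old|new))=<\[([^\]]+)\]>", line):
        # Assumption: these timestamps have no offset and are UTC.
        naive = datetime.strptime(val, "%Y-%m-%dT%H:%M:%S")
        times[key] = naive.replace(tzinfo=timezone.utc)
    return path, times


def parse_stat_time(text):
    """Parse a stat timestamp such as '2005-07-18 11:44:55.000000000 +0200'."""
    date, clock, offset = text.split()
    whole_seconds = clock.split(".")[0]
    return datetime.strptime(f"{date} {whole_seconds} {offset}",
                             "%Y-%m-%d %H:%M:%S %z")


def triage(line, stat_modify, stat_change):
    """Compare the report with stat and summarise what kind of change it was."""
    path, times = parse_samhain(line)
    mtime, ctime = parse_stat_time(stat_modify), parse_stat_time(stat_change)
    return {
        "path": path,
        # True when the report and stat agree once both are timezone-aware.
        "report_matches_stat": times["ctime_new"] == ctime,
        "ctime_delta": times["ctime_new"] - times["ctime_old"],
        # mtime older than the previous ctime means no content write is
        # recorded since then. A hint only: mtime can be set back by a process.
        "metadata_only": mtime < times["ctime_old"],
    }


if __name__ == "__main__":
    print(triage(SAMHAIN_LINE, STAT_MODIFY, STAT_CHANGE))
```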