
Re: What in /var/logs shows system reboot?



On Tue, Jan 24, 2017 at 9:47 AM, Greg Wooledge <wooledg@eeg.ccf.org> wrote:
> On Mon, Jan 23, 2017 at 08:28:08PM -0400, francis picabia wrote:
> > Here is the exercise anyone reading can try:
> >
> > Prove to yourself exactly when you rebooted your Debian system(s)
>
> arc3:~$ uptime
>  08:44:40 up 8 days, 31 min,  1 user,  load average: 0.02, 0.02, 0.00
>
> Everything's easy on a live, running system.
>
> > to ensure you were safe against dirty cow.
>
> Oh, *that*?  In that case, you don't give a flying leap how long ago you
> rebooted.  What you care about is the *exact running kernel version*.
>
> arc3:~$ uname -v
> #1 SMP Debian 3.16.39-1 (2016-12-30)
>
> Then you compare 3.16.39-1 against the changelog.Debian.gz to see if it's
> got the bug fixes you want.
>
> http://mywiki.wooledge.org/XyProblem

I had unattended upgrades on, but didn't have reboot set to automatically
trigger.  I found evidence a user tried the Dirty COW
exploit a couple of days after the kernel was upgraded,
but I needed to know exactly when the system had
been rebooted, in October 2016, to see whether
the exploit had possibly worked.  With the old dmesg files, I would
likely have that on hand as they don't rotate away too quickly.

The solution was to restore /var/log from backup tapes and I see
when the reboot happened in kern.log.  I'll consider increasing the
number of kern.log to keep in logrotate so I might not need to wait
for backup tapes in the future.
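
The check described in this thread, as an added example that is not part of the original messages: list every boot recorded in a restored kern.log and report which kernel package version was running at the time of a suspicious event. The log lines, host name, dates and the OLD/NEW version strings are constructed placeholders; the function names are hypothetical, and the log is assumed to use rsyslog's traditional timestamp format within a single year.

```python
import re
from datetime import datetime

# Constructed sample in rsyslog's traditional kern.log format (not from the thread).
# Host name, dates and the OLD/NEW package versions are placeholders.
SAMPLE_KERN_LOG = """\
Oct 18 07:02:11 host1 kernel: [    0.000000] Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) #1 SMP Debian 3.16.0-OLD (2016-09-01)
Oct 18 07:02:11 host1 kernel: [    0.000000] Command line: BOOT_IMAGE=/vmlinuz-3.16.0-4-amd64 ro quiet
Oct 23 14:10:05 host1 kernel: [457674.120331] device eth0 entered promiscuous mode
Oct 27 22:40:53 host1 kernel: [    0.000000] Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) #1 SMP Debian 3.16.0-NEW (2016-10-20)
"""

# A boot shows up as the kernel banner at uptime 0.000000. The banner ends with
# the same "#1 SMP Debian <package version> (<date>)" string that `uname -v` prints.
# The syslog timestamp is when the line was written, a few seconds after the boot.
BOOT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[\s*0\.000000\] "
    r"Linux version (?P<release>\S+) .*#\d+ SMP Debian (?P<pkg>\S+) \("
)


def boots(log_text, year):
    """Return [(boot_time, kernel_release, package_version)] in time order.

    Traditional syslog timestamps carry no year, so the caller supplies it.
    """
    found = []
    for line in log_text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((when, m["release"], m["pkg"]))
    return sorted(found)


def kernel_running_at(log_text, year, event_time):
    """Package version booted most recently before event_time.

    Returns None when the retained logs hold no earlier boot, which is the
    case when the relevant kern.log has already been rotated away.
    """
    running = None
    for when, _release, pkg in boots(log_text, year):
        if when <= event_time:
            running = pkg
    return running


if __name__ == "__main__":
    attempt = datetime(2016, 10, 23, 14, 0, 0)  # constructed time of the attempt
    for when, release, pkg in boots(SAMPLE_KERN_LOG, 2016):
        print(when, release, pkg)
    print("running at attempt:", kernel_running_at(SAMPLE_KERN_LOG, 2016, attempt))
```

The version returned is the one to compare against changelog.Debian.gz, as suggested earlier in the thread.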


