daily insecurity says my swap device changed


daily insecurity says my swap device changed

quisquous
My daily insecurity email on one of my boxes says this:

Block device changes:
brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
brw-r----- 1 root operator 0, 1 Sep 8  18:43:56 2014 /dev/wd0b

On all my other (openbsd) boxes, the swap partition has the same date as
all the other block devices. And all the other devices on *this* box
have the same timestamp of August 16. After this insecurity report, I
ran a script that eats up memory and started to use swap space and I
verified that at least in that case, the swap device timestamp didn't
change...so it would seem that using swap wouldn't lead to the timestamp
change in my daily insecurity report.

Does anyone know why the date would change on a swap device like this?


Re: daily insecurity says my swap device changed

Ingo Schwarze
Hi Scott,

Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700:

> My daily insecurity email on one of my boxes says this:
>
> Block device changes:
> brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
> brw-r----- 1 root operator 0, 1 Sep 8  18:43:56 2014 /dev/wd0b
>
> On all my other (openbsd) boxes, the swap partition has the same date as
> all the other block devices. And all the other devices on *this* box
> have the same timestamp of August 16. After this insecurity report, I
> ran a script that eats up memory and started to use swap space and I
> verified that at least in that case, the swap device timestamp didn't
> change...so it would seem that using swap wouldn't lead to the timestamp
> change in my daily insecurity report.
>
> Does anyone know why the date would change on a swap device like this?

One obvious possibility would be that maybe somebody ran mknod(1)
or touch(1) on the file /dev/wd0b.

Yours,
  Ingo


Re: daily insecurity says my swap device changed

Christer Solskogen-3
On Thu, Sep 11, 2014 at 7:21 PM, Ingo Schwarze <[hidden email]> wrote:

> Hi Scott,
>
> Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700:
>
>> My daily insecurity email on one of my boxes says this:
>>
>> Block device changes:
>> brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
>> brw-r----- 1 root operator 0, 1 Sep 8  18:43:56 2014 /dev/wd0b
>>
>> On all my other (openbsd) boxes, the swap partition has the same date as
>> all the other block devices. And all the other devices on *this* box
>> have the same timestamp of August 16. After this insecurity report, I
>> ran a script that eats up memory and started to use swap space and I
>> verified that at least in that case, the swap device timestamp didn't
>> change...so it would seem that using swap wouldn't lead to the timestamp
>> change in my daily insecurity report.
>>
>> Does anyone know why the date would change on a swap device like this?
>
> One obvious possibility would be that maybe somebody ran mknod(1)
> or touch(1) on the file /dev/wd0b.
>

The script /dev/MAKEDEV was run, perhaps?

--
chs


Re: daily insecurity says my swap device changed

quisquous
On Thu, Sep 11, 2014 at 07:35:47PM +0200, Christer Solskogen wrote:

> On Thu, Sep 11, 2014 at 7:21 PM, Ingo Schwarze <[hidden email]> wrote:
> > Hi Scott,
> >
> > Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700:
> >
> >> My daily insecurity email on one of my boxes says this:
> >>
> >> Block device changes:
> >> brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
> >> brw-r----- 1 root operator 0, 1 Sep 8  18:43:56 2014 /dev/wd0b
> >>
> >> On all my other (openbsd) boxes, the swap partition has the same date as
> >> all the other block devices. And all the other devices on *this* box
> >> have the same timestamp of August 16. After this insecurity report, I
> >> ran a script that eats up memory and started to use swap space and I
> >> verified that at least in that case, the swap device timestamp didn't
> >> change...so it would seem that using swap wouldn't lead to the timestamp
> >> change in my daily insecurity report.
> >>
> >> Does anyone know why the date would change on a swap device like this?
> >
> > One obvious possibility would be that maybe somebody ran mknod(1)
> > or touch(1) on the file /dev/wd0b.
> >
>
> The script /dev/MAKEDEV was run, perhaps?

Understood. I'm the only user on this box and I did not run mknod,
touch, or MAKEDEV. I'm wondering whether something nefarious is going
on, or if there's some system process that's doing something normal.


Re: daily insecurity says my swap device changed

Christer Solskogen-3
On Thu, Sep 11, 2014 at 9:23 PM, Scott Bonds <[hidden email]> wrote:

> Understood. I'm the only user on this box and I did not run mknod,
> touch, or MAKEDEV. I'm wondering whether something nefarious is going
> on, or if there's some system process that's doing something normal.
>

Not upgraded in the last few days either?

--
chs


Re: daily insecurity says my swap device changed

System Administrator-39
In reply to this post by quisquous
On 11 Sep 2014 at 12:23, Scott Bonds wrote:

> On Thu, Sep 11, 2014 at 07:35:47PM +0200, Christer Solskogen wrote:
> > On Thu, Sep 11, 2014 at 7:21 PM, Ingo Schwarze <[hidden email]> wrote:
> > > Hi Scott,
> > >
> > > Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700:
> > >
> > >> My daily insecurity email on one of my boxes says this:
> > >>
> > >> Block device changes:
> > >> brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
> > >> brw-r----- 1 root operator 0, 1 Sep 8  18:43:56 2014 /dev/wd0b
> > >>
> > >> On all my other (openbsd) boxes, the swap partition has the same date as
> > >> all the other block devices. And all the other devices on *this* box
> > >> have the same timestamp of August 16. After this insecurity report, I
> > >> ran a script that eats up memory and started to use swap space and I
> > >> verified that at least in that case, the swap device timestamp didn't
> > >> change...so it would seem that using swap wouldn't lead to the timestamp
> > >> change in my daily insecurity report.
> > >>
> > >> Does anyone know why the date would change on a swap device like this?
> > >
> > > One obvious possibility would be that maybe somebody ran mknod(1)
> > > or touch(1) on the file /dev/wd0b.
> > >
> >
> > The script /dev/MAKEDEV was run, perhaps?
>
> Understood. I'm the only user on this box and I did not run mknod,
> touch, or MAKEDEV. I'm wondering whether something nefarious is going
> on, or if there's some system process that's doing something normal.
>
>

Does anyone know whether system crash dump (which goes to the swap
device) updates the timestamp? And did the system crash with a dump?


Re: daily insecurity says my swap device changed

quisquous
In reply to this post by Christer Solskogen-3
On Thu, Sep 11, 2014 at 10:13:14PM +0200, Christer Solskogen wrote:
> On Thu, Sep 11, 2014 at 9:23 PM, Scott Bonds <[hidden email]> wrote:
>
> > Understood. I'm the only user on this box and I did not run mknod,
> > touch, or MAKEDEV. I'm wondering whether something nefarious is going
> > on, or if there's some system process that's doing something normal.
> >
>
> Not upgraded in the last few days either?

Correct, I did not upgrade the OS.


Re: daily insecurity says my swap device changed

quisquous
In reply to this post by System Administrator-39
On Thu, Sep 11, 2014 at 04:25:04PM -0400, System Administrator wrote:

> On 11 Sep 2014 at 12:23, Scott Bonds wrote:
>
> > On Thu, Sep 11, 2014 at 07:35:47PM +0200, Christer Solskogen wrote:
> > > On Thu, Sep 11, 2014 at 7:21 PM, Ingo Schwarze <[hidden email]> wrote:
> > > > Hi Scott,
> > > >
> > > > Scott Bonds wrote on Thu, Sep 11, 2014 at 09:38:10AM -0700:
> > > >
> > > >> My daily insecurity email on one of my boxes says this:
> > > >>
> > > >> Block device changes:
> > > >> brw-r----- 1 root operator 0, 1 Aug 16 17:44:40 2014 /dev/wd0b
> > > >> brw-r----- 1 root operator 0, 1 Sep 8  18:43:56 2014 /dev/wd0b
> > > >>
> > > >> On all my other (openbsd) boxes, the swap partition has the same date as
> > > >> all the other block devices. And all the other devices on *this* box
> > > >> have the same timestamp of August 16. After this insecurity report, I
> > > >> ran a script that eats up memory and started to use swap space and I
> > > >> verified that at least in that case, the swap device timestamp didn't
> > > >> change...so it would seem that using swap wouldn't lead to the timestamp
> > > >> change in my daily insecurity report.
> > > >>
> > > >> Does anyone know why the date would change on a swap device like this?
> > > >
> > > > One obvious possibility would be that maybe somebody ran mknod(1)
> > > > or touch(1) on the file /dev/wd0b.
> > > >
> > >
> > > The script /dev/MAKEDEV was run, perhaps?
> >
> > Understood. I'm the only user on this box and I did not run mknod,
> > touch, or MAKEDEV. I'm wondering whether something nefarious is going
> > on, or if there's some system process that's doing something normal.
> >
> >
>
> Does anyone know whether system crash dump (which goes to the swap
> device) updates the timestampt? And did the system crash with a dump?

I think you've got it. There's a core dump in /var/crashes with the same
time stamp. Thanks!
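The triage the thread walks through can be scripted. The following is an added example, not code from the thread or from OpenBSD's security(8): it redoes in POSIX sh and awk what the daily insecurity report does for block devices (compare yesterday's `ls -l` snapshot of the device nodes against today's, keyed on the path), and then checks whether a changed node's new timestamp coincides with files in a listing of the crash dump directory, which is the explanation the thread arrived at. The snapshots and the crash-directory listing are constructed inline in the format shown in the report; the directory name `/var/crash` and the `ls -lT`-style listing of it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Reimplements the block-device
# comparison of the daily insecurity report and correlates a changed
# device node timestamp with crash dump files.

# Constructed "yesterday" and "today" snapshots of the device nodes,
# in the ls -lT format the report quotes.
OLD_SNAPSHOT='brw-r-----  1 root  operator    0,   0 Aug 16 17:44:40 2014 /dev/wd0a
brw-r-----  1 root  operator    0,   1 Aug 16 17:44:40 2014 /dev/wd0b
brw-r-----  1 root  operator    0,   2 Aug 16 17:44:40 2014 /dev/wd0c'

NEW_SNAPSHOT='brw-r-----  1 root  operator    0,   0 Aug 16 17:44:40 2014 /dev/wd0a
brw-r-----  1 root  operator    0,   1 Sep  8 18:43:56 2014 /dev/wd0b
brw-r-----  1 root  operator    0,   2 Aug 16 17:44:40 2014 /dev/wd0c'

# Constructed listing of the crash dump directory (assumed /var/crash),
# again ls -lT style: the dump files carry the time of the crash.
CRASH_LISTING='-rw-r-----  1 root  wheel  1234 Sep  8 18:43:56 2014 bsd.0
-rw-r-----  1 root  wheel  9999 Sep  8 18:43:56 2014 bsd.0.core
-rw-r-----  1 root  wheel    12 Aug 20 01:02:03 2014 bounds
-rw-r-----  1 root  wheel     0 Aug 20 01:02:03 2014 minfree'

# device_changes OLD NEW: one line per device node whose timestamp
# differs between the two snapshots ("path old -> new"), plus nodes
# that appeared or disappeared. The path is the last field; the four
# fields before it are month, day, time and year.
device_changes() {
    { printf '%s\n' "$1"; echo '---SNAPSHOT-SEP---'; printf '%s\n' "$2"; } |
    awk '
        /^---SNAPSHOT-SEP---$/ { in_new = 1; next }
        NF < 5 { next }
        {
            path = $NF
            stamp = $(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1)
        }
        !in_new { old[path] = stamp; next }
        {
            if (!(path in old)) { print path " (new node)"; next }
            if (old[path] != stamp) print path " " old[path] " -> " stamp
            delete old[path]
        }
        END { for (p in old) print p " (node removed)" }
    '
}

# dumps_matching_stamp LISTING STAMP: names of files in the crash
# directory listing whose timestamp equals STAMP (whitespace-normalised).
dumps_matching_stamp() {
    printf '%s\n' "$1" |
    awk -v want="$2" '
        BEGIN { split(want, w, " "); key = w[1] " " w[2] " " w[3] " " w[4] }
        NF < 5 { next }
        {
            stamp = $(NF-4) " " $(NF-3) " " $(NF-2) " " $(NF-1)
            if (stamp == key) print $NF
        }
    '
}

# explain_changes OLD NEW CRASH_LISTING: for every changed node, say
# whether its new timestamp matches a crash dump (benign, as in the
# thread) or not (worth a closer look: mknod, touch, MAKEDEV, upgrade).
explain_changes() {
    device_changes "$1" "$2" | while read -r path rest; do
        case "$rest" in
            *' -> '*)
                new_stamp=${rest#* -> }
                matches=$(dumps_matching_stamp "$3" "$new_stamp" | tr '\n' ' ')
                matches=${matches% }
                if [ -n "$matches" ]; then
                    printf '%s: new timestamp %s matches crash dump file(s): %s\n' \
                        "$path" "$new_stamp" "$matches"
                else
                    printf '%s: new timestamp %s matches no crash dump; investigate\n' \
                        "$path" "$new_stamp"
                fi ;;
            *) printf '%s %s\n' "$path" "$rest" ;;
        esac
    done
}

# Usage with the constructed data: reports that /dev/wd0b changed and
# that the new timestamp lines up with bsd.0 and bsd.0.core.
explain_changes "$OLD_SNAPSHOT" "$NEW_SNAPSHOT" "$CRASH_LISTING"
```

On a real box the two snapshots would come from the saved copy the daily script keeps and from a fresh `ls -lT /dev/*` of the block devices, and the crash listing from `ls -lT` of the crash directory; the point of keying on the path rather than diffing whole lines is that the report then names the node and the two timestamps directly, which is what you need to check against savecore's files.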