Operating System - HP-UX
kdc
Regular Advisor

permissions on /usr/bin/compress

For the past two nights the permissions on /usr/bin/compress have been changing to 500 from 555. Does anyone have any suggestions on how I could track what has been performing this change? I have checked the .sh_history and have talked with numerous people asking if there have been any changes on the system.

My email is kim.chester@gwl.ca
Darren Prior
Honored Contributor

Re: permissions on /usr/bin/compress

Hi Joe/Kim,

If it's a trusted system then this is just what auditing is for. moddac is the event that you should monitor - check the manpage for audevent(1M) for further info. There's also documentation for auditing on docs.hp.com.

Otherwise, perhaps you should check whether any cronjobs are using compress and investigate those. Are you able to track the exact time that this occurs?

regards,

Darren.
Calm down. It's only ones and zeros...
kdc
Regular Advisor

Re: permissions on /usr/bin/compress

I have checked all the crons for root; there are none for bin. No luck. I have also gone through the other suggestions with no luck. I am going to create a script to monitor the time it changes; this may help me narrow it down. Thanks for your help everyone. Keep the suggestions coming if anyone else can think of anything.
Patrick Wallek
Honored Contributor

Re: permissions on /usr/bin/compress

A couple of other ways to monitor it:

# ps -ef | grep compress > /tmp/compress.log

You could script it and have it run every couple of seconds, but you are still taking a chance that you'll miss whatever it is that is changing permissions.

You could also temporarily move the chmod executable to chmod.orig and then have a custom chmod script that looks at the user invoking it, and writes all the information to a log file. Something like:

date >> /tmp/log
echo "$LOGNAME" >> /tmp/log
ps -ef | grep "$LOGNAME" >> /tmp/log

Something to help you trace who's doing this for you.
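
The wrapper idea from the last reply, written out as an added example (not code from any of the posters). It assumes the real binary was moved to /usr/bin/chmod.orig; the variable and function names are made up for illustration.

```shell
#!/usr/bin/sh
# Added example: logging wrapper installed under the name "chmod".
# Assumption: the real binary was moved to /usr/bin/chmod.orig.
REAL_CHMOD=${REAL_CHMOD:-/usr/bin/chmod.orig}
CHMOD_LOG=${CHMOD_LOG:-/tmp/log}      # log file name used in the post

# Append one record per call: time, caller identity, working directory
# (needed to resolve relative paths such as "chmod 500 compress"),
# the arguments, and the ps line of the parent process.
log_chmod_call() {
    {
        echo "=== $(date)"
        echo "user=${LOGNAME:-unknown} id=$(id)"
        echo "pid=$$ ppid=$PPID cwd=$(pwd)"
        echo "args: $*"
        # The parent process is the script, shell or cron job that ran chmod.
        ps -ef | awk -v p="$PPID" '$2 == p'
    } >> "$CHMOD_LOG" 2>&1
}

# Act as the wrapper only when invoked under the name "chmod", so the file
# can be sourced or run under another name without executing anything.
case "${0##*/}" in
chmod)
    log_chmod_call "$@"
    exec "$REAL_CHMOD" "$@"           # hand over to the real chmod unchanged
    ;;
esac
```

A wrapper like this only sees callers that run the chmod command; a program that calls chmod(2) directly never passes through it, which is the gap the moddac audit event from the first reply covers.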