
[ISSForum] Site Protector - Changes_to_important_files on Solaris

Subject: [ISSForum] Site Protector - Changes_to_important_files on Solaris
Date: Wed, 8 Sep 2004 09:17:17 +0200
Hi All!

We have recently started getting a couple of new incidents that I cannot 
explain. They are appearing on two Solaris 9.2 machines that are in a 3.0 
cluster, running Server Sensor 7.0 XPU 22.29. 

The first event is Changes_to_important_files and the file name is always 
something like this: /dev/rdsk/dev/rdsk/c2t41d0s2. First, the fact that 
"/dev/rdsk/" is doubled bothers me. Second, why would this device be changing? 
From the event details, I cannot determine what was changed. 

The next event is Failed_change_of_important_files with file names like 
/dev/dsk/c2t42d0. Here the directory is not doubled, but again I cannot figure 
why someone/something was trying to change this device. 

We have not changed anything in the auditing, but is it possible that the 
default settings have been changed and more is being audited?

Any info would be greatly appreciated.

Regards,

James Mohr
Systembetrieb
____________________________________________________
ELAXY Business Solution & Services GmbH & Co. KG.
Am Hofbräuhaus 1
96450 Coburg 
Germany
Fon +49 (0) 95 61.55 43.0
Fax +49 (0) 95 61.55 43.302
E-Mail: james.mohr@elaxy.com
---------------------------------------
"Be more concerned with your character than with your
reputation. Your character is what you really are while
your reputation is merely what others think you are." -- 
John Wooden
---------------------------------------
Be sure to visit the Linux Tutorial:
http://www.linux-tutorial.info
