On Thu, 31 Mar 2011 15:05:38 -0500, "Nate Woodward"
<[email protected]> wrote:
I finally got around to investigating this a bit more today. Instead of
just removing a few lines from a log, this time I clobbered the whole
thing:
root@muon:log# cp /var/log/secure{,.back}
root@muon:log# : >/var/log/secure; date
Thu Mar 31 14:38:23 CDT 2011
Just a theory...
Maybe this is a race condition. OSSEC is checking the file size (same
inode) to make sure it grows and doesn't shrink. You delete some data
but more data is added before the next check, so the overall result is
that the file is still larger than the last check. But when you clobber
the file, it is smaller, and therefore triggers the alert.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
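The race described above, as an added example that is not OSSEC's own code: a simplified monitor (assumed to mirror OSSEC's same-inode size check) polls a log file, and the two scenarios from the thread are replayed against it. Removing a few lines and appending more before the next poll passes as "ok", while truncating the whole file is caught as "shrunk".

```python
import os
import tempfile


class LogSizeMonitor:
    """Remember (inode, size) between polls and flag a file that shrank.

    Simplified stand-in for OSSEC's check; it only compares sizes when the
    inode is unchanged, which is exactly what the race exploits.
    """

    def __init__(self, path):
        self.path = path
        st = os.stat(path)
        self.inode, self.size = st.st_ino, st.st_size

    def check(self):
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            # New inode: treat as rotation, re-baseline.
            self.inode, self.size = st.st_ino, st.st_size
            return "rotated"
        shrunk = st.st_size < self.size
        self.size = st.st_size
        return "shrunk" if shrunk else "ok"


def simulate():
    """Replay both scenarios on a constructed log; returns (partial, clobber)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secure")  # constructed stand-in for /var/log/secure
        with open(path, "w") as f:
            f.write("line1\nline2\nline3\n")  # 18 bytes baseline
        mon = LogSizeMonitor(path)

        # Scenario 1: drop the first line (6 bytes), then two new lines (12 bytes)
        # arrive before the next poll: 24 > 18, so the deletion is masked.
        with open(path) as f:
            lines = f.readlines()
        with open(path, "w") as f:      # "w" truncates in place, same inode
            f.writelines(lines[1:])
        with open(path, "a") as f:
            f.write("line4\nline5\n")
        partial = mon.check()

        # Scenario 2: clobber the whole file (": >/var/log/secure"): 0 < 24.
        open(path, "w").close()
        clobber = mon.check()
        return partial, clobber
```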