"Find -sx" over my ZFS mountpoint appeared in processes running under root

Well, I heard my fixed drives spinning up and in heavy I/O by the looks of the LED. Ran top, saw this running. I needed confirmation that this is system scheduled or else I was facing some security issues?

Looked in myself and it is indeed inside a periodic check for setuid binaries and negative permissions which runs find over mountpoints. Posting this because I wasn't able to google it quickly.
 
You need to look at the manual for periodic(8), the default settings in /etc/defaults/periodic.conf, and the local over-rides in /etc/periodic.conf.

You may also care to investigate the contents of the directory /etc/periodic, where the scripts run from cron(8) reside.

Here is a copy from my ZFS server, which has 10TB in the tank:
Code:
[sherman.148] # cat /etc/periodic.conf
# PMC.  Sun May  3 12:23:33 AEST 2020.

# Look in /usr/local/etc/periodic for these (I always forget!).
daily_status_smart_devices="AUTO"

# Look in /etc/periodic for these
daily_status_gmirror_enable="YES"                       # Check gmirror(8)
daily_scrub_zfs_enable="YES"
# This runs a find over the tank
security_status_chksetuid_enable="NO"
# This runs a find over the tank
security_status_neggrpperm_enable="NO"
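
Added example, not part of the post above or of FreeBSD's own scripts: a small sh helper that sources the defaults file and then the override file in order, and reports the effective value of the two find-based security checks named in this thread along with the file that last changed each one. The function names `knob_report` and `find_checks_report` are hypothetical, and the two sample files are constructed stand-ins for /etc/defaults/periodic.conf and /etc/periodic.conf.

```shell
#!/bin/sh
# Added example: show the effective value of a periodic(8) knob and which
# conf file last changed it. Helper names are hypothetical.

# knob_report KNOB FILE...
# Sources each readable FILE in order (later files override earlier ones)
# inside a subshell, then prints "<value> <file that last changed it>".
knob_report() {
    _knob=$1; shift
    (
        _val=""; _src="(none)"
        for _f in "$@"; do
            [ -r "$_f" ] || continue      # a missing override file is normal
            . "$_f"                       # conf files are plain sh assignments
            eval "_new=\${$_knob-}"
            if [ "$_new" != "$_val" ]; then _val=$_new; _src=$_f; fi
        done
        printf '%s %s\n' "${_val:-unset}" "$_src"
    )
}

# find_checks_report FILE...
# Reports the two checks this thread identifies as running find over mounts.
find_checks_report() {
    for _k in security_status_chksetuid_enable security_status_neggrpperm_enable; do
        printf '%s: %s\n' "$_k" "$(knob_report "$_k" "$@")"
    done
}

# Constructed sample files (stand-ins for the real defaults and override).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/defaults.conf" <<'EOF'
security_status_chksetuid_enable="YES"
security_status_neggrpperm_enable="YES"
EOF
cat > "$SAMPLE/local.conf" <<'EOF'
# This runs a find over the tank
security_status_chksetuid_enable="NO"
EOF

find_checks_report "$SAMPLE/defaults.conf" "$SAMPLE/local.conf"
# On a FreeBSD host (paths from this thread):
#   find_checks_report /etc/defaults/periodic.conf /etc/periodic.conf
```

A "NO" attributed to the override file means the setuid or negative-permission report has been switched off locally, so nothing will flag new setuid binaries on those filesystems in the daily security mail.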
 
periodic(8) typically runs at around 3 a.m. and does a lot of checks. You should read root's mail every once in a while, you'll see daily, weekly and monthly status reports.
 
Another one nipped by periodic at 3am (3:05am I think). If you have systems with just SSDs you just see the drive lights on. Spinning devices may make a bit of noise: "What the heck is that?"

One can also send the periodic output to log files instead of mailing to root. I tend to do this on my desktops simply because I always forget to look at root email. Easier to ls -ltr /var/log and then cat daily.log.
Code:
daily_output="/var/log/daily.log"
daily_status_security_output="/var/log/dailysecurity.log"
weekly_output="/var/log/weekly.log"
weekly_status_security_output="/var/log/weeklysecurity.log"
monthly_output="/var/log/monthly.log"
monthly_status_security_output="/var/log/monthlysecurity.log"
 