Nothing in the history stands out but I’ll keep an eye on it anyway.

Oh and the commands above I posted worked fine…

Thanks again…

None of these files really should have been changed. The attributes of /var/log/btmp should be:


# lsattr /var/log/btmp
------------- /var/log/btmp


This also includes all other files in the /var/log directory. To answer your first question, there is not a way for me to figure this out; you could have been hacked, or it could have been an error in a custom script, including a bug. It could have been a legit user that typed in the wrong command, too. Things you should try first would be to check the history:

# history | less

This should show you a list of your whole history of the currently logged on user. You can go through that to see if there is anything that stands out.

To answer question number two, you could enter that command to change that if you would like. Basically none of the files should have any attributes whatsoever, and they should be 600 permissions on files and 755 permissions for directories.

Let me know if you have any questions,
Drew

lsattr btmp
-----a------- btmp

Now on another Linux box there are no attributes set for this file. This response indicates to me that the attributes for the file only allow append right?

running lsattr /var/log shows that all the following logs have the a attribute:

lastlog
maillog
xferlog
boot
messages
cron
secure
wtmp
tty5
faillog

So I ran:

chattr -a btmp

This cleared the attribute and then allowed me to truncate the file. So my question(s) would be:

1) Any idea what would have caused the attributes to change as I don’t recall doing it?
2) can I run chattr -a /var/log to reset the attributes on all the files in the logs directory safely?

Thanks in advance, you have been a massive help :)

No problem. Were you able to resolve the issue? Also, have you made sure that you weren’t hacked by any chance? Do you have a VM (Virtual Machine) that you can test on to make sure it works on another system that is as close to your production box as possible? Let me know, I can further help you if you need me to.

Regards,
Drew

I have to head home from work – I work graveyard shift. However, based on your findings, it appears that this is more than my command not working. If the case is that you run cat /dev/null > /var/log/messages, and you get the same error, that is a permissions error with either the user or the files. Check your user and file permissions.

Regards,
Drew

cat /dev/null > /var/log/maillog
-bash: /var/log/maillog: Operation not permitted
cat /dev/null > /var/log/messages
-bash: /var/log/messages: Operation not permitted
cat /dev/null > /var/log/secure
-bash: /var/log/secure: Operation not permitted

Perms are:
-rw——- 1 root root 68408979 Jan 5 12:52 maillog

-rw——- 1 root root 55888419 Jan 5 12:52 messages

-rw——- 1 root root 2208980 Jan 5 12:52 secure

Try running it on a file other than /var/log/btmp. That’s a special file. See if you can either create a new file and run it, or if there is a log file that you don’t need right now, run it on that. Let me know if you get the error on just the /var/log/btmp file or if it is on multiple files.

Regards,
Drew

What’s changed? Did you upgrade anything? Have you made any changes to the permissions of your files or to the user running the command?

Regards,
Drew