On Wed 05 May 2021 at 07:26:34 (-0400), Greg Wooledge wrote:
> On Tue, May 04, 2021 at 09:32:49PM -0500, David Wright wrote:
> > It looks reasonable for determining whether your system files are
> > being interfered with. But you just showed one example from the
> > log, which was for the /etc/.pwd.lock lockfile. I assume you don't
> > have 2757 of these but, rather, the names of an assortment of files.
>
> That's an interesting interpretation. If that's actually *true*, I
> wish the OP had made that more clear. I interpreted it as literally
> being thousands of instances of the *same* file, the one shown in the
> Subject: header and in the original message body.
>
> (In which case, removing iwatch will certainly stop the logging, but
> it won't stop whoever is locking and unlocking your passwd/shadow
> files thousands of times, which is something I might care enough to
> investigate -- and is a great reason for installing iwatch, to look for
> such a thing.)
>
> (Also I'd never heard of "monkeysphere" before and didn't even know
> that openssh-client suggested it. So it's been an educational thread.)

FYI: I installed iwatch, and that immediately generated two messages
from /etc/.etckeeper. Then I upgraded:

  apt apt-doc apt-utils bind9-host curl dnsutils exim4 exim4-base
  exim4-config exim4-daemon-light firefox-esr firefox-esr-l10n-en-gb
  gstreamer1.0-gl gstreamer1.0-libav gstreamer1.0-plugins-bad
  gstreamer1.0-plugins-base gstreamer1.0-plugins-good
  gstreamer1.0-pulseaudio gstreamer1.0-x libapt-inst2.0 libapt-pkg5.0
  libbind9-161 libcurl3-gnutls libcurl4 libdns-export1104 libdns1104
  libgstreamer-gl1.0-0 libgstreamer-plugins-bad1.0-0
  libgstreamer-plugins-base1.0-0 libirs161 libisc-export1100 libisc1100
  libisccc161 libisccfg163 libjs-underscore libldb1 liblwres161
  libopenjp2-7 openjdk-11-jre openjdk-11-jre-headless wpasupplicant
  xserver-common xserver-xorg-core xserver-xorg-legacy

  44 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

and got 387 more messages. I then added one new user, which generated
97 more, where /etc/.pwd.lock was the subject of four of them. Purging
iwatch then generated a final three.

So the OP's 2757 is no surprise with the default configuration.

Cheers,
David.