How to turn off promisc_check.sh running every minute?

[joseppi]

Just discovered that something is running "/usr/share/msec/promisc_check.sh)" EVERY minute of every day, filling up several files in /var/log with tens of thousands of entries every day.  Egad what a nuisance.  Where is this being started?  And how can I turn it off?  I can't find it in crontab (or anyplace else).

I do see that a while ago Rudge started a topic about this and later said, "don't turn it off."  As far as I know, no other distro does anything like this.  Surely if it is beneficial for some security reason, there must be some way to invoke it without having thousands upon thousands of nuisance entries cluttering up syslog and several other log files.

joe (at) actionline.com

[Texstar]

Turn off the  msec service  in the PCLinuxOS Control Center

[wyohman]

Having just done this, the script runs every minute and checks to see if your network adapter is in promiscuous mode. It was original to Mandriva so it's not unique to PCLOS.

At the command prompt, as root:

# msecgui

Choose Periodic Checks tab
Scroll down to Check_Promisc
Double-click and change value to No
File -> save configuration
Exit

# /etc/init.d/crond restart

You'll be good to go.

Cheers.

[Rudge]

What are the repercussions of doing this? I can't imagine that this process is running every minuet and filling up the logs for no reason. 

[wyohman]

What are the repercussions of doing this? I can't imagine that this process is running every minuet and filling up the logs for no reason. 

It's not doing it for no reason. If your network adapter has promiscuous mode turned on that generally means you're sniffing your network. You would normally only do this on purpose using some kind of tool for that purpose. If you're not concerned about the possibility of your system being hacked and someone using it against your network, disable it. Otherwise it's a very small entry and the logs get rolled automatically.

Cheers.

[Rudge]

What are the repercussions of doing this? I can't imagine that this process is running every minuet and filling up the logs for no reason. 

It's not doing it for no reason. If your network adapter has promiscuous mode turned on that generally means you're sniffing your network. You would normally only do this on purpose using some kind of tool for that purpose. If you're not concerned about the possibility of your system being hacked and someone using it against your network, disable it. Otherwise it's a very small entry and the logs get rolled automatically.

Cheers.

That's exactly the answer I was expecting. Thanks!

[joseppi]

Thanks for all the responses.

I wonder if this 'msec' has ever actually worked to generate a report to a system admin or owner that their system was actually being hacked?

At the very least, how might this 'msec' be modified so it does not send its EVERY-minute action report to THREE different places (syslog, messages, AND security), but ONLY send it to a security log so it is not cluttering up syslog and messages.

Makes it very difficult to look through syslog and/or messages to find other activity reports that one might be looking for.

I hope someone will please tell me if they know of ANYONE who has ever received a report of anything malicious or unseemly being reported on their Linux system by 'msec.'

Thanks.

[joseppi]

I was able to turn off msec on one computer, but I'm unable to do so on another computer because both in the pcl control center and when starting 'msecgui' from root, the "Periodic checks" tab (and all but the basic tab) are greyed out and not accessible. What can I do to overcome this?