On Tue, Jan 24, 2017 at 9:47 AM, Greg Wooledge <wool...@eeg.ccf.org> wrote:
> On Mon, Jan 23, 2017 at 08:28:08PM -0400, francis picabia wrote:
> > Here is the exercise anyone reading can try:
> >
> > Prove to yourself exactly when you rebooted your Debian system(s)
>
> arc3:~$ uptime
>  08:44:40 up 8 days, 31 min, 1 user, load average: 0.02, 0.02, 0.00
>
> Everything's easy on a live, running system.
>
> > to ensure you were safe against dirty cow.
>
> Oh, *that*? In that case, you don't give a flying leap how long ago you
> rebooted. What you care about is the *exact running kernel version*.
>
> arc3:~$ uname -v
> #1 SMP Debian 3.16.39-1 (2016-12-30)
>
> Then you compare 3.16.39-1 against the changelog.Debian.gz to see if it's
> got the bug fixes you want.
>
> http://mywiki.wooledge.org/XyProblem
>

I had unattended upgrades on, but didn't have reboot set to automatically trigger. I found evidence a user tried the Dirty COW exploit a couple of days after the kernel was upgraded, but I needed to know exactly when the system had been rebooted, in October 2016, to see whether the exploit had possibly worked. With the old dmesg files, I would likely have that on hand as they don't rotate away too quickly. The solution was to restore /var/log from backup tapes and I see when the reboot happened in kern.log. I'll consider increasing the number of kern.log to keep in logrotate so I might not need to wait for backup tapes in the future.
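An added example, not part of the original message: a sketch of answering "which kernel was running when the attempt happened?" from retained or restored kern.log files, by treating each "Linux version" banner at uptime 0 as one boot. The log lines, host name, timestamps and build strings are constructed placeholders, and the traditional syslog timestamp format (no year) with printk timestamps enabled is assumed.

```python
import re
from datetime import datetime

# Constructed kern.log excerpt (not from the original post); host name,
# timestamps and package versions are placeholders.
SAMPLE_KERN_LOG = """\
Oct 10 03:12:44 host kernel: [    0.000000] Linux version 0.0.0-amd64 (builder@example) #1 SMP Debian 0.0.0-1 (2016-01-01)
Oct 10 03:12:44 host kernel: [    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro
Oct 22 14:03:51 host kernel: [1075867.101010] device eth0 entered promiscuous mode
Oct 27 09:30:02 host kernel: [    0.000000] Linux version 0.0.0-amd64 (builder@example) #1 SMP Debian 0.0.0-2 (2016-01-02)
""".splitlines()

# The kernel logs its "Linux version" banner once per boot, at uptime 0.
# The captured build string is the same text `uname -v` prints.
BOOT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[\s*0\.0+\] "
    r"Linux version .*?(?P<build>#\d+ .+)$"
)


def boot_timeline(lines, year):
    """Return [(boot_time, build)] sorted by time, one entry per boot."""
    boots = []
    for line in lines:
        m = BOOT_RE.match(line)
        if m:
            # Traditional syslog timestamps carry no year; the caller supplies it.
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            boots.append((when, m["build"]))
    return sorted(boots)


def kernel_running_at(timeline, event_time):
    """Build of the last boot at or before event_time.

    None means the retained logs hold no boot before the event, so the
    question cannot be answered without older logs.
    """
    running = None
    for when, build in timeline:
        if when <= event_time:
            running = build
    return running


if __name__ == "__main__":
    timeline = boot_timeline(SAMPLE_KERN_LOG, 2016)
    for when, build in timeline:
        print(when.isoformat(), build)
    print(kernel_running_at(timeline, datetime(2016, 10, 22, 14, 3, 51)))
```

The returned build string is what gets compared against changelog.Debian.gz, as suggested in the quoted reply.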