Hi,
If I need to know how many times the system has been rebooted, shall I use the mount count value (tune2fs -l)?

From below it says a warning message will be displayed when it equals the maximum mount count.
What happens after that, is the mount count value reset back to 0?
Is there any command available to check how many times the system has been rebooted?

"Mount Count and Maximum Mount Count
Together these allow the system to determine if the file system should be fully checked. The mount count is incremented each time the file system is mounted and when it equals the maximum mount count the warning message ``maximal mount count reached, running e2fsck is recommended'' is displayed"

--
Cheers,
Lakshmipathi.G

On Sat, May 30, 2009 at 12:41:38 +0530, lakshmi pathi <lakshmipathi.g at gmail.com> wrote:
> Hi,
> If I need to know how many times the system has been rebooted, Shall

This is a case of where knowing what you are really trying to do would be useful. Is this supposed to be some sort of canary to detect intrusions, used to display a vanity number of reboots somewhere or what?

On Sat, 30 May 2009, lakshmi pathi wrote:
> If I need to know how many times the system has been rebooted, Shall
> I use mount count value (tune2fs -l)?

Well, you *could* use this command, at least for the root filesystem, as this usually only gets mounted during boot, but:

> What happens after that, is mount count value reset back to 0?

Yes, the counter is reset, so a better way to find out how many times a system has been rebooted would be the last(1) command. Use "last reboot" to find out about the system's reboots.

Christian.
--
BOFH excuse #245:

The Borg tried to assimilate your system. Resistance is futile.

Stephen Samuel (gmail)
2009-May-31 23:36 UTC
a question on mount count and maximum mount count
The mount count can give you a good idea of how many times the system has been rebooted. It's probably a better way of figuring that out than looking at the output of 'last reboot'.

Thing is that, in either case, the count can get reset, so you need a way of determining when that has happened.

For the mount count of / , it gets reset whenever you do an fsck (usually at boot time). When that happens, then you know that the system has been rebooted 'at least once' since the last time you looked. (The current mount count would be the probable count of the number of times the system has been rebooted.)

Note that, if someone does, for example, a CDROM boot and mounts the normal root filesystem, there would be no real way to distinguish that from a boot. Similarly, if someone does multiple such mounts and then does an FSCK, you would see that as only one 'boot'.

wtmp (used for 'last') is good as far as it goes, but the file is cycled from time to time, so you need to keep track of the most recent boot time the last time you checked, and only count more recent boots. If someone gains root access, they can mess with the file, but if an attacker gets root access they can change pretty much anything that you're dependent on, anyways.. (i.e. you're hooped at that point if you've got a malicious root process).

On Sat, May 30, 2009 at 12:11 AM, lakshmi pathi <lakshmipathi.g at gmail.com> wrote:
> Hi,
> If I need to know how many times the system has been rebooted, Shall
> I use mount count value (tune2fs -l)?
>
> From below it says, warning message will be displayed when it equals
> the maximum mount count.
> What happens after that, is mount count value reset back to 0?
>

--
Stephen Samuel http://www.bcgreen.com  Software, like love,
778-861-7641                              grows when you give it away
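
Added example, not part of the thread: a sketch of the bookkeeping described in the last message, counting only wtmp boots newer than the last one seen and flagging a drop in the root filesystem's mount count as an fsck reset. The sample command output is constructed, the `state` keys are hypothetical names, and the boot records are assumed to come from `last -F reboot` (full timestamps with the year).

```python
import re
from datetime import datetime

# Constructed sample of `tune2fs -l` output (only the fields used here).
TUNE2FS_SAMPLE = """\
Mount count:              3
Maximum mount count:      30
"""

# Constructed sample of `last -F reboot` output, newest record first.
LAST_SAMPLE = """\
reboot   system boot  2.6.27-generic Sun May 31 08:02:10 2009 - Sun May 31 23:36:00 2009  (15:33)
reboot   system boot  2.6.27-generic Sat May 30 09:12:01 2009 - Sun May 31 08:01:30 2009  (22:49)
reboot   system boot  2.6.27-generic Fri May 29 18:40:55 2009 - Sat May 30 09:11:20 2009  (14:30)

wtmp begins Fri May 29 18:40:55 2009
"""

STAMP = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}")

def mount_count(tune2fs_text):
    """Return the 'Mount count' field from `tune2fs -l` output."""
    return int(re.search(r"^Mount count:\s+(\d+)", tune2fs_text, re.M).group(1))

def boot_times(last_text):
    """Return the boot timestamp of every 'reboot' record, oldest first."""
    rows = [l for l in last_text.splitlines() if l.startswith("reboot")]
    return sorted(datetime.strptime(STAMP.search(l).group(0),
                                    "%a %b %d %H:%M:%S %Y") for l in rows)

def update(state, tune2fs_text, last_text):
    """Fold one observation into the saved state and return the new state."""
    new = dict(state)
    # wtmp: count only boots newer than the newest one already counted,
    # so a rotated (shorter) wtmp neither lowers nor double-counts the total.
    fresh = [t for t in boot_times(last_text) if t > state["last_boot"]]
    new["boots"] += len(fresh)
    if fresh:
        new["last_boot"] = fresh[-1]
    # Mount count: a drop means e2fsck reset it, so the mounts between the
    # previous check and the fsck are unknown ("at least once").
    mc = mount_count(tune2fs_text)
    new["fsck_resets"] += int(mc < state["mount_count"])
    new["mount_count"] = mc
    return new
```

Disagreement between the two sources, for example the mount count rising by more than the number of new wtmp boot records, is the kind of discrepancy worth a closer look, such as the root filesystem having been mounted from other boot media.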