a question on mount count and maximum mount count

Stephen Samuel (gmail) darkonc at gmail.com
Sun May 31 23:36:44 UTC 2009


The mount count can give you a good idea of how many times the system has
been rebooted.
It's probably a better way of figuring that out than looking at the output
of 'last reboot'.

Thing is that, in either case, the count can get reset, so you need a way of
determining
when that has happened.

For the mount count of / , it gets reset whenever you do an fsck (usually at
boot time)
When that happens, then you know that the system has been rebooted 'at least
once'
since the last time you looked.  (the current mount count would be the
probable count
of the number of times the system has been rebooted).
Note that, if someone does, for example, a CDROM boot and mounts the normal
root
filesystem, there would be no real way to distinguish that from a boot.
Similarly, if someone
does multiple such mounts and then does an FSCK, you would see that as only
one
'boot'.

wtmp (used for 'last') is good as far as it goes, but the file is cycled
from time to time,
so you need to keep track of the most recent boot time the last  time you
checked, and
only count  more recent boots.   If someone gains root access, they can mess
with the file,
but if an attacker gets root access they can change pretty much anything
that you're dependant
on, anyways.. (i.e. you're hooped at that point if you've got a malicious
root process).- Show quoted text -


On Sat, May 30, 2009 at 12:11 AM, lakshmi pathi <lakshmipathi.g at gmail.com>wrote:

> Hi,
> If I need to know ,how many times the system has been rebooted , Shall
> I use mount count value (tune2fs -l )?
>
> >From below it says, warning message will be displayed  when it equals
> the maximum mount count .
> What happens after that ,is mount count value reset back to 0 ?
>


-- 
Stephen Samuel http://www.bcgreen.com  Software, like love,
778-861-7641                              grows when you give it away
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/ext3-users/attachments/20090531/2b416177/attachment.htm>


More information about the Ext3-users mailing list