# "Find -sx" over my ZFS mountpoint appeared in processes running under root



## Zare (Aug 27, 2021)

Well I heard my fixed drives spinning up and in heavy I/O by the looks on the LED. Ran top, seen this running. I needed confirmation that this is system scheduled or else I was facing some security issues? 

Looked in myself and it is indeed inside a periodic check for setuid binaries and negative permissions which runs find over mountpoints. Posting this because I wasn't able to google it quickly.


----------



## gpw928 (Aug 27, 2021)

You need to look at the manual for periodic(8), the default settings in /etc/defaults/periodic.conf, and the local over-rides in /etc/periodic.conf.

You may also care to investigate the contents of the directory /etc/periodic, where the scripts run from cron(8) reside.

Here is a copy from my ZFS server, which has 10TB in the tank:
	
	



```
[sherman.148] # cat /etc/periodic.conf
# PMC.  Sun May  3 12:23:33 AEST 2020.

# Look in /usr/local/etc/periodic for these (I always forget!).
daily_status_smart_devices="AUTO"

# Look in /etc/periodic for these
daily_status_gmirror_enable="YES"                       # Check gmirror(8)
daily_scrub_zfs_enable="YES"
# This runs a find over the tank
security_status_chksetuid_enable="NO"
# This runs a find over the tank
security_status_neggrpperm_enable="NO"
```


----------



## SirDice (Aug 30, 2021)

periodic(8) typically runs at around 3 a.m. and does a lot of checks. You should read root's mail every once in a while, you'll see daily, weekly and monthly status reports.


----------



## mer (Aug 30, 2021)

Another one nipped by periodic at 3am (3:05am I think).  If you have systems with just SSDs you just see the drive lights on.  Spinning devices, may make a bit of noise "What the heck is that?"

One can also send the period output to log files instead of mailing to root.  I tend to do this on my desktops simply because I always forget to look at root email.  Easier to `ls -ltr /var/log` and then `cat daily.log`.

```
daily_output="/var/log/daily.log"
daily_status_security_output="/var/log/dailysecurity.log"
weekly_output="/var/log/weekly.log"
weekly_status_security_output="/var/log/weeklysecurity.log"
monthly_output="/var/log/monthly.log"
monthly_status_security_output="/var/log/monthlysecurity.log"
```


----------

