From owner-freebsd-security  Wed Apr 11  9:34:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from aji.wilshire.net (worm.wilshire.net [64.161.77.242])
	by hub.freebsd.org (Postfix) with ESMTP id 498AD37B422
	for <freebsd-security@freebsd.org>; Wed, 11 Apr 2001 09:34:32 -0700 (PDT)
	(envelope-from rjm@Wilshire.Net)
Received: from emilyd (emilyd.wilshire.net [10.100.123.20])
	by aji.wilshire.net (8.11.1/8.11.1) with SMTP id f3BGRmW87067
	for <freebsd-security@freebsd.org>; Wed, 11 Apr 2001 09:27:48 -0700 (PDT)
From: "Riley J. McIntire" <rjm@Wilshire.Net>
To: "FreeBSD Security" <freebsd-security@freebsd.org>
Subject: How to interpret Security Check
Date: Wed, 11 Apr 2001 09:34:30 -0700
Message-ID: <NCBBLBILEPCHLFJAPIIPCEKOFNAA.rjm@Wilshire.Net>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings:

This machine, a small mail server doing nat and (caching only) bind
(8.2.3-REL) cored dumped signal 11 twice--I thought it was a nic at
first, and removed it.  It happened again and I'm guessing it's memory
or a motherboard issue now(?).

The second time it dumped, it was powered off, then on, went into single
user.  The onsite operator did a fsck, and brought it back to multiuser.
She reported lots of file errors.  Which I'm assuming caused the
following in the security check  output.  But sometimes I assume too
much!  I'd like to make sure I'm not missing a security issue.

Comments are welcome.

Thanks,

Riley

To: undisclosed-recipients:
Subject: mail.somebiz.com security check output


checking setuid files and devices:
USER=root
host=mail.somebiz.com
c=?
HOME=/root
rc=0
PS1=#
OPTIND=1
PS2=>
LOGNAME=root
PATH=/sbin:/bin:/usr/bin
ignore=
MP=
sflag=FALSE
TMP=/var/run/_secure.7644
SHELL=/bin/sh
IFS=

LC_ALL=C
yesterday=Apr 10
LOG=/var/log
cmp: EOF on /var/run/_secure.7644


mail.somebiz.com setuid diffs:
1,71d0
< 14989 -r-xr-sr-x  1 root  operator   57076 Nov 20 03:59:17 2000
/bin/df
< 15002 -r-sr-xr-x  1 root  wheel     319548 Nov 20 04:06:07 2000
/bin/rcp
< 15051 -r-xr-sr-x  1 root  kmem       62944 Nov 20 04:00:57 2000
/sbin/ccdconfig
< 15057 -r-xr-sr-x  1 root  kmem       69604 Nov 20 04:00:58 2000
/sbin/dmesg
< 15121 -r-xr-sr-x  2 root  tty       331452 Nov 20 04:06:51 2000
/sbin/dump
< 15096 -r-sr-xr-x  1 root  wheel     195812 Nov 20 04:01:09 2000
/sbin/ping
< 15097 -r-sr-xr-x  1 root  bin       191012 Nov 20 04:01:09 2000
/sbin/ping6
< 15121 -r-xr-sr-x  2 root  tty       331452 Nov 20 04:06:51 2000
/sbin/rdump
< 15119 -r-xr-sr-x  2 root  tty       358284 Nov 20 04:06:55 2000
/sbin/restore
< 15101 -r-sr-xr-x  1 root  wheel     191924 Nov 20 04:01:10 2000
/sbin/route
< 15119 -r-xr-sr-x  2 root  tty       358284 Nov 20 04:06:55 2000
/sbin/rrestore
< 15106 -r-sr-x---  1 root  operator  164668 Nov 20 04:01:11 2000
/sbin/shutdown
<  8035 -r-sr-xr-x  4 root  wheel      19540 Nov 20 04:01:51 2000
/usr/bin/at
<  8035 -r-sr-xr-x  4 root  wheel      19540 Nov 20 04:01:51 2000
/usr/bin/atq
< 8035 -r-sr-xr-x  4 root  wheel  19540 Nov 20 04:01:51 2000
/usr/bin/atrm
< 8035 -r-sr-xr-x  4 root  wheel  19540 Nov 20 04:01:51 2000
/usr/bin/batch
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 04:01:52 2000
/usr/bin/chfn
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 04:01:52 2000
/usr/bin/chpass
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 04:01:52 2000
/usr/bin/chsh
<   8241 -r-sr-xr-x  1 root  wheel    24508 Nov 20 04:02:26 2000
/usr/bin/crontab
<  7937 -r-sr-sr-x  1 uucp  dialer    123824 Nov 20 03:59:39 2000
/usr/bin/cu
< 8075 -r-xr-sr-x  1 root  kmem   13108 Nov 20 04:01:56 2000
/usr/bin/fstat
< 8090 -r-xr-sr-x  1 root  kmem    9832 Nov 20 04:01:57 2000
/usr/bin/ipcs
< 8096 -r-sr-xr-x  1 root  wheel    510 Nov 20 04:01:58 2000
/usr/bin/keyinfo
< 8097 -r-sr-xr-x  1 root  wheel   7444 Nov 20 04:01:58 2000
/usr/bin/keyinit
< 8114 -r-sr-xr-x  1 root  wheel   7004 Nov 20 04:02:00 2000
/usr/bin/lock
< 8117 -r-sr-xr-x  1 root  wheel  19764 Nov 20 04:06:42 2000
/usr/bin/login
<   8246 -r-sr-sr-x  1 root  daemon   20008 Nov 20 04:02:48 2000
/usr/bin/lpq
<   8247 -r-sr-sr-x  1 root  daemon   23368 Nov 20 04:02:48 2000
/usr/bin/lpr
<   8248 -r-sr-sr-x  1 root  daemon   19372 Nov 20 04:02:48 2000
/usr/bin/lprm
<  7989 -r-sr-xr-x  1 man   wheel      28512 Nov 20 04:00:02 2000
/usr/bin/man
< 8136 -r-xr-sr-x  1 root  kmem   85104 Nov 20 04:02:07 2000
/usr/bin/netstat
< 8138 -r-xr-sr-x  1 root  kmem    9904 Nov 20 04:02:07 2000
/usr/bin/nfsstat
< 8269 -r-sr-xr-x  2 root  wheel  30540 Nov 20 04:06:44 2000
/usr/bin/passwd
< 8151 -r-sr-xr-x  1 root  wheel  10440 Nov 20 04:02:08 2000
/usr/bin/quota
< 8146 -r-sr-xr-x  1 root  wheel  17244 Nov 20 04:06:45 2000
/usr/bin/rlogin
<   8155 -r-sr-xr-x  1 root  wheel    14460 Nov 20 04:06:48 2000
/usr/bin/rsh
<   8268 -r-sr-xr-x  2 root  wheel   170136 Nov 20 04:11:20 2000
/usr/bin/slogin
<   8268 -r-sr-xr-x  2 root  wheel   170136 Nov 20 04:11:20 2000
/usr/bin/ssh
<   8159 -r-sr-xr-x  1 root  wheel    11560 Nov 20 04:06:49 2000
/usr/bin/su
<   8174 -r-xr-sr-x  1 root  kmem     56112 Nov 20 04:02:11 2000
/usr/bin/systat
<   8182 -r-xr-sr-x  1 root  kmem     32312 Nov 20 04:02:12 2000
/usr/bin/top
<  7938 -r-sr-xr-x  1 uucp  wheel      88228 Nov 20 03:59:40 2000
/usr/bin/uucp
<  7940 -r-sr-xr-x  1 uucp  wheel      37312 Nov 20 03:59:40 2000
/usr/bin/uuname
<  7943 -r-sr-sr-x  1 uucp  dialer     96752 Nov 20 03:59:41 2000
/usr/bin/uustat
<  7945 -r-sr-xr-x  1 uucp  wheel      88844 Nov 20 03:59:41 2000
/usr/bin/uux
<   8207 -r-xr-sr-x  1 root  kmem     15920 Nov 20 04:02:15 2000
/usr/bin/vmstat
<   8209 -r-xr-sr-x  1 root  tty       9072 Nov 20 04:02:16 2000
/usr/bin/wall
<   8217 -r-xr-sr-x  1 root  tty       7500 Nov 20 04:02:17 2000
/usr/bin/write
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 04:01:52 2000
/usr/bin/ypchfn
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 04:01:52 2000
/usr/bin/ypchpass
< 8047 -r-sr-xr-x  6 root  wheel  32184 Nov 20 04:01:52 2000
/usr/bin/ypchsh
< 8269 -r-sr-xr-x  2 root  wheel  30540 Nov 20 04:06:44 2000
/usr/bin/yppasswd
< 405663 -r-sr-xr-x  1 root  wheel   396564 Nov 20 04:02:50 2000
/usr/libexec/sendmail/sendmail
< 420614 -r-sr-sr-x  1 uucp  dialer  220672 Nov 20 03:59:40 2000
/usr/libexec/uucp/uucico
< 420615 -r-sr-s---  1 uucp  uucp     99552 Nov 20 03:59:41 2000
/usr/libexec/uucp/uuxqt
< 373981 -rwsr-xr-x  1 root  wheel    10172 Feb  5 14:57:28 2001
/usr/local/libexec/pinger
< 428598 -r-xr-sr-x  1 root  kmem      4664 Nov 20 04:02:28 2000
/usr/sbin/ifmcstat
< 428600 -r-xr-sr-x  1 root  kmem      9608 Nov 20 04:02:28 2000
/usr/sbin/iostat
< 428712 -r-xr-sr-x  1 root  daemon    27028 Nov 20 04:02:48 2000
/usr/sbin/lpc
< 428618 -r-sr-xr-x  1 root  wheel    16348 Nov 20 04:02:30 2000
/usr/sbin/mrinfo
< 428620 -r-sr-xr-x  1 root  wheel     29896 Nov 20 04:02:33 2000
/usr/sbin/mtrace
< 428755 -r-sr-xr--  1 root  network  283624 Nov 20 04:02:39 2000
/usr/sbin/ppp
< 428756 -r-sr-xr-x  1 root  wheel     95580 Nov 20 04:02:39 2000
/usr/sbin/pppd
< 428654 -r-xr-sr-x  2 root  kmem      14584 Nov 20 04:02:39 2000
/usr/sbin/pstat
< 428676 -r-sr-x---  1 root  network   10984 Nov 20 04:02:42 2000
/usr/sbin/sliplogin
< 428654 -r-xr-sr-x  2 root  kmem      14584 Nov 20 04:02:39 2000
/usr/sbin/swapinfo
< 428684 -r-sr-xr-x  1 root  wheel     15112 Nov 20 04:02:43 2000
/usr/sbin/timedc
< 428685 -r-sr-xr-x  1 root  wheel     13168 Nov 20 04:02:44 2000
/usr/sbin/traceroute
< 428686 -r-sr-xr-x  1 root  bin       14952 Nov 20 04:02:44 2000
/usr/sbin/traceroute6
< 428687 -r-xr-sr-x  1 root  kmem       8040 Nov 20 04:02:44 2000
/usr/sbin/trpt
Segmentation fault - core dumped


mail.somebiz.com changes in mounted filesystems:
1,4d0
< /dev/ad0s1a	/	ufs rw	1 1
< /dev/ad0s1e	/usr	ufs rw	2 2
< /dev/ad0s1f	/var	ufs rw	2 2
< procfs	/proc	procfs rw	0 0


checking for uids of 0:
root 0
toor 0


checking for passwordless accounts:


mail.somebiz.com denied packets:


mail.somebiz.com kernel log messages:
> pid 7665 (mount), uid 0: exited on signal 11 (core dumped)


mail.somebiz.com login failures:


mail.somebiz.com refused connections:


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message