From owner-freebsd-security Fri Mar 31 13:38:40 1995 Return-Path: security-owner Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id NAA06421 for security-outgoing; Fri, 31 Mar 1995 13:38:40 -0800 Received: from mpp.com (dialup-1-12.gw.umn.edu [134.84.101.12]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id NAA06405 for ; Fri, 31 Mar 1995 13:38:28 -0800 Received: (from mpp@localhost) by mpp.com (8.6.11/8.6.9) id PAA00270; Fri, 31 Mar 1995 15:34:25 -0600 From: Mike Pritchard Message-Id: <199503312134.PAA00270@mpp.com> Subject: Re: New /etc/security script for FreeBSD To: taob@gate.sinica.edu.tw (Brian Tao) Date: Fri, 31 Mar 1995 15:34:25 -0600 (CST) Cc: freebsd-security@FreeBSD.org In-Reply-To: from "Brian Tao" at Apr 1, 95 03:44:11 am X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 2408 Sender: security-owner@FreeBSD.org Precedence: bulk > I've attached the script to this message and seek comments on it. > Two functional changes have been made to the script. The first is > changing line 33 to reflect FreeBSD's 8-char username limit. The > second is the addition of a checksum module starting at line 557. It > uses md5(1) to calculate checksums for all files in a specified set of > directories chosen to contain system binaries. It's purpose is to aid > in the detection of trojan horses. One change I made to my /etc/daily & /etc/security was to only send me mail if the security script detected something. The reason being, I didn't want to get sick of seeing the message every day and automatically delete it without really reading it and then miss something. I plan to do something like this with my daily/monthly scripts sometime, too. My feeling is that any automatic scripts like this should only produce mail where there really is something wrong, otherwise people just tend to glance at them and might miss something important (this is especially true if they receive mail from multiple machines). If we import this new security script, I would vote for doing things they way I described (otherwise it is just more work for me to port them to my way :-). I'm sure that there are people who like to see lots of mail in their mailbox, so maybe there should be some type of option in sysconfig that allows you to specify whether or not the automatic scripts should always produce output, or only produce output on "significant events"? My changes were done like so: #/etc/daily: [...lots of stuff removed...] sh /etc/security > /tmp/_daily.$$ 2>&1 if [ $? -ne 0 ] # change the above line to: # if [ $? -ne 0 -o "$SCRIPT_OUTPUT" = "TRUE" ] # if sysconfig is changed, and some option is added to control this then mail -s "daily insecurity output" root < /tmp/_daily.$$ fi rm -f /tmp/_daily.$$ Then changing security like this: #/etc/security: EXITSTAT=0 [...lots of stuff removed...] echo "checking for uids of 0:" awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd > $TMP if cmp $LOG/uids.today $TMP >/dev/null; then :; else echo "$host uid 0 diffs:" diff $LOG/uids.today $TMP mv $LOG/uids.today $LOG/uids.yesterday mv $TMP $LOG/uids.today EXITSTAT=1 fi rm -f $TMP exit $EXITSTAT -- Mike Pritchard pritc003@maroon.tc.umn.edu "Go that way. Really fast. If something gets in your way, turn"