Date: Mon, 28 Aug 2006 11:11:37 -0400
From: "David Robillard" <david.robillard@gmail.com>
To: "dick hoogendijk" <dick@nagual.nl>
Cc: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Re: Fw: lothlorien.nagual.nl security run output
Message-ID: <226ae0c60608280811t75213772j2d84cfc8a30c148f@mail.gmail.com>

> I'm a little worried after reading the security output this morning.
> It seems some files [ping, ping6, shutdown, at, atq and atrm] have
> setuid diffs. I really don't know why this could have happened.
> I updated some ports yesterday, but I don't think any port writes
> in /sbin (?)
>
> Could somebody advise me on what can have happened?

What ports have you updated? You can check if any of them has
installed new files in /sbin by running `pkg_info -L your_updated_port-version`.
See the -L option of pkg_info(1) in the man page
http://www.freebsd.org/cgi/man.cgi?query=pkg_info&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

You can also consider installing a Host Based Integrity Monitoring
software. I use Osiris which is quite simple to set up and administer.
It's already in the ports as security/osiris which you can get there:
http://www.freebsd.org/cgi/url.cgi?ports/security/osiris/pkg-descr.

Of course, don't install osiris on a machine which you're not sure if
it has been tampered with, it would defeat the purpose...

You can also take a look at other integrity checking software such as
Samhain, Tripwire or aide.

Regards,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
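
Added example (not part of the original message, and not code from Osiris or the FreeBSD security run): a small sh sketch of the baseline-and-compare idea behind the integrity checkers mentioned above, classifying each setuid/setgid change by what actually changed. The function names, the snapshot format and the sample data (including /usr/local/bin/helper) are constructed for illustration.

```sh
#!/bin/sh
# Assumes paths without whitespace (true for /sbin, /usr/bin and similar).

# snapshot DIR...: print "path mode uid gid cksum" per setuid/setgid file.
snapshot() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort | while read -r f; do
        set -- $(ls -ln "$f")                 # $1=mode $3=uid $4=gid
        echo "$f $1 $3 $4 $(cksum < "$f" | cut -d' ' -f1)"
    done
}

# compare OLD NEW: classify every difference between two snapshots.
compare() {
    awk '
        FILENAME == ARGV[1] { mode[$1] = $2; own[$1] = $3 ":" $4; sum[$1] = $5; next }
        !($1 in mode)       { print "ADDED", $1, $2; next }
        {
            if (mode[$1] != $2)       print "MODE", $1, mode[$1], "->", $2
            if (own[$1] != $3 ":" $4) print "OWNER", $1, own[$1], "->", $3 ":" $4
            if (sum[$1] != $5)        print "CONTENT", $1
            delete mode[$1]
        }
        END { for (p in mode) print "REMOVED", p }
    ' "$1" "$2"
}

# Constructed sample snapshots; real ones come from e.g. `snapshot /sbin /usr/bin`.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/old" <<'EOF'
/sbin/ping -r-sr-xr-x 0 0 1111111111
/sbin/shutdown -r-sr-xr-- 0 5 2222222222
/usr/bin/at -r-sr-xr-x 0 0 3333333333
EOF
    cat > "$d/new" <<'EOF'
/sbin/ping -r-sr-xr-x 0 0 4444444444
/sbin/shutdown -r-sr-xrwx 0 5 2222222222
/usr/local/bin/helper -rwsr-xr-x 0 0 5555555555
EOF
    compare "$d/old" "$d/new"
    rm -rf "$d"
}
demo
```

A CONTENT line with unchanged mode and owner is what a rebuilt or reinstalled binary produces, though it does not by itself show the new binary is legitimate. The baseline is only trustworthy if it was taken on a known-good system and is stored where the monitored host cannot rewrite it.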