From owner-freebsd-security@FreeBSD.ORG Thu Mar 4 19:53:15 2010
From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@freebsd.org
Date: Thu, 04 Mar 2010 14:53:24 -0500
Subject: tripwire and device numbers
Message-Id: <201003041953.o24JrDhi038522@lava.sentex.ca>

While getting a box ready for deployment, I noticed on two occasions, I
would get some exception reports flagging all files, as the underlying
device number through reboots had changed. Is this "normal" for Tripwire
and FreeBSD? (RELENG_7)

The file system is on

da0 at twa0 bus 0 target 0 lun 0
da0: Fixed Direct Access SCSI-5 device
da0: 100.000MB/s transfers
da0: 238408MB (488259584 512 byte sectors: 255H 63S/T 30392C)
SMP: AP CPU #1 Launched!

eg.

Rule Name: Local files (/usr/local/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 10
----------------------------------------

Modified object name:  /usr/local/sbin

  Property:            Expected                    Observed
  -------------        -----------                 -----------
  Object Type          Directory                   Directory
* Device Number        92                          98
  Inode Number         2637949                     2637949
  Mode                 drwxr-xr-x                  drwxr-xr-x
  Num Links            2                           2
  UID                  root (0)                    root (0)
  GID                  wheel (0)                   wheel (0)
  Size                 512                         512
  Modify Time          Wed Mar 3 15:24:02 2010     Wed Mar 3 15:24:02 2010
  Blocks               4                           4

---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Thu Mar 4 20:51:40 2010
From: Dag-Erling Smørgrav <des@des.no>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-security@freebsd.org
Date: Thu, 04 Mar 2010 21:51:38 +0100
Subject: Re: tripwire and device numbers
Message-ID: <86ocj3hkth.fsf@ds4.des.no>
In-Reply-To: <201003041953.o24JrDhi038522@lava.sentex.ca>

Mike Tancsa <mike@sentex.net> writes:
> While getting a box ready for deployment, I noticed on two occasions,
> I would get some exception reports flagging all files as the
> underlying device number through reboots had changed. Is this
> "normal" for Tripwire and FreeBSD ?

FreeBSD does not have fixed device numbers, they are allocated on the
fly as each device attaches.  I don't know if there is a way around
this.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Thu Mar 4 20:55:42 2010
From: "Poul-Henning Kamp" <phk@critter.freebsd.dk>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-security@freebsd.org
Date: Thu, 04 Mar 2010 20:55:39 +0000
Subject: Re: tripwire and device numbers
Message-ID: <3402.1267736139@critter.freebsd.dk>
In-Reply-To: <201003041953.o24JrDhi038522@lava.sentex.ca>

In message <201003041953.o24JrDhi038522@lava.sentex.ca>, Mike Tancsa writes:
>While getting a box ready for deployment, I noticed on two occasions,
>I would get some exception reports flagging all files as the
>underlying device number through reboots had changed. Is this
>"normal" for Tripwire and FreeBSD ? (RELENG_7)

Yes, device numbers in freebsd carry no meaning, unless it is a compat
/dev directory to boot ancient systems (SunOS, very old FreeBSD etc)
diskless.

In general, tripwire should ignore devfs and possibly all pseudo-fs
mount-points.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@FreeBSD.ORG Thu Mar 4 21:20:35 2010
From: Mike Tancsa <mike@sentex.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@FreeBSD.org
Date: Thu, 04 Mar 2010 16:20:42 -0500
Subject: Re: tripwire and device numbers
Message-Id: <201003042120.o24LKVZF038956@lava.sentex.ca>
In-Reply-To: <86ocj3hkth.fsf@ds4.des.no>

At 03:51 PM 3/4/2010, Dag-Erling Smørgrav wrote:
>Mike Tancsa writes:
> > While getting a box ready for deployment, I noticed on two occasions,
> > I would get some exception reports flagging all files as the
> > underlying device number through reboots had changed. Is this
> > "normal" for Tripwire and FreeBSD ?
>
>FreeBSD does not have fixed device numbers, they are allocated on the
>fly as each device attaches.  I don't know if there is a way around
>this.

OK, I think there is a way around it in the config file. I am thinking
the FreeBSD default config could be changed to

@@section FS
-SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
-SEC_BIN = $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
-SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
-SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
+SEC_CRIT = $(IgnoreNone)-SHad ; # Critical files that cannot change
+SEC_SUID = $(IgnoreNone)-SHad ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(ReadOnly)-d ; # Binaries that should not change
+SEC_CONFIG = $(Dynamic)-d ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(Dynamic)-ugpd ; # Tty files that change ownership at login
+SEC_LOG = $(Growing)-d ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = +tpug-d ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability

Where

##############################################################################
#                            Predefined Variables                            #
##############################################################################
#
#  Property Masks
#
#  -  ignore the following properties
#  +  check the following properties
#
#  a  access timestamp (mutually exclusive with +CMSH)
#  b  number of blocks allocated
#  c  inode creation/modification timestamp
#  d  ID of device on which inode resides
#  g  group id of owner
#  i  inode number
#  l  growing files (logfiles for example)
#  m  modification timestamp
#  n  number of links
#  p  permission and file mode bits
#  r  ID of device pointed to by inode (valid only for device objects)
#  s  file size
#  t  file type
#  u  user id of owner
#
#  C  CRC-32 hash
#  H  HAVAL hash
#  M  MD5 hash
#  S  SHA hash
#

I have bcc'd the maintainer for input

Thanks,

---Mike

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Fri Mar 5 11:59:08 2010
From: Dag-Erling Smørgrav <des@des.no>
To: "Poul-Henning Kamp" <phk@critter.freebsd.dk>
Cc: freebsd-security@freebsd.org
Date: Fri, 05 Mar 2010 12:59:07 +0100
Subject: Re: tripwire and device numbers
Message-ID: <863a0f569g.fsf@ds4.des.no>
In-Reply-To: <3402.1267736139@critter.freebsd.dk>
"Poul-Henning Kamp" <phk@critter.freebsd.dk> writes:
> Mike Tancsa writes:
> > While getting a box ready for deployment, I noticed on two
> > occasions, I would get some exception reports flagging all files as
> > the underlying device number through reboots had changed. Is this
> > "normal" for Tripwire and FreeBSD ? (RELENG_7)
> Yes, device numbers in freebsd carry no meaning, unless it is a compat
> /dev directory to boot ancient systems (SunOS, very old FreeBSD etc)
> diskless.
>
> In general, tripwire should ignore devfs and possibly all pseudo-fs
> mount-points.

Nothing to do with devfs; IIUC, tripwire is complaining about st.st_dev
on regular files and directories.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Mar 5 12:48:13 2010
From: Mike Tancsa <mike@sentex.net>
To: Dag-Erling Smørgrav <des@des.no>, "Poul-Henning Kamp" <phk@critter.freebsd.dk>
Cc: freebsd-security@freebsd.org
Date: Fri, 05 Mar 2010 07:48:20 -0500
Subject: Re: tripwire and device numbers
Message-Id: <201003051248.o25Cm9Bd044380@lava.sentex.ca>
In-Reply-To: <863a0f569g.fsf@ds4.des.no>

At 06:59 AM 3/5/2010, Dag-Erling Smørgrav wrote:
>"Poul-Henning Kamp" writes:
> > Mike Tancsa writes:
> > > While getting a box ready for deployment, I noticed on two
> > > occasions, I would get some exception reports flagging all files as
> > > the underlying device number through reboots had changed. Is this
> > > "normal" for Tripwire and FreeBSD ? (RELENG_7)
> > Yes, device numbers in freebsd carry no meaning, unless it is a compat
> > /dev directory to boot ancient systems (SunOS, very old FreeBSD etc)
> > diskless.
> >
> > In general, tripwire should ignore devfs and possibly all pseudo-fs
> > mount-points.
>
>Nothing to do with devfs; IIUC, tripwire is complaining about st.st_dev
>on regular files and directories.

Correct. It was upset by just regular files and directories on regular
file systems in /usr/bin /sbin etc.

---Mike

>DES
>--
>Dag-Erling Smørgrav - des@des.no

--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
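Review bot: on the twpol.txt diff Mike posted upthread, the `-d` appended to `SEC_INVARIANT = +tpug-d ;` is a no-op, because an explicit `+tpug` mask never turns `d` on in the first place; it does no harm, but drop it so the hunk only touches masks where `d` was actually being checked. The other seven changed lines are consistent with the legend quoted under them (`d` is the ID of the device on which the inode resides, i.e. st_dev, which FreeBSD assigns at attach time), and `i` stays in every mask, so objects remain pinned by inode and a replaced or moved file is still reported. Before sending it to the port maintainer, turn it into a real unified diff against the port's twpol.txt (file header and `@@` hunk header), since as pasted the `@@section FS` line is Tripwire policy syntax rather than a hunk header and the `SIG_*` lines are unchanged context with no leading space.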
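As an added example (not code from the thread, and not Tripwire's own code), the following Python implements the property-mask semantics that the twpol.txt legend quoted in Mike's message describes, and runs it over stat()-style records: one pair constructed from the /usr/local/sbin entry in Mike's report (device number 92 before the reboot, 98 after), and one real file whose hashes are then altered to show that dropping `d` does not blind the check. The `$(ReadOnly)`, `$(Dynamic)` and friends are assumed to be the definitions in a stock twpol.txt and are not on this page, so verify them against your own policy; treating Tripwire's "SHA" as SHA-1 is likewise an assumption.

```python
"""Tripwire-style property masks applied to stat() snapshots.

Added example, not Tripwire's code. PREDEFINED holds what a stock
twpol.txt defines as far as I recall it (assumption; check your own
policy file). The /usr/local/sbin record is constructed from the values
quoted in the thread's report.
"""
import hashlib
import os
import re
import stat
import zlib

# Predefined variables from a stock twpol.txt (assumed; verify locally).
PREDEFINED = {
    "ReadOnly":   "+pinugtsdbmCM-rlacSH",
    "Dynamic":    "+pinugtd-srlbamcCMSH",
    "Growing":    "+pinugtdl-srbamcCMSH",
    "Device":     "+pugsdr-intlbamcCMSH",
    "IgnoreAll":  "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}
# Property letters exactly as the policy file's legend lists them.
PROPERTY_LETTERS = set("abcdgilmnprstuCHMS")


def expand_mask(mask: str) -> set:
    """Turn '$(ReadOnly)-d' into the set of property letters to check.

    $(Name) is substituted textually, then the string is read left to
    right: letters after '+' are checked, letters after '-' are ignored,
    and a later sign wins. That is why appending '-d' removes the device
    number even though ReadOnly switched it on earlier in the string.
    """
    while "$(" in mask:
        mask = re.sub(r"\$\((\w+)\)", lambda m: PREDEFINED[m.group(1)], mask)
    checked, sign = set(), "+"
    for ch in mask:
        if ch in "+-":
            sign = ch
        elif ch in PROPERTY_LETTERS:
            if sign == "+":
                checked.add(ch)
            else:
                checked.discard(ch)
        else:
            raise ValueError(f"unknown property letter {ch!r} in {mask!r}")
    return checked


def snapshot(path: str) -> dict:
    """Collect, keyed by legend letter, the properties Tripwire would record."""
    st = os.lstat(path)
    props = {
        "a": st.st_atime, "b": getattr(st, "st_blocks", 0), "c": st.st_ctime,
        "d": st.st_dev, "g": st.st_gid, "i": st.st_ino, "m": st.st_mtime,
        "n": st.st_nlink, "p": stat.S_IMODE(st.st_mode),
        "r": getattr(st, "st_rdev", 0), "s": st.st_size,
        "t": stat.S_IFMT(st.st_mode), "u": st.st_uid,
    }
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            data = fh.read()
        props["C"] = zlib.crc32(data)
        props["M"] = hashlib.md5(data).hexdigest()
        props["S"] = hashlib.sha1(data).hexdigest()  # assumed: "SHA" means SHA-1
    return props


def compare(expected: dict, observed: dict, mask: str) -> dict:
    """Return {letter: (expected, observed)} for every checked property that
    differs, i.e. what would show up as a report line for this object."""
    checked = expand_mask(mask)
    if "H" in checked:
        raise NotImplementedError("hashlib has no HAVAL; remove H from the mask")
    diffs = {}
    for letter in sorted(checked):
        if letter == "l":  # growing file: only shrinking is a violation
            if observed.get("s", 0) < expected.get("s", 0):
                diffs["l"] = (expected.get("s"), observed.get("s"))
        elif expected.get(letter) != observed.get(letter):
            diffs[letter] = (expected.get(letter), observed.get(letter))
    return diffs


def usr_local_sbin(dev: int) -> dict:
    """Constructed record matching the /usr/local/sbin entry in the report;
    1267647842 is Wed Mar 3 15:24:02 2010 EST, the quoted modify time."""
    return {"a": 0, "b": 4, "c": 0, "d": dev, "g": 0, "i": 2637949,
            "m": 1267647842, "n": 2, "p": 0o755, "r": 0, "s": 512,
            "t": stat.S_IFDIR, "u": 0}


def demo() -> dict:
    """The three comparisons the thread is about."""
    before, after = usr_local_sbin(92), usr_local_sbin(98)
    real = snapshot(__file__)                       # a real regular file
    tampered = dict(real, C=0, M="0" * 32, S="0" * 40)  # same stat, new content
    return {
        "stock_mask": compare(before, after, "$(ReadOnly)"),    # reports d only
        "minus_d":    compare(before, after, "$(ReadOnly)-d"),  # nothing reported
        "tampered":   compare(real, tampered, "$(ReadOnly)-d"),  # C and M still reported
    }


if __name__ == "__main__":
    for name, diffs in demo().items():
        print(name, diffs or "no differences")
```

On a FreeBSD box, `snapshot()` reads the live st_dev, so saving its output for a few paths under /usr/local/sbin before a reboot and calling `compare()` afterwards reproduces the report directly; the point of the constructed records is only that the verifier cannot reboot anything. Note that `$(ReadOnly)` ignores `S`, so a tampered file is caught on `C` and `M`; a mask that relies on hashes should not also enable `a`, which the legend marks as mutually exclusive with `+CMSH`.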