From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Sat, 20 Feb 2016 23:03:36 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

Dag-Erling Smørgrav changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|In Progress                 |Closed
              Flags|mfc-stable10?               |mfc-stable10+
         Resolution|---                         |FIXED

From: Robert Ayrapetyan
To: freebsd-security@freebsd.org
Subject: verify FreeBSD installation
Date: Tue, 23 Feb 2016 20:17:39 -0800

Hi. Is there any reliable way to verify checksums of all local files for some
FreeBSD installation? E.g. I'm using a hoster which provides pre-deployed
FreeBSD instances, how can I be sure there are no patches\changes in a
kernel\services etc?
Does FreeBSD provide any automated tools for such kind of a verification?
Thanks.

From: Matthew Grooms
To: freebsd-security@freebsd.org
Subject: Re: verify FreeBSD installation
Date: Wed, 24 Feb 2016 00:13:10 -0600

On 2/23/2016 10:17 PM, Robert Ayrapetyan wrote:
> Hi. Is there any reliable way to verify checksums of all local files
> for some FreeBSD installation? E.g. I'm using a hoster which provides
> pre-deployed FreeBSD instances, how can I be sure there are no
> patches\changes in a kernel\services etc? Does FreeBSD provide any
> automated tools for such kind of a verification? Thanks.

You can try freebsd-update with the IDS option. Have a look at the man
page for details.

-Matthew

From: fwaggle
To: freebsd-security@freebsd.org
Subject: Re: verify FreeBSD installation
Date: Wed, 24 Feb 2016 16:11:47 +1100

Assuming you trust it to not be modified, and you point it at a legitimate
mirror, freebsd-update IDS should be able to tell you if anything's amiss.

See: https://www.freebsd.org/doc/handbook/updating-upgrading-freebsdupdate.html
Section: 23.2.4. System State Comparison

From: Roger Marquis
To: Robert Ayrapetyan
Cc: freebsd-security@freebsd.org
Subject: Re: verify FreeBSD installation
Date: Wed, 24 Feb 2016 09:04:58 -0800 (PST)

> Hi. Is there any reliable way to verify checksums of all local files for some
> FreeBSD installation? E.g. I'm using a hoster which provides pre-deployed
> FreeBSD instances, how can I be sure there are no patches\changes in a
> kernel\services etc?

At the filesystem-level there's security/integrit which we use with a
wrapper script for readable reports. Integrit replaced tripwire when
that company moved away from FOSS.

From the configuration-level there's 'pkg info', 'sysrc -a', 'ipfw sh',
... and of course the parsed output from /var/log/* to add real-time
monitoring.

I also recommend supplementing these tools with revision tracking for
anything host-specific and non-binary such as /etc/periodic/*/* and
/etc/rc.*. RCS works well for this on the localhost-level. On a large
scale ansible is my tool of choice for pulling this information from any
number of hosts into hg or git from which deltas and other reports can be
easily generated.

If you manage a large number of hosts and are interested in helping to
pull all of these tools into a pkg/port let me know.

Roger

From: Robert Ayrapetyan
To: freebsd-security@freebsd.org
Subject: Re: verify FreeBSD installation
Date: Wed, 24 Feb 2016 21:38:46 -0800

Thanks everyone!

On 02/24/16 09:04, Roger Marquis wrote:
>> Hi. Is there any reliable way to verify checksums of all local files
>> for some FreeBSD installation? E.g. I'm using a hoster which provides
>> pre-deployed FreeBSD instances, how can I be sure there are no
>> patches\changes in a kernel\services etc?
>
> At the filesystem-level there's security/integrit which we use with a
> wrapper script for readable reports. Integrit replaced tripwire when
> that company moved away from FOSS.
>
> From the configuration-level there's 'pkg info', 'sysrc -a', 'ipfw sh',
> ... and of course the parsed output from /var/log/* to add real-time
> monitoring.
>
> I also recommend supplementing these tools with revision tracking for
> anything host-specific and non-binary such as /etc/periodic/*/* and
> /etc/rc.*. RCS works well for this on the localhost-level. On a large
> scale ansible is my tool of choice for pulling this information from any
> number of hosts into hg or git from which deltas and other reports can be
> easily generated.
>
> If you manage a large number of hosts and are interested in helping to
> pull all of these tools into a pkg/port let me know.
>
> Roger

From: Terje Elde
To: Robert Ayrapetyan
Cc: freebsd-security@freebsd.org
Subject: Re: verify FreeBSD installation
Date: Thu, 25 Feb 2016 07:03:05 +0100

> On 24 Feb 2016, at 05:17, Robert Ayrapetyan wrote:
>
> Hi. Is there any reliable way to verify checksums of all local files for
> some FreeBSD installation? E.g. I'm using a hoster which provides
> pre-deployed FreeBSD instances, how can I be sure there are no
> patches\changes in a kernel\services etc? Does FreeBSD provide any
> automated tools for such kind of a verification?

Just a quick note; if you suspect malicious intent from a competent
attacker (your provider in this case), running an IDS-type check won't do.
It's possible to use a kernel-module that omits itself when you're looking
at the file system after boot for example, so it'd be invisible or look
normal when checking the filesystem.

Since you say "instance", I'm thinking probably VPS, in which case there
needs to be a level of trust in the provider anyway, and this probably
doesn't apply to you. Just wanted to mention it quickly as an apropos.

Terje

From: Robert Ayrapetyan
Cc: freebsd-security@freebsd.org
Subject: Re: verify FreeBSD installation
Date: Thu, 25 Feb 2016 21:50:38 -0800

Yeah, finally I've decided to re-install from an official iso.
I've found some services in crontab I didn't like at all - they were
submitting a lot of info to third-party servers (officially for
monitoring purposes).
p.s. Under "instance" I mean a dedicated unmanaged server.

On 02/24/16 22:03, Terje Elde wrote:
>
> > On 24 Feb 2016, at 05:17, Robert Ayrapetyan wrote:
> >
> > Hi. Is there any reliable way to verify checksums of all local files
> > for some FreeBSD installation? E.g. I'm using a hoster which provides
> > pre-deployed FreeBSD instances, how can I be sure there are no
> > patches\changes in a kernel\services etc? Does FreeBSD provide any
> > automated tools for such kind of a verification?
>
> Just a quick note; if you suspect malicious intent from a competent
> attacker (your provider in this case), running an IDS-type check won't
> do. It's possible to use a kernel-module that omits itself when you're
> looking at the file system after boot for example, so it'd be invisible
> or look normal when checking the filesystem.
>
> Since you say "instance", I'm thinking probably VPS, in which case there
> needs to be a level of trust in the provider anyway, and this probably
> doesn't apply to you. Just wanted to mention it quickly as an apropos.
>
> Terje
>

From: Terje Elde
To: Robert Ayrapetyan
Cc: freebsd-security@freebsd.org
Subject: Re: verify FreeBSD installation
Date: Fri, 26 Feb 2016 08:30:01 +0100

> On 26 Feb 2016, at 06:50, Robert Ayrapetyan wrote:
>
> Yeah, finally I've decided to re-install from an official iso.
> I've found some services in crontab I didn't like at all - they were
> submitting a lot of info to third-party servers (officially for
> monitoring purposes).
> p.s. Under "instance" I mean a dedicated unmanaged server.

With a dedicated unmanaged, a reinstall would be my preference as well.
There's an interesting option for this, called mfsBSD. It can be a bit of
hassle to set it up the first time (just a bit), but once it's up, it'll
give you an image that you can simply dd onto the harddrive(s), and boot
from. It then runs only in memory, no longer dependent on the drives, and
allows you to ssh in, and do an install just like you would from a dvd.

The reason that it can be a slight hassle, is that unless your provider
has DHCP, you'd have to configure IP etc in the image, so it'd be able to
bring up networking correctly.

Other options that can be interesting for setups like this, is using geli
for disk-encryption.

Terje

From: Axel Rau
To: Robert Ayrapetyan
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: verify FreeBSD installation
Date: Fri, 26 Feb 2016 12:33:35 +0100

> On 24.02.2016 at 18:04, Roger Marquis wrote:
>
> At the filesystem-level there's security/integrit which we use with a
> wrapper script for readable reports. Integrit replaced tripwire when
> that company moved away from FOSS.

There is also security/aide, which we used for many years, also with a
(remote) wrapper script. aide can produce deltas and has many nice
features.

Axel
(UTC) (envelope-from robert.ayrapetyan@gmail.com) Received: by mail-pf0-x22b.google.com with SMTP id x65so53353655pfb.1 for ; Fri, 26 Feb 2016 06:56:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:references:cc:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=v3HKcu7fO6u2KTWVWvYhqqA+UJyEc+kXsh9y4SnArro=; b=OIVyr368MLphjI8zhO5g7dEMWD0K1Qy0rmwTpe4H8rKN+RfdGQac1q7LAvHASN3r+f BWAnUFeOGEjleN6w/P3ErqB+1r/hoariLTQa2Ka4+Af6w+2SBcI+UiXrkWpPnSrtzYlu Whnz9DnSP4Nqx3GE1HTwT3yWB+23zU4wnqqfB1yv+dC0+Jif1aFBLibyyzQBOI/+Civ2 wZoPtBb8hk1/MCeWuNvc33KCJWTpgcmqabvMW7izZtVRGb8nKIQzjYiTLMAkKxF2ImCR 3B7h457I4jSYbEDKZlRvoMKEC3wyM6M6OdGgnMTCh7V8WgV7UsM07HbGCkysiuHpJPd0 kvug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:references:cc:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=v3HKcu7fO6u2KTWVWvYhqqA+UJyEc+kXsh9y4SnArro=; b=Cad0oL6OZorH4iykAV0VO4iTrHnivi4CjmYZjDu3U9y9D2v09v9bw8q4ZjRz9iSehY 3uU7DThqxwlgzZQY3/lBzapTjJhXWkRZApQM0Eep6FmP8MPAlXaMWPKI2kKdaEh2wYHj c6xbh1n8jOo1zWhRW+6DR3ofYPdWtWd9CovsEvZUcNCW0yfCSZyz1/oCypKoj+DAZwPu bk0P3UiDik0OTHSBP406e/bYOeL+Ypof8COy3sk+UPvyL+Db0xmoNqKaX+O0cHsConVz csD7iECwCtEkFY9sUPPCFTwVoxJvCuBDxeHofrSzeNqP+6NpmEOzeL7E2eSuA4GpooJF i5cA== X-Gm-Message-State: AD7BkJIpUw/JYBAs9BL8w5d7HSYdWk6vsEmzlPEUgGag+xXX1Xnvsyhjkiu9iUwwathl8g== X-Received: by 10.98.33.77 with SMTP id h74mr2593362pfh.157.1456498597690; Fri, 26 Feb 2016 06:56:37 -0800 (PST) Received: from [192.168.1.116] (c-50-156-112-176.hsd1.ca.comcast.net. 
[50.156.112.176]) by smtp.googlemail.com with ESMTPSA id b63sm20058285pfj.25.2016.02.26.06.56.36 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 26 Feb 2016 06:56:37 -0800 (PST) From: Robert Ayrapetyan To: Terje Elde Subject: Re: verify FreeBSD installation References: <56CD2EE3.5080009@gmail.com> <56CFE7AE.3080507@gmail.com> <0977BC22-D5FC-42FB-B75F-455215479F86@elde.net> Cc: freebsd-security@freebsd.org Message-ID: <56D067A4.2060200@gmail.com> Date: Fri, 26 Feb 2016 06:56:36 -0800 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <0977BC22-D5FC-42FB-B75F-455215479F86@elde.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Feb 2016 14:56:38 -0000 I'm using a following very simple and clear way instead of mfsBSD: - Reboot into "rescue mode" (feature provided by any hoster) - SSH to remote machine rebooted in "rescue mode" and run two commands: - wget ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64 /ISO-IMAGES/10.2/FreeBSD-10.2-RELEASE-amd64-bootonly.iso - kvm -curses -m 13000 -hda /dev/sda -hdb /dev/sdb -cdrom ~/FreeBSD-10.2-RELEASE-amd64-bootonly.iso -boot d That's all lol ). From this moment you just follow standard FreeBSD installation procedure (I prefer ZfsOnRoot mode). On 02/25/16 23:30, Terje Elde wrote: > > > On 26 Feb 2016, at 06:50, Robert Ayrapetyan > wrote: > > > > Yeah, finally I've decided to re-install from an official iso. > > I've found some services in crontab I didn't liked at all - they > were submitting a lot of info to a third-party servers (officially for > monitoring purposes). > > p.s. Under "instance" I mean a dedicated unmanaged server. 
> >
> With a dedicated unmanaged, a reinstall would be my preference as
> well. There's an interesting option for this, called mfsBSD. It can be
> a bit of hassle to set it up the first time (just a bit), but once
> it's up, it'll give you an image that you can simply dd onto the
> harddrive(s), and boot from. It then runs only in memory, no longer
> dependent on the drives, and allows you to ssh in, and do an install
> just like you would from a dvd.
>
> The reason that it can be a slight hassle, is that unless your
> provider has DHCP, you'd have to configure IP etc in the image, so
> it'd be able to bring up networking correctly.
>
> Other options that can be interesting for setups like this, is using
> geli for disk-encryption.
>
> Terje
>

From owner-freebsd-security@freebsd.org Fri Feb 26 23:34:53 2016
Date: Sat, 27 Feb 2016 00:34:50 +0100
Subject: FYI: OpenSSL versions 1.0.2g, 1.0.1s. @ 2016.03.01
From: Oliver Pinter
To: freebsd-security@freebsd.org

[openssl-announce] Forthcoming OpenSSL releases
https://mta.openssl.org/pipermail/openssl-announce/2016-February/000063.html
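
An added example for the rescue-mode install described earlier in this thread (not code from any poster): checking a downloaded installer image against a BSD-style checksum file before booting it. It assumes a checksum file with lines of the form "SHA256 (name) = digest"; the function names and the sample files are constructed for illustration.

```shell
# Check a downloaded image against a BSD-style checksum line:
#   SHA256 (file-name) = hexdigest

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'      # Linux rescue systems
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                         # FreeBSD base system
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Print the digest listed for an exact file name; fail if there is no entry.
expected_digest() {    # $1 = checksum file, $2 = file name
    awk -v name="$2" '
        $1 == "SHA256" && $2 == "(" name ")" && $3 == "=" {
            print $4; found = 1; exit
        }
        END { if (!found) exit 1 }' "$1"
}

# Return 0 on match, 1 on mismatch, 2 if the check could not be made.
verify_image() {       # $1 = image path, $2 = checksum file
    name=$(basename "$1")
    want=$(expected_digest "$2" "$name") || {
        echo "no SHA256 entry for $name in $2" >&2; return 2; }
    got=$(sha256_of "$1") && [ -n "$got" ] || return 2
    if [ "$got" = "$want" ]; then
        echo "OK: $name"
    else
        echo "MISMATCH: $name (got $got, expected $want)" >&2
        return 1
    fi
}

# Constructed demo: a stand-in image, then the same file after modification.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed sample image\n' > "$d/sample.iso"
    printf 'SHA256 (sample.iso) = %s\n' "$(sha256_of "$d/sample.iso")" > "$d/CHECKSUM.SHA256"
    verify_image "$d/sample.iso" "$d/CHECKSUM.SHA256" >/dev/null && r1=0 || r1=$?
    printf 'extra bytes\n' >> "$d/sample.iso"
    verify_image "$d/sample.iso" "$d/CHECKSUM.SHA256" 2>/dev/null && r2=0 || r2=$?
    rm -rf "$d"
    echo "$r1 $r2"     # 0 1
}
demo
```

A match only ties the image to the checksum file, so that file needs to come from a source you trust, such as a PGP-signed copy.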