Date: Tue, 19 Apr 2016 15:26:36 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: daily security run output - Checking setuid
Message-ID: <5716401C.2000606@FreeBSD.org>
In-Reply-To: <5716234C.1020900@gmail.com>
References: <5716234C.1020900@gmail.com>
On 2016/04/19 13:23, Ernie Luzar wrote:
> This morning the "daily security run output" lists a lot of files under
> the heading of Checking setuid files & devices. I have never seen this
> before.
>
> What does this mean?
> Has my system been breached?
> Where is the "daily security run output" documented?

The output usually shows any changes to the lists of setuid or setgid
files on your system. Take note of the leading '+' or '-' characters in
that output.

Suddenly adding one or a few new setuid files is suspicious. Adding write
permissions to those files is frequently suspicious. However, adding or
removing /lots/ of setuid or setgid files all at once is more likely to
be down to operator error.

The daily script depends on keeping a list of all the known setuid /
setgid files in (by default) /var/log/setuid.today and
/var/log/setuid.yesterday. If one or both of those files get deleted or
modified, or that partition fills up while the security/100.chksetuid
script is running, you'll get spurious output.

Setuid programs are often viewed as a security problem by inexperienced
administrators, and some even go as far as turning off the setuid
functionality. That, however, is one of those mistakes you only make
once. Properly implemented, setuid and setgid *improve* your system
security, and they are necessary for the system to function normally.
Cheers,

Matthew
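The following is an added example, not part of Matthew's reply and not FreeBSD's own periodic(8) code. It is a cut-down model of the cycle the reply describes for security/100.chksetuid: take a snapshot of setuid/setgid files, keep yesterday's and today's lists, and print a unified diff so that new or changed entries show with a leading '+' and vanished entries with a leading '-'. It also reproduces the failure mode the reply warns about, a missing or empty setuid.yesterday turning every entry into a '+' line. The function names, the "mode owner group path" record format, the demo directory layout and the assumption that file names contain no whitespace are mine; the real script records fuller "ls -liTd" output.

```shell
#!/bin/sh
# Added example (not FreeBSD's periodic(8) code): a model of what
# /etc/periodic/security/100.chksetuid does, showing where the '+' and '-'
# lines in "Checking setuid files and devices" come from.
#
# Assumptions not taken from the message: snapshot roots are passed as
# arguments, file names contain no whitespace, and POSIX find(1)/ls(1) plus a
# diff(1) that understands -u are available.

# snapshot_setuid ROOT...
#   Print "<mode> <owner> <group> <path>" for every setuid or setgid regular
#   file under the given roots, sorted by path.  Mode, owner, group and path
#   are enough to show the two events the reply singles out: a new setuid
#   file, and an existing setuid file that gains write permission.
snapshot_setuid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k 4
}

# compare_setuid YESTERDAY TODAY
#   Print the changed entries between two snapshots the way the daily report
#   does (unified diff, "-b -u"): '+' lines are entries that appeared or have
#   new attributes, '-' lines are entries that disappeared or show the old
#   attributes, so a modified file appears as a '-'/'+' pair.  Always exits 0
#   so callers can capture the output.
compare_setuid() {
    yesterday=$1
    today=$2
    if [ ! -s "$yesterday" ]; then
        # The failure mode from the thread: if setuid.yesterday was deleted,
        # truncated or never written (e.g. /var filled up), every current
        # entry is reported as '+', which looks like a mass compromise.
        echo "WARNING: $yesterday missing or empty; every entry will show as '+'" >&2
        yesterday=/dev/null
    fi
    diff -b -u "$yesterday" "$today" |
        grep '^[-+]' | grep -v -e '^--- ' -e '^+++ ' || true
}

# rotate_snapshots LOGDIR ROOT...
#   The daily cycle: today's list becomes yesterday's, a fresh list is taken,
#   and the difference is printed.
rotate_snapshots() {
    logdir=$1
    shift
    if [ -f "$logdir/setuid.today" ]; then
        mv "$logdir/setuid.today" "$logdir/setuid.yesterday"
    fi
    snapshot_setuid "$@" > "$logdir/setuid.today"
    compare_setuid "$logdir/setuid.yesterday" "$logdir/setuid.today"
}

# demo_setuid DIR
#   Constructed scenario (empty files, not real system binaries): one setuid
#   file on day one; on day two a setgid file appears and the setuid file
#   becomes world-writable.  Prints what the day-two report would contain.
demo_setuid() {
    dir=$1
    mkdir -p "$dir/bin" "$dir/log"
    : > "$dir/bin/su_like"; chmod 4755 "$dir/bin/su_like"
    : > "$dir/bin/plain";   chmod 0755 "$dir/bin/plain"
    # Day one: no setuid.yesterday yet, so this run warns and lists
    # everything as '+'; discard it, as an admin would after a fresh install.
    rotate_snapshots "$dir/log" "$dir/bin" >/dev/null 2>&1
    : > "$dir/bin/sg_like"; chmod 2755 "$dir/bin/sg_like"
    chmod 4757 "$dir/bin/su_like"      # setuid AND world-writable
    rotate_snapshots "$dir/log" "$dir/bin"
}
```

Running `demo_setuid /tmp/chk` prints three lines: a '-' line for su_like with mode -rwsr-xr-x, a '+' line for su_like with mode -rwsr-xrwx (the "adding write permissions" case), and a '+' line for the new sg_like; the non-setuid `plain` never appears. Deleting `/tmp/chk/log/setuid.yesterday` and calling `compare_setuid` again shows the operator-error pattern from the reply: every entry comes back as '+'.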
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5716401C.2000606>