Date:      Tue, 13 Nov 2001 15:31:02 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        John Baldwin <jhb@FreeBSD.ORG>
Cc:        Robert Watson <rwatson@FreeBSD.ORG>, current@FreeBSD.ORG, Alexander Leidinger <Alexander@Leidinger.net>
Subject:   Re: daily run output & passwd diff
Message-ID:  <20011113153102.B61915@blossom.cjclark.org>
In-Reply-To: <XFMail.011113143148.jhb@FreeBSD.org>; from jhb@FreeBSD.ORG on Tue, Nov 13, 2001 at 02:31:48PM -0800
References:  <Pine.NEB.3.96L.1011113172509.55075A-100000@fledge.watson.org> <XFMail.011113143148.jhb@FreeBSD.org>

On Tue, Nov 13, 2001 at 02:31:48PM -0800, John Baldwin wrote:
> 
> On 13-Nov-01 Robert Watson wrote:
> > 
> > On Tue, 13 Nov 2001, John Baldwin wrote:
> > 
> >> > My temptation would actually be to ignore any commented lines in either
> >> > file for the purposes of the diff.  For the purposes of security checking,
> >> > you care mostly about the uncommented lines.  This would allow the script
> >> > to exclude content when it didn't understand its semantics (and hence
> >> > might risk revealing information it wasn't intended to).
> >> 
> >> So if some (admittedly weird) sysadmin temporarily comments out a
> >> password line then the next day we will broadcast that crypted password
> >> in plaintext e-mail? 
> > 
> > Not sure I follow.  I was suggesting that any line beginning with '#' be
> > excluded from the diffing, since the script can't know if information in
> > the comment is sensitive or not, and therefore can't censor it.
> > 
> > I.e., the conceptual equivalent of:
> > 
> > grep -v '^#' master.passwd > master.passwd.tmp
> > grep -v '^#' master.passwd.bak > master.passwd.bak.tmp
> > diff -u master.passwd.bak master.passwd
> > 
> > If an entry was commented out, then uncommented, then both events would
> > show up, just as removal/addition.
> > 
> > I could be missing something, of course :-).
> 
> Oh.  Hmm.  That could work I suppose...

Index: /export/current/src/etc/periodic/daily/200.backup-passwd
===================================================================
RCS file: /export/ncvs/src/etc/periodic/daily/200.backup-passwd,v
retrieving revision 1.9
diff -u -r1.9 200.backup-passwd
--- /export/current/src/etc/periodic/daily/200.backup-passwd    11 Nov 2001 07:15:19 -0000      1.9
+++ /export/current/src/etc/periodic/daily/200.backup-passwd    13 Nov 2001 23:27:50 -0000
@@ -41,8 +41,8 @@
            then
                [ $rc -lt 1 ] && rc=1
                echo "$host passwd diffs:"
-               diff $bak/master.passwd.bak /etc/master.passwd |\
-                       sed 's/^\([<>] [^#][^:]*\):[^:]*:/\1:(password):/'
+               diff -I '^#' $bak/master.passwd.bak /etc/master.passwd |\
+                       sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
                mv $bak/master.passwd.bak $bak/master.passwd.bak2
                cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
            fi
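Review bot: `-I '^#'` on the `+ diff` line drops a change only when every deleted and inserted line in it matches `^#`, so a commented-out entry that sits in the same run of changed lines as a real edit is still printed; the widened `sed` on the following `+` line does mask field two of such `<`/`>` lines, but a comment that is not in passwd format (fewer than two colons) goes out verbatim. Suggest a short comment above the `diff` stating that only comment-only changes are suppressed, so the "ignore commented lines" wording in the thread is not read as a guarantee about mixed hunks.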

Good for everyone? The only odd thing about this is that the cmp(1)
that causes this code to be executed can find differences that the
diff(1) will ignore. I think this is a feature. You still get your old
master.passwd(5) file backed up whenever there is _any_ change, but
you get shown that nothing security-wise has changed with the empty
diff(1). But it may be confusing to some.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

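An added example, not part of this thread or of the FreeBSD periodic script: it runs the patch's `diff -I '^#'` plus `sed` masking over two constructed master.passwd(5) snapshots (fake hashes) so the behaviour on a mixed hunk of comment and real changes, and on a comment-only change, can be seen directly. It assumes the local diff(1) supports `-I`.

```shell
#!/bin/sh
# Added example, not the FreeBSD periodic script: run the patch's
# 'diff -I' + sed masking over two constructed master.passwd(5)
# snapshots (fake hashes) and see what a mixed hunk yields.
set -u

# masked_passwd_diff OLD NEW: plain diff(1) of the two files; changes made
# only of '#' lines are dropped by -I, and field two (the hash) of every
# remaining '<' or '>' line is replaced by "(password)", as in the patch.
masked_passwd_diff() {
    diff -I '^#' "$1" "$2" | sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
}

# write_samples DIR: constructed snapshots. "new" changes root's hash and
# re-enables a commented-out entry next to it; "commentonly" changes a
# comment line and nothing else.
write_samples() {
    cat > "$1/old" <<'EOF'
# constructed sample, not a real master.passwd
root:$1$OLDHASH$xxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
#alice:$1$ALICE$yyyyyyyyyyyyyyyyyyyyyy:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$BOB$zzzzzzzzzzzzzzzzzzzzzzzzzz:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    cat > "$1/new" <<'EOF'
# constructed sample, not a real master.passwd
root:$1$NEWHASH$xxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
# note: alice re-enabled
alice:$1$ALICE$yyyyyyyyyyyyyyyyyyyyyy:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$BOB$zzzzzzzzzzzzzzzzzzzzzzzzzz:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    sed '1s/.*/# only this comment line differs/' "$1/old" > "$1/commentonly"
}

# demo A B: diff sample A against sample B in a scratch directory and print
# the masked result (empty when only comment lines changed).
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    masked_passwd_diff "$dir/$1" "$dir/$2"
    rm -rf "$dir"
}

# Stand-alone run: the first diff shows masked "root:(password)" lines and
# the "#alice" line (masked, since it has colons) together with the
# "# note" comment printed verbatim, because -I cannot drop a change that
# also contains non-comment lines; the second diff prints nothing.
demo old new
demo old commentonly
```

The hashes are only hidden by the `sed` stage; `-I` alone never removes a comment line that shares a change with a real entry.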