Date:      Thu, 7 Aug 2014 07:33:52 +0200
From:      Kenneth Bernholm <kenneth@bernholm.dk>
To:        freebsd-questions@freebsd.org
Subject:   Re: Investigating passwd, group and setuid diffs in status mails
Message-ID:  <20140807053352.GA20057@zork>
In-Reply-To: <3651ef748410db561b04fe10796b8e65@bernholm.dk>
References:  <3651ef748410db561b04fe10796b8e65@bernholm.dk>

I'm terribly sorry for the formatting failure in my initial mail. Obviously the cut and paste in my webmail client left out the newlines. Here's the data once more (hopefully more readable):



The daily run output mail:


Removing stale files from /var/preserve:

Cleaning out old system announcements:

Removing stale files from /var/rwho:

Backup passwd and group files:
zork passwd diffs:
34a35
> logcheck:(password):915:915::0:0:Logcheck system
account:/var/lib/logcheck:/usr/local/bin/bash
zork group diffs:
41a42,43
> ssmtp:*:916:
> logcheck:*:915:

Verifying group file syntax:
/etc/group is fine

Backing up mail aliases:

Disk status:
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ada0p2    140G     25G    105G    19%    /
devfs          1.0K    1.0K      0B   100%    /dev
/dev/da0p1     451G     22G    393G     5%    /usbdisk

Network interface status:
Name    Mtu Network       Address              Ipkts Ierrs Idrop    Opkts Oerrs  Coll Drop
em0    1500 <Link#1>      90:e2:ba:6a:c0:dc   247366     0     0   227852     0     0    0
em0    1500 192.168.1.0   zork                239442     -     -   226920     -     -    -
lo0   16384 <Link#2>                               0     0     0        0     0     0    0
lo0   16384 localhost     ::1                      0     -     -        0     -     -    -
lo0   16384 fe80::1%lo0   fe80::1                  0     -     -        0     -     -    -
lo0   16384 your-net      localhost                0     -     -        0     -     -    -

Local system status:
 3:01AM  up 22:21, 2 users, load averages: 0.24, 0.33, 0.25

Mail in local queue:
mailq: Mail queue is empty

Mail in submit queue:
mailq: Mail queue is empty

Security check:
    (output mailed separately)

Checking for rejected mail hosts:

Backing up pkgng database:

-- End of daily output --



The daily security run output mail:


Checking setuid files and devices:

zork setuid diffs:
--- /var/log/setuid.today        2014-05-21 03:07:00.000000000 +0200
+++ /tmp/security.kNUKUHM3        2014-08-07 03:06:29.000000000 +0200
@@ -32,13 +32,15 @@
 7704735 -r-sr-xr-x  6 root  wheel         22376 Jan 16 23:41:02 2014 /usr/bin/ypchpass
 7704735 -r-sr-xr-x  6 root  wheel         22376 Jan 16 23:41:02 2014 /usr/bin/ypchsh
 7704601 -r-sr-xr-x  2 root  wheel          8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd
-7791699 -r-xr-sr-x  1 root  smmsp        676064 Jan 16 23:41:34 2014
/usr/libexec/sendmail/sendmail
+7791952 -r-xr-sr-x  1 root  smmsp        676064 Jun 26 06:30:49 2014
/usr/libexec/sendmail/sendmail
 7707857 -r-sr-xr-x  1 root  wheel         32824 Jan 16 23:40:38 2014
/usr/libexec/ssh-keysign
 7707853 -r-sr-xr-x  1 root  wheel          6000 Jan 16 23:40:05 2014
/usr/libexec/ulog-helper
 8268343 -r-sr-xr-x  1 root  wheel       1819872 Apr 15 05:47:39 2014
/usr/local/bin/Xorg
+8269540 -rwxr-sr-x  1 root  wheel         18064 Jun 26 06:34:34 2014
/usr/local/bin/lockfile
 8266420 -rwxr-sr-x  1 root  mail          11392 Apr  6 12:40:12 2014
/usr/local/bin/mutt_dotlock
 8268183 -rwsr-xr-x  1 root  wheel         20072 Apr 15 05:43:54 2014
/usr/local/bin/pkexec
-8268086 -rwsr-x---  1 root  messagebus   280784 Apr 15 05:41:41 2014
/usr/local/libexec/dbus-daemon-launch-helper
+8269542 -rwsr-sr-x  1 root  wheel         98224 Jun 26 06:34:34 2014
/usr/local/bin/procmail
+8269658 -rwsr-x---  1 root  messagebus   270896 Jul  1 12:14:01 2014
/usr/local/libexec/dbus-daemon-launch-helper
 8268207 -rwsr-xr-x  1 root  wheel         12152 Apr 15 05:43:54 2014
/usr/local/libexec/polkit-agent-helper-1
 8268125 -rwxr-sr-x  1 root  polkit        19736 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-explicit-grant-helper
 8268126 -rwxr-sr-x  1 root  polkit        17712 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-grant-helper
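Review bot: the two new root-owned entries sharing one mtime (Jun 26 06:34:34 2014), /usr/local/bin/procmail as setuid root and setgid wheel (-rwsr-sr-x) and /usr/local/bin/lockfile as setgid wheel (-rwxr-sr-x), are the lines to confirm before accepting this diff; the shared timestamp points at a single package install, so check that both paths belong to an installed package and still match its recorded checksums (pkg which /usr/local/bin/procmail, pkg check -s procmail) rather than being a stray binary. The sendmail line changes only inode and mtime (Jun 26 06:30:49 2014) with the size unchanged at 676064, which lines up with the 10.0-RELEASE-p6 kernel build of Jun 24 shown in the kernel log further down. The dbus-daemon-launch-helper line gets a new inode and a smaller size (280784 to 270896, Jul 1) while keeping -rwsr-x--- root:messagebus, and dbus-1.8.4 is still flagged under "packages with security vulnerabilities" at the end of this mail, so that rebuild alone does not clear the package item.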
@@ -47,6 +49,7 @@
 8268129 -rwsr-xr-x  1 root  wheel          8472 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-resolve-exe-helper
 8268130 -rwxr-sr-x  1 root  polkit        21328 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-revoke-helper
 8268131 -rwsr-xr-x  1 root  polkit        22032 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-set-default-helper
+8269530 -r-xr-sr-x  1 root  ssmtp         32360 Jun 25 10:26:12 2014
/usr/local/sbin/ssmtp
 7707669 -r-sr-sr-x  2 root  authpf        24160 Jan 16 23:41:18 2014 /usr/sbin/authpf
 7707669 -r-sr-sr-x  2 root  authpf        24160 Jan 16 23:41:18 2014
/usr/sbin/authpf-noip
 7707607 -r-xr-sr-x  1 root  daemon        55584 Jan 16 23:41:27 2014 /usr/sbin/lpc
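Review bot: the single addition in this hunk, /usr/local/sbin/ssmtp as setgid ssmtp (-r-xr-sr-x root:ssmtp, Jun 25 10:26:12 2014), corresponds to the new ssmtp:*:916: line in the daily output's group diffs, so verify the two together: confirm the package installed the file with that mode and group (pkg which /usr/local/sbin/ssmtp, pkg check -s ssmtp) and that group 916 has no members beyond what the package expects. The surrounding authpf and authpf-noip lines share inode 7707669 and are unchanged context, so they need no action here.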

Checking negative group permissions:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

zork kernel log messages:
+++ /tmp/security.GuJvYr8G        2014-08-07 03:11:32.000000000 +0200
+FreeBSD 10.0-RELEASE-p6 #0: Tue Jun 24 07:47:37 UTC 2014
+vgapci0: <VGA-compatible display> port 0x2220-0x2227 mem
0xf0100000-0xf017ffff,0xe0000000-0xefffffff,0xf0000000-0xf00fffff irq 16 at device
2.0 on pci0
+em0: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0x2100-0x211f mem
0xf0180000-0xf019ffff,0xf01a4000-0xf01a4fff irq 19 at device 25.0 on pci0
+uhci0: <Intel 82801I (ICH9) USB controller> port 0x2120-0x213f irq 20 at device
26.0 on pci0
+uhci1: <Intel 82801I (ICH9) USB controller> port 0x2140-0x215f irq 21 at device
26.1 on pci0
+uhci2: <Intel 82801I (ICH9) USB controller> port 0x2160-0x217f irq 22 at device
26.2 on pci0
+uhci3: <Intel 82801I (ICH9) USB controller> port 0x2180-0x219f irq 20 at device
29.0 on pci0
+uhci4: <Intel 82801I (ICH9) USB controller> port 0x21a0-0x21bf irq 21 at device
29.1 on pci0
+em0: <Intel(R) PRO/1000 Legacy Network Connection 1.0.6> port 0x1100-0x113f mem
0xf0200000-0xf021ffff,0xf0220000-0xf023ffff irq 20 at device 4.0 on pci7
+em0: Ethernet address: 90:e2:ba:6a:c0:dc
+atapci0: <Intel ICH9 SATA300 controller> port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x21e0-0x21ef,0x21f0-0x21ff irq 18 at device
31.2 on pci0
+atapci1: <Intel ICH9 SATA300 controller> port
0x2238-0x223f,0x2250-0x2253,0x2240-0x2247,0x2254-0x2257,0x2200-0x220f,0x2210-0x221f
irq 18 at device 31.5 on pci0
+Timecounter "TSC-low" frequency 1163772879 Hz quality 1000
+ugen3.2: <Western Digital> at usbus3
+ugen1.2: <Logitech> at usbus1
+ukbd0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1
+ums0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1
+uhid0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1

zork login failures:

zork refused connections:

Checking for packages with security vulnerabilities:
dbus-1.8.4
firefox-30.0_1,1
nss-3.16

-- End of security output --




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140807053352.GA20057>