From owner-freebsd-security@FreeBSD.ORG Mon Aug 20 21:06:52 2012
Date: Tue, 21 Aug 2012 07:04:47 +1000
From: Peter Jeremy <peter@rulingia.com>
To: Paul Schenkeveld
Cc: freebsd-security@freebsd.org
Subject: Re: getting the running patch level
Message-ID: <20120820210447.GB27130@aspire.rulingia.com>
In-Reply-To: <20120819144637.GA17778@psconsult.nl>
References: <31946.192.168.0.107.1344505442.squirrel@mail.redix.it:443> <20120819144637.GA17778@psconsult.nl>
List-Id: "Security issues [members-only posting]"
On 2012-Aug-19 16:46:37 +0200, Paul Schenkeveld wrote:
> - Teach both installworld and freebsd-update to maintain manifest
>   files of what is installed and log that update, place all manifests
>   somewhere under /var/db and the update log in /var/log.

I'm not sure what detail you intend here.  One line per installworld or
similar sounds OK.  One line per file seems excessive - especially if
you intend to retain history ("df -ki" suggests that a base install is
around 30,000 files).

> - Having manifests of what's installed, one could check if all files
>   are still the right version, if older manifests are not discarded
>   when performing an update this could also detect files that were
>   not updated for whatever reason or that were reverted, i.e. by
>   restoring some backup. E.g.:
>
> Current userland version: 8.3-RELEASE-p4
> /usr/sbin/named is at 8.3-RELEASE-p2
> /usr/bin/openssl is at 8.3-RELEASE

How do you envisage this tool determining that /usr/sbin/foo is at
8.3-RELEASE-p2 and this is incorrect when userland is at (eg)
8.3-RELEASE-p4?  Note that updating your system from 8.3-RELEASE-p2 to
8.3-RELEASE-p4 may not change /usr/sbin/foo and therefore it will
remain untouched.

> The /etc/issue file mentioned several times in this thread is like motd
> but intended to be shown before a login prompt.  This works for console
> logins (getty) but not for remote logins.

SSH includes provision for displaying information prior to login - see
the "Banner" option in sshd_config.  Note that this is most definitely
the wrong place to include system version details.
-- 
Peter Jeremy
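One way a manifest-based check could answer Peter's question, added here as an illustration and not code from this thread or from FreeBSD: keep one manifest (path to SHA-256) per patch level and list unchanged files in every newer manifest, so a file the p2 -> p4 update did not touch still matches the p4 manifest, a file matching only an older manifest is reported at that level, and a file matching no retained manifest is flagged as unknown. The patch levels, file contents and installed tree below are constructed sample data, not real FreeBSD release contents.

```python
import hashlib

# Constructed sample data (not real FreeBSD release contents): the bytes of
# three files at each patch level of a hypothetical 8.3-RELEASE line.
# /usr/sbin/foo is not changed by the p2 -> p4 update, the case raised above.
LEVELS = ["8.3-RELEASE", "8.3-RELEASE-p2", "8.3-RELEASE-p4"]
SAMPLE_TREES = {
    "8.3-RELEASE":    {"/usr/bin/openssl": b"openssl-1", "/usr/sbin/named": b"named-1", "/usr/sbin/foo": b"foo-1"},
    "8.3-RELEASE-p2": {"/usr/bin/openssl": b"openssl-2", "/usr/sbin/named": b"named-2", "/usr/sbin/foo": b"foo-2"},
    "8.3-RELEASE-p4": {"/usr/bin/openssl": b"openssl-3", "/usr/sbin/named": b"named-3", "/usr/sbin/foo": b"foo-2"},
}

def build_manifest(tree):
    """Manifest for one patch level: path -> SHA-256 of the file as shipped at that level.
    Unchanged files are listed too, so the newest manifest describes the whole install."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}

# One retained manifest per level, as the proposal keeps older ones under /var/db.
MANIFESTS = {level: build_manifest(SAMPLE_TREES[level]) for level in LEVELS}

def file_level(path, digest, manifests, levels):
    """Newest patch level whose manifest lists this exact content for path, or None
    if no retained manifest has it (locally modified, or not from any known update)."""
    for level in reversed(levels):
        if manifests[level].get(path) == digest:
            return level
    return None

def audit(installed, manifests, levels):
    """Compare installed files to the current manifest. Files that match it are fine,
    even if their bytes date from an older level; everything else is reported."""
    current = levels[-1]
    report = []
    for path, data in installed.items():
        level = file_level(path, hashlib.sha256(data).hexdigest(), manifests, levels)
        if level != current:
            report.append((path, level or "unknown"))
    return report

# Constructed installed tree on a box claiming 8.3-RELEASE-p4: openssl was
# reverted from an old backup, named never got the p4 update, foo is correct.
INSTALLED = {"/usr/bin/openssl": b"openssl-1", "/usr/sbin/named": b"named-2", "/usr/sbin/foo": b"foo-2"}

def audit_sample():
    return audit(INSTALLED, MANIFESTS, LEVELS)

if __name__ == "__main__":
    print("Current userland version:", LEVELS[-1])
    for path, level in audit_sample():
        print(f"{path} is at {level}")
```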