Date: Wed, 29 Aug 2001 10:20:31 -0300
From: Fernan Aguero
To: FreeBSD Security
Subject: changed /dev/ttys is this normal?
Message-ID: <20010829102031.A22076@iib005.iib.unsam.edu.ar>

Hi,

I started using tripwire to monitor for changed files on my system. I noticed that /dev/console and /dev/ttys were changed and the tripwire report showed the following:

[...]

Modified object name: /dev/console

  Property:        Expected             Observed
  -------------    -----------          -----------
  Object Type      Character Device     Character Device
  Device Number    160768               160768
  Inode Number     7208                 7208
  Mode             crw--w--w-           crw--w--w-
  Num Links        1                    1
* UID              fernan (1001)        root (0)
  GID              wheel (0)            wheel (0)

[...]

Modified object name: /dev/ttyp1

  Property:        Expected             Observed
  -------------    -----------          -----------
  Object Type      Character Device     Character Device
  Device Number    160768               160768
  Inode Number     7537                 7537
  Mode             crw--w----           crw--w----
  Num Links        1                    1
* UID              fernan (1001)        root (0)
* GID              tty (4)              wheel (0)

[...]

Modified object name: /dev/ttyp6

  Property:        Expected             Observed
  -------------    -----------          -----------
  Object Type      Character Device     Character Device
  Device Number    160768               160768
  Inode Number     7547                 7547
* Mode             crw-rw-rw-           crw--w----
  Num Links        1                    1
* UID              root (0)             genhum2001 (1000)
* GID              wheel (0)            tty (4)

Is this normal? If so, is it safe to change tripwire's policy to ignore these changes?

Thanks in advance for your help.

Fernan

--
|  F e r n a n   A g u e r o  |  B i o i n f o r m a t i c s  |
|   fernan@iib.unsam.edu.ar   |      genoma.unsam.edu.ar      |