Date: Thu, 24 Aug 2000 09:16:49 -0400
From: Bill Munger <dave@nrmail.com>
To: security@freebsd.org
Subject: Re: after "make world"
Message-ID: <39A52041.B83D3C64@nrmail.com>
Keep in mind that by doing this kind of thing you are crippling an important part of intrusion detection, i.e. a tripwire-esque filesystem checker to alert you of funky stuff going on with your systems. It's better to be forced to reload a damaged system from media than to be unaware of a compromised machine or one under attack. A machine should be hardened against attack (whether from remote or local sources), but should be permissive enough that once compromised, the admins are immediately made aware of the problem.

Eric Brueggmann wrote:
>
> Hello,
>
> I try to keep my box up to date, and cvsup every week or so with
> cron. And make install world whenever there is a security alert. My
> question to the list is: What kind of scripts do shell server admins use
> after they make world? This question is in regards to permissions, suid,
> sgid, etc. Do you upgrade often enough to even warrant a script like
> this? Below is a little script, of some of the stuff that I have
> collected over the past couple of weeks. Am I missing something?
>
> Thanks for the help,
> Eric Brueggmann
> Hobbyist
>
> P.S. Sorry for posting to 2 lists, I thought it pertained to both of 'em.
> I know my spelling sucks..
>
> ===============================================================================
>
> #!/bin/sh
>
> # Run this after a make world, for better security.
>
> chflags noschg /bin/*
> chflags noschg /usr/bin/*
> chflags noschg /sbin/*
> chflags noschg /usr/sbin/*
> chflags noschg /bin ; chflags noschg /sbin
> chflags noschg /usr/bin ; chflags noschg /usr/sbin
> cd /var/log; chmod g-w,o-r * ; chmod a+r wtmp
>
> echo "Edit /etc/rc.conf and change the kernellevel to 2"
>
> for i in ` find / -type f -perm -2000 | egrep -wv "lockfile" ` ; do chmod g-s $i ; done
>
> for i in ` find / -type f -perm -4000 | egrep -wv "man|login|passwd|su|ssh|sendmail|procmail|sudo|mail.local" ` ; do chmod u-s $i ; done
>
> for i in ` find / -type d -perm -002 | egrep -v "tmp" ` ; do chmod o-w $i ; done
>
> chmod 700 /root
> # cd to /home and chmod 700 every directory except "apache|newuser|ftp|?????"
>
> chflags schg /bin/*
> chflags schg /usr/bin/*
> chflags schg /sbin/*
> chflags schg /usr/sbin/*
> chflags schg /bin ; chflags schg /sbin
> chflags schg /usr/bin ; chflags schg /usr/sbin
>
> #

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
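
The tripwire-style check the reply refers to, as an added example that is not part of either e-mail and is not FreeBSD project code: take a baseline of a tree after "make world", then compare later snapshots against it so new setuid/setgid bits and changed binaries are reported. The function names (hash_file, snapshot, compare, demo) are hypothetical, and the tree that demo builds is constructed sample data standing in for /usr/bin.

```shell
#!/bin/sh
# Added example: baseline and compare. Assumes no tabs/newlines in file names.

hash_file() {   # SHA-256 where available, POSIX cksum as a last resort
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"      # FreeBSD
    else cksum < "$1" | cut -d' ' -f1
    fi
}

# snapshot DIR: one "path<TAB>bits<TAB>hash" line per regular file.
# bits is "u" (setuid), "g" (setgid), "ug", or "-" for neither.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        bits=""
        [ -u "$f" ] && bits="${bits}u"
        [ -g "$f" ] && bits="${bits}g"
        printf '%s\t%s\t%s\n' "$f" "${bits:--}" "$(hash_file "$f")"
    done
}

# compare BASELINE CURRENT (two different files): print every difference;
# exit status is 1 if anything differs, 0 if the tree matches the baseline.
compare() {
    awk -F'\t' '
        FILENAME == ARGV[1] { bits[$1] = $2; sum[$1] = $3; next }
        !($1 in bits) { print "ADDED   " $1 " [" $2 "]"; bad = 1; next }
        {
            if (bits[$1] != $2) { print "BITS    " $1 " " bits[$1] " -> " $2; bad = 1 }
            if (sum[$1] != $3)  { print "CONTENT " $1; bad = 1 }
            delete bits[$1]
        }
        END { for (p in bits) { print "REMOVED " p; bad = 1 }; exit bad + 0 }
    ' "$1" "$2"
}

# demo: constructed tree standing in for /usr/bin; prints the compare report.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/bin"; echo one > "$d/bin/ls"; echo two > "$d/bin/su"
    chmod u+s "$d/bin/su"
    snapshot "$d/bin" > "$d/base"
    echo changed > "$d/bin/ls"; chmod u+s "$d/bin/ls"   # new content + setuid
    echo new > "$d/bin/newtool"; rm "$d/bin/su"         # one added, one removed
    snapshot "$d/bin" > "$d/now"
    compare "$d/base" "$d/now" | sed "s|$d/||"; rm -rf "$d"
}

case "${1:-}" in snapshot|compare|demo) "$@" ;; esac
```

Store the baseline somewhere the monitored host cannot rewrite (read-only media or another machine), since a baseline kept on the same filesystem can be altered along with the binaries.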
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?39A52041.B83D3C64>