From owner-freebsd-security Wed Aug 13 17:24:18 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA09826 for security-outgoing; Wed, 13 Aug 1997 17:24:18 -0700 (PDT)
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA09815 for ; Wed, 13 Aug 1997 17:24:13 -0700 (PDT)
Received: from localhost (breynolds@localhost) by ns2.harborcom.net (8.8.5/8.8.5) with SMTP id UAA14977; Wed, 13 Aug 1997 20:24:02 -0400 (EDT)
Date: Wed, 13 Aug 1997 20:24:02 -0400 (EDT)
From: "Bradley E. Reynolds"
To: Jeff Aitken
cc: freebsd-security@FreeBSD.ORG
Subject: Re: post-break-in checklist?
In-Reply-To: <199708120324.XAA27102@eagle.aitken.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> As far as FreeBSD goes, I've got the CDs and know about mtree, but
> I'm looking for a more generic "these are the sorts of things to
> look for if you suspect a security violation" just to be sure I'm
> not overlooking anything. (FWIW, the machine(s) which were
> compromised have been reinstalled from scratch anyway).
>
> Additionally, where might I find a list of all "security" issues
> since 2.2.2-R was released? I looked in
>
> ftp://freebsd.org/pub/CERT/advisories
>
> but only turned up 4 advisories from 1997, all of which were patched
> prior to the release of 2.2.2.
>

Well, try looking up the BUGTRAQ archives and be sure to look for things
like BSD 4.4 also (you may have been looking for 2.2.2 or something like
that). As for finding an intruder, look for setuid root shells and the
like.

Bradley Reynolds
breynolds@harborcom.net
ber@cwru.edu
PGP Fingerprint: 73 17 77 08 8A 72 DB 45 76 28 C5 5A 97 52 26
PGP Public Key: http://www.harborcom.net/~breynolds/pgp.html
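The setuid check the reply recommends, written out as an added example (not part of the original mail): enumerate setuid executables under a tree and report any that are missing from a baseline list captured on a clean install. The baseline file format (one absolute path per line) is an assumption of this example; the mtree specification the original poster mentions is the fuller integrity check.

```shell
#!/bin/sh
# Added example, not from the original mail. Finds setuid executables and
# flags those absent from a known-good baseline (assumed format: one path
# per line, taken from a freshly installed system).

# Print every setuid file under directory $1, one path per line, sorted.
# Sorted output is required by comm(1) below and makes diffs stable.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under $1 that are not listed in baseline file $2.
# Anything printed is unexpected: a setuid copy of a shell dropped into
# /tmp or a home directory is the classic leftover the reply refers to.
new_setuid() {
    tmp=$(mktemp) || return 1
    sort "$2" > "$tmp"
    # comm -23: lines only in the first input (current setuid files)
    list_setuid "$1" | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Typical use on a live box (baseline captured earlier with list_setuid):
#   list_setuid / > /var/backups/setuid.baseline   # on the clean install
#   new_setuid / /var/backups/setuid.baseline       # after a suspected break-in
```

Run the baseline capture against the reinstalled system, not the suspect one, or the intruder's additions become part of the "known good" list.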