Date: Thu, 30 Aug 2001 07:38:08 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Peter Pentchev <roam@ringlet.net>
Cc: Fernan Aguero <fernan@iib.unsam.edu.ar>, FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject: Re: changed /dev/ttys is this normal?
Message-ID: <200108301438.f7UEcVd10501@cwsys.cwsent.com>
In-Reply-To: Your message of "Wed, 29 Aug 2001 17:11:25 +0300." <20010829171125.G780@ringworld.oblivion.bg>
In message <20010829171125.G780@ringworld.oblivion.bg>, Peter Pentchev writes:
> On Wed, Aug 29, 2001 at 04:59:06PM +0300, Peter Pentchev wrote:
> > On Wed, Aug 29, 2001 at 10:20:31AM -0300, Fernan Aguero wrote:
> > > Hi
> > >
> > > I started using tripwire to monitor for changed files on my system.
> > > I noticed that /dev/console and /dev/ttys were changed and the
> > > tripwire report showed the following:
> > >
> > > [...]
> > >
> > > Modified object name:  /dev/console
> > >
> > >   Property:            Expected                    Observed
> > >   -------------        -----------                 -----------
> > >   Object Type          Character Device            Character Device
> > >   Device Number        160768                      160768
> > >   Inode Number         7208                        7208
> > >   Mode                 crw--w--w-                  crw--w--w-
> > >   Num Links            1                           1
> > > * UID                  fernan (1001)               root (0)
> > >   GID                  wheel (0)                   wheel (0)
> > [snip]
> > >
> > > Is this normal? If so, is it safe to change tripwire's policy to
> > > ignore these changes?
> >
> > Yes, this is normal - the owner of a terminal device is always
> > set to the user who has logged in, so he can open it and perform
> > reads/writes/ioctls on it.
> >
> > I believe that it should be safe to have tripwire ignore terminal
> > devices :)
>
> ..but actually, it might be wise if Tripwire would warn you about
> changes in *anything* but the owner on terminal devices. Also,
> it would be wise to have it warn you for the appearance of *new*
> files looking like terminal devices. I've seen more than one
> rootkit which installed a setuid shell or a config file or whatever
> as /dev/ttySomething, or as a replacement for one of the higher-numbered
> tty devices (in the hope that those are reached only very rarely,
> and this would go unnoticed for quite some time).

The upcoming Tripwire 2.3.1 port (PR is in but not committed yet) actually
does this. E.g.,

/dev/console -> $(SEC_TTY) ;
/dev/ttyv0   -> $(SEC_TTY) ;
...
Where SEC_TTY is defined as,

SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login

Regards,                        Phone:    (250)387-8437
Cy Schubert                     Fax:      (250)387-5766
Team Leader, Sun/Alpha Team     Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
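The stricter rule Peter suggests above (ignore the login ownership handoff on terminal devices, but flag every other change on them and any new tty-looking entry), as an added example that is neither Tripwire's code nor part of the original thread; the Entry model, the tty name pattern and the two sample snapshots are constructed assumptions:

```python
import os
import re
import stat
from dataclasses import dataclass

# Names that look like terminal devices (assumed pattern, not Tripwire's).
TTY_NAME = re.compile(r"^(console|tty[a-zA-Z0-9]*)$")

@dataclass(frozen=True)
class Entry:
    is_chardev: bool
    mode: int   # permission bits only (stat.S_IMODE)
    uid: int
    gid: int
    inode: int

def snapshot(devdir="/dev"):
    """Take a live snapshot of a device directory (needs a real /dev)."""
    out = {}
    for name in os.listdir(devdir):
        st = os.lstat(os.path.join(devdir, name))
        out[name] = Entry(stat.S_ISCHR(st.st_mode), stat.S_IMODE(st.st_mode),
                          st.st_uid, st.st_gid, st.st_ino)
    return out

def check_ttys(baseline, observed):
    """Return (name, reason) findings for tty-looking entries.  A uid change
    alone is the normal ownership handoff at login and is not reported;
    any other change, and any new tty-looking entry, is."""
    findings = []
    for name, cur in observed.items():
        if not TTY_NAME.match(name):
            continue
        old = baseline.get(name)
        if old is None:
            findings.append((name, "new tty-looking entry"))
        if not cur.is_chardev:
            findings.append((name, "not a character device"))
        for field in ("mode", "gid", "inode"):
            if old is not None and getattr(cur, field) != getattr(old, field):
                findings.append((name, f"{field} changed"))
    return findings

# Constructed sample snapshots standing in for a baseline and a later run.
BASELINE = {"console": Entry(True, 0o622, 0, 0, 7208),
            "ttyv0": Entry(True, 0o620, 0, 0, 7210)}
OBSERVED = {"console": Entry(True, 0o622, 1001, 0, 7208),  # login handoff: ignored
            "ttyv0": Entry(True, 0o4755, 1001, 0, 7210),   # permission bits changed
            "ttyv9": Entry(False, 0o4755, 0, 0, 9999)}     # new setuid regular file
```

Running check_ttys() over two snapshot() results applies the same rule to a live /dev.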