Date: Sat, 22 Feb 1997 22:36:27 -0800 (PST)
From: Don Lewis <Don.Lewis@tsc.tdk.com>
To: freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: improved setuid and device file checker for /etc/security
Message-ID: <199702230636.WAA22830@salsa.gv.tsc.tdk.com>
A few weeks ago I solicited input on how to prevent locate.updatedb and /etc/security wasting a lot of time digging around the article spool on our news server. I got a lot of suggestions on different ways to tweak these scripts to prevent this, but the suggestions mostly involved making custom changes to these scripts that would be somewhat of a hassle to maintain.

At least in the case of /etc/security, I came up with a scheme that should be a lot more automatic. It's more complete in that it checks filesystems other than UFS, such as NFS, since someone could sneak a setuid executable onto one of these other filesystems. It doesn't check filesystems that are mounted nosuid or noexec, since any setuid executables present on these filesystems aren't a security threat. These two features give you more incentive to mount filesystems nosuid or noexec unless you have a good reason to do otherwise ;-)

I also added device file checking (other than their timestamps, which tend to get updated). I also suppress the checking of the ownerships and permissions on the tty devices, since these devices get chowned and chmoded.

--------------------------------- Cut Here ---------------------------
echo "checking setuid files:"
# don't have ncheck, but this does the equivalent of the commented out block.
# note that one of the original problems, the possibility of overrunning
# the args to ls, is still here...
#
MP=`mount | awk '!/\([^(]*(noexec|nosuid)[^(]*\)$/{ print $3 }'`
set $MP
while test $# -ge 1; do
    mount=$1
    shift
    find -X $mount -xdev -type f \
        \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
        \( -perm -u+s -or -perm -g+s \) | sort
done | xargs -n 20 ls -lgTd > $TMP
if [ ! -f $LOG/setuid.today ] ; then
    echo "no $LOG/setuid.today"
    cp $TMP $LOG/setuid.today
fi
if cmp $LOG/setuid.today $TMP >/dev/null; then :; else
    echo "$host setuid diffs:"
    diff -b $LOG/setuid.today $TMP
    mv $LOG/setuid.today $LOG/setuid.yesterday
    mv $TMP $LOG/setuid.today
fi
rm -f $TMP

echo ""
echo ""
echo "checking device files:"
MP=`mount | awk '!/\([^(]*nodev[^(]*\)$/{ print $3 }'`
set $MP
while test $# -ge 1; do
    mount=$1
    shift
    find -X $mount -xdev \( -type b -o -type c \) | sort
done | xargs -n 20 ls -lgTd | awk '{mode = $1; user = $3; group = $4;
    if ($11 ~ /\/tty/) { mode = substr(mode, 1, 1) "........."; user = ""; group = ""}
    printf "%7s %-2s %-8s %-8s %4s %9s %s\n", mode, $2, user, group, $5, $6, $11}' >> $TMP
if [ ! -f $LOG/device.today ] ; then
    echo "no $LOG/device.today"
    cp $TMP $LOG/device.today
fi
if cmp $LOG/device.today $TMP >/dev/null; then :; else
    echo "$host device diffs:"
    diff -b $LOG/device.today $TMP
    mv $LOG/device.today $LOG/device.yesterday
    mv $TMP $LOG/device.today
fi
rm -f $TMP
--------------------------------- Cut Here ---------------------------

---
Truck
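The three building blocks of the scheme above, as an added example that is not part of Don Lewis's message: the mount-option filter that drops nosuid/noexec (or nodev) filesystems, the awk rewrite that blanks owner and mode on tty devices, and the today/yesterday snapshot comparison. So that it runs offline, the mount(8) and ls -lgTd output is constructed sample text (device names, owners and the /var/news and /mnt/spool mounts are made up), and the snapshot logic is wrapped in a function that takes the log directory and report name as arguments instead of the script's $LOG and $TMP.

```shell
#!/bin/sh
# Added example exercising the filters from the post on constructed input.
# Nothing here is taken from a live system.

# Constructed mount(8)-style output; on FreeBSD the option list is the
# trailing parenthesised group, which is what the awk patterns key on.
SAMPLE_MOUNTS='/dev/sd0a on / (local)
/dev/sd0e on /usr (NFS exported, local)
/dev/sd0f on /var/news (local, noexec, nosuid)
news:/spool on /mnt/spool (nosuid)
fileserver:/home on /home (nodev)
procfs on /proc (local)'

# Constructed ls -lgTd lines for device nodes: 11 fields (mode, links,
# owner, group, major, minor, month, day, time, year, name).
SAMPLE_DEVS='crw-------  1 root  wheel    0,   0 Feb 22 22:36:27 1997 /dev/console
crw-rw-rw-  1 joe   tty     12,   3 Feb 22 22:40:01 1997 /dev/ttyp3
brw-r-----  1 root  operator   2,   0 Feb 22 22:36:27 1997 /dev/sd0a'

# Mount points worth scanning for setuid binaries: skip any filesystem whose
# option list contains noexec or nosuid (same awk as the post).
suid_mounts() {
    awk '!/\([^(]*(noexec|nosuid)[^(]*\)$/{ print $3 }'
}

# Mount points on which device nodes are honoured (no nodev option).
dev_mounts() {
    awk '!/\([^(]*nodev[^(]*\)$/{ print $3 }'
}

# Normalise a device listing: ttys are chowned/chmoded by login, so their
# mode bits, owner and group are blanked before the snapshot is compared.
mask_tty_devices() {
    awk '{mode = $1; user = $3; group = $4;
          if ($11 ~ /\/tty/) { mode = substr(mode, 1, 1) "........."; user = ""; group = "" }
          printf "%7s %-2s %-8s %-8s %4s %9s %s\n", mode, $2, user, group, $5, $6, $11}'
}

# Compare a fresh listing (stdin) against $1/$2.today the way the post does:
# seed the baseline on the first run, otherwise report a diff and rotate
# today -> yesterday. The report goes to stderr; stdout carries one word,
# "seeded", "unchanged" or "changed", so callers can act on the outcome.
check_against_baseline() {
    log=$1; name=$2
    tmp="$log/$name.tmp"
    cat > "$tmp"
    if [ ! -f "$log/$name.today" ]; then
        echo "no $log/$name.today" >&2
        cp "$tmp" "$log/$name.today"
        rm -f "$tmp"
        echo seeded
        return 0
    fi
    if cmp "$log/$name.today" "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo unchanged
    else
        echo "$name diffs:" >&2
        diff -b "$log/$name.today" "$tmp" >&2 || true   # diff exits 1 on differences
        mv "$log/$name.today" "$log/$name.yesterday"
        mv "$tmp" "$log/$name.today"
        echo changed
    fi
}

# Stand-alone demo: candidate mount points, then the masked device listing.
printf '%s\n' "$SAMPLE_MOUNTS" | suid_mounts
printf '%s\n' "$SAMPLE_DEVS" | mask_tty_devices
```

On the sample, suid_mounts keeps /, /usr, /home and /proc (nodev alone does not exclude a filesystem from the setuid scan), and dev_mounts keeps everything except /home. Running check_against_baseline twice on identical input yields "seeded" then "unchanged"; feeding it a different listing yields "changed" and leaves a .yesterday file behind for comparison.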