From owner-freebsd-security Tue Jul 24 11:06:14 2001
Date: Tue, 24 Jul 2001 19:06:07 +0100
From: Ben Smithurst
To: Peter Pentchev
Cc: Jon Loeliger, security@freebsd.org
Subject: Re: Security Check Diffs Question
Message-ID: <20010724190607.F20105@strontium.shef.vinosystems.com>
In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg>

Peter Pentchev wrote:

> ypchfn changed its inode number, and its link count. This means that
> somebody performed an unlink() (delete) on ypchfn, and then created
> a new ypchfn with the same size, timestamp, permissions and stuff,
> but still a new file - and that's where the hardlink count + inum
> tracking of /etc/security kicked in and alerted you.

Hmm, so if an intruder replaced a file without changing its link count,
size, or modification time, I wouldn't be alerted? Perhaps we should
change the security script to print the file's ctime instead of mtime,
since the ctime can't be forged?

-- 
Ben Smithurst / ben@FreeBSD.org
FreeBSD: The Power To Serve
http://www.FreeBSD.org/
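The case Ben asks about, as an added illustration that is not part of the list post or of FreeBSD's /etc/security script: a tiny snapshot/compare check in the same spirit, run against a constructed file that is overwritten through its existing inode (so inode number, link count and size are unchanged) with the old mtime copied back by utime(2). The field set and file name are assumptions for the demo.

```python
import os
import tempfile
import time

# The attributes a /etc/security-style check compares, plus ctime,
# the column Ben proposes adding. (Assumed field set; illustrative only.)
FIELDS = ("ino", "nlink", "size", "mtime", "ctime")


def snapshot(path):
    """Record one file's inode metadata, as a periodic security script would."""
    st = os.lstat(path)
    return {"ino": st.st_ino, "nlink": st.st_nlink, "size": st.st_size,
            "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}


def changed_fields(old, new):
    """Return the names of the attributes that differ between two snapshots."""
    return [f for f in FIELDS if old[f] != new[f]]


def overwrite_in_place(path, content):
    """Rewrite a file's contents through the existing inode and copy the old
    mtime back with utime(2): ino, nlink, size and mtime all look untouched,
    but the kernel bumps ctime and utime(2) offers no way to set it."""
    st = os.lstat(path)
    with open(path, "r+b") as fh:
        fh.write(content)
    os.utime(path, (st.st_atime, st.st_mtime))  # mtime forged; ctime is now


def demo():
    """Constructed scenario: same-size in-place replacement with forged mtime."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ypchfn")  # constructed stand-in for the binary
    with open(path, "wb") as fh:
        fh.write(b"A" * 16)                 # original 16-byte contents
    day_ago = time.time() - 86400
    os.utime(path, (day_ago, day_ago))      # old mtime, like an installed binary
    before = snapshot(path)
    time.sleep(1.1)                         # let ctime advance past 1s resolution
    overwrite_in_place(path, b"B" * 16)     # same size, different contents
    after = snapshot(path)
    return changed_fields(before, after)


if __name__ == "__main__":
    print("attributes that changed:", demo())   # only ctime gives it away
```

ctime cannot be set through utime(2) or touch(1), but root can still move it by changing the system clock before the write or by editing the raw filesystem device, so comparing ctime raises the bar rather than closing the gap; a content hash kept off-host is the stronger check.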