From owner-freebsd-security Tue Jul 24 11:12:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from catfood.nt.phred.org (fw.phred.org [216.39.149.188]) by hub.freebsd.org (Postfix) with ESMTP id 67FD537B405; Tue, 24 Jul 2001 11:12:29 -0700 (PDT) (envelope-from alex@phred.org)
Received: from phred.org ([216.39.149.189]) by catfood.nt.phred.org with Microsoft SMTPSVC(5.0.2195.3779); Tue, 24 Jul 2001 11:09:40 -0700
Date: Tue, 24 Jul 2001 11:11:17 -0700 (PDT)
From: alex wetmore
To: Ben Smithurst
Cc: Peter Pentchev , Jon Loeliger ,
Subject: Re: Security Check Diffs Question
In-Reply-To: <20010724190607.F20105@strontium.shef.vinosystems.com>
Message-ID: <20010724110942.L32042-100000@phred.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 24 Jul 2001, Ben Smithurst wrote:

> Peter Pentchev wrote:
>
> > ypchfn changed its inode number, and its link count. This means that
> > somebody performed an unlink() (delete) on ypchfn, and then created
> > a new ypchfn with the same size, timestamp, permissions and stuff,
> > but still a new file - and that's where the hardlink count + inum
> > tracking of /etc/security kicked in and alerted you.
>
> hmm, so if an intruder replaced a file without changing its link count,
> size, or modification time, I wouldn't be alerted? Perhaps we should
> change the security script to print the file's ctime instead of mtime,
> since the ctime can't be forged? Or keep md5 signatures around...

Jon: Did you patch the telnet hole?

alex
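The two replacement cases the thread contrasts, as an added example that is not part of the original message and not the /etc/security script itself: a small baseline-and-compare check that records the attributes the 2001 report effectively tracked (inode number, link count, size, mode, mtime) plus the two additions Ben proposes (ctime and a content digest), then runs both attacks against a constructed stand-in for ypchfn and reports which fields flag each one. The file names, the hard link to a sibling "ypchsh", the fixed 2001 mtime and the payloads are all constructed for the demo; SHA-256 stands in for the MD5 the thread mentions.

```python
import hashlib
import os
import stat
import tempfile
import time

# Attributes compared. The first five are what the 2001 /etc/security report
# covered (inode, link count, size, mode, mtime); the last two are the
# additions proposed in the thread (ctime and a content digest).
FIELDS = ("ino", "nlink", "size", "mode", "mtime", "ctime", "digest")

# Constructed timestamp for the "genuine" binary: 24 Jul 2001 00:00:00 UTC.
OLD_MTIME_NS = 995_932_800 * 1_000_000_000

# Constructed payloads; same length on purpose so the size check cannot help.
GENUINE = b"#!/bin/sh\necho genuine ypchfn\n"
TROJAN = b"#!/bin/sh\necho trojan  ypchfn\n"
assert len(GENUINE) == len(TROJAN)


def fingerprint(path):
    """Return the tracked attributes of one file as a dict."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "ino": st.st_ino,
        "nlink": st.st_nlink,
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": st.st_mtime_ns,
        "ctime": st.st_ctime_ns,
        "digest": h.hexdigest(),
    }


def changed_fields(baseline, current):
    """Names of the attributes that differ between two fingerprints, in FIELDS order."""
    return [k for k in FIELDS if baseline[k] != current[k]]


def install_genuine(directory, payload):
    """Constructed stand-in for the real binary: a setuid 'ypchfn' with one
    hard link to it (the real ypchfn is one of several links to passwd(1))
    and a fixed old mtime."""
    path = os.path.join(directory, "ypchfn")
    with open(path, "wb") as f:
        f.write(payload)
    os.chmod(path, 0o4755)
    os.link(path, os.path.join(directory, "ypchsh"))
    os.utime(path, ns=(OLD_MTIME_NS, OLD_MTIME_NS))
    return path


def unlink_and_recreate(path, payload, baseline):
    """The replacement Peter describes: unlink(), then a new file with the
    same size, mode and mtime.  The inode number and link count change and
    ctime is the creation time; utime(2) and chmod(2) cannot put those back."""
    os.unlink(path)
    with open(path, "wb") as f:
        f.write(payload)
    os.chmod(path, baseline["mode"])
    os.utime(path, ns=(baseline["mtime"], baseline["mtime"]))


def overwrite_in_place(path, payload, baseline):
    """The replacement Ben worries about: write over the existing inode, then
    restore mode (an unprivileged write clears the setuid bit on some systems)
    and mtime.  Inode, link count, size and mode all match the baseline; only
    ctime and the content digest give it away."""
    with open(path, "r+b") as f:
        f.write(payload)
    os.chmod(path, baseline["mode"])
    os.utime(path, ns=(baseline["mtime"], baseline["mtime"]))


def run_scenario(attack):
    """Baseline a fresh genuine file, apply one attack, report flagged fields."""
    with tempfile.TemporaryDirectory() as d:
        path = install_genuine(d, GENUINE)
        baseline = fingerprint(path)
        # Keep baseline and attack clearly apart in time so ctime differs even
        # on a filesystem with coarse (1 s) timestamp granularity.
        time.sleep(1.1)
        attack(path, TROJAN, baseline)
        return changed_fields(baseline, fingerprint(path))


def demo():
    return {
        "unlink_and_recreate": run_scenario(unlink_and_recreate),
        "overwrite_in_place": run_scenario(overwrite_in_place),
    }


if __name__ == "__main__":
    for scenario, flagged in demo().items():
        print(f"{scenario}: flagged by {flagged}")
```

Two caveats a practitioner would add to Ben's suggestion. ctime cannot be set through utimes(2), but an intruder who already has root can step the system clock back before writing, or edit the inode on the raw device, so ctime is a stronger tie-breaker than mtime rather than an unforgeable one; the content digest is what actually catches the in-place overwrite. And a baseline kept on the same host is only as trustworthy as the host: whoever can replace ypchfn can also rewrite the stored inode numbers or hashes, so the baseline belongs on read-only media, off-host, or under a signature checked elsewhere.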