From: Ben Smithurst
To: alex wetmore
Cc: Peter Pentchev, Jon Loeliger, security@freebsd.org
Date: Tue, 24 Jul 2001 19:23:27 +0100
Subject: Re: Security Check Diffs Question

alex wetmore wrote:

>> hmm, so if an intruder replaced a file without changing its link count,
>> size, or modification time, I wouldn't be alerted? Perhaps we should
>> change the security script to print the file's ctime instead of mtime,
>> since the ctime can't be forged?
>
> Or keep md5 signatures around...

well, yes, but that requires more than a single character change to
/etc/security. :-)

--
Ben Smithurst / ben@FreeBSD.org
FreeBSD: The Power To Serve http://www.FreeBSD.org/
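
The check discussed in this exchange, as an added example that is not part of the original message or of FreeBSD's /etc/security: a baseline holding link count, size and mtime misses a same-size replacement whose mtime is put back, while ctime and a content digest both flag it. SHA-256 stands in for the md5 signatures mentioned above; the file name and contents are constructed, and a POSIX filesystem is assumed.

```python
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Record the fields a file-integrity baseline could store for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "nlink": st.st_nlink,
        "size": st.st_size,
        "mtime": st.st_mtime_ns,
        "ctime": st.st_ctime_ns,
        "digest": digest,
    }


def changed_fields(baseline, current):
    """Return the names of the fields that differ between two snapshots."""
    return {name for name in baseline if baseline[name] != current[name]}


def demo():
    """Constructed scenario: same-size content change with mtime restored."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-binary")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"original contents\n")
        baseline = snapshot(path)
        before = os.stat(path)

        time.sleep(1.1)  # step past the filesystem's timestamp granularity
        with open(path, "wb") as fh:
            fh.write(b"replaced contents\n")  # same length as the original
        # Put atime/mtime back; utime() cannot set ctime and itself updates it.
        os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))

        return changed_fields(baseline, snapshot(path))


if __name__ == "__main__":
    print(sorted(demo()))
```

A ctime comparison also fires on legitimate chmod or chown operations, so it reports more changes than an mtime comparison does.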