Date: Thu, 26 Feb 2015 14:58:07 -0600
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Message-ID: <1424984287.4120744.232959461.2199527B@webmail.messagingengine.com>
In-Reply-To: <1424983940.4119761.232957121.03701F8A@webmail.messagingengine.com>
References: <864mq9zsmm.fsf@gly.ftfl.ca> <32202C62-3CED-49B6-8259-0B18C52159D1@spam.lifeforms.nl> <1424973772.4085078.232885457.0277C7ED@webmail.messagingengine.com> <20150226201234.GA1920@dhole.grinstead.net> <1424983940.4119761.232957121.03701F8A@webmail.messagingengine.com>
On Thu, Feb 26, 2015, at 14:52, Malcolm Herbert wrote:
> I'd also suggest you take a look at using mtree for tripwire-like
> functionality into the future - its primary purpose is to be able to
> take the specification for a directory tree and either report
> differences or make the filesystem conform to the specification.
>
> not sure whether it is used in the base FreeBSD system but it's
> definitely part of NetBSD where it is used to confirm the permissions
> and other metadata information for files from each of the release
> tarballs and (iirc) runs once a week as part of normal system cron
>
> mtree can also be turned on a directory tree to capture a specification
> that matches it ... it is better than find in this instance for
> comparing the state of a filesystem over time as it can be set to
> calculate file digests by a variety of algorithms and produce output
> that can be parsed and compared against later (which can be difficult
> with the -ls output from find)
>
> I also found a copy of it to run on Solaris to confirm that changes we
> were making to our source only had the desired impacts to large
> application data sets as part of our upgrade process
>
> plus until I mentioned it here, it might have been obscure enough for
> it not to be trojanned by a rootkit ... :)

mtree is a really handy tool. I especially love it for large changes
like changing the UIDs and GIDs for a lot of accounts. If you take an
mtree dump, change the UIDs and GIDs, and re-apply the mtree dump it
will quickly fix the permissions across your server because it stores
the user and group names, not the IDs. I wish mtree was readily
available on Linux.
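The tripwire-like loop described in the thread (record a specification of a directory tree with per-file digests and owner/group names, later report what differs) as an added Python example; this is not mtree itself and not code from anyone on the list, but a small reimplementation of the baseline-and-compare step for hosts that lack mtree. The function names (create_spec, compare, demo) and the sample tree built under a temporary directory are constructed for the example; the docstrings name the mtree invocations each function approximates.

```python
import grp, hashlib, os, pathlib, pwd, stat, tempfile

KEYS = ("type", "mode", "uname", "gname", "size", "sha256digest")

def _entry(path):
    """Keywords for one path: owner/group by name (like mtree's uname/gname), digest for files."""
    st = os.lstat(path)
    kind = "dir" if stat.S_ISDIR(st.st_mode) else "link" if stat.S_ISLNK(st.st_mode) else "file"
    e = {"type": kind, "mode": "%04o" % stat.S_IMODE(st.st_mode)}
    try:
        e["uname"], e["gname"] = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # id without a passwd/group entry on this host: keep the numbers
        e["uname"], e["gname"] = str(st.st_uid), str(st.st_gid)
    if kind == "file":
        e["size"] = str(st.st_size)
        e["sha256digest"] = hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()
    return e

def create_spec(root):
    """Like `mtree -c -K sha256digest,uname,gname -p root`: {relative path: keywords}."""
    spec = {".": _entry(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            spec["./" + os.path.relpath(full, root)] = _entry(full)
    return spec

def compare(spec, root):
    """Like `mtree -f spec -p root`: report missing/extra entries and changed keywords."""
    have, report = create_spec(root), []
    for p in sorted(set(spec) | set(have)):
        if p not in spec or p not in have:
            report.append(f"{p} {'missing' if p not in have else 'extra'}")
        else:
            report += [f"{p}: {k} ({spec[p].get(k)}, {have[p].get(k)})"
                       for k in KEYS if spec[p].get(k) != have[p].get(k)]
    return report

def demo():  # constructed tree: take a baseline, tamper with the tree, return both reports
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "rc.d").mkdir()
        (root / "rc.conf").write_text('sshd_enable="YES"\n')
        (root / "rc.d" / "local").write_text("#!/bin/sh\n")
        baseline = create_spec(root)
        clean = compare(baseline, root)  # []: the tree still matches its own baseline
        (root / "rc.conf").write_text('sshd_enable="YES"\nextra_enable="YES"\n')  # modified
        (root / "rc.d" / "local").unlink()       # removed file
        (root / "rc.d" / "new-script").touch()   # added file
        return clean, compare(baseline, root)
```

Store the baseline off-host (json.dump of the dict is enough), since a specification kept on the machine it describes can be edited by whatever modified the tree.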