From: Mark Felder
To: freebsd-security@freebsd.org
Subject: Re: has my 10.1-RELEASE system been compromised
Date: Thu, 26 Feb 2015 14:58:07 -0600

On Thu, Feb 26, 2015, at 14:52, Malcolm Herbert wrote:
> I'd also suggest you take a look at using mtree for tripwire-like
> functionality into the future - its primary purpose is to be able to
> take the specification for a directory tree and either report
> differences or make the filesystem conform to the specification.
>
> not sure whether it is used in the base FreeBSD system but it's
> definitely part of NetBSD where it is used to confirm the permissions
> and other metadata information for files from each of the release
> tarballs and (iirc) runs once a week as part of normal system cron
>
> mtree can also be turned on a directory tree to capture a specification
> that matches it ... it is better than find in this instance for
> comparing the state of a filesystem over time as it can be set to
> calculate file digests by a variety of algorithms and produce output
> that can be parsed and compared against later (which can be difficult
> with the -ls output from find)
>
> I also found a copy of it to run on Solaris to confirm that changes we
> were making to our source only had the desired impacts to large
> application data sets as part of our upgrade process
>
> plus until I mentioned it here, it might have been obscure enough for
> it not to be trojanned by a rootkit ... :)

mtree is a really handy tool. I especially love it for large changes like changing the UIDs and GIDs for a lot of accounts.
If you take an mtree dump, change the UIDs and GIDs, and re-apply the mtree dump it will quickly fix the permissions across your server because it stores the user and group names, not the IDs. I wish mtree was readily available on Linux.
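Added example, not part of the thread and not mtree(8) itself: a small Python sketch of the workflow Malcolm describes (take a specification of a tree with owner/group names and file digests, compare the live tree against it later and report what is missing, extra or changed). It runs on Linux where mtree is not installed, and uses a constructed temporary tree with a tampered file whose size does not change, which is exactly the case a `find -ls` style comparison would miss.

```python
import grp, hashlib, os, pwd, stat, tempfile

def _name(lookup, ident):
    """Map a numeric uid/gid to its name, as mtree stores uname/gname."""
    try:
        return lookup(ident)[0]          # pw_name / gr_name
    except KeyError:
        return str(ident)                # unmapped id: keep the number

def make_spec(root):
    """Record, per path relative to root, the metadata an mtree
    specification would carry: type, mode, owner and group names, size,
    and a SHA-256 digest for regular files."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {"type": "dir" if stat.S_ISDIR(st.st_mode) else "file",
                     "mode": oct(stat.S_IMODE(st.st_mode)),
                     "uname": _name(pwd.getpwuid, st.st_uid),
                     "gname": _name(grp.getgrgid, st.st_gid),
                     "size": st.st_size}
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as f:
                    entry["sha256digest"] = hashlib.sha256(f.read()).hexdigest()
            spec[os.path.relpath(full, root)] = entry
    return spec

def compare(old, new):
    """Return (kind, path, diffs) tuples: missing, extra, or changed keys."""
    report = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            report.append(("missing", path, None))
        elif path not in old:
            report.append(("extra", path, None))
        else:
            diffs = {k: (old[path].get(k), new[path].get(k))
                     for k in old[path] if old[path].get(k) != new[path].get(k)}
            if diffs:
                report.append(("changed", path, diffs))
    return report

def demo():
    """Constructed scenario: snapshot a tree, tamper with it, re-check."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original")             # 8 bytes
    baseline = make_spec(root)
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"trojaned")             # also 8 bytes: size unchanged, digest not
    with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
        f.write(b"x")                    # a new file the baseline never saw
    return compare(baseline, make_spec(root))
```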