From owner-freebsd-current Mon Nov 25 16:41:07 1996
Date: Mon, 25 Nov 1996 17:38:10 -0700 (MST)
From: Marc Slemko
To: Warner Losh
cc: current@FreeBSD.org
Subject: Re: find and xargs in /etc/security

On Mon, 25 Nov 1996, Warner Losh wrote:

> In message Marc Slemko writes:
>
> : There is more wrong with /etc/security than that, so perhaps it is worth
> : looking at it a bit more deeply. OpenBSD and NetBSD have a far more
> : comprehensive /etc/security.
>
> Can you elaborate as to what makes them better?

I didn't necessarily say better, just more comprehensive.

     579    2644   14887 OpenBSD/src/etc/security
      87     318    2104 FreeBSD/src/etc/security

Things like master.passwd file syntax and oddities, group file syntax and
oddities, stuff in root shell startup files (e.g. .cshrc), "+" in various
files like hosts.equiv, special users with .rhosts files, home directory
permissions, mailbox permissions, /etc/exports, changes in setuid/setgid
files, permissions on block and character disk devices, special files and
binaries checksum. Some of the stuff is a bit questionable, and in general
the less output the better when security monitoring is involved, but some
is quite useful.

An option to easily add a tripwire scan wouldn't hurt, although perhaps a
security.local and a port with a good config file (i.e. set up to watch
important things and ignore unimportant changes) would be better.
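
Added example, not part of the original message and not taken from any BSD's /etc/security: a sketch of two of the checks listed above (master.passwd syntax and oddities, and "+" entries in hosts.equiv-style files). The function names, the sample accounts and the sample hosts are constructed for illustration; the script reads only the sample files it writes to a temporary directory.

```sh
#!/bin/sh
# Added example (not from the original message): two of the checks listed
# above, run against constructed sample files rather than the live /etc.

# master.passwd has 10 colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
check_master_passwd() {
    awk -F: '
        /^#/ || /^$/     { next }
        NF != 10         { printf "line %d: %d fields, expected 10\n", NR, NF; next }
        $1 == ""         { printf "line %d: empty login name\n", NR; next }
        $1 ~ /^[+-]/     { printf "line %d: NIS-style entry %s\n", NR, $1; next }
        $2 == ""         { printf "login %s: empty password field\n", $1 }
        $3 !~ /^[0-9]+$/ { printf "login %s: non-numeric uid %s\n", $1, $3 }
        # toor is the stock FreeBSD alternate root account, so it is expected.
        $3 ~ /^0+$/ && $1 != "root" && $1 != "toor" {
                           printf "login %s: uid 0\n", $1 }
        seen[$1]++       { printf "login %s: duplicate name\n", $1 }
    ' "$1"
}

# A line whose first word starts with "+" in hosts.equiv or a .rhosts file
# extends trust to every host (or to a whole netgroup).
check_plus_entries() {
    awk '$1 ~ /^[+]/ { printf "line %d: + entry: %s\n", NR, $0 }' "$1"
}

# Write the constructed sample files into directory $1.
make_samples() {
    cat > "$1/master.passwd" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/nonexistent
guest::1001:1001::0:0:Guest:/home/guest:/bin/sh
admin2:*:0:0::0:0:Spare admin:/root:/bin/sh
alice:*:1002:1002:Alice:/home/alice:/bin/sh
guest:*:1003:1003::0:0:Second guest:/home/guest2:/bin/sh
+:::::::::
EOF
    cat > "$1/hosts.equiv" <<'EOF'
trusted.example.org
+
+@staff alice
-untrusted.example.org
EOF
}

dir=$(mktemp -d) && make_samples "$dir"
check_master_passwd "$dir/master.passwd"
check_plus_entries "$dir/hosts.equiv"
rm -rf "$dir"
```

Both functions print nothing when a file is clean, which fits the point above that the less output a security report produces, the better.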