From: Gary Aitken
Reply-To: freebsd@dreamchaser.org
To: "Steve O'Hara-Smith", freebsd-questions@freebsd.org
Subject: Re: installed ports library audit?
Date: Mon, 1 Mar 2021 09:51:32 -0700
Message-ID: <4a1160b1-a6a2-6bc1-cb37-476d89ef1ff3@dreamchaser.org>
In-Reply-To: <20210301160552.454db2bec5975457026c57ba@sohara.org>

On 3/1/21 9:05 AM, Steve O'Hara-Smith wrote:
> On Mon, 1 Mar 2021 08:54:53 -0700
> Gary Aitken wrote:
>
>> Is there a similar check for the base system install? I see security
>> audits but those are event related.
>
> freebsd-update IDS - note caveats in man page.

Thanks. The results are mostly tweaked files in /etc, which is not in
/usr, which was the problem filesystem, so I should be ok there.
I'm puzzled by a symlink complaint, though:

/usr/src/contrib/tcpdump/README is a symlink, should be a regular file

It's a symlink to README.md, which seems reasonable and deliberate.

For future disasters...
If I needed to, is there a master easy to get at that I can diff
against to see what the changes to things like /etc/passwd are?
I could regenerate the .db files if I knew the source was ok, but
to check that I would need to be able to diff.

Gary
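
Added example (not part of the message above and not code from freebsd-update): a small sh filter that splits saved `freebsd-update IDS` findings by filesystem, so that results under the damaged /usr can be reviewed separately from the expected local edits in /etc. The function names and sample lines are constructed; the hash-mismatch line format is an assumption, and only the "is a symlink" line is taken from the message.

```shell
# Triage `freebsd-update IDS` findings by path prefix (added example).
# Assumption: every finding begins with an absolute path as its first
# whitespace-delimited field; paths containing spaces are not handled.

# ids_under PREFIX: print findings whose path is PREFIX or lies below it.
# A trailing "/" on PREFIX is ignored, and "/usr" does not match "/usr2/...".
ids_under() {
    awk -v p="${1%/}" '
        substr($1, 1, 1) == "/" &&
        ($1 == p || index($1, p "/") == 1) { print }'
}

# ids_outside PREFIX: print findings that are NOT under PREFIX.
ids_outside() {
    awk -v p="${1%/}" '
        substr($1, 1, 1) == "/" &&
        !($1 == p || index($1, p "/") == 1) { print }'
}

# ids_type_changes: findings where the object type differs (for example
# "is a symlink, should be a regular file") rather than the content hash.
ids_type_changes() {
    grep -E ' is a [a-z ]+, should be a [a-z ]+\.?$'
}

# Constructed sample input. The hash values are placeholders and the
# hash-mismatch wording is an assumed format; /usr2 is included only to
# show the prefix boundary check.
sample_ids_output() {
cat <<'EOF'
/etc/passwd has SHA256 hash aaaa, but should have SHA256 hash bbbb.
/etc/ssh/sshd_config has SHA256 hash cccc, but should have SHA256 hash dddd.
/usr/src/contrib/tcpdump/README is a symlink, should be a regular file
/usr2/local/note has SHA256 hash eeee, but should have SHA256 hash ffff.
EOF
}

# Typical use on a real system, with the IDS output saved first:
#   freebsd-update IDS > /var/tmp/ids.out
#   ids_under /usr < /var/tmp/ids.out
#   ids_outside /usr < /var/tmp/ids.out | ids_type_changes
```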