From: Garrett Wollman
Date: Tue, 19 Dec 2000 15:19:48 -0500 (EST)
To: Guy Helmer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD against hacking
Message-Id: <200012192019.PAA33368@khavrinen.lcs.mit.edu>

< said:

> Use mtree(8) to check the md5 hashes of your system's binaries against the
> original 4.2 release (I haven't tried it, but I believe you can run "mtree
> -K md5digest" and compare the results against the *.mtree files in the
> release).

You'd probably find that to be rather difficult and tedious, and there's
no reason to do such a comparison by hand since that function is built
in to mtree. Just do `mtree -d /mnt/foo -f /rdonly/foo.mtree'.

After setting up a new system for the first time, I recommend doing a:

    mtree -c -i -x -p /file/system -k \
    size,flags,gid,md5digest,sha1digest,ripemd160digest,mode,nlink,uid,link,time

for every filesystem. You might well want to use an excludes file for
directories containing files which are very likely to change.
For example, a quick test showed me:

    .:          modification time (Tue Dec 19 15:10:20 2000, Tue Dec 19 15:11:34 2000)
    dev/ttyp1:  modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000)
    dev/ptyp1:  modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000)
    dev/ttyp2:  modification time (Tue Dec 19 15:10:25 2000, Tue Dec 19 15:15:26 2000)
    dev/null:   modification time (Tue Dec 19 15:05:54 2000, Tue Dec 19 15:11:03 2000)
    tmp:        modification time (Tue Dec 19 15:10:01 2000, Tue Dec 19 15:15:23 2000)

-GAWollman

-- 
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick
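The baseline-then-compare workflow Wollman describes, as an added Python example that is not part of this mail and does not call FreeBSD's mtree: it records the same kind of keywords `mtree -c -k ...` would (ripemd160, flags and link omitted), reports differences the way mtree does, and honours an excludes list like the one he suggests. The `snapshot`/`compare`/`demo` functions and the temporary `bin/ls` and `tmp` tree are constructed for illustration; the demo shows why the digest keywords matter when size and modification time alone look unchanged.

```python
import hashlib, os, pathlib, shutil, stat, tempfile

# Keywords taken from the mtree -k list in the mail ("time" = mtime); ripemd160, flags and
# link are left out because they are not portable from plain Python.
KEYWORDS = ("size", "mode", "nlink", "uid", "gid", "time", "md5digest", "sha1digest")

def snapshot(root, excludes=()):
    """Like `mtree -c -p root`: keyword values keyed by relative path, skipping `excludes`."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if any(rel == e or rel.startswith(e + os.sep) for e in excludes):
                continue                      # inside an excluded subtree (cf. mtree -X)
            st = os.lstat(full)
            entry = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "nlink": st.st_nlink,
                     "uid": st.st_uid, "gid": st.st_gid, "time": int(st.st_mtime)}
            if stat.S_ISREG(st.st_mode):      # digests only make sense for plain files
                data = pathlib.Path(full).read_bytes()
                entry["md5digest"] = hashlib.md5(data).hexdigest()
                entry["sha1digest"] = hashlib.sha1(data).hexdigest()
            spec[rel] = entry
    return spec

def compare(baseline, current):
    """Like `mtree -f spec -p root`: one (path, keyword, old, new) tuple per changed keyword."""
    report = []
    for rel in sorted(set(baseline) | set(current)):
        b, c = baseline.get(rel), current.get(rel)
        if b is None or c is None:            # entry removed or added since the baseline
            report.append((rel, "extra" if b is None else "missing", None, None))
        else:
            report += [(rel, k, b.get(k), c.get(k)) for k in KEYWORDS if b.get(k) != c.get(k)]
    return report

def demo():
    """Constructed tree: bin/ls rewritten at the same size with mtime restored; churn under tmp."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    ls = os.path.join(root, "bin", "ls")
    pathlib.Path(ls).write_bytes(b"original ls\n")
    base = snapshot(root, excludes=("tmp",))
    st = os.stat(ls)
    pathlib.Path(ls).write_bytes(b"modified ls\n")      # 12 bytes like before: size unchanged
    os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))   # mtime put back: time unchanged
    os.makedirs(os.path.join(root, "tmp", "scratch"))   # new entries, but under excludes
    report = compare(base, snapshot(root, excludes=("tmp",)))
    shutil.rmtree(root)
    return report
```

Only the md5digest and sha1digest keywords of bin/ls show up in the demo's report; the noisy tmp directory is silent because it is excluded in both the baseline and the check, which is the point of the excludes file.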