From owner-freebsd-current Wed Apr 5 12:12:18 1995
Return-Path: current-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6)
	id MAA25717 for current-outgoing; Wed, 5 Apr 1995 12:12:18 -0700
Received: from gndrsh.aac.dev.com (gndrsh.aac.dev.com [198.145.92.241])
	by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id MAA25693 ;
	Wed, 5 Apr 1995 12:12:14 -0700
Received: (from rgrimes@localhost) by gndrsh.aac.dev.com (8.6.8/8.6.6)
	id MAA01157; Wed, 5 Apr 1995 12:12:04 -0700
From: "Rodney W. Grimes"
Message-Id: <199504051912.MAA01157@gndrsh.aac.dev.com>
Subject: Re: "Cookbook" for security.
To: wollman@halloran-eldar.lcs.mit.edu (Garrett Wollman)
Date: Wed, 5 Apr 1995 12:12:03 -0700 (PDT)
Cc: jkh@freefall.cdrom.com, current@freefall.cdrom.com
In-Reply-To: <9504051622.AA25931@halloran-eldar.lcs.mit.edu> from "Garrett Wollman" at Apr 5, 95 12:22:13 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1364
Sender: current-owner@FreeBSD.org
Precedence: bulk

>
> < said:
>
> > It seems to me that this would serve as a very valuable security aid
> > and of use in creating the overall security tool from hell that I'd
> > like to see on FreeBSD someday! :-)
>
> One of the results of `make distribution' should be to `cd
> /where/ever; mtree >
> /somewhere/else/distname.mtree'.

Yes, and a lot of the work I put into mtree for the -c option was aimed
at just this. In fact at one time /usr/src/etc/mtree/BSD.* were the output
of a series of mtree commands I ran and then committed the resulting files.

I still run these mtree commands when doing my regression tests of finding
out what is working correctly with ``make DESTDIR=foo install''.

For creating new versions of /usr/src/etc/mtree/BSD.* files I use:
	mtree -c -d -i -n -x -kuname,gname,mode -p /usr >/tmp/BSD.usr.dist

These still require some hand edits for the header, and now that include
has been moved out that requires a hand edit.

To create a really good file for checking your system use something like:
	mtree -c -i -n -kuname,gname,mode,size,link,time,md5digest \
		-p / >/tmp/BSD.full.dist

-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                   Custom computers for FreeBSD
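
The check that a file made with those keywords supports, as an added example that is not part of the original message or of mtree itself: a simplified Python reader for the specification format that compares mode, size and md5digest against a directory tree. Assumptions: only `/set`, entry lines and `..` are handled (no `/unset`, continuation lines or escaped names), the function names are hypothetical, and the sample tree in demo() is constructed.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def parse_spec(text):
    """Yield (path, keywords) per entry of a simplified mtree specification."""
    defaults, cwd = {}, []
    for words in map(str.split, text.splitlines()):
        if not words or words[0].startswith("#"):
            continue                      # blank line or comment
        if words[0] == "/set":            # defaults for the entries that follow
            defaults.update(w.split("=", 1) for w in words[1:])
        elif words[0] == "..":            # leave the current directory
            del cwd[-1:]
        else:
            kw = {**defaults, **dict(w.split("=", 1) for w in words[1:])}
            yield os.path.join(*cwd, words[0]), kw
            if kw.get("type") == "dir":   # later entries live inside it
                cwd.append(words[0])

def verify(spec_text, root):
    """Return 'path: keyword' strings for entries under root that differ."""
    problems = []
    for path, kw in parse_spec(spec_text):
        full = Path(root, path)
        if not os.path.lexists(full):
            problems.append(f"{path}: missing")
            continue
        st = os.lstat(full)
        if "mode" in kw and stat.S_IMODE(st.st_mode) != int(kw["mode"], 8):
            problems.append(f"{path}: mode")
        if kw.get("type") == "file":      # size and digest apply to files only
            if "size" in kw and st.st_size != int(kw["size"]):
                problems.append(f"{path}: size")
            if "md5digest" in kw:
                if hashlib.md5(full.read_bytes()).hexdigest() != kw["md5digest"]:
                    problems.append(f"{path}: md5digest")
    return problems

def demo():
    """Constructed sample tree: record it, change one file in place, re-check."""
    root, data = tempfile.mkdtemp(), b"root:*:0:0::/root:/bin/sh\n"
    passwd = Path(root, "etc", "passwd")
    passwd.parent.mkdir()
    passwd.write_bytes(data)
    passwd.chmod(0o644)
    spec = ("/set type=file\n. type=dir\n  etc type=dir\n    passwd mode=0644 "
            f"size={len(data)} md5digest={hashlib.md5(data).hexdigest()}\n  ..\n..\n")
    clean = verify(spec, root)
    passwd.write_bytes(data.replace(b"*", b":"))  # same size, different content
    return clean, verify(spec, root)
```

The edit in demo() keeps the file's size and mode, so only the md5digest keyword reports it.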