From owner-freebsd-security@FreeBSD.ORG Tue Aug 21 15:56:22 2012
Date: Tue, 21 Aug 2012 08:49:32 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
Subject: Re: getting the running patch level
In-Reply-To: <20120821120031.9B0771065674@hub.freebsd.org>
Message-Id: <20120821155622.A9FB5106566C@hub.freebsd.org>

Jilles Tjoelker wrote:
> I think the idea of having 'make installworld' create something is good,
> but we should not hard-code policy by writing the information into a
> file that may be shown to unauthenticated users (such as by getty).
>
> A new file with a name=value format somewhat like /etc/lsb-release on
> Linux seems more appropriate. If the admin wants /etc/issue,
> /etc/rc.d/motd can create it.

Automatically updating /etc/issue (or /etc/issue.net, but not issue.* should
that be adopted from other OSes) has security implications due to potentially
unintended information disclosure.
WRT writing a new file, something like /etc/bsd-release would be a good
choice following the principle of least surprise. Mergemaster can and should
ignore it (and motd, issue, ...). Strict adherence to the KIS principle,
however, would only write this information to the first line of the motd,
after the kernel info.

Simon Nielsen wrote:
> A simple approach would be to just append -uX to the uname string, but I'm
> not really sure if I like that... To illustrate, if for a 9.0 system, where
> kernel is patch 3 userland is patch 5, we would show FreeBSD
> 9.0-RELEASE-p3-u5. The nice thing is that we don't try to be clever and
> therefore are less likely to get it wrong.

There's not a good way to report on every userland (lib/binary) file but a
simple find and/or checksum (a la integrit) could indicate whether anything
had been updated since the last installworld. That could be noted by
appending a simple "-modified" to whatever uname prints for the userland
version. Attempting to do more than that, IMO, would have a negative ROI.

IMO,
Roger Marquis
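The two ideas in the message above, Simon Nielsen's "-uX" suffix on the uname string and the checksum-based "-modified" marker, combined in one script. This is an added illustration, not code from the thread or from FreeBSD. It assumes a hypothetical name=value release file (called bsd-release here, with a PATCHLEVEL key) that installworld would write, a manifest file whose location is the script's own choice, and that "uname -r" already carries the kernel's -pN suffix. The sample tree, release file and manifest are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example: compose a version string of the form Simon Nielsen described
# (<uname -r>-u<userland patch level>), and append "-modified" when the
# installed userland no longer matches a checksum manifest recorded at
# installworld time. File names and formats below are assumptions for this
# example, not anything FreeBSD actually writes.

# Print a checksum for one file, preferring SHA-256 and falling back to cksum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Record "<hash> <relative path>" for every regular file under ROOT, sorted so
# two runs over an unchanged tree produce byte-identical output.
write_manifest() {
    root=$1; out=$2
    find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#"$root/"}"
    done > "$out"
}

# Read PATCHLEVEL from the hypothetical name=value release file (assumption:
# installworld would write it, like /etc/lsb-release on Linux). Defaults to 0.
userland_patchlevel() {
    level=$(sed -n 's/^PATCHLEVEL=//p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${level:-0}"
}

# Exit 0 if the tree under ROOT differs from MANIFEST (a missing manifest
# also counts as modified), 1 if it is unchanged.
userland_modified() {
    root=$1; manifest=$2
    tmp=$(mktemp)
    write_manifest "$root" "$tmp"
    if cmp -s "$manifest" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"; return 0
}

# version_string UNAME_R RELEASE_FILE ROOT MANIFEST
#   e.g. 9.0-RELEASE-p3 with PATCHLEVEL=5 -> 9.0-RELEASE-p3-u5[-modified]
version_string() {
    v="$1-u$(userland_patchlevel "$2")"
    if userland_modified "$3" "$4"; then
        v="$v-modified"
    fi
    printf '%s\n' "$v"
}

# Demo on a constructed tree (not a real system): record, report, tamper, report.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/root/bin" "$t/root/lib"
    printf 'fake ls binary\n' > "$t/root/bin/ls"
    printf 'fake libc\n' > "$t/root/lib/libc.so.7"
    printf 'NAME=FreeBSD\nVERSION=9.0-RELEASE\nPATCHLEVEL=5\n' > "$t/bsd-release"
    write_manifest "$t/root" "$t/manifest"        # what installworld would do
    version_string 9.0-RELEASE-p3 "$t/bsd-release" "$t/root" "$t/manifest"
    printf 'locally rebuilt libc\n' > "$t/root/lib/libc.so.7"
    version_string 9.0-RELEASE-p3 "$t/bsd-release" "$t/root" "$t/manifest"
    rm -rf "$t"
}

demo
```

Two caveats a practitioner would want. The manifest only proves anything if it was written by installworld as root and cannot be rewritten by whoever can alter the userland; otherwise the attacker updates both and the "-modified" marker never appears, which is the same trust problem integrit and similar tools face. And the string should go where the thread's earlier message suggests, the motd shown after login, rather than /etc/issue, since it tells an unauthenticated reader exactly which patches are missing.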