From owner-freebsd-questions@freebsd.org Tue Apr 19 14:26:02 2016
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: daily security run output - Checking setuid
Date: Tue, 19 Apr 2016 15:26:36 +0100
Message-ID: <5716401C.2000606@FreeBSD.org>
In-Reply-To: <5716234C.1020900@gmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>
On 2016/04/19 13:23, Ernie Luzar wrote:
> This morning the "daily security run output" lists a lot of files under
> the heading of Checking setuid files & devices. I have never seen this
> before.
>
> What does this mean?
> Has my system been breached?
> Where is the "daily security run output" documented?

The output usually shows any changes to the lists of setuid or setgid
files on your system. Take note of the leading '+' or '-' characters in
that output. Suddenly adding one or a few new setuid files is
suspicious. Adding write permissions to those files is frequently
suspicious. However, adding or removing /lots/ of setuid or setgid files
all at once is more likely to be down to operator error.

The daily script depends on keeping a list of all the known setuid /
setgid files in (by default) /var/log/setuid.today and
/var/log/setuid.yesterday. If one or both of those files get deleted or
modified, or that partition fills up while the security/100.chksetuid
script is running, you'll get spurious output.
Setuid programs are often viewed as a security problem by inexperienced
administrators, and some even go as far as turning off the setuid
functionality. That, however, is one of those mistakes you only make
once. Properly implemented, setuid and setgid *improve* your system
security, and they're necessary for the system to function normally.

Cheers,

Matthew
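The mechanics Matthew describes (a sorted list of setuid/setgid files kept from one day to the next, a diff against it, '+' and '-' lines for what changed, and nonsense output when the baseline is missing) can be reproduced on a scratch directory. The script below is an added example written for this page; it is not Matthew's code and not FreeBSD's own security/100.chksetuid script, only a simplified imitation of the same idea. All file names under the temporary directory are constructed fixtures, and the `flag_writable_setuid` check is an addition that flags the "adding write permissions" case from the reply.

```shell
#!/bin/sh
# Added example, not the mailing-list author's code and not FreeBSD's own
# security/100.chksetuid script: a simplified imitation of the daily
# setuid check, run against a throwaway directory so the '+'/'-' lines
# can be reproduced. Every file and directory name here is a constructed
# fixture.

# List setuid/setgid regular files under $1 as "mode owner group path",
# sorted by path so two lists diff cleanly. (-perm -4000 / -perm -2000
# works on both BSD and GNU find.)
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null \
        | awk '{print $1, $3, $4, $NF}' | sort -k4
}

# Print only the entries that differ between yesterday's list ($1) and
# today's ($2): '-' for an entry gone since yesterday, '+' for one that is
# new today. A changed mode shows up as a '-'/'+' pair. If the baseline is
# missing or empty (the "spurious output" case from the mail), diff runs
# against /dev/null, so every current entry is reported as '+'.
report_setuid_changes() {
    base=$1
    if [ ! -s "$base" ]; then
        echo "WARNING: baseline $base missing or empty; every entry below will look new" >&2
        base=/dev/null
    fi
    # tail skips the '---'/'+++' file headers; '@@' hunk lines do not match.
    diff -U 0 "$base" "$2" | tail -n +3 | grep '^[-+]' || true
}

# Flag entries in a list file whose mode grants group or world write
# access: the "adding write permissions" case from the mail. In the mode
# string the group-write bit is character 6 and the other-write bit is 9.
flag_writable_setuid() {
    awk 'substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" { print "WRITABLE:", $0 }' "$1"
}

# Build a constructed two-day fixture and write the two lists the way the
# periodic script keeps setuid.yesterday / setuid.today. Prints the root.
make_fixture() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/chksetuid.XXXXXX") || return 1
    mkdir -p "$root/bin"
    : > "$root/bin/su_like";      chmod 4755 "$root/bin/su_like"      # setuid, stays
    : > "$root/bin/sgid_like";    chmod 2755 "$root/bin/sgid_like"    # setgid, unchanged
    : > "$root/bin/removed_suid"; chmod 4755 "$root/bin/removed_suid" # loses its bit
    : > "$root/bin/plain";        chmod 0755 "$root/bin/plain"        # never listed
    list_setuid "$root" > "$root/setuid.yesterday"
    # "Today": one setuid file appears, one loses its bit, one becomes group-writable.
    : > "$root/bin/new_suid";     chmod 4755 "$root/bin/new_suid"
    chmod 0755 "$root/bin/removed_suid"
    chmod 4775 "$root/bin/su_like"
    list_setuid "$root" > "$root/setuid.today"
    echo "$root"
}

# Stand-alone run (sh this_file --demo): show the report the way the
# daily mail would, then clean up the fixture.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "Checking setuid files & devices (constructed fixture):"
    report_setuid_changes "$root/setuid.yesterday" "$root/setuid.today"
    flag_writable_setuid "$root/setuid.today"
    rm -rf "$root"
fi
```

Run with `sh chksetuid_demo.sh --demo` and the report shows four changed lines (a '-'/'+' pair for the file whose mode changed, a '-' for the one that lost its setuid bit, a '+' for the new one) while the unchanged setgid file is silent, which is the "one or a few new files" signal the reply says to take seriously. Pointing `report_setuid_changes` at a missing baseline reproduces the other case from the reply: every entry comes out as '+', which looks alarming but means the comparison file was lost, not that the system was breached. The real script's knobs and log locations are configured through periodic.conf(5).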