From owner-freebsd-security Thu Jan 8 08:46:26 1998
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA01317 for security-outgoing; Thu, 8 Jan 1998 08:46:26 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from mailbox.nosc.mil (mailbox.nosc.mil [198.253.34.39]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA01310 for ; Thu, 8 Jan 1998 08:46:23 -0800 (PST) (envelope-from swann@nosc.mil)
Received: from localhost (swann@localhost) by mailbox.nosc.mil (8.8.3/8.8.3) with SMTP id LAA01918; Thu, 8 Jan 1998 11:45:47 -0500 (EST)
X-Authentication-Warning: mailbox.nosc.mil: swann owned process doing -bs
Date: Thu, 8 Jan 1998 11:45:47 -0500 (EST)
From: Bryan Swann
X-Sender: swann@mailbox
To: Lance Hartford
cc: freebsd-security@freebsd.org
Subject: Re: /usr/bin/su modification time changing
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I believe there are three different times associated with each file,
creation time, last access time, last modification time. I assume your
message came from tripwire or a similar tool. You can use options to the
ls command to determine which of the times have changed. You may find that
you need to alter the 'time' your security check monitors for.

Best of luck.

 __________________________________________________________________________
| Bryan Swann (swann@nosc.mil)   803/974-4267   803/974-5080 (Fax)        |
| Eagan McAllister Associates, Inc.                                        |
|                                                                          |
| "Everything must be working perfectly, cause I don't smell any smoke"    |
 --------------------------------------------------------------------------

On Thu, 8 Jan 1998, Lance Hartford wrote:

>
> I just installed 2.2.5 on a PC and I received the following portion of
> message in a security mail that was sent out last night:
>
> xyz setuid diffs:
> 152c152
> < -r-sr-xr-x 1 root bin 16384 Oct 21 10:19:25 1997 /usr/bin/su
> ---
> > -r-sr-xr-x 1 root bin 16384 Jan 7 19:40:28 1998 /usr/bin/su
>
> I did a "sum" on the /usr/bin/su on another system onsite, and found
> that there was no difference compared to the one on this system. Does
> this imply that there is a security problem at my site?
>
> Thanks.
>
> Lance
>
>
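
The question in this thread (a changed timestamp on a setuid binary whose checksum still matches) can be reproduced with the added Python example below, which is not part of the original messages. It snapshots the access, modification and inode-change times that stat(2) reports together with mode, owner, size and a SHA-256 digest, then names what differs between two snapshots. The names Snapshot, snapshot, changed_fields, classify and demo, the file name su-copy and the use of SHA-256 in place of "sum" are assumptions made for the example.

```python
import hashlib
import os
import stat
import tempfile
from collections import namedtuple

Snapshot = namedtuple("Snapshot", "mode uid gid size atime mtime ctime sha256")

def snapshot(path):
    """Record the fields an integrity check could compare for one file."""
    st = os.stat(path)  # stat first: reading the file below may itself move atime
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return Snapshot(stat.filemode(st.st_mode), st.st_uid, st.st_gid, st.st_size,
                    st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns, digest)

def changed_fields(before, after):
    return [f for f in Snapshot._fields if getattr(before, f) != getattr(after, f)]

def classify(before, after):
    """Name the most significant difference between two snapshots."""
    diff = set(changed_fields(before, after)) - {"atime"}  # plain reads move atime
    if not diff:
        return "unchanged"
    if diff & {"sha256", "size"}:
        return "content changed"
    if diff & {"mode", "uid", "gid"}:
        return "permissions or ownership changed"
    if "mtime" in diff:
        return "mtime changed, content identical"
    return "ctime only"

def demo():
    """Build a constructed file, then touch it and edit it, snapshotting each state."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "su-copy")  # constructed stand-in, not /usr/bin/su
        with open(path, "wb") as fh:
            fh.write(b"constructed sample bytes\n")
        os.chmod(path, 0o755)
        base = snapshot(path)
        # Move mtime one hour forward without touching the bytes, as touch(1) would.
        os.utime(path, ns=(base.atime, base.mtime + 3_600 * 10**9))
        touched = snapshot(path)
        with open(path, "ab") as fh:
            fh.write(b"x")
        edited = snapshot(path)
    return base, touched, edited

if __name__ == "__main__":
    base, touched, edited = demo()
    print(changed_fields(base, touched), "->", classify(base, touched))
    print(changed_fields(base, edited), "->", classify(base, edited))
```

A report like the quoted one, where only the listed time differs while mode, owner, size and digest match, falls into the "mtime changed, content identical" branch. The atime field is ignored because the check's own read of the file can move it.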