Date:      Fri, 31 Mar 1995 15:34:25 -0600 (CST)
From:      Mike Pritchard <pritc003@maroon.tc.umn.edu>
To:        taob@gate.sinica.edu.tw (Brian Tao)
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: New /etc/security script for FreeBSD
Message-ID:  <199503312134.PAA00270@mpp.com>
In-Reply-To: <Pine.BSI.3.91.950401032811.1567K-200000@aries.ibms.sinica.edu.tw> from "Brian Tao" at Apr 1, 95 03:44:11 am

>     I've attached the script to this message and seek comments on it.
> Two functional changes have been made to the script.  The first is
> changing line 33 to reflect FreeBSD's 8-char username limit.  The
> second is the addition of a checksum module starting at line 557.  It
> uses md5(1) to calculate checksums for all files in a specified set of
> directories chosen to contain system binaries.  Its purpose is to aid
> in the detection of trojan horses.

One change I made to my /etc/daily & /etc/security was to only
send me mail if the security script detected something.  The reason
being, I didn't want to get sick of seeing the message every day
and automatically delete it without really reading it and then
miss something.  I plan to do something like this with my daily/monthly
scripts sometime, too.  My feeling is that any automatic scripts like
this should only produce mail where there really is something wrong,
otherwise people just tend to glance at them and might miss something
important (this is especially true if they receive mail from multiple
machines).  If we import this new security script, I would vote for doing
things the way I described (otherwise it is just more work for me to port
them to my way :-).

I'm sure that there are people who like to see lots of mail in their
mailbox, so maybe there should be some type of option in sysconfig that 
allows you to specify whether or not the automatic scripts should always
produce output, or only produce output on "significant events"?

My changes were done like so:

#/etc/daily:
[...lots of stuff removed...]
# Capture everything the security script prints; it exits non-zero
# only when it actually found something.
sh /etc/security > /tmp/_daily.$$ 2>&1
if [ $? -ne 0 ]
#	change the above line to:
# if [ $? -ne 0 -o "$SCRIPT_OUTPUT" = "TRUE" ]
#	if sysconfig is changed, and some option is added to control this
then
	mail -s "daily insecurity output" root < /tmp/_daily.$$
fi
rm -f /tmp/_daily.$$


Then changing security like this:

#/etc/security:
# EXITSTAT becomes 1 as soon as any check reports something, so that
# /etc/daily can tell a quiet run from a noisy one.
EXITSTAT=0
[...lots of stuff removed...]
# ($host, $LOG and $TMP are set in the part of the script removed above.)
echo "checking for uids of 0:"
awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' /etc/master.passwd > $TMP
if cmp $LOG/uids.today $TMP >/dev/null; then :; else
	echo "$host uid 0 diffs:"
	diff $LOG/uids.today $TMP
	mv $LOG/uids.today $LOG/uids.yesterday
	mv $TMP $LOG/uids.today
	EXITSTAT=1
fi
rm -f $TMP
exit $EXITSTAT
--
Mike Pritchard
pritc003@maroon.tc.umn.edu
"Go that way.  Really fast.  If something gets in your way, turn"
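The "mail only on significant events" arrangement described in the message above, with the uid-0 check and a checksum module of the kind the quoted script adds, as one self-contained script. This is an added example, not Mike Pritchard's script and not FreeBSD's /etc/security; the `SCRIPT_OUTPUT` name is taken from the commented-out line in the message, while the state directory layout (`uids.today`, `sums.today` under a `$LOG` argument) and the md5sum fallback for non-BSD hosts are assumptions of this example.

```shell
#!/bin/sh
# Added example: quiet-unless-something-changed security checks in the
# style discussed above. State files live in the directory passed as $LOG;
# the SCRIPT_OUTPUT setting (assumed sysconfig-style variable) decides
# whether a report is mailed even when nothing was found.

# Should the daily report be mailed? $1 = exit status of the checks,
# $2 = SCRIPT_OUTPUT ("TRUE" means always mail, otherwise only on findings).
should_mail() {
    [ "$1" -ne 0 ] || [ "$2" = "TRUE" ]
}

# Hex MD5 digest of one file: md5(1) on BSD, md5sum(1) elsewhere (assumed).
digest_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Compare today's UID-0 accounts in passwd file $1 with $2/uids.today.
# Prints a diff and returns 1 on any change, 0 when unchanged. On the very
# first run the baseline is empty, so every UID-0 account is reported once.
check_uid0() {
    passwd=$1; log=$2; tmp=$log/uids.tmp.$$
    awk 'BEGIN {FS=":"} $3=="0" {print $1,$3}' "$passwd" > "$tmp"
    [ -f "$log/uids.today" ] || : > "$log/uids.today"
    if cmp "$log/uids.today" "$tmp" >/dev/null; then
        rm -f "$tmp"; return 0
    fi
    echo "uid 0 diffs:"
    diff "$log/uids.today" "$tmp"
    mv "$log/uids.today" "$log/uids.yesterday"
    mv "$tmp" "$log/uids.today"
    return 1
}

# Checksum module: digest every regular file under the directories in $1
# (space separated) and compare with $2/sums.today. Returns 1 and prints the
# changed, added or removed entries if anything differs, 0 otherwise.
check_checksums() {
    dirs=$1; log=$2; tmp=$log/sums.tmp.$$
    for d in $dirs; do
        find "$d" -type f | sort | while read -r f; do
            printf '%s %s\n' "$(digest_file "$f")" "$f"
        done
    done > "$tmp"
    [ -f "$log/sums.today" ] || : > "$log/sums.today"
    if cmp "$log/sums.today" "$tmp" >/dev/null; then
        rm -f "$tmp"; return 0
    fi
    echo "checksum diffs:"
    diff "$log/sums.today" "$tmp"
    mv "$log/sums.today" "$log/sums.yesterday"
    mv "$tmp" "$log/sums.today"
    return 1
}

# Run every check: $1 = passwd file, $2 = directory list, $3 = state dir.
# Exit status is 1 if any check reported something, mirroring EXITSTAT.
run_security() {
    status=0
    check_uid0 "$1" "$3" || status=1
    check_checksums "$2" "$3" || status=1
    return $status
}

# The /etc/daily side: capture the report, mail it only when warranted.
# $4 = SCRIPT_OUTPUT setting. Not exercised by the test (needs mail(1)).
daily_report() {
    out=/tmp/_daily.$$
    run_security "$1" "$2" "$3" > "$out" 2>&1
    rc=$?
    if should_mail "$rc" "$4"; then
        mail -s "daily insecurity output" root < "$out"
    fi
    rm -f "$out"
    return $rc
}
```

The checks deliberately rotate their baseline on every reported change, exactly as the uids.today/uids.yesterday pair in the message does, so a change is mailed once and then becomes the new normal; the checksum baseline should therefore be refreshed deliberately after a legitimate upgrade, otherwise the next run reports it.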