Date: Tue, 19 Apr 2016 17:57:45 -0400 From: Ernie Luzar <luzar722@gmail.com> To: Matthew Seaman <matthew@FreeBSD.org> Cc: freebsd-questions@freebsd.org Subject: Re: daily security run output - Checking setuid Message-ID: <5716A9D9.4040102@gmail.com> In-Reply-To: <5716401C.2000606@FreeBSD.org> References: <5716234C.1020900@gmail.com> <5716401C.2000606@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Matthew Seaman wrote: > On 2016/04/19 13:23, Ernie Luzar wrote: >> This morning the "daily security run output" lists a lot of files under >> the heading of Checking setuid files & devices. I have never seen this >> before. >> >> What does this mean? >> Has my system been breached? >> Where is the "daily security run output" documented? > > The output usually shows any changes to the lists of setuid or setgid > files on your system. Take note of the leading '+' or '-' characters in > that output. Suddenly adding one or a few new setuid files is > suspicious. Adding write permissions to those files is frequently > suspicious. However adding or removing /lots/ of setuid or setgid files > all at once is more likely to be down to operator error. > > The daily script depends on keeping a list of all the known setuid / > setgid files in (by default) /var/log/setuid.today and > /var/log/setuid.yesterday. If one or both of those files get deleted or > modified, or that partition fills up while the security/100.chksetuid > script is running, you'll get spurious output. > > Setuid programs are often viewed as a security problem by inexperienced > administrators, and some even go as far as turning off the setuid > functionality. That, however, is one of those mistakes you only make > once. Properly implemented, setuid and setgid *improves* your system > security, and it's necessary for the system to function normally. > > Cheers, > > Matthew > Thank you Matthew for your reply. I am well aware of the security concerns of fies showing up on this report. My problem is I can not find any documentation describing what the meaning of the report columns are. Like what does the leading + or - characters really mean. If the changing of the setuid or setgid caused the file to show up on the report, how do I know what they were before and what they are now? I sure don't see anything labeled setuid or setgid on the report. Here is some of the report I got as example. 570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass 570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchsh 571182 -r-sr-xr-x 2 root wheel 6516 Mar 24 23:52:27 2016 /usr/bin/yppasswd - 804930 -r-sr-xr-x 1 root wheel 18912 Mar 24 23:51:54 2016 /usr/jails/sharedfs/bin/rcp - 805128 -r-sr-xr-- 1 root operator 7716 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/mksnap_ffs - 805089 -r-sr-xr-x 1 root wheel 25700 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping - 805082 -r-sr-xr-x 1 root wheel 33836 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping6 - 805062 -r-sr-xr-- 2 root operator 10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/poweroff - 805062 -r-sr-xr-- 2 root operator 10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/shutdown - 804915 -r-sr-xr-x 4 root wheel 23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/at - 804915 -r-sr-xr-x 4 root wheel 23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/atq Thanks for any help.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5716A9D9.4040102>