From owner-freebsd-questions@freebsd.org Tue Apr 19 21:57:42 2016
Message-ID: <5716A9D9.4040102@gmail.com>
Date: Tue, 19 Apr 2016 17:57:45 -0400
From: Ernie Luzar
To: Matthew Seaman
CC: freebsd-questions@freebsd.org
Subject: Re: daily security run output - Checking setuid
References: <5716234C.1020900@gmail.com> <5716401C.2000606@FreeBSD.org>
In-Reply-To: <5716401C.2000606@FreeBSD.org>

Matthew Seaman wrote:
> On 2016/04/19 13:23, Ernie Luzar wrote:
>> This morning the "daily security run output" lists a lot of files under
>> the heading of Checking setuid files & devices. I have never seen this
>> before.
>>
>> What does this mean?
>> Has my system been breached?
>> Where is the "daily security run output" documented?
>
> The output usually shows any changes to the lists of setuid or setgid
> files on your system. Take note of the leading '+' or '-' characters in
> that output. Suddenly adding one or a few new setuid files is
> suspicious. Adding write permissions to those files is frequently
> suspicious. However, adding or removing /lots/ of setuid or setgid files
> all at once is more likely to be down to operator error.
>
> The daily script depends on keeping a list of all the known setuid /
> setgid files in (by default) /var/log/setuid.today and
> /var/log/setuid.yesterday. If one or both of those files get deleted or
> modified, or that partition fills up while the security/100.chksetuid
> script is running, you'll get spurious output.
>
> Setuid programs are often viewed as a security problem by inexperienced
> administrators, and some even go as far as turning off the setuid
> functionality. That, however, is one of those mistakes you only make
> once. Properly implemented, setuid and setgid *improves* your system
> security, and it's necessary for the system to function normally.
>
> Cheers,
>
> Matthew
>

Thank you, Matthew, for your reply. I am well aware of the security
concerns of files showing up on this report. My problem is I cannot find
any documentation describing what the meaning of the report columns is.
Like, what do the leading + or - characters really mean? If the changing
of the setuid or setgid caused the file to show up on the report, how do
I know what they were before and what they are now? I sure don't see
anything labeled setuid or setgid on the report. Here is some of the
report I got as an example.
570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass
570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchsh
571182 -r-sr-xr-x 2 root wheel 6516 Mar 24 23:52:27 2016 /usr/bin/yppasswd
- 804930 -r-sr-xr-x 1 root wheel 18912 Mar 24 23:51:54 2016 /usr/jails/sharedfs/bin/rcp
- 805128 -r-sr-xr-- 1 root operator 7716 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/mksnap_ffs
- 805089 -r-sr-xr-x 1 root wheel 25700 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping
- 805082 -r-sr-xr-x 1 root wheel 33836 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping6
- 805062 -r-sr-xr-- 2 root operator 10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/poweroff
- 805062 -r-sr-xr-- 2 root operator 10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/shutdown
- 804915 -r-sr-xr-x 4 root wheel 23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/at
- 804915 -r-sr-xr-x 4 root wheel 23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/atq

Thanks for any help.
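As an added illustration of the mechanism Matthew describes (this is not the FreeBSD security/100.chksetuid script and not code from this thread), the following sh script diffs two setuid lists in the same "ls -liTd" format the daily report prints, names each path as removed ('-' line only), added ('+' line only) or changed (same path on both a '-' and a '+' line, with the old and new mode side by side), and separately flags a setuid/setgid mode that is also group- or world-writable. Both lists and the path /usr/local/bin/newtool are constructed sample data.

```shell
# Added example, not the periodic script itself: explain a setuid-list diff
# in terms of the '-' / '+' lines of the daily security report. The two
# lists below are constructed sample data (the newtool path is invented).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/setuid.yesterday" <<'EOF'
570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass
805089 -r-sr-xr-x 1 root wheel 25700 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping
805128 -r-sr-xr-- 1 root operator 7716 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/mksnap_ffs
EOF
cat > "$WORKDIR/setuid.today" <<'EOF'
570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass
805128 -rwsr-xr-x 1 root operator 7716 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/mksnap_ffs
900001 -r-sr-xr-x 1 root wheel 12345 Apr 19 10:00:00 2016 /usr/local/bin/newtool
EOF

# Join yesterday's and today's list on the path (last field). A path only in
# yesterday is a '-' line (removed), only in today a '+' line (added); a path
# whose mode string (field 2) differs shows up as a '-' and a '+' line pair.
explain_setuid_diff() {
    awk '
        FNR == NR { old[$NF] = $2; next }          # first file: remember old mode
        {
            new[$NF] = $2
            if (!($NF in old))       print "+ added   " $NF " (" $2 ")"
            else if (old[$NF] != $2) print "! changed " $NF " (" old[$NF] " -> " $2 ")"
        }
        END { for (p in old) if (!(p in new)) print "- removed " p " (was " old[p] ")" }
    ' "$1" "$2"
}

# Return 0 for an ls mode string that has the setuid or setgid bit and is
# also group- or world-writable: the "added write permissions" case.
risky_mode() {
    case "$1" in
        ???[sS]??????|??????[sS]???) ;;          # position 4 or 7 is s/S
        *) return 1 ;;
    esac
    case "$1" in
        ?????w????|????????w?) return 0 ;;       # position 6 or 9 is w
    esac
    return 1
}

explain_setuid_diff "$WORKDIR/setuid.yesterday" "$WORKDIR/setuid.today"
risky_mode '-rwsrwxr-x' && echo "-rwsrwxr-x: setuid and group-writable, investigate"
```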