From owner-freebsd-stable Sat Oct 5 13:48:54 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7545337B404 for ; Sat, 5 Oct 2002 13:48:52 -0700 (PDT) Received: from web11606.mail.yahoo.com (web11606.mail.yahoo.com [216.136.172.58]) by mx1.FreeBSD.org (Postfix) with SMTP id ECA6243E42 for ; Sat, 5 Oct 2002 13:48:51 -0700 (PDT) (envelope-from holtor@yahoo.com) Message-ID: <20021005204851.89445.qmail@web11606.mail.yahoo.com> Received: from [24.188.24.163] by web11606.mail.yahoo.com via HTTP; Sat, 05 Oct 2002 13:48:51 PDT Date: Sat, 5 Oct 2002 13:48:51 -0700 (PDT) From: Holt Grendal Subject: Daily Security Output to check GID 0 To: security@freebsd.org Cc: stable@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Would it be possible for someone to get whoever runs the periodic system in freebsd to somehow add a facility that runs in the daily scripts to check users with GID 0 aswell as users with UID 0? Like we have now, only get GID 0 also?: # 300.chkuid0 daily_status_security_chkuid0_enable="YES" I've recently had a machine where some users got ahold of another login who was in /etc/group and got to root and then changed their user groups to 0 and I didnt notice untill checking the master.passwd file line by line. The output would have caught it the day it happened. Would this be possible? TIA Holt __________________________________________________ Do you Yahoo!? Faith Hill - Exclusive Performances, Videos & More http://faith.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message