Date: Thu, 19 Feb 2015 09:11:22 +0100 (CET) From: Raimund Sacherer <rs@logitravel.com> To: freebsd-questions@freebsd.org Subject: Re: setuid diffs in daily security run output Message-ID: <920286937.89617878.1424333482970.JavaMail.zimbra@logitravel.com> In-Reply-To: <20150218215912.GB267@neutralgood.org> References: <1630133808.88787292.1424250372563.JavaMail.zimbra@logitravel.com> <535737942.88794111.1424250825035.JavaMail.zimbra@logitravel.com> <20150218190200.GD26575@neutralgood.org> <28505455.89479949.1424291118283.JavaMail.zimbra@logitravel.com> <20150218215912.GB267@neutralgood.org>
----- Original Message -----
> From: kpneal@pobox.com
> To: "Raimund Sacherer" <rs@logitravel.com>
> Cc: freebsd-questions@freebsd.org
> Sent: Wednesday, February 18, 2015 10:59:12 PM
> Subject: Re: setuid diffs in daily security run output
>
> On Wed, Feb 18, 2015 at 09:25:18PM +0100, Raimund Sacherer wrote:
> > ----- Original Message -----
> >
> > > From: kpneal@pobox.com
> > > To: "Raimund Sacherer" <rs@logitravel.com>
> > > Cc: freebsd-questions@freebsd.org
> > > Sent: Wednesday, February 18, 2015 8:02:00 PM
> > > Subject: Re: setuid diffs in daily security run output
> > >
> > > On Wed, Feb 18, 2015 at 10:13:45AM +0100, Raimund Sacherer wrote:
> > > > Hello,
> > > >
> > > > This is one of our first FreeBSD servers we use, and I'd rather be safe
> > > > than sorry. We put a FreeBSD 10.0 system into production and it has been
> > > > running (in production) for a couple of weeks now. Reading the security
> > > > run emails today I noticed a lot of those:
> > > >
> > > > --- snip ---
> > > > - 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
> > > > --- snip ---
> > > >
> > > > I did not see those messages before, but I do normally read those mails.
> > > > How come those messages are in the security output today? Are those
> > > > permissions correct? Should I be worried about an intruder?
> > >
> > > Is it possible someone modified or deleted the files that the security
> > > script uses to keep track of what files are setuid? If one of your other
> > > support people didn't know what something was they may have deleted it or
> > > otherwise messed with it.
> >
> > I will check this out, thank you. Is there any way to make sure that these
> > permissions are correct? Is there some place where the standard
> > permissions for all those tools are documented?
>
> The 'mtree' utility is used to check, set, and compare permissions and
> ownerships of files. It can also be used to get hashes of files so you can
> see what files have actually changed.
>
> It basically creates and consumes a manifest of at least one file.
>
> On my system the base system manifest files are in /etc/mtree, but you can
> use the 'locate' command to find them if they've moved. You will also find
> them if you have /usr/src installed.
>
> The only thing mtree lacks is support for extended attributes.

Thank you very much!

Best
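The thread turns on two things: the daily security run reports setuid files whose entry differs from a saved list (the `- 587 -r-sr-xr-x ... /bin/rcp` line is the "old" side of such a diff, which is what you see when the saved list is missing or was replaced), and mtree is the tool for recording and re-checking modes, owners and hashes. The script below is an added example written for this page, not code from the thread and not FreeBSD's own periodic script or mtree: it is a portable stand-in that builds a manifest of setuid/setgid files (mode, owner, group, size, SHA-256, path), saves it as a baseline and later reports additions, removals and changes in the same `-`/`+` style as the security mail. It uses only `find`, `ls`, `diff` and whichever SHA-256 tool is installed, so it runs on FreeBSD, Linux or macOS; the `demo` function constructs a throwaway directory with a fake `rcp` to show a changed binary and a newly setuid file.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not FreeBSD's own check):
# a portable baseline-and-compare for setuid/setgid files, in the spirit of
# the daily security run's setuid diff. Assumes find(1), ls(1), diff(1), awk(1)
# and one of sha256sum/sha256/shasum are available.

# Print the SHA-256 of one file, trying the common tool names in turn.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no-sha256-tool"      # size and mode still give a useful diff
    fi
}

# Build a manifest of setuid/setgid regular files under directory $1.
# One line per file, "mode owner group size sha256 path", sorted by path so
# the output is stable and can be saved as a baseline and diffed later.
suid_manifest() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r path; do
        # ls -ld fields: mode links owner group size ...; only 1, 3, 4, 5 are used.
        set -- $(ls -ld "$path")
        printf '%s %s %s %s %s %s\n' "$1" "$3" "$4" "$5" "$(file_sha256 "$path")" "$path"
    done
}

# Compare a saved baseline manifest ($1) with a current one ($2).
# Prints "- line" for entries that vanished or changed and "+ line" for new
# or changed ones, like the daily security mail. Returns 0 when the manifests
# are identical and 1 when anything differs.
suid_diff() {
    changes=$(diff "$1" "$2" | grep '^[<>]' | sed 's/^< /- /; s/^> /+ /')
    if [ -z "$changes" ]; then
        return 0
    fi
    printf '%s\n' "$changes"
    return 1
}

# Stand-alone demonstration on a constructed directory tree.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/bin"
    printf 'x' > "$tmp/bin/rcp";   chmod 4755 "$tmp/bin/rcp"    # setuid, like /bin/rcp
    printf 'y' > "$tmp/bin/plain"; chmod 0755 "$tmp/bin/plain"  # ordinary binary
    suid_manifest "$tmp/bin" > "$tmp/baseline"

    printf 'xx' > "$tmp/bin/rcp"; chmod 4755 "$tmp/bin/rcp"     # binary replaced
    chmod 4755 "$tmp/bin/plain"                                 # a new setuid file
    suid_manifest "$tmp/bin" > "$tmp/current"

    if suid_diff "$tmp/baseline" "$tmp/current"; then
        echo "no setuid/setgid changes"
    else
        echo "setuid/setgid changes detected (see lines above)"
    fi
    rm -rf "$tmp"
}

demo
```

On a FreeBSD host the native equivalent of `suid_manifest` is an mtree spec: `mtree -c -p /bin -K sha256digest > bin.spec` records modes, owners and SHA-256 digests, and `mtree -f bin.spec -p /bin` later reports every entry that no longer matches (these `-c`, `-p`, `-K` and `-f` options are mtree's own; the file names here are placeholders). Whichever tool builds it, keep the baseline somewhere the people with root access know not to touch, since, as the thread notes, a deleted or replaced baseline produces exactly the flood of `-` lines that started this question.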