From: Raimund Sacherer
To: freebsd-questions@freebsd.org
Date: Thu, 19 Feb 2015 09:11:22 +0100 (CET)
Subject: Re: setuid diffs in daily security run output
Message-ID: <920286937.89617878.1424333482970.JavaMail.zimbra@logitravel.com>
In-Reply-To: <20150218215912.GB267@neutralgood.org>

----- Original Message -----
> From: kpneal@pobox.com
> To: "Raimund Sacherer"
> Cc: freebsd-questions@freebsd.org
> Sent: Wednesday, February 18, 2015 10:59:12 PM
> Subject: Re: setuid diffs in daily security run output
>
> On Wed, Feb 18, 2015 at 09:25:18PM +0100, Raimund Sacherer wrote:
> > ----- Original Message -----
> >
> > > From: kpneal@pobox.com
> > > To: "Raimund Sacherer"
> > > Cc: freebsd-questions@freebsd.org
> > > Sent: Wednesday, February 18, 2015 8:02:00 PM
> > > Subject: Re: setuid diffs in daily security run output
> > >
> > > On Wed, Feb 18, 2015 at 10:13:45AM +0100, Raimund Sacherer wrote:
> > > > Hello,
> > > >
> > > > This is one of our first FreeBSD servers we use, and I'd rather be safe
> > > > than sorry. We put a FreeBSD 10.0 system in production and it has been
> > > > running (in production) for a couple of weeks now. Reading the security
> > > > run emails today I noticed a lot of these:
> > > >
> > > > --- snip ---
> > > > - 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
> > > > --- snip ---
> > > >
> > > > I did not see those messages before, but I normally do read those
> > > > mails. How come those messages are in the security output today? Are
> > > > those permissions correct? Should I be worried about an intruder?
> > >
> > > Is it possible someone modified or deleted the files that the security
> > > script uses to keep track of what files are setuid? If one of your other
> > > support people didn't know what something was they may have deleted it or
> > > otherwise messed with it.
> >
> > I will check this out, thank you. Is there any way to make sure that these
> > permissions are correct? Is there some place where the standard
> > permissions for all those tools are documented?
>
> The 'mtree' utility is used to check, set, and compare permissions and
> ownerships of files. It can also be used to get hashes of files so you can
> see what files have actually changed. It basically creates and consumes a
> manifest of at least one file.
>
> On my system the base system manifest files are in /etc/mtree, but you can
> use the 'locate' command to find them if they've moved. You will also find
> them if you have /usr/src installed.
>
> The only thing mtree lacks is support for extended attributes.

Thank you very much!

Best
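The comparison behind a report line like the quoted `- 587 -r-sr-xr-x ... /bin/rcp`, as an added example that is neither the FreeBSD periodic script nor code from this thread: it parses yesterday's and today's snapshot of setuid/setgid files in the `ls -liTd`-style layout of that line and reports what disappeared, appeared, or changed attributes. It assumes the daily report is a diff of yesterday's list against today's, so a `-` line is an entry present only in yesterday's snapshot; the snapshot contents are constructed.

```python
"""Compare two daily snapshots of setuid/setgid files, the way a setuid report
is produced: per-path, attribute by attribute. Constructed data, not FreeBSD's script."""

FIELDS = ("inode", "mode", "nlink", "owner", "group", "size", "mtime")

def parse_snapshot(text):
    """Parse 'ls -liTd'-style lines (inode mode links owner group size
    Mon DD HH:MM:SS YYYY path) into {path: {field: value}}."""
    entries = {}
    for line in filter(None, text.splitlines()):
        f = line.split(None, 10)      # path is field 11 and may contain spaces
        if len(f) != 11:
            raise ValueError("unparseable snapshot line: %r" % line)
        values = (int(f[0]), f[1], int(f[2]), f[3], f[4], int(f[5]),
                  " ".join(f[6:10]))  # keep the timestamp as ls prints it
        entries[f[10]] = dict(zip(FIELDS, values))
    return entries

def diff_snapshots(yesterday, today):
    """Return which setuid paths disappeared, appeared, or changed attributes
    (a changed size/mtime/inode is what a replaced binary looks like)."""
    old, new = parse_snapshot(yesterday), parse_snapshot(today)
    changed = {}
    for path in sorted(old.keys() & new.keys()):
        diffs = [k for k in FIELDS if old[path][k] != new[path][k]]
        if diffs:
            changed[path] = diffs
    return {"removed": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys()),
            "changed": changed}

# Constructed sample snapshots. The /bin/rcp line mirrors the one quoted in
# the thread; the other entries are made up for illustration.
YESTERDAY = """\
587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
1201 -r-sr-xr-x 1 root wheel 27480 Jan 16 22:40:07 2014 /usr/bin/passwd
1340 -r-sr-xr-x 1 root wheel 14352 Jan 16 22:40:07 2014 /usr/bin/su
"""
TODAY = """\
1201 -r-sr-xr-x 1 root wheel 27480 Jan 16 22:40:07 2014 /usr/bin/passwd
1340 -r-sr-xr-x 1 root wheel 15104 Feb 18 03:12:55 2015 /usr/bin/su
4410 -rwsr-xr-x 1 root wheel 9832 Feb 18 03:10:02 2015 /usr/local/bin/example tool
"""

if __name__ == "__main__":
    for kind, paths in diff_snapshots(YESTERDAY, TODAY).items():
        print(kind, "->", paths)
```

An entry in `removed` (the `-` case from the thread) means the file either lost its setuid bit or is gone; an entry in `changed` is the one to verify against the base-system mtree manifest, since the list alone cannot tell a legitimate update from a replaced binary.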