Date: Mon, 3 Sep 2001 10:35:22 -0500 From: Damieon Stark <visigoth@securitycentric.com> To: current@freebsd.org Subject: new feature for /etc/security Message-ID: <20010903103522.A23496@morpheus.telemere.net>
Greetings all,

In my local source tree, I have a small modification to /etc/security which I thought would be good to get in the base tree. The attached .diff allows /etc/security to keep a record of all non-device related files located in /dev. Many blackhat utilities and practices include using the /dev directory as a location to create sniffer logs, suid binaries, and other evil. By keeping a database similar to /var/log/setuid.today, administrators can be notified of any changes to /dev.

The diff is against -current; however, the functionality is unchanged between -stable and -current. Is a PR the best way to submit this type of change? I didn't think a PR was appropriate because I am not submitting a problem, so much as a small enhancement.

Anybody see any huge holes in my logic?

Thanks,
visigoth

-- 
Damieon Stark, CCSE
Unix/Network Security Engineer
<plug> currently seeking employment </plug>
______________________________________________________________________________
Damieon Stark                    | Microsoft: Where do you want to go today?
e: visigoth@securitycentric.com  | Linux: Where do you want to go tomorrow?
p: 612.382.6945                  | FreeBSD/Sun: Are you guys coming or what?
pgp: 0xBE5D0C57                  | http://www.sun.com/solaris - The . in .com
pgp.mit.edu                      | http://www.freebsd.org - The power to serve!
------------------------------------------------------------------------------

Attachment: security.diff

--- security.old	Sun Sep  2 19:07:07 2001
+++ security	Sun Sep  2 19:59:29 2001
@@ -94,6 +94,27 @@ mv ${TMP} ${LOG}/setuid.today || rc=3D3 fi =20 +# Show any files in /dev which are not charactor, block +# device entries, or symlinks. + +find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP} + +if [ ! -f ${LOG}/devfiles.today ]; then + separator + echo "No ${LOG}/devfiles.today" + cp ${TMP} ${LOG}/devfiles.today || rc=3D3 +fi + +if ! cmp ${LOG}/devfiles.today ${TMP} >/dev/null; then + [ $rc -lt 1 ] && rc=3D1 + separator + echo "Checking for changes to non-device files in dev:" + diff -w ${LOG}/devfiles.today ${TMP} + mv ${LOG}/devfiles.today ${LOG}/devfiles.yesterday || rc=3D3 + mv ${TMP} ${LOG}/devfiles.today || rc=3D3 +fi + + # Show changes in the way filesystems are mounted # [ -n "$ignore" ] && cmd=3D"egrep -v ${ignore#|}" || cmd=3Dcat
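Review bot: the comment above the `find` ("not charactor, block device entries, or symlinks") does not match the predicate, which positively selects only `-type f -or -type s -or -type p`; directories and any other node type in /dev are therefore silently skipped rather than reported. Either reword the comment to say "regular files, sockets and FIFOs", or invert the test so that anything unexpected is listed, e.g. `find /dev ! \( -type c -o -type b -o -type l -o -type d \) | xargs ls -al > ${TMP}`. "charactor" in the comment should also be "character". The baseline-and-`cmp` structure mirrors the setuid.today block just above it, and since the comparison is on `ls -al` output, a change in owner, mode, size or mtime of any listed file is flagged as well as additions and removals, which is what the cover note describes.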