From owner-freebsd-current Wed Sep 5 17:39:04 2001
Date: Mon, 3 Sep 2001 10:35:22 -0500
From: Damieon Stark
To: current@freebsd.org
Subject: new feature for /etc/security
Message-ID: <20010903103522.A23496@morpheus.telemere.net>

Greetings all,

In my local source tree, I have a small modification to /etc/security which I thought would be good to get in the base tree. The attached .diff allows /etc/security to keep a record of all non-device related files located in /dev. Many blackhat utilities and practices include using the /dev directory as a location to create sniffer logs, suid binaries, and other evil. By keeping a database similar to /var/log/setuid.today, administrators can be notified of any changes to /dev. The diff is against -current; however, the functionality is unchanged between -stable and -current.

Is a PR the best way to submit this type of change? I didn't think a PR was appropriate because I am not submitting a problem, so much as a small enhancement.

Anybody see any huge holes in my logic?

Thanks,
visigoth

-- 
Damieon Stark, CCSE
Unix/Network Security Engineer
currently seeking employment
______________________________________________________________________________
Damieon Stark                   | Microsoft: Where do you want to go today?
e: visigoth@securitycentric.com | Linux: Where do you want to go tomorrow?
p: 612.382.6945                 | FreeBSD/Sun: Are you guys coming or what?
pgp: 0xBE5D0C57                 | http://www.sun.com/solaris - The . in .com
     pgp.mit.edu                | http://www.freebsd.org - The power to serve!
------------------------------------------------------------------------------

Content-Disposition: attachment; filename="security.diff"

--- security.old	Sun Sep  2 19:07:07 2001
+++ security	Sun Sep  2 19:59:29 2001
@@ -94,6 +94,27 @@
 	mv ${TMP} ${LOG}/setuid.today || rc=3
 fi
 
+# Show any files in /dev which are not charactor, block
+# device entries, or symlinks.
+
+find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP}
+
+if [ ! -f ${LOG}/devfiles.today ]; then
+	separator
+	echo "No ${LOG}/devfiles.today"
+	cp ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+if ! cmp ${LOG}/devfiles.today ${TMP} >/dev/null; then
+	[ $rc -lt 1 ] && rc=1
+	separator
+	echo "Checking for changes to non-device files in dev:"
+	diff -w ${LOG}/devfiles.today ${TMP}
+	mv ${LOG}/devfiles.today ${LOG}/devfiles.yesterday || rc=3
+	mv ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+
 # Show changes in the way filesystems are mounted
 #
 [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
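Review bot: the `find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP}` line is the fragile part of this hunk. `xargs ls -al` splits on whitespace, so a planted name such as `/dev/my log` is listed as two nonexistent files (an error on stderr and no record in the database), and, depending on the xargs(1) implementation, an empty find result runs `ls -al` with no arguments, which lists the current directory and then shows up as a bogus change on the next run. `find /dev \( -type f -o -type s -o -type p \) -exec ls -al {} \;` avoids both, and the parentheses make the three alternatives bind together if another test is added later. Since the result is compared byte for byte with `cmp` and `diff -w`, piping the listing through `sort` before writing `${TMP}` keeps the baseline independent of directory order. Minor: "charactor" in the new comment.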
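Added example, not code from the post or from FreeBSD's /etc/security: a stand-alone shell version of the same non-device baseline check, which runs `ls` per match through `find -exec` rather than `xargs`, sorts the listing so the comparison does not depend on directory order, and keeps the patch's exit-code convention (0 unchanged, 1 changes found, 3 an operation failed). The function name `check_dev_files` and its two arguments (directory to scan, directory holding the baseline) are assumptions made for this example.

```shell
#!/bin/sh
# Baseline check for non-device entries (regular files, sockets, fifos)
# under a directory, modelled on the /etc/security patch above.
# check_dev_files and its arguments are names assumed for this example.
check_dev_files() {
    devdir=$1
    logdir=$2
    tmp=$logdir/devfiles.tmp
    today=$logdir/devfiles.today
    rc=0

    # Parentheses group the -type alternatives into one selection. -exec
    # with {} \; runs ls once per match, so names with whitespace survive and
    # an empty result runs nothing. sort makes the listing order stable.
    find "$devdir" \( -type f -o -type s -o -type p \) -exec ls -ld {} \; \
        | sort > "$tmp" || rc=3

    # First run: seed the baseline, exactly as the patch does.
    if [ ! -f "$today" ]; then
        echo "No $today"
        cp "$tmp" "$today" || rc=3
    fi

    # Any byte-level difference is reported and the baseline is rotated.
    if ! cmp "$today" "$tmp" >/dev/null; then
        [ "$rc" -lt 1 ] && rc=1
        echo "Checking for changes to non-device files in $devdir:"
        diff "$today" "$tmp"
        mv "$today" "$logdir/devfiles.yesterday" || rc=3
        mv "$tmp" "$today" || rc=3
    else
        rm -f "$tmp"
    fi
    return "$rc"
}
```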