From owner-freebsd-hackers Sat Nov 1 09:59:06 1997
Date: Sat, 1 Nov 1997 10:58:32 -0700 (MST)
From: Brandon Gillespie
To: Niall Smart
cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Suggested addition to /etc/security
Sender: owner-freebsd-hackers@FreeBSD.ORG

On Sat, 1 Nov 1997, Niall Smart wrote:

> On Oct 30, 10:18am, Brandon Gillespie wrote:
> } Subject: Suggested addition to /etc/security
> > I'm not sure if /etc/security is a good place for it, but I think it would
> > be a good idea to add this check (at least once a week) to somewhere:
> >
> > -------------------------------------------------
> > echo "checking for invalid user or group ids:"
> >
> > find / -nouser -nogroup
> > -------------------------------------------------
>
> Shouldn't this be "find / -nouser -o -nogroup -print"?

Yeah, or even better:

    files=`find / -nouser -o -nogroup -print`
    ls -ldF $files

(this looks better than find / -nouser -o -nogroup -exec ls -ldF {} \;)

On the same note, what about adding a few checks of the syslog for things.
I'm not sure if /etc/security is the right place for that or not. I know
that 'newsyslog' has a note about adding that sort of functionality, but.. ?
Just a simple:

    fgrep 'BAD SU' /var/log/messages

Would suffice for su--the same could go for X failed login attempts on
other ports, etc.

We could get more complex and open rotated logfiles we haven't checked yet
(and note the last logfile to be checked--including the dates). Is there
interest in this, or is something better being worked on? I could easily
cruft up /etc/security, if there is interest, and I won't be duplicating any
work..

-Brandon Gillespie
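
The two checks discussed in this message, as an added example that is not part of the original thread or of FreeBSD's /etc/security: an ownership scan, and a 'BAD SU' scan that remembers how far it has read so each run reports only new entries and starts over after rotation. The function names, the state-file format and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names and the
# state-file format ("inode lines-checked") are assumptions.

# report_orphans ROOT: list files whose owner or group no longer exists.
# The parentheses apply the listing to both tests; in
# "-nouser -o -nogroup -print" the action binds to -nogroup only.
report_orphans() {
    find "$1" \( -nouser -o -nogroup \) -exec ls -ldF {} +
}

# new_bad_su LOG STATE: print 'BAD SU' lines added to LOG since the last run.
new_bad_su() {
    log=$1; state=$2
    [ -r "$log" ] || return 0
    old_inode=; seen=0
    if [ -f "$state" ]; then read -r old_inode seen < "$state"; fi
    inode=$(ls -i "$log" | awk '{print $1}')
    total=$(wc -l < "$log" | tr -d ' ')
    # A new inode (log renamed and recreated) or fewer lines (truncated)
    # means the log was rotated, so start again from the first line.
    if [ "$inode" != "$old_inode" ] || [ "$total" -lt "$seen" ]; then
        seen=0
    fi
    # Report only lines seen+1..total, the same snapshot that is recorded.
    awk -v a="$seen" -v b="$total" 'NR > a && NR <= b && /BAD SU/' "$log"
    echo "$inode $total" > "$state"
}

# demo: run the check twice over a constructed sample log.
demo() {
    dir=$(mktemp -d)
    {
        echo 'Nov  1 10:00:01 host su: BAD SU alice to root on /dev/ttyp0'
        echo 'Nov  1 10:00:05 host login: ROOT LOGIN (root) ON ttyv0'
    } > "$dir/messages"
    echo "first run:";  new_bad_su "$dir/messages" "$dir/state"
    echo "second run:"; new_bad_su "$dir/messages" "$dir/state"
    rm -rf "$dir"
}

# "sh thisfile demo" runs the sample; a weekly job would instead call
#   report_orphans /  and  new_bad_su /var/log/messages <state file>
if [ "${1:-}" = "demo" ]; then demo; fi
```

Entries written to the old log between the last run and the rotation are not covered here; reading the rotated file as well, as the message suggests, would close that gap.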