Date:      Mon, 3 Sep 2001 10:35:22 -0500
From:      Damieon Stark <visigoth@securitycentric.com>
To:        current@freebsd.org
Subject:   new feature for /etc/security
Message-ID:  <20010903103522.A23496@morpheus.telemere.net>

Greetings all,

	In my local source tree, I have a small modification to /etc/security
which I thought would be good to get in the base tree.  The attached .diff
allows /etc/security to keep a record of all non-device related files located
in /dev.  Many blackhat utilities and practices include using the /dev
directory as a location to create sniffer logs, suid binaries, and other evil.
By keeping a database similar to /var/log/setuid.today, administrators can be
notified of any changes to /dev.  The diff is against -current; however, the
functionality is unchanged between -stable and -current.

	Is a PR the best way to submit this type of change?  I didn't think a
PR was appropriate because I am not submitting a problem, so much as a small
enhancement.

	Anybody see any huge holes in my logic?

Thanks,
visigoth

-- 

Damieon Stark, CCSE
Unix/Network Security Engineer
<plug>
currently seeking employment
</plug>

______________________________________________________________________________
	Damieon Stark		| Microsoft: Where do you want to go today?
e: visigoth@securitycentric.com	| Linux: Where do you want to go tomorrow?
	p: 612.382.6945		| FreeBSD/Sun: Are you guys coming or what?
	pgp: 0xBE5D0C57		| http://www.sun.com/solaris - The . in .com
	pgp.mit.edu		| http://www.freebsd.org - The power to serve!
------------------------------------------------------------------------------

Attachment: security.diff

--- security.old	Sun Sep  2 19:07:07 2001
+++ security	Sun Sep  2 19:59:29 2001
@@ -94,6 +94,27 @@
 	mv ${TMP} ${LOG}/setuid.today || rc=3D3
 fi
=20
+# Show any files in /dev which are not charactor, block
+# device entries, or symlinks.
+
+find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP}
+
+if [ ! -f ${LOG}/devfiles.today ]; then
+	separator
+	echo "No ${LOG}/devfiles.today"
+	cp ${TMP} ${LOG}/devfiles.today || rc=3D3
+fi
+
+if ! cmp ${LOG}/devfiles.today ${TMP} >/dev/null; then
+	[ $rc -lt 1 ] && rc=3D1
+	separator
+	echo "Checking for changes to non-device files in dev:"
+	diff -w ${LOG}/devfiles.today ${TMP}
+	mv ${LOG}/devfiles.today ${LOG}/devfiles.yesterday || rc=3D3
+	mv ${TMP} ${LOG}/devfiles.today || rc=3D3
+fi
+
+
 # Show changes in the way filesystems are mounted
 #
 [ -n "$ignore" ] && cmd=3D"egrep -v ${ignore#|}" || cmd=3Dcat
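Review bot: the `find /dev -type f -or -type s -or -type p | xargs ls -al` pipeline at the top of this hunk splits names on whitespace, so a planted file such as `/dev/pty p0` would be reported by `ls` as two non-existent names rather than as the file itself, and a name containing a newline is split the same way; since `ls -al` is only used to produce a long listing, `find /dev \( -type f -o -type s -o -type p \) -ls > ${TMP}` gives the same information without passing names through `xargs` (the parentheses are needed once `-ls` is on the expression, or it binds only to `-type p`). Two smaller points: `ls -al` output includes modification times, so a FIFO or socket recreated at boot, or a regular file that is merely rewritten, shows up as a change after every reboot even when nothing new appeared in /dev, so consider stripping the timestamp columns before the listing is stored; and the comment misspells "character" and should also say that directories are skipped, since `-type d` is not in the list either.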

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010903103522.A23496>