Date: Tue, 13 Nov 2001 17:27:26 -0500 (EST) From: Robert Watson <rwatson@FreeBSD.org> To: John Baldwin <jhb@FreeBSD.org> Cc: Alexander Leidinger <Alexander@Leidinger.net>, current@FreeBSD.org, "Crist J. Clark" <cristjc@earthlink.net> Subject: Re: daily run output & passwd diff Message-ID: <Pine.NEB.3.96L.1011113172509.55075A-100000@fledge.watson.org> In-Reply-To: <XFMail.011113142247.jhb@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 13 Nov 2001, John Baldwin wrote: > > My temptation would actually be to ignore any commented lines in either > > file for the purposes of the diff. For the purposes of security checking, > > you care mostly about the uncommented lines. This would allow the script > > to exclude content when it didn't understand its semantics (and hence > > might risk revealing information it wasn't intended to). > > So if some (admittedly weird) sysadmin temporarily comments out a > password line then the next day we will broadcast that crypted password > in plaintext e-mail? Not sure I follow. I was suggesting that any line beginning with '#' be excluded from the diffing, since the script can't know if information in the comment is sensitive or not, and therefore can't censor it. I.e., the conceptual equivilent of: grep -v '^#' master.passwd > master.passwd.tmp grep -v '^#' master.passwd.bak > master.passwd.bak.tmp diff -u master.passwd.bak master.passwd If an entry was commented out, then uncommented, then both events would show up, just as removal/addition. I could be missing something, of course :-). Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1011113172509.55075A-100000>