Greetings all,

        In my local source tree, I have a small modification to /etc/security
which I thought would be good to get in the base tree.  The attached .diff
allows /etc/security to keep a record of all non-device related files located
in /dev.  Many blackhat utilities and practices include using the /dev
directory as a location to create sniffer logs, suid binaries, and other evil.
By keeping a database similar to /var/log/, administrators can be
notified of any changes to /dev.  The diff is against -current, however the
functionality is unchanged between -stable and -current.

        Is a PR the best way to submit this type of change?  I didn't think a
PR was appropriate because I am not submitting a problem, so much as a small

        Anybody see any huge holes in my logic?



Damieon Stark, CCSE
Unix/Network Security Engineer
currently seeking employment

        Damieon Stark           | Microsoft: Where do you want to go today?
e: [EMAIL PROTECTED] | Linux: Where do you want to go tomorrow?
        p: 612.382.6945         | FreeBSD/Sun: Are you guys coming or what?
        pgp: 0xBE5D0C57         | - The . in .com             | - The power to serve!
--- security.old        Sun Sep  2 19:07:07 2001
+++ security    Sun Sep  2 19:59:29 2001
@@ -94,6 +94,27 @@
        mv ${TMP} ${LOG}/ || rc=3
+# Show any files in /dev which are not charactor, block
+# device entries, or symlinks.
+find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP}
+if [ ! -f ${LOG}/ ]; then
+       separator
+       echo "No ${LOG}/"
+       cp ${TMP} ${LOG}/ || rc=3
+if ! cmp ${LOG}/ ${TMP} >/dev/null; then
+       [ $rc -lt 1 ] && rc=1
+       separator
+       echo "Checking for changes to non-device files in dev:"
+       diff -w ${LOG}/ ${TMP}
+       mv ${LOG}/ ${LOG}/devfiles.yesterday || rc=3
+       mv ${TMP} ${LOG}/ || rc=3
 # Show changes in the way filesystems are mounted
 [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
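Review bot: as shown, neither `if` in this hunk is closed with a `fi`, and every `${LOG}/` reference ends in a bare slash with no file name (`cmp ${LOG}/ ${TMP}` would compare a directory against the temp file), while the rename target is spelled out as `${LOG}/devfiles.yesterday`; if that is not a paste artifact, the today-side name (e.g. `${LOG}/devfiles.today`) needs to be written out in the `-f` test, the `cp`, the `cmp`, the `diff` and both `mv` lines, and both blocks need their `fi`, or the surrounding `# Show changes in the way filesystems are mounted` section will never be reached. Separately, `find /dev -type f -or -type s -or -type p | xargs ls -al` passes names through whitespace-split `xargs`; prefer `find /dev \( -type f -o -type s -o -type p \) -exec ls -al {} +` (or `-print0 | xargs -0`) so that an attacker-chosen file name with spaces or newlines cannot hide from, or corrupt, the listing, and note that `-type s` selects sockets, not the "symlinks" the comment mentions. Minor: "charactor" in the comment should read "character".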
