Greetings all,
I have had a small modification to /etc/security floating around in my
tree for a little while, and thought it would be best to submit it. The
modifications allow the /etc/security script to keep daily track of changes to
all non char/block special files in /dev. Many nefarious activities tend to
occur in /dev due to the often cryptic file names, and the level of
understanding of the average administrator. I have seen boxen which have
large files in /dev due to sniffer/keylogger activities. A daily database is
created in /var/log similar to /var/log/setuid.today and
/var/log/setuid.yesterday. If I am way off my rocker, or somebody sees an
obvious way to improve the method, please let me know.
I realized this should be submitted when I got a report of the mod being used
to detect a rooted box...
The .diff is against -current, but should apply to -stable as well...
Thanks, and keep up all the wonderful work!
visigoth
--
Damieon Stark, CCSE
Unix/Network Security Engineer
<plug>
currently seeking employment
</plug>
______________________________________________________________________________
Damieon Stark | Microsoft: Where do you want to go today?
e: [EMAIL PROTECTED] | Linux: Where do you want to go tomorrow?
p: 612.382.6945 | FreeBSD/Sun: Are you guys coming or what?
pgp: 0xBE5D0C57 | http://www.sun.com/solaris - The . in .com
pgp.mit.edu | http://www.freebsd.org - The power to serve!
------------------------------------------------------------------------------
I'll see your DMCA and raise you a First Amendment.
http://www.anti-dmca.org
------------------------------------------------------------------------------
--- security.old Sun Sep 2 19:07:07 2001
+++ security Sun Sep 2 19:59:29 2001
@@ -94,6 +94,27 @@
mv ${TMP} ${LOG}/setuid.today || rc=3
fi
+# Show any files in /dev which are not charactor, block
+# device entries, or symlinks.
+
+find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP}
+
+if [ ! -f ${LOG}/devfiles.today ]; then
+ separator
+ echo "No ${LOG}/devfiles.today"
+ cp ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+if ! cmp ${LOG}/devfiles.today ${TMP} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ separator
+ echo "Checking for changes to non-device files in dev:"
+ diff -w ${LOG}/devfiles.today ${TMP}
+ mv ${LOG}/devfiles.today ${LOG}/devfiles.yesterday || rc=3
+ mv ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+
# Show changes in the way filesystems are mounted
#
[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
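Review bot: the `find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP}` line will report a change every day for any regular file in /dev that is merely rewritten, because `ls -al` includes the modification time in every entry, and it also breaks on any path containing whitespace since the names are passed to xargs unquoted; the setuid check a few lines above in the same script avoids both problems, so consider matching it with `find /dev \( -type f -o -type s -o -type p \) -print0 | xargs -0 ls -liTd` (or `find ... -ls`), which also keeps the inode and full timestamp so that a file replaced with an identical-looking one is still caught. Two smaller points in the same hunk: the comment promises symlinks are excluded, which the `-type` tests do achieve, but it would be clearer to say the check covers regular files, sockets and FIFOs only; and the double blank line before `# Show changes in the way filesystems are mounted` should be collapsed to one to match the rest of the script.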