Greetings all,

        I have had a small modification to /etc/security floating around in my
tree for a little while, and thought it would be best to submit it.  The
modifications allow the /etc/security script to keep daily track of changes to
all non char/block special files in /dev.  Many nefarious activities tend to 
occur in /dev due to the often cryptic file names, and the level of 
understanding of the average administrator.  I have seen boxen which have
large files in /dev due to sniffer/keylogger activities.  A daily database is
created in /var/log similar to /var/log/ and 
/var/log/setuid.yesterday. If I am way off my rocker, or somebody sees an
obvious way to improve the method, please let me know.

I realized this should be submitted when I got a report of the mod being used
to detect a rooted box...

The .diff is against -current, but should apply to -stable as well...

Thanks, and keep up all the wonderful work!


Damieon Stark, CCSE
Unix/Network Security Engineer
currently seeking employment

        Damieon Stark           | Microsoft: Where do you want to go today?
e: [EMAIL PROTECTED] | Linux: Where do you want to go tommorow?
        p: 612.382.6945         | FreeBSD/Sun: Are you guys coming or what?
        pgp: 0xBE5D0C57         | - The . in .com             | - The power to serve!
I'll see your DMCA and raise you a First Amendment.
--- security.old        Sun Sep  2 19:07:07 2001
+++ security    Sun Sep  2 19:59:29 2001
@@ -94,6 +94,27 @@
        mv ${TMP} ${LOG}/ || rc=3
+# Show any files in /dev which are not charactor, block
+# device entries, or symlinks.
+find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP}
+if [ ! -f ${LOG}/ ]; then
+       separator
+       echo "No ${LOG}/"
+       cp ${TMP} ${LOG}/ || rc=3
+if ! cmp ${LOG}/ ${TMP} >/dev/null; then
+       [ $rc -lt 1 ] && rc=1
+       separator
+       echo "Checking for changes to non-device files in dev:"
+       diff -w ${LOG}/ ${TMP}
+       mv ${LOG}/ ${LOG}/devfiles.yesterday || rc=3
+       mv ${TMP} ${LOG}/ || rc=3
 # Show changes in the way filesystems are mounted
 [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat

PGP signature

Reply via email to