new /etc/security mod

Wed, 05 Sep 2001 17:31:50 -0700 

Greetings all,

        I have had a small modification to /etc/security floating around in my
tree for a little while, and thought it would be best to submit it.  The
modifications allow the /etc/security script to keep daily track of changes to
all non char/block special files in /dev.  Many nefarious activities tend to 
occur in /dev due to the often cryptic file names, and the level of 
understanding of the average administrator.  I have seen boxen which have
large files in /dev due to sniffer/keylogger activities.  A daily database is
created in /var/log similar to /var/log/setuid.today and 
/var/log/setuid.yesterday. If I am way off my rocker, or somebody sees an
obvious way to improve the method, please let me know.

I realized this should be submitted when I got a report of the mod being used
to detect a rooted box...

The .diff is against -current, but should apply to -stable as well...

Thanks, and keep up all the wonderful work!
visigoth

-- 

Damieon Stark, CCSE
Unix/Network Security Engineer
<plug>
currently seeking employment
</plug>

______________________________________________________________________________
        Damieon Stark           | Microsoft: Where do you want to go today?
e: [EMAIL PROTECTED] | Linux: Where do you want to go tommorow?
        p: 612.382.6945         | FreeBSD/Sun: Are you guys coming or what?
        pgp: 0xBE5D0C57         | http://www.sun.com/solaris - The . in .com
        pgp.mit.edu             | http://www.freebsd.org - The power to serve!
------------------------------------------------------------------------------
I'll see your DMCA and raise you a First Amendment.
http://www.anti-dmca.org
------------------------------------------------------------------------------

--- security.old        Sun Sep  2 19:07:07 2001
+++ security    Sun Sep  2 19:59:29 2001
@@ -94,6 +94,27 @@
        mv ${TMP} ${LOG}/setuid.today || rc=3
 fi
 
+# Show any files in /dev which are not charactor, block
+# device entries, or symlinks.
+
+find /dev -type f -or -type s -or -type p | xargs ls -al > ${TMP}
+
+if [ ! -f ${LOG}/devfiles.today ]; then
+       separator
+       echo "No ${LOG}/devfiles.today"
+       cp ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+if ! cmp ${LOG}/devfiles.today ${TMP} >/dev/null; then
+       [ $rc -lt 1 ] && rc=1
+       separator
+       echo "Checking for changes to non-device files in dev:"
+       diff -w ${LOG}/devfiles.today ${TMP}
+       mv ${LOG}/devfiles.today ${LOG}/devfiles.yesterday || rc=3
+       mv ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+
 # Show changes in the way filesystems are mounted
 #
 [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat

PGP signature

Reply via email to