Hi Joachim, hi Yurij,

Joachim Schipper wrote on Sat, May 16, 2009 at 01:23:20PM +0200:
> On Fri, May 15, 2009 at 10:39:06PM +0500, Yuriy Grishin wrote:
>> I've installed OpenBSD 4.5 on my home gateway.
>> Random pids and critical files permission are really cool.
>> I'm just confused a little bit because I haven't found any way
>> to check the vulnerabilities of my configuration.
>> Are there any?
> This is not what you are asking for, but security(8) will run nightly
> and check various files. This detects unsophisticated intruders and -
> more importantly - makes it easy to spot and fix misconfigurations.

But be aware of this:

  $ man security | tail -n 7
  BUGS
       The name of this script may provide a false sense of security.
       There are perhaps an infinite number of ways the system can be
       compromised without this script noticing.

> Of course, it can be extended with your own critical files, if desired.

Actually, security(8), in contrast to daily(8)/weekly/monthly, does not
support security.local additions right now. I don't see a pressing need
to implement that hook, either; it would be easy enough, though, just
adding the two lines

  next_part "Running /etc/security.local:"
  run_script "security.local"

at the very end of /etc/security does the trick.
Apart from that, I would recommend against locally modifying the script
/etc/security itself. You can use daily.local for local additions.
Of course, you can also add files to the changelist(5).
Perhaps the latter is what you were hinting at.
Yours,
Ingo
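
The daily.local route suggested above, as an added example that is not part of the original message or of OpenBSD's own scripts: a POSIX sh function that reports new, changed or missing files from a local list. The list file format, the function names and the paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: baseline check for locally chosen files, meant to be
# sourced or pasted into /etc/daily.local. Not OpenBSD's /etc/security.

# Print a digest of file $1 with whichever tool is installed.
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # OpenBSD
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1    # GNU coreutils
    else
        cksum < "$1" | tr ' ' '-'           # POSIX fallback, CRC only
    fi
}

# check_local_files LIST STATEDIR
# LIST holds one absolute path per line; blank lines and lines starting
# with '#' are skipped (format assumed for this example).
# Prints one line per file that is new, changed or missing since the
# previous run, then updates the stored baseline in STATEDIR.
check_local_files() {
    list=$1
    state=$2
    mkdir -p "$state" && chmod 700 "$state" || return 1
    while IFS= read -r path; do
        case $path in ''|'#'*) continue ;; esac
        # Flatten the path into one file name for the baseline entry.
        key=$state/$(printf '%s' "$path" | tr '/' '_')
        if [ ! -f "$path" ]; then
            if [ -f "$key" ]; then echo "missing: $path"; fi
            rm -f "$key"
            continue
        fi
        new=$(digest "$path")
        if [ ! -f "$key" ]; then
            echo "new: $path"
        elif [ "$new" != "$(cat "$key")" ]; then
            echo "changed: $path"
        fi
        printf '%s\n' "$new" > "$key"
    done < "$list"
    return 0
}

# Hypothetical call from /etc/daily.local (both paths are placeholders):
#   check_local_files /etc/local.changelist /var/db/local-baseline
```

Anything the function prints ends up in the daily mail when called from daily.local, and like security(8) it only notices changes to the files it is told about.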