Re: Weard security report

Hi Sven,

sven falempin wrote on Wed, Nov 06, 2013 at 10:24:53AM -0500:

> Running security(8):
>
> == /var/db/cloud.json diffs (-OLD +NEW) ==
> --- /dev/null Fri Oct 25 01:30:33 2013
> +++ /var/db/cloud.json Thu Oct 17 17:21:15 2013
>
> Previous security:
>
> == /var/db/cloud.json diffs (-OLD +NEW) ==
> --- /var/backups/var_db_cloud.json.current Sat Jul 27 01:30:11 2013
> +++ /var/db/cloud.json Wed Aug 7 16:28:55 2013
>
> /dev/null !!!??? What could possibly have happened??

> Is this possible if a reboot occurs while the daily is running
> (I guess not, but...)?

Actually, yes.

The copying is done with File::Copy::copy. If you look into
/usr/libdata/perl5/File/Copy.pm, the function copy() does:

  open $to_h, ">", $to

So the file is first truncated, then written to, non-atomically.

In principle, if the security script gets killed right after truncating
the file, before writing any data into it, I would expect the next
security(8) run to compare against /dev/null in backup_if_changed()
because the code says:

  my $last = -s $current ? $current : '/dev/null';

But it's a narrow race to end up with an empty $current.

> PS: Is that possible to keep more than one backup in /var/backup ?

That's trivial to implement, see below, the question is whether we want it...

Yours,
  Ingo


Index: security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.23
diff -u -p -r1.23 security
--- security21 Mar 2013 09:37:37 - 1.23
+++ security16 Nov 2013 23:54:42 -
@@ -755,6 +755,12 @@ sub backup_if_changed {
 	diff $last, $orig or return;
 	if (-s $current) {
+		for (my $next = 5; $next; --$next) {
+			my $prev = $next - 1 || '';
+			next unless -s $backup$prev;
+			copy $backup$prev, $backup$next;
+			chown 0, 0, $backup$next;
+		}
 		copy $current, $backup;
 		chown 0, 0, $backup;
 	}
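Review bot: the rotation loop in backup_if_changed (the `for (my $next = 5; $next; --$next)` block) moves every generation with copy(), which is the same truncate-then-write File::Copy path the mail above diagnoses as non-atomic, and neither copy's nor chown's return value is checked, so a kill in the middle of the loop can leave a truncated generation behind (the `-s` test skips it on the next run, but its contents are gone). A per-generation rename() instead, e.g. `rename "$backup$prev", "$backup$next"` for $next from 5 down to 1, is atomic, needs no chown, and avoids rewriting up to five files on every change; only the final `copy $current, $backup` needs to copy. Also, as the hunk reads here, `-s $backup$prev` and `copy $backup$prev, $backup$next` are unquoted, which Perl will not parse; presumably the archive dropped the double quotes around "$backup$prev" and "$backup$next".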
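The truncate-then-write window Ingo describes can be closed by writing the backup to a temporary file in the same directory and renaming it into place. The following is an added example, not code from security(8) or from the diff above; atomic_copy() is a hypothetical replacement for the plain `copy $current, $backup` call and assumes, like security(8), that it runs as root.

```perl
#!/usr/bin/perl
# Added example (hypothetical atomic_copy(), not security(8)'s own code).
# The data goes to a temporary file next to the target and is then
# rename(2)d over it.  rename is atomic, so a kill or reboot mid-copy
# leaves either the old backup or the complete new one, never an empty
# $backup that a later run would diff as /dev/null.
use strict;
use warnings;
use File::Basename qw(basename dirname);
use File::Copy qw(copy);
use File::Temp qw(tempfile);
use IO::Handle;

sub atomic_copy {
    my ($src, $dst) = @_;

    # Must be in $dst's directory: rename() cannot cross filesystems.
    # tempfile() creates the file with mode 0600, as a backup should be.
    my ($fh, $tmp) = tempfile(basename($dst) . ".XXXXXX",
                              DIR => dirname($dst), UNLINK => 0);

    # copy() into the open handle, then flush and fsync, so the new
    # backup is on disk before it becomes visible under $dst.
    unless (copy($src, $fh) && $fh->flush && $fh->sync && close($fh)) {
        my $err = $! || 'copy failed';
        unlink $tmp;
        die "atomic_copy: $src -> $dst: $err\n";
    }

    # security(8) chowns its backups to root:root; do it on the temp
    # file so the final name never exists half set up.
    if ($> == 0) {
        chown 0, 0, $tmp or do { unlink $tmp; die "chown $tmp: $!\n" };
    }

    rename $tmp, $dst
        or do { my $e = $!; unlink $tmp; die "rename $tmp -> $dst: $e\n" };
    return $dst;
}

# Demo on constructed files in a scratch directory (not /var/backups).
if (!caller) {
    my $dir = File::Temp->newdir();
    my ($current, $backup) = ("$dir/cloud.json", "$dir/var_db_cloud.json.current");
    open my $out, '>', $current or die "$current: $!";
    print $out qq({"constructed": "sample"}\n);
    close $out;
    atomic_copy($current, $backup);
    printf "%s: %d bytes\n", $backup, -s $backup;    # same size as $current
}
```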
Weard security report

Hello,

I love daily scripts and used it to follow some activity on server(s).
One of my servers got this entry:

Running security(8):

== /var/db/cloud.json diffs (-OLD +NEW) ==
--- /dev/null Fri Oct 25 01:30:33 2013
+++ /var/db/cloud.json Thu Oct 17 17:21:15 2013
[...]

Previous security:

== /var/db/cloud.json diffs (-OLD +NEW) ==
--- /var/backups/var_db_cloud.json.current Sat Jul 27 01:30:11 2013
+++ /var/db/cloud.json Wed Aug 7 16:28:55 2013
[..]

/dev/null !!!??? What could possibly have happened??

PS: Is that possible to keep more than one backup in /var/backup ?

-- 
-
()  ascii ribbon campaign - against html e-mail
/\
Re: Weard security report

On Wed, November 6, 2013 19:24, sven falempin wrote:
> Hello,

Hi

> I love daily scripts and used it to follow some activity on server(s).
> One of my servers got this entry:
>
> Running security(8):
>
> == /var/db/cloud.json diffs (-OLD +NEW) ==
> --- /dev/null Fri Oct 25 01:30:33 2013
> +++ /var/db/cloud.json Thu Oct 17 17:21:15 2013
> [...]
>
> Previous security:
>
> == /var/db/cloud.json diffs (-OLD +NEW) ==
> --- /var/backups/var_db_cloud.json.current Sat Jul 27 01:30:11 2013
> +++ /var/db/cloud.json Wed Aug 7 16:28:55 2013
> [..]
>
> /dev/null !!!??? What could possibly have happened??

/dev/null tells that cloud.json is a newly created file, so it's diffed against /dev/null.

> PS: Is that possible to keep more than one backup in /var/backup ?
Re: Weard security report

On Wed, Nov 06, 2013 at 10:24:53AM -0500, sven falempin wrote:
> == /var/db/cloud.json diffs (-OLD +NEW) ==
> --- /dev/null Fri Oct 25 01:30:33 2013
> +++ /var/db/cloud.json Thu Oct 17 17:21:15 2013

This just means that the file was created as opposed to empty.

Joerg
Re: Weard security report

Joerg Sonnenberger <jo...@britannica.bec.de> wrote:
> On Wed, Nov 06, 2013 at 10:24:53AM -0500, sven falempin wrote:
>> == /var/db/cloud.json diffs (-OLD +NEW) ==
>> --- /dev/null Fri Oct 25 01:30:33 2013
>> +++ /var/db/cloud.json Thu Oct 17 17:21:15 2013
>
> This just means that the file was created as opposed to empty.
>
> Joerg

But if his previous security run indicated there was one, I suspect he lost the one in /var/backup somewhere on the way. Repartitioning?

/Alexander
Re: Weard security report

On Wed, Nov 6, 2013 at 11:43 AM, Alexander Hall <alexan...@beard.se> wrote:
> Joerg Sonnenberger <jo...@britannica.bec.de> wrote:
>> On Wed, Nov 06, 2013 at 10:24:53AM -0500, sven falempin wrote:
>>> == /var/db/cloud.json diffs (-OLD +NEW) ==
>>> --- /dev/null Fri Oct 25 01:30:33 2013
>>> +++ /var/db/cloud.json Thu Oct 17 17:21:15 2013
>>
>> This just means that the file was created as opposed to empty.
>>
>> Joerg
>
> But if his previous security run indicated there was one, I suspect he lost the one in /var/backup somewhere on the way. Repartitioning?
>
> /Alexander

Sorry, I didn't add this info in the first mail. First thing I checked: only one partition :-(

Is this possible if a reboot occurs while the daily is running (I guess not, but...)?

-- 
-
()  ascii ribbon campaign - against html e-mail
/\
Re: Weard security report

http://sans.org/

English Version (PDF)
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201311_en.pdf

English Version (.epub -- tablets only)
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201311_eneb.epub

Translations Archives
http://www.securingthehuman.org/ouch

In addition, we have a new video of the month: Encryption. Encryption is often emphasized as one of the key methods to secure data, yet many people do not understand what it is or how it works. This video explains encryption using simple and easy to understand terms.
http://www.securingthehuman.org/resources/ncsam

Thanks!

Lance Spitzner
Training Director, SANS Securing The Human Program
Mobile: +1.708.557.6006
Skype/Twitter: lspitzner
Blog: www.securingthehuman.org/blog

To change your subscription information please visit https://www.sans.org/account/subscriptions.
SANS Institute, 8120 Woodmont Ave., Suite 205, Bethesda, MD 20814-2743

On Thu, 7/11/13, sven falempin <sven.falem...@gmail.com> wrote:

> Subject: Re: Weard security report
> To: tech@openbsd.org <tech@openbsd.org>
> Received: Thursday, 7 November, 2013, 3:49 AM
>
> On Wed, Nov 6, 2013 at 11:43 AM, Alexander Hall <alexan...@beard.se> wrote:
>> Joerg Sonnenberger <jo...@britannica.bec.de> wrote:
>>> On Wed, Nov 06, 2013 at 10:24:53AM -0500, sven falempin wrote:
>>>> == /var/db/cloud.json diffs (-OLD +NEW) ==
>>>> --- /dev/null Fri Oct 25 01:30:33 2013
>>>> +++ /var/db/cloud.json Thu Oct 17 17:21:15 2013
>>>
>>> This just means that the file was created as opposed to empty.
>>>
>>> Joerg
>>
>> But if his previous security run indicated there was one, I suspect he lost the one in /var/backup somewhere on the way. Repartitioning?
>>
>> /Alexander
>
> Sorry, I didn't add this info in the first mail. First thing I checked: only one partition :-(
>
> Is this possible if a reboot occurs while the daily is running (I guess not, but...)?
>
> -- 
> -
> ()  ascii ribbon campaign - against html e-mail
> /\