Re: Weard security report

2013-11-16 Thread Ingo Schwarze
Hi Sven,

sven falempin wrote on Wed, Nov 06, 2013 at 10:24:53AM -0500:

 Running security(8):
 ==
 /var/db/cloud.json diffs (-OLD  +NEW)
 ==
 --- /dev/null   Fri Oct 25 01:30:33 2013
 +++ /var/db/cloud.json  Thu Oct 17 17:21:15 2013
 
 Previous security:
 ==
 /var/db/cloud.json diffs (-OLD  +NEW)
 ==
 --- /var/backups/var_db_cloud.json.current  Sat Jul 27 01:30:11 2013
 +++ /var/db/cloud.json  Wed Aug  7 16:28:55 2013
 
 /dev/null !!!???
 What could possibly have happened??

 Is this possible if a reboot occurs while the daily is running
 (I guess no, but...)?

Actually, yes.

The copying is done with File::Copy::copy.
If you look into /usr/libdata/perl5/File/Copy.pm,
the function copy() does:  open $to_h, ">", $to
So the file is first truncated, then written to, non-atomically.

In principle, if the security script gets killed right after
truncating the file, before writing any data into it,
I would expect the next security(8) run to compare against /dev/null
in backup_if_changed() because the code says:
  my $last = -s $current ? $current : '/dev/null';

But it's a narrow race to end up with an empty $current.

 PS:
 Is it possible to keep more than one backup in /var/backup?

That's trivial to implement, see below, the question is whether
we want it...

Yours,
  Ingo


Index: security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.23
diff -u -p -r1.23 security
--- security21 Mar 2013 09:37:37 -  1.23
+++ security16 Nov 2013 23:54:42 -
@@ -755,6 +755,12 @@ sub backup_if_changed {
diff $last, $orig or return;
 
if (-s $current) {
+   for (my $next = 5; $next; --$next) {
+   my $prev = $next - 1 || '';
+   next unless -s $backup$prev;
+   copy $backup$prev, $backup$next;
+   chown 0, 0, $backup$next;
+   }
copy $current, $backup;
chown 0, 0, $backup;
}
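Review bot: the new rotation loop copies each generation with copy(), which is the same truncate-then-write File::Copy::copy this mail identifies as the cause of the empty-backup race, so every daily run now opens up to five such windows instead of one; rotating with rename instead (`rename "$backup$prev", "$backup$next"`) is atomic, keeps the 0:0 owner already set on the older file so the extra chown is unnecessary, and avoids rewriting five files a day. As shown, `-s $backup$prev` and `copy $backup$prev, $backup$next` also need the two variables joined in a quoted string ("$backup$prev") to form one path; Perl does not parse the bare juxtaposition. The depth of 5 is a magic number that belongs in a named constant with the script's other settings, and because `next unless -s` only skips the copy, a missing or empty intermediate generation leaves everything older than it stale rather than shifted, which rename would at least make visible.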

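To make the race concrete, here is an added example script, not code from security(8) or from File::Copy, that reproduces the truncate-then-write behaviour Ingo describes, the `-s` fallback to /dev/null from backup_if_changed(), and a write-to-temp-then-rename copy that survives an interruption at any point. The subroutine names, the throwaway directory and the JSON content are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not part of security(8) or File::Copy): why an interrupted
# File::Copy::copy() can leave an empty backup, and a temp-file-plus-rename
# copy that cannot.  All paths live in a throwaway directory.
use strict;
use warnings;
use IO::Handle;
use File::Basename qw(basename dirname);
use File::Temp qw(tempdir tempfile);

# The check Ingo quotes from backup_if_changed(): an empty (or missing)
# $current makes the next run diff against /dev/null.
sub last_version {
    my ($current) = @_;
    return -s $current ? $current : '/dev/null';
}

# What File::Copy::copy() does: open the destination with '>' (truncate),
# then stream the source into it.  $crash models the script being killed
# between the truncate and the first write.
sub copy_like_file_copy {
    my ($from, $to, $crash) = @_;
    open my $in,  '<', $from or die "$from: $!";
    open my $out, '>', $to   or die "$to: $!";    # $to is now zero bytes
    binmode $in;
    binmode $out;
    return 0 if $crash;                           # killed here: $to stays empty
    local $/ = \65536;                            # read 64 KiB records
    while (defined(my $chunk = <$in>)) {
        print {$out} $chunk or die "write $to: $!";
    }
    close $out or die "close $to: $!";
    close $in;
    return 1;
}

# Atomic replacement: write a temp file next to $to, fsync it, rename(2)
# it over $to.  A crash at any point ($crash models one just before the
# rename) leaves $to either untouched or complete, never empty.
sub atomic_copy {
    my ($from, $to, $crash) = @_;
    my ($out, $tmp) = tempfile(basename($to) . '.XXXXXXXX', DIR => dirname($to));
    open my $in, '<', $from or die "$from: $!";
    binmode $in;
    binmode $out;
    local $/ = \65536;
    while (defined(my $chunk = <$in>)) {
        print {$out} $chunk or die "write $tmp: $!";
    }
    close $in;
    $out->flush;
    $out->sync or die "fsync $tmp: $!";           # data on disk before the rename
    close $out or die "close $tmp: $!";
    return 0 if $crash;                           # killed here: stray $tmp, $to intact
    rename $tmp, $to or do { my $e = $!; unlink $tmp; die "rename $tmp: $e" };
    return 1;
}

# --- demonstration on constructed data ------------------------------------
my $dir     = tempdir(CLEANUP => 1);
my $orig    = "$dir/cloud.json";            # the monitored file
my $current = "$dir/cloud.json.current";    # its backup, as under /var/backups

open my $fh, '>', $orig or die "$orig: $!";
print {$fh} qq({"nodes": ["a", "b"]}\n);    # constructed sample content
close $fh;

copy_like_file_copy($orig, $current, 0);
printf "complete copy:       next run diffs against %s\n", last_version($current);

copy_like_file_copy($orig, $current, 1);
printf "interrupted copy:    next run diffs against %s (%d bytes)\n",
    last_version($current), (-s $current) || 0;

atomic_copy($orig, $current, 0);
atomic_copy($orig, $current, 1);
printf "interrupted atomic:  next run diffs against %s (%d bytes)\n",
    last_version($current), (-s $current) || 0;
```

The second printf shows the situation from the report: after the interrupted copy the backup is zero bytes, so last_version() hands the next run /dev/null as the old side of the diff. The interrupted atomic_copy leaves only a stray temp file beside an intact backup; a real security(8) would want to sweep such leftovers, but it would never again report a brand-new /var/db/cloud.json that has existed for months.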


Weard security report

2013-11-06 Thread sven falempin
Hello,

I love the daily scripts and use them to follow some
activity on my server(s).

One of my servers got this entry:

Running security(8):

==
/var/db/cloud.json diffs (-OLD  +NEW)
==
--- /dev/null   Fri Oct 25 01:30:33 2013
+++ /var/db/cloud.json  Thu Oct 17 17:21:15 2013

[...]

Previous security:

==
/var/db/cloud.json diffs (-OLD  +NEW)
==
--- /var/backups/var_db_cloud.json.current  Sat Jul 27 01:30:11 2013
+++ /var/db/cloud.json  Wed Aug  7 16:28:55 2013

[..]


/dev/null !!!???
What could possibly have happened??

PS:
Is it possible to keep more than one backup in /var/backup?



-- 
-
() ascii ribbon campaign - against html e-mail
/\


Re: Weard security report

2013-11-06 Thread Kirill Bychkov
On Wed, November 6, 2013 19:24, sven falempin wrote:
 Hello,


Hi
 I love daily scripts and used it to follow some
 activity on server(s)

 One of my server got this entry:

 Running security(8):

 ==
 /var/db/cloud.json diffs (-OLD  +NEW)
 ==
 --- /dev/null   Fri Oct 25 01:30:33 2013
 +++ /var/db/cloud.json  Thu Oct 17 17:21:15 2013

 [...]

 Previous security:

 ==
 /var/db/cloud.json diffs (-OLD  +NEW)
 ==
 --- /var/backups/var_db_cloud.json.current  Sat Jul 27 01:30:11 2013
 +++ /var/db/cloud.json  Wed Aug  7 16:28:55 2013

 [..]


 /dev/null !!!???
 What could possibly have happened??


/dev/null tells you that cloud.json is a newly created file, so it's diffed against
/dev/null.

 PS:
 Is it possible to keep more than one backup in /var/backup?







Re: Weard security report

2013-11-06 Thread Joerg Sonnenberger
On Wed, Nov 06, 2013 at 10:24:53AM -0500, sven falempin wrote:
 ==
 /var/db/cloud.json diffs (-OLD  +NEW)
 ==
 --- /dev/null   Fri Oct 25 01:30:33 2013
 +++ /var/db/cloud.json  Thu Oct 17 17:21:15 2013

This just means that the file was created as opposed to empty.

Joerg



Re: Weard security report

2013-11-06 Thread Alexander Hall


Joerg Sonnenberger jo...@britannica.bec.de wrote:
On Wed, Nov 06, 2013 at 10:24:53AM -0500, sven falempin wrote:
 ==
 /var/db/cloud.json diffs (-OLD  +NEW)
 ==
 --- /dev/null   Fri Oct 25 01:30:33 2013
 +++ /var/db/cloud.json  Thu Oct 17 17:21:15 2013

This just means that the file was created as opposed to empty.

Joerg

But if his previous security run indicated there was one, I suspect he lost the 
one in /var/backup somewhere on the way. Repartitioning?

/Alexander



Re: Weard security report

2013-11-06 Thread sven falempin
On Wed, Nov 6, 2013 at 11:43 AM, Alexander Hall alexan...@beard.se wrote:



 Joerg Sonnenberger jo...@britannica.bec.de wrote:
 On Wed, Nov 06, 2013 at 10:24:53AM -0500, sven falempin wrote:
  ==
  /var/db/cloud.json diffs (-OLD  +NEW)
  ==
  --- /dev/null   Fri Oct 25 01:30:33 2013
  +++ /var/db/cloud.json  Thu Oct 17 17:21:15 2013
 
 This just means that the file was created as opposed to empty.
 
 Joerg

 But if his previous security run indicated there was one, I suspect he
 lost the one in /var/backup somewhere on the way. Repartitioning?

 /Alexander


Sorry I didn't add this info in the first mail.
First thing I checked: only one partition :-(

Is this possible if a reboot occurs while the daily is running (I guess no,
but...)?


-- 
-
() ascii ribbon campaign - against html e-mail
/\


Re: Weard security report

2013-11-06 Thread Rajneesh N. Shetty
http://sans.org/

English Version (PDF)
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201311_en.pdf

English Version (.epub -- tablets only)
http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201311_eneb.epub

Translations & Archives
http://www.securingthehuman.org/ouch


In addition, we have a new video of the month: Encryption.  Encryption
is often emphasized as one of the key methods to secure data, yet many
people do not understand what it is or how it works.  This video
explains encryption using simple and easy to understand terms.
http://www.securingthehuman.org/resources/ncsam

Thanks!

Lance Spitzner
Training Director, SANS Securing The Human Program
Mobile: +1.708.557.6006
Skype/Twitter: lspitzner
Blog: www.securingthehuman.org/blog


To change your subscription information please visit
https://www.sans.org/account/subscriptions.

SANS Institute, 8120 Woodmont Ave., Suite 205, Bethesda, MD 20814-2743

-BEGIN PGP SIGNATURE-

iD8DBQFSemK/+LUG5KFpTkYRAoZ9AKCKX3PlafenVTPyPQWV0IKeBLUQXwCfdmpF
lg2Gf3qsxI5YaDkMzPrdwaI=
=khCV
-END PGP SIGNATURE-


On Thu, 7/11/13, sven falempin sven.falem...@gmail.com wrote:

 Subject: Re: Weard security report
 To: tech@openbsd.org tech@openbsd.org
 Received: Thursday, 7 November, 2013, 3:49 AM
 
 On Wed, Nov 6, 2013 at 11:43 AM, Alexander Hall alexan...@beard.se wrote:
 
  Joerg Sonnenberger jo...@britannica.bec.de wrote:
  On Wed, Nov 06, 2013 at 10:24:53AM -0500, sven falempin wrote:
   ==
   /var/db/cloud.json diffs (-OLD  +NEW)
   ==
   --- /dev/null   Fri Oct 25 01:30:33 2013
   +++ /var/db/cloud.json  Thu Oct 17 17:21:15 2013
  
  This just means that the file was created as opposed to empty.
  
  Joerg
 
  But if his previous security run indicated there was one, I suspect he
  lost the one in /var/backup somewhere on the way. Repartitioning?
 
  /Alexander
 
 Sorry I didn't add this info in the first mail.
 First thing I checked: only one partition :-(
 
 Is this possible if a reboot occurs while the daily is running (I guess no,
 but...)?
 
 -- 
 -
 () ascii ribbon campaign - against html e-mail
 /\