new feature for /etc/security

2001-09-05 Thread Damieon Stark

Greetings all,

In my local source tree, I have a small modification to /etc/security
which I thought would be good to get in the base tree.  The attached .diff
allows /etc/security to keep a record of all non-device related files located
in /dev.  Many blackhat utilities and practices include using the /dev
directory as a location to create sniffer logs, suid binaries, and other evil.
By keeping a database similar to /var/log/setuid.today, administrators can be
notified of any changes to /dev.  The diff is against -current, however the
functionality is unchanged between -stable and -current.

Is a PR the best way to submit this type of change?  I didn't think a
PR was appropriate because I am not submitting a problem, so much as a small
enhancement.

Anybody see any huge holes in my logic?

Thanks,
visigoth

-- 

Damieon Stark, CCSE
Unix/Network Security Engineer
plug
currently seeking employment
/plug

__
Damieon Stark   | Microsoft: Where do you want to go today?
e: [EMAIL PROTECTED] | Linux: Where do you want to go tomorrow?
p: 612.382.6945 | FreeBSD/Sun: Are you guys coming or what?
pgp: 0xBE5D0C57 | http://www.sun.com/solaris - The . in .com
pgp.mit.edu | http://www.freebsd.org - The power to serve!
--


--- security.oldSun Sep  2 19:07:07 2001
+++ securitySun Sep  2 19:59:29 2001
@@ -94,6 +94,27 @@
mv ${TMP} ${LOG}/setuid.today || rc=3
 fi
 
+# Show any files in /dev which are not charactor, block
+# device entries, or symlinks.
+
+find /dev -type f -or -type s -or -type p | xargs ls -al  ${TMP}
+
+if [ ! -f ${LOG}/devfiles.today ]; then
+   separator
+   echo No ${LOG}/devfiles.today
+   cp ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+if ! cmp ${LOG}/devfiles.today ${TMP} /dev/null; then
+   [ $rc -lt 1 ]  rc=1
+   separator
+   echo Checking for changes to non-device files in dev:
+   diff -w ${LOG}/devfiles.today ${TMP}
+   mv ${LOG}/devfiles.today ${LOG}/devfiles.yesterday || rc=3
+   mv ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+
 # Show changes in the way filesystems are mounted
 #
 [ -n $ignore ]  cmd=egrep -v ${ignore#|} || cmd=cat
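Review bot: the `find /dev -type f -or -type s -or -type p | xargs ls -al  ${TMP}` line has no redirect into ${TMP}, so as posted the listing goes to stdout and ${TMP} is just one more argument to `ls`; the same is true of `cmp ${LOG}/devfiles.today ${TMP} /dev/null` and `[ $rc -lt 1 ]  rc=1`, where the `>` and `&&` between the operands are missing, so the hunk as posted will not behave as the comment describes and should be re-sent with the operators intact. Two smaller points: piping names through `xargs` splits on whitespace and newlines, so a planted file whose name contains either can break or hide from the listing; `find /dev \( -type f -o -type s -o -type p \) -exec ls -al {} +` avoids that and the parentheses also make the `-or` precedence explicit. The comment misspells "charactor", and it would help to say that directories are deliberately left out of the listing as well.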

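A stand-alone version of the check the post describes, written here as an added example and not the author's patch: it keeps the devfiles.today/devfiles.yesterday rotation from the post but hands file names to `ls` with `find -exec ... {} +` rather than an unquoted pipe into `xargs`, and returns a status the caller can act on. The function name and its DEVDIR/LOGDIR parameters are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the patch from the post: a stand-alone version of the
# /dev non-device-file check with the same devfiles.today/.yesterday rotation.
# devfiles_check DEVDIR LOGDIR
#   Lists regular files, sockets and fifos under DEVDIR (the things that
#   should not normally live in /dev), compares against LOGDIR/devfiles.today
#   and rotates the baseline when the listing changed.
#   Returns 0 when unchanged (or on the first run, which only creates the
#   baseline, as the posted patch does), 1 when the listing changed,
#   3 when a file could not be written.
devfiles_check() {
    dc_dev=$1
    dc_log=$2
    dc_tmp=$(mktemp "${dc_log}/devfiles.XXXXXX") || return 3
    # -exec ... {} + passes the names to ls as arguments, so a crafted name
    # containing whitespace or a newline cannot split the listing the way
    # an unquoted pipe into xargs can.  sort keeps the order stable so that
    # diff only reports real changes, not ordering noise.
    find "$dc_dev" \( -type f -o -type s -o -type p \) -exec ls -ld {} + \
        | sort > "$dc_tmp"
    if [ ! -f "${dc_log}/devfiles.today" ]; then
        echo "No ${dc_log}/devfiles.today, creating baseline"
        mv "$dc_tmp" "${dc_log}/devfiles.today" || return 3
        return 0
    fi
    if cmp -s "${dc_log}/devfiles.today" "$dc_tmp"; then
        rm -f "$dc_tmp"
        return 0
    fi
    echo "Checking for changes to non-device files in ${dc_dev}:"
    diff "${dc_log}/devfiles.today" "$dc_tmp" || :
    mv "${dc_log}/devfiles.today" "${dc_log}/devfiles.yesterday" || return 3
    mv "$dc_tmp" "${dc_log}/devfiles.today" || return 3
    return 1
}
```

Run it daily from the periodic security job with `devfiles_check /dev /var/log` and treat a return of 1 as a report to read, since `ls -ld` output also changes when a listed file's size, owner or mtime changes, not only when a file appears or disappears.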


new /etc/security mod

2001-09-05 Thread Damieon Stark

Greetings all,

I have had a small modification to /etc/security floating around in my
tree for a little while, and thought it would be best to submit it.  The
modifications allow the /etc/security script to keep daily track of changes to
all non char/block special files in /dev.  Many nefarious activities tend to
occur in /dev due to the often cryptic file names, and the level of
understanding of the average administrator.  I have seen boxen which have
large files in /dev due to sniffer/keylogger activities.  A daily database is
created in /var/log similar to /var/log/setuid.today and 
/var/log/setuid.yesterday. If I am way off my rocker, or somebody sees an
obvious way to improve the method, please let me know.

I realized this should be submitted when I got a report of the mod being used
to detect a rooted box...

The .diff is against -current, but should apply to -stable as well...

Thanks, and keep up all the wonderful work!
visigoth





Re: new /etc/security mod

2001-09-05 Thread Damieon Stark


Man, I am having a _dumb_ day.  Didn't realize I had already sent off the
original copy...  Please disregard...






Re: unified pwutil library - thoughts?

2001-07-02 Thread Damieon Stark


Hey all...

So, by the fact that I got _no_ replies I must surmise that either my
message didn't get posted (confirmed posting with archive), or people
didn't read it, or _nobody_ thinks it is a good idea ;) but if nobody
thinks it is a good idea, I _think_ I would have gotten some flames/feedback.
Here goes again...  Below is the message I sent about a unified libpwutil, and
possibly integrating it into FreeBSD.  _ANY_ feedback, positive or negative
would be appreciated as it will help to validate my existence ;)


On Sun, Jun 24, 2001 at 09:05:41PM -0500, Damieon Stark wrote:
 Hey all,
 
   Ok, so my thinking goes a little like this: having chpass, vipw, 
 passwd, rpc.yppasswdd et al. using the same functions (pw_copy, pw_temp,
 pw_init...) and then, in order to update the database calling a
 function which does nothing more than execl(pwd_mkdb) and exit
 seems kinda silly. 
   For a couple of my projects, having a BSD approved way
 of modifying the master.passwd/spwd.db would have been _very_ nice, so I
 have created libpwutil.  This new lib could be used to (statically) link
 all the aforementioned command line utils, and create a more central way
 to manage password changes, as well as creating a reasonably nice C interface
 to changing passwords.
   If I am way off my rocker, please let me know.  I've
 also created a _new_ pw_mkdb function which does NOT use execl or system.  If
 this sounds like something that people are interested in, I would be happy to
 work up some documentation, and submit it for inclusion/port-dom as well as
 patches to chpass and crew if people think it is a good idea.
   Just _looking_ at the Makefiles for things like chpass brought on
 the urge to make a change... ;) Also, future support for things like NIS+/LDAP
 could (possibly) be more easily developed.
 
 visigoth
 
 P.S. the lib will be BSD licenced, NOT GPL'd ;)


Visigoth




unified pwutil library - thoughts?

2001-06-24 Thread Damieon Stark

Hey all,

Ok, so my thinking goes a little like this: having chpass, vipw, 
passwd, rpc.yppasswdd et al. using the same functions (pw_copy, pw_temp,
pw_init...) and then, in order to update the database calling a
function which does nothing more than execl(pwd_mkdb) and exit
seems kinda silly. 
For a couple of my projects, having a BSD approved way
of modifying the master.passwd/spwd.db would have been _very_ nice, so I
have created libpwutil.  This new lib could be used to (statically) link
all the aforementioned command line utils, and create a more central way
to manage password changes, as well as creating a reasonably nice C interface
to changing passwords.
If I am way off my rocker, please let me know.  I've
also created a _new_ pw_mkdb function which does NOT use execl or system.  If
this sounds like something that people are interested in, I would be happy to
work up some documentation, and submit it for inclusion/port-dom as well as
patches to chpass and crew if people think it is a good idea.
Just _looking_ at the Makefiles for things like chpass brought on
the urge to make a change... ;) Also, future support for things like NIS+/LDAP
could (possibly) be more easily developed.

visigoth

P.S. the lib will be BSD licenced, NOT GPL'd ;)




That des nolinks thang..

2000-02-28 Thread Damieon Stark

Could somebody repost the flag intended for make.conf to
keep the des libs from taking over libcrypt's links?  Wrote it down, deleted
it, lost the paper, and commenced feeling dumb ;)

Thanks for all of the hard work everybody!

Damieon Stark


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message