Greetings all,
In my local source tree, I have a small modification to /etc/security
which I thought would be good to get in the base tree. The attached .diff
allows /etc/security to keep a record of all non-device related files located
in /dev. Many blackhat utilities, and practices include using the /dev
directory as a location to create sniffer logs, suid binaries, and other evil.
By keeping a database similar to /var/log/setuid.today, administrators can be
notified of any changes to /dev. The diff is against -current, however the
functionality is unchanged between -stable and -current.
Is a PR the best way to submit this type of change? I didn't think a
PR was appropriate because I am not submitting a problem, so much as a small
enhancement.
Anybody see any huge holes in my logic?
Thanks,
visigoth
--
Damieon Stark, CCSE
Unix/Network Security Engineer
plug
currently seeking employment
/plug
__
Damieon Stark | Microsoft: Where do you want to go today?
e: [EMAIL PROTECTED] | Linux: Where do you want to go tommorow?
p: 612.382.6945 | FreeBSD/Sun: Are you guys coming or what?
pgp: 0xBE5D0C57 | http://www.sun.com/solaris - The . in .com
pgp.mit.edu | http://www.freebsd.org - The power to serve!
--
--- security.oldSun Sep 2 19:07:07 2001
+++ securitySun Sep 2 19:59:29 2001
@@ -94,6 +94,27 @@
mv ${TMP} ${LOG}/setuid.today || rc=3
fi
+# Show any files in /dev which are not charactor, block
+# device entries, or symlinks.
+
+find /dev -type f -or -type s -or -type p | xargs ls -al ${TMP}
+
+if [ ! -f ${LOG}/devfiles.today ]; then
+ separator
+ echo No ${LOG}/devfiles.today
+ cp ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+if ! cmp ${LOG}/devfiles.today ${TMP} /dev/null; then
+ [ $rc -lt 1 ] rc=1
+ separator
+ echo Checking for changes to non-device files in dev:
+ diff -w ${LOG}/devfiles.today ${TMP}
+ mv ${LOG}/devfiles.today ${LOG}/devfiles.yesterday || rc=3
+ mv ${TMP} ${LOG}/devfiles.today || rc=3
+fi
+
+
# Show changes in the way filesystems are mounted
#
[ -n $ignore ] cmd=egrep -v ${ignore#|} || cmd=cat
PGP signature