Re: Fw: lothlorien.nagual.nl security run output
On 30 Aug nicky wrote:
> In your message you state, "Begin forwarded message [some Xorg update
> warnings deleted]:"
>
> Isn't it so that in your message, lines 3 to 12 are just port related
> binaries? (I assume Xorg related). Meaning that ping/ping6, etc. aren't
> updated at all. At least I don't see the +/- signs in front of your
> ping/ping6 ones.

You are absolutely right. I'm blushing, I really am. Gee, I totally missed the + / - signs. I overlooked and worried about the 'wrong' files. It was Xorg that was updated. Just like you have done and seen ;-)

Thanks for the response.

Remains one question (to me): what program would be best to have as a system integrity checker? Samhain, Osiris or what?

-- dick -- http://nagual.nl/ -- PGP/GnuPG key: F86289CE ++ Running FreeBSD 6.1 +++ The Power to Serve

___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Fw: lothlorien.nagual.nl security run output
My guess is that there is nothing to be worried about, however I could be wrong. Let me explain.

This morning I received the same kind of message in my security run output (yesterday I updated all my ports):

Checking setuid files and devices:
nlp setuid diffs:
--- /var/log/setuid.today Fri Aug 25 08:12:19 2006
+++ /tmp/security.Ia2whJjb Wed Aug 30 08:15:56 2006
@@ -3,8 +3,8 @@ 49434 -r-sr-xr-x 1 root wheel 23648 Aug 22 11:05:26 2006 /sbin/ping 49435 -r-sr-xr-x 1 root wheel 31924 Aug 22 11:05:26 2006 /sbin/ping6 49448 -r-sr-x--- 1 root operator 10308 Aug 22 11:05:27 2006 /sbin/shutdown -7795756 -rws--x--x 1 root wheel 2069783 Aug 24 09:17:07 2006 /usr/X11R6/bin/Xorg -7795717 -rws--x--x 1 root wheel 303748 Aug 24 09:03:51 2006 /usr/X11R6/bin/xterm +7795722 -rws--x--x 1 root wheel 2069783 Aug 29 13:08:10 2006 /usr/X11R6/bin/Xorg +7796599 -rws--x--x 1 root wheel 305764 Aug 29 12:57:30 2006 /usr/X11R6/bin/xterm 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/at 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/atq 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/atrm

If I look at my message, I see that lines 3 to 8 have been changed. After a manual diff between /var/log/setuid.today/yesterday I only get the Xorg related lines. Which is correct, since I remember seeing some Xorg ports being updated.

In your message you state, "Begin forwarded message [some Xorg update warnings deleted]:"

Isn't it so that in your message, lines 3 to 12 are just port related binaries? (I assume Xorg related). Meaning that ping/ping6, etc. aren't updated at all. At least I don't see the +/- signs in front of your ping/ping6 ones.

My guess.

Greets.
Nick

dick hoogendijk wrote:
> I'm a little worried after reading the security output this morning. It seems some files [ping, ping6, shutdown, at, atq and atrm] have setuid diffs. I really don't know why this could have happened. I updated some ports yesterday, but I don't think any port writes in /sbin (?) Could somebody advise me on what can have happened?
>
> Begin forwarded message [some Xorg update warnings deleted]:
>
> Checking setuid files and devices:
> Checking setuid files and devices:
> lothlorien.nagual.nl setuid diffs:
--- /var/log/setuid.today Mon Aug 14 03:03:25 2006
+++ /tmp/security.aJbHsCR6 Sun Aug 27 03:03:22 2006
@@ -3,12 +3,12 @@ 23637 -r-sr-xr-x 1 root wheel 21792 May 12 21:47:15 2006 /sbin/ping 23638 -r-sr-xr-x 1 root wheel 28660 May 12 21:47:15 2006 /sbin/ping6 23651 -r-sr-x--- 1 root operator 10148 May 12 21:47:17 2006 /sbin/shutdown 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/at 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/atq 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/atrm
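Review bot: in the hunk from the nlp report (`@@ -3,8 +3,8 @@`), the only prefixed lines are the `-`/`+` pairs for /usr/X11R6/bin/Xorg and /usr/X11R6/bin/xterm; the inode changes (7795756 to 7795722 and 7795717 to 7796599) together with the new Aug 29 mtimes are what a port reinstall that unlinks and recreates the binary looks like, and xterm also grew from 303748 to 305764 bytes while Xorg kept its size. The /sbin and /usr/bin entries above and below them carry no prefix; they are the three lines of context diff prints on each side of a change, so nothing in them changed. Since both binaries are -rws--x--x (setuid root, world-executable), it is still worth confirming that the new inodes belong to the package that was just upgraded, e.g. with pkg_info -W on each path, before treating the report as closed.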
Re: Fw: lothlorien.nagual.nl security run output
On 28 Aug David Robillard wrote:
> Did you reinstall the entire OS _before_ you installed Osiris? Did you
> find out why your SUID files had changed in the first place?

No. I did a "diff" with the same files on other freebsd-6.1 machines which I'm absolutely certain are not compromised. The files were exactly the same. I use the same port collections and always portupgrade the machines at the same time. So I'm quite sure it must have been some software packages that changed the suid bit. It's too much work to find out exactly which ones, given the fact it's not that important after all.

> If not, then your base Osiris database might contain already
> compromised software. Which makes Osiris useless...

I know..

> > Use the default configuration for this OS (yes/no) yes
> > >>> configuration (default.freebsd) has been pushed
> >
> > Nothing happens.. (as it seems..)
>
> I had the same problem with FreeBSD 5.3 and then moved to 6.1 which
> cleared this problem. I suspect it has to do with network timeouts that
> have been changed via sysctl.conf(5). Have you done any modifications to
> your sysctl.conf file?

I run 6.1 so it's weird that nothing happens.. I did not change a thing in sysctl.conf except for some hw.snd settings. They can't be blamed I suppose ;-)

Maybe you have some clues.

-- dick -- http://nagual.nl/ -- PGP/GnuPG key: F86289CE ++ Running FreeBSD 6.1 +++ The Power to Serve
Re: Fw: lothlorien.nagual.nl security run output
> I'm a little worried after reading the security output this morning. It seems some files [ping, ping6, shutdown, at, atq and atrm] have setuid diffs. I really don't know why this could have happened. I updated some ports yesterday, but I don't think any port writes in /sbin (?) Could somebody advise me on what can have happened?

What ports have you updated? You can check if any of them has installed new files in /sbin by running `pkg_info -L your_updated_port-version`. See the -L option of pkg_info(1) in the man page http://www.freebsd.org/cgi/man.cgi?query=pkg_info&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

You can also consider installing Host Based Integrity Monitoring software. I use Osiris, which is quite simple to set up and administer. It's already in the ports as security/osiris, which you can get there: http://www.freebsd.org/cgi/url.cgi?ports/security/osiris/pkg-descr. Of course, don't install Osiris on a machine of which you're not sure whether it has been tampered with; it would defeat the purpose...

You can also take a look at other integrity checking software such as Samhain, Tripwire or AIDE.

Regards,

David

-- David Robillard UNIX systems administrator & Oracle DBA CISSP, RHCE & Sun Certified Security Administrator Montreal: +1 514 966 0122
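The confusion in this thread came from reading diff's unchanged context lines as if they were changes. As an added example (not written by any poster here, and not part of FreeBSD's periodic scripts), the sh/awk script below triages a "setuid diffs" report: it lists only the entries that carry a `+` or `-` prefix, and it flags a hunk whose `@@` header promises changes but under which no `+`/`-` line survives, which is what a copy with the changed lines cut out looks like. The two sample reports are the ones quoted in this thread, with the single leading space that unified diff puts in front of context lines restored; the `pkg_info -W` follow-up is suggested in a comment only, since that needs the real machine.

```sh
#!/bin/sh
# Added example: triage a FreeBSD periodic(8) "setuid diffs" report.
# diff(1) prints three unchanged lines of context around every change, so
# only lines starting with '+' or '-' are entries that actually changed.

# Sample input taken from the report Nick posted (unified-diff context
# spacing restored). Two entries changed: Xorg and xterm were reinstalled.
REPORT_WITH_CHANGES='--- /var/log/setuid.today Fri Aug 25 08:12:19 2006
+++ /tmp/security.Ia2whJjb Wed Aug 30 08:15:56 2006
@@ -3,8 +3,8 @@
 49434 -r-sr-xr-x 1 root wheel 23648 Aug 22 11:05:26 2006 /sbin/ping
 49435 -r-sr-xr-x 1 root wheel 31924 Aug 22 11:05:26 2006 /sbin/ping6
 49448 -r-sr-x--- 1 root operator 10308 Aug 22 11:05:27 2006 /sbin/shutdown
-7795756 -rws--x--x 1 root wheel 2069783 Aug 24 09:17:07 2006 /usr/X11R6/bin/Xorg
-7795717 -rws--x--x 1 root wheel 303748 Aug 24 09:03:51 2006 /usr/X11R6/bin/xterm
+7795722 -rws--x--x 1 root wheel 2069783 Aug 29 13:08:10 2006 /usr/X11R6/bin/Xorg
+7796599 -rws--x--x 1 root wheel 305764 Aug 29 12:57:30 2006 /usr/X11R6/bin/xterm
 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/at
 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/atq
 1625095 -r-sr-xr-x 4 root wheel 22260 Aug 22 11:05:50 2006 /usr/bin/atrm'

# The report dick forwarded: the +/- lines were deleted before sending, so
# only context remains and nothing can be concluded from it.
REPORT_STRIPPED='--- /var/log/setuid.today Mon Aug 14 03:03:25 2006
+++ /tmp/security.aJbHsCR6 Sun Aug 27 03:03:22 2006
@@ -3,12 +3,12 @@
 23637 -r-sr-xr-x 1 root wheel 21792 May 12 21:47:15 2006 /sbin/ping
 23638 -r-sr-xr-x 1 root wheel 28660 May 12 21:47:15 2006 /sbin/ping6
 23651 -r-sr-x--- 1 root operator 10148 May 12 21:47:17 2006 /sbin/shutdown
 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/at
 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/atq
 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/atrm'

# Print "<+|-> <path>" for every entry that changed. Reads a report on stdin;
# the ---/+++ file headers and @@ hunk headers are skipped.
changed_setuid_entries() {
    awk '
        /^(---|[+][+][+]) / { next }                          # file headers
        /^@@/               { next }                          # hunk headers
        /^[+-]/             { printf "%s %s\n", substr($0, 1, 1), $NF }
    '
}

# Unique changed paths only. On the real machine each one is what you feed
# to "pkg_info -W <path>" to see which package (if any) owns the new binary.
changed_setuid_paths() {
    changed_setuid_entries | awk '{ print $2 }' | sort -u
}

# Per-hunk counts of added and removed entries. A hunk with neither means
# the changed lines were cut from this copy of the report; the remaining
# context lines prove nothing either way.
hunk_summary() {
    awk '
        function flush() {
            if (hunk > 0) {
                note = ""
                if (add + del == 0)
                    note = " (no changed lines survive: changed entries were stripped from this copy)"
                printf "hunk %d: %d added, %d removed%s\n", hunk, add, del, note
            }
        }
        /^(---|[+][+][+]) / { next }
        /^@@/  { flush(); hunk++; add = 0; del = 0; next }
        /^[+]/ { add++; next }
        /^-/   { del++; next }
        END    { flush() }
    '
}

main() {
    echo "== report with changes =="
    printf '%s\n' "$REPORT_WITH_CHANGES" | hunk_summary
    printf '%s\n' "$REPORT_WITH_CHANGES" | changed_setuid_entries
    echo "== forwarded copy with the +/- lines removed =="
    printf '%s\n' "$REPORT_STRIPPED" | hunk_summary
}

main "$@"
```

On a live FreeBSD box you would pipe the mail body, or `diff -u /var/log/setuid.yesterday /var/log/setuid.today`, into `changed_setuid_paths` and check each path with `pkg_info -W`; a setuid binary that no package claims, or whose inode changed without a matching port upgrade, is the case that warrants the integrity-checker discussion above.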
Re: Fw: lothlorien.nagual.nl security run output
dick hoogendijk wrote:
> I'm a little worried after reading the security output this morning. It seems some files [ping, ping6, shutdown, at, atq and atrm] have setuid diffs. I really don't know why this could have happened. I updated some ports yesterday, but I don't think any port writes in /sbin (?) Could somebody advise me on what can have happened?

If you didn't do an installworld or any other upgrade, then something is wrong. They could be trojaned as part of a break-in, or you could be experiencing disk corruption.

> Begin forwarded message [some Xorg update warnings deleted]:
>
> Checking setuid files and devices:
> Checking setuid files and devices:
> lothlorien.nagual.nl setuid diffs:
--- /var/log/setuid.today Mon Aug 14 03:03:25 2006
+++ /tmp/security.aJbHsCR6 Sun Aug 27 03:03:22 2006
@@ -3,12 +3,12 @@ 23637 -r-sr-xr-x 1 root wheel 21792 May 12 21:47:15 2006 /sbin/ping 23638 -r-sr-xr-x 1 root wheel 28660 May 12 21:47:15 2006 /sbin/ping6 23651 -r-sr-x--- 1 root operator 10148 May 12 21:47:17 2006 /sbin/shutdown 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/at 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/atq 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/atrm
Fw: lothlorien.nagual.nl security run output
I'm a little worried after reading the security output this morning. It seems some files [ping, ping6, shutdown, at, atq and atrm] have setuid diffs. I really don't know why this could have happened. I updated some ports yesterday, but I don't think any port writes in /sbin (?) Could somebody advise me on what can have happened?

Begin forwarded message [some Xorg update warnings deleted]:

Checking setuid files and devices:
Checking setuid files and devices:
lothlorien.nagual.nl setuid diffs:
--- /var/log/setuid.today Mon Aug 14 03:03:25 2006
+++ /tmp/security.aJbHsCR6 Sun Aug 27 03:03:22 2006
@@ -3,12 +3,12 @@ 23637 -r-sr-xr-x 1 root wheel 21792 May 12 21:47:15 2006 /sbin/ping 23638 -r-sr-xr-x 1 root wheel 28660 May 12 21:47:15 2006 /sbin/ping6 23651 -r-sr-x--- 1 root operator 10148 May 12 21:47:17 2006 /sbin/shutdown 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/at 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/atq 7042059 -r-sr-xr-x 4 root wheel 20948 May 12 21:48:10 2006 /usr/bin/atrm

-- dick -- http://nagual.nl/ -- PGP/GnuPG key: F86289CE ++ Running FreeBSD 6.1 +++ The Power to Serve
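Review bot: the hunk header `@@ -3,12 +3,12 @@` announces a twelve-line region, but none of the six entries that follow (ping, ping6, shutdown, at, atq, atrm) carries a `+` or `-` prefix, so they are the unchanged context diff prints around a change, and the entries that actually differed were removed together with the "[some Xorg update warnings deleted]" lines. As pasted, the excerpt cannot show which setuid file changed; the `+`/`-` lines need to be reposted, or /var/log/setuid.today diffed against /var/log/setuid.yesterday directly. Two details are readable from the context all the same: at, atq and atrm share inode 7042059 with a link count of 4, so they are one file under several names (the fourth name is not in the excerpt), and all six entries still carry May 12 mtimes, months before the port updates.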