security run output

2009-10-09 Thread Bernt Hansson

Hello list!

I'm getting the messages below for one machine and I can't
remember how I managed to do that. I want that for my other machines
as well, but cannot remember how to activate it.


Checking for a current audit database:

Database created: Wed Oct  7 03:55:02 CEST 2009

Checking for packages with security vulnerabilities:
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


RE: security run output

2009-10-09 Thread Sean Cavanaugh


 

 Date: Fri, 9 Oct 2009 13:31:56 +0200
 From: be...@bah.homeip.net
 To: freebsd-questions@freebsd.org
 Subject: security run output
 
 Hello list!
 
 I'm getting the messages below for one machine and I can't
 remember how I managed to do that. I want that for my other machines
 as well, but cannot remember how to activate it.
 
 
 Checking for a current audit database:
 
 Database created: Wed Oct 7 03:55:02 CEST 2009
 
 Checking for packages with security vulnerabilities:


That would most likely be the portaudit utility:

/usr/ports/ports-mgmt/portaudit


Re: Security Run Output Setuid Differences

2007-06-06 Thread Roland Smith
On Tue, Jun 05, 2007 at 04:11:24PM -0700, Peter Pluta wrote:
 mail.***.net setuid diffs:
 --- /var/log/setuid.today Mon May 21 03:02:30 2007
 +++ /tmp/security.wq6BsVcrSun Jun  3 03:01:48 2007
 @@ -20,7 +20,7 @@
  377398 -r-sr-xr-x  2 root  wheel  5828 Jul 30 16:19:57 2006
 /usr/bin/yppasswd
  71112 -rwsr-xr-x  1 root  wheel 285580 May 20 18:23:48 2007
 /usr/local/bin/screen
  70971 -rwxr-sr-x  1 root  kmem  112708 May 20 18:23:03 2007
 /usr/local/sbin/lsof
 -73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
 /usr/local/sbin/postdrop
 -73204 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
 /usr/local/sbin/postqueue
 +71432 -rwxr-sr-x  1 root  maildrop  142559 Jun  2 15:47:54 2007
 /usr/local/sbin/postdrop
 +71433 -rwxr-sr-x  1 root  maildrop  152477 Jun  2 15:47:54 2007
 /usr/local/sbin/postqueue
  923168 -rwxr-sr-x  1 root  smmsp   5236 Jul 30 16:20:07 2006
 /usr/sbin/mailwrapper
  923264 -r-sr-x---  1 root  network11636 Jul 30 16:20:07 2006
 /usr/sbin/sliplogin
 
 I have some more, I'm starting to understand it a bit better. Basically the
 user:group id number has changed and the security run is letting me know.
 Good deal, but I'm still confused as to what the @@ -20,7 +20,7 @@ and + -
 mean. Can anyone explain those? I'm curious, also why would yppasswd change
 to userid 2? I changed root's name yesterday, could that be the cause of it?

Those are a normal part of the output of the diff(1) program that generates
this.

Basically, the script /etc/periodic/security/100.chksetuid makes a list
of all setuid or setgid binaries. This list is compared with the
previous list by the diff(1) program, which shows the differences.

If you have a text file lying around, make a copy of it and change a
couple of lines in the copy. Then do 'diff -u originalfile newfile' and
you'll see how it works.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: Security Run Output Setuid Differences

2007-06-05 Thread Peter Pluta



Roland Smith wrote:
 
 On Mon, May 21, 2007 at 11:59:33AM -0700, PeterPluta wrote:
 snip
  Looks like you were portupgrading around with postfix, screen and xterm.
  
  The output is diff(1).  See the man page for details, but it's basically
  showing you the difference between last night's directory listing, and that
  of the previous day.
  
  For more gory details, see the scripts in /etc/periodic/security, which are
  run every night from cron.  Some of the ports you changed resulted in
  changes to setuid/setgid programs installed on the system.  As a
  security-conscious administrator, you should be interested in the programs
  on your system that have elevated privileges, so this script is provided to
  give you a daily report on that.
 
 I see, so basically after reinstalling the default uid/gid of some
 programs
 changed? Is that a problem or anything? 
 
 It's not a problem. It's just something that you should be aware of from
 a security standpoint.
 
 In this case you caused it because you upgraded some ports, which is OK.
 
 But if the size, date, ownership or permissions of a binary change
 without any apparent cause, it _could_ be the work of an intruder or
 rootkit trying to backdoor your system. That's why the system checks it.
 
 In /etc/defaults/periodic.conf you see which settings there are
 concerning security, and what the defaults are. If you want to disable
 some of them, put the settings in /etc/periodic.conf with a NO value
 instead of YES. But I would recommend to leave them as they are.
 
 Roland
 -- 
 R.F.Smith   http://www.xs4all.nl/~rsmith/
 [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
 pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
 
  
 

mail.***.net setuid diffs:
--- /var/log/setuid.today   Mon May 21 03:02:30 2007
+++ /tmp/security.wq6BsVcr  Sun Jun  3 03:01:48 2007
@@ -20,7 +20,7 @@
 377398 -r-sr-xr-x  2 root  wheel  5828 Jul 30 16:19:57 2006
/usr/bin/yppasswd
 71112 -rwsr-xr-x  1 root  wheel 285580 May 20 18:23:48 2007
/usr/local/bin/screen
 70971 -rwxr-sr-x  1 root  kmem  112708 May 20 18:23:03 2007
/usr/local/sbin/lsof
-73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
/usr/local/sbin/postdrop
-73204 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
/usr/local/sbin/postqueue
+71432 -rwxr-sr-x  1 root  maildrop  142559 Jun  2 15:47:54 2007
/usr/local/sbin/postdrop
+71433 -rwxr-sr-x  1 root  maildrop  152477 Jun  2 15:47:54 2007
/usr/local/sbin/postqueue
 923168 -rwxr-sr-x  1 root  smmsp   5236 Jul 30 16:20:07 2006
/usr/sbin/mailwrapper
 923264 -r-sr-x---  1 root  network11636 Jul 30 16:20:07 2006
/usr/sbin/sliplogin
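Review bot: the `2` on the yppasswd line that this message reads as a user id is the hard-link count column of this ls -liTd style listing (inode, mode, links, owner, group, size, timestamp, path); the owner and group are still `root wheel`, and the line carries no `+` or `-`, so it is unchanged context that diff -u prints for orientation. The only changes in the hunk are postdrop and postqueue: mode, owner, group and size are identical on the `-` and `+` lines, and only the inode and the Jun 2 15:47:54 mtime are new, which is what a reinstall of the port looks like.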

I have some more, I'm starting to understand it a bit better. Basically the
user:group id number has changed and the security run is letting me know.
Good deal, but I'm still confused as to what the @@ -20,7 +20,7 @@ and + -
mean. Can anyone explain those? I'm curious, also why would yppasswd change
to userid 2? I changed root's name yesterday, could that be the cause of it?
-- 
View this message in context: 
http://www.nabble.com/Security-Run-Output-Setuid-Differences-tf3792025.html#a10979516
Sent from the freebsd-questions mailing list archive at Nabble.com.



Security Run Output Questions

2007-05-23 Thread PeterPluta

I see this quite regularly. What exactly is the http process doing? I'm
guessing this is the master process stopping and restarting when I rotate
logs or something. Can anyone confirm? There are usually more processes, 10-15
or more. 

kernel log messages:
+++ /tmp/security.ioLB2PiJ  Wed May 23 03:01:42 2007
+pid 30865 (httpd), uid 80: exited on signal 4
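Review bot: the `+++` line names the fresh snapshot and the `+` prefix marks a message that was not in yesterday's kernel log, so each such line is one newly crashed process, and with 10-15 per report the crashes are recurring rather than a one-off. `uid 80` is the www user on FreeBSD, so this is a worker child and not the root master process restarting on log rotation; signal 4's default action in the signal(3) table quoted in this thread is to create a core image, so the core file for that httpd process is the thing to collect first.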

-- 
View this message in context: 
http://www.nabble.com/Security-Run-Output-Questions-tf3806074.html#a10771250
Sent from the freebsd-questions mailing list archive at Nabble.com.



Re: Security Run Output Questions

2007-05-23 Thread Dan Nelson
In the last episode (May 23), PeterPluta said:
 I see this quite regularly. What exactly is the http process doing?
 I'm guessing this is the master process stopping and restarting when
 I rotate logs or something. Can anyone confirm? There are usually more
 processes, 10-15 or more.
 
 kernel log messages:
 +++ /tmp/security.ioLB2PiJWed May 23 03:01:42 2007
 +pid 30865 (httpd), uid 80: exited on signal 4

It's crashing :)

 4     SIGILL       create core image     illegal instruction

-- 
Dan Nelson
[EMAIL PROTECTED]


Re: Security Run Output Questions

2007-05-23 Thread Roland Smith
On Wed, May 23, 2007 at 12:40:19PM -0700, PeterPluta wrote:
 
 I see this quite regularly. What exactly is the http process doing? I'm
 guessing this is the master process stopping and restarting when I rotate
 logs or something. Can anyone confirm? There are usually more processes, 10-15
 or more. 
 
 kernel log messages:
 +++ /tmp/security.ioLB2PiJWed May 23 03:01:42 2007
 +pid 30865 (httpd), uid 80: exited on signal 4

According to signal(3), signal 4 is SIGILL; illegal instruction.

Not sure what triggers that. Maybe a stack overflow bug that writes a
bogus value to a return address?

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: Security Run Output Questions

2007-05-23 Thread Peter Pluta



Dan Nelson wrote:
 
 In the last episode (May 23), PeterPluta said:
 I see this quite regularly. What exactly is the http process doing?
 I'm guessing this is the master process stopping and restarting when
 I rotate logs or something. Can anyone confirm? There are usually more
 processes, 10-15 or more.
 
 kernel log messages:
 +++ /tmp/security.ioLB2PiJ   Wed May 23 03:01:42 2007
 +pid 30865 (httpd), uid 80: exited on signal 4
 
 It's crashing :)
 
  4     SIGILL       create core image     illegal instruction
 
 -- 
   Dan Nelson
   [EMAIL PROTECTED]
 
 

Ahh I see, so this isn't a good thing. I'm running Apache with mod_php. I
don't see why it would be crashing, unless one of the web apps is buggy. 

-- 
View this message in context: 
http://www.nabble.com/Security-Run-Output-Questions-tf3806074.html#a10772295
Sent from the freebsd-questions mailing list archive at Nabble.com.



Re: Security Run Output Questions

2007-05-23 Thread Garrett Cooper

Roland Smith wrote:

On Wed, May 23, 2007 at 12:40:19PM -0700, PeterPluta wrote:

I see this quite regularly. What exactly is the http process doing? I'm
guessing this is the master process stopping and restarting when I rotate
logs or something. Can anyone confirm? There are usually more processes, 10-15
or more. 


kernel log messages:
+++ /tmp/security.ioLB2PiJ  Wed May 23 03:01:42 2007
+pid 30865 (httpd), uid 80: exited on signal 4


According to signal(3), signal 4 is SIGILL; illegal instruction.

Not sure what triggers that. Maybe a stack overflow bug that writes a
bogus value to a return address?

Roland


Are you running CURRENT and did you update to GCC 4.2 and install httpd 
lately? If so, you need to read a few threads on the current@ list 
pertaining to GCC 4.2 written in the past 1-2 weeks.


-Garrett


Security Run Output Setuid Differences

2007-05-21 Thread PeterPluta

I did a lot of port hacking yesterday. By that I mean screwing up and redoing
lots of things. Anyway, I woke up today to find this email in my inbox. 

Checking setuid files and devices:

mail.placidpublishing.net setuid diffs:
--- /var/log/setuid.today   Fri May 18 03:02:47 2007
+++ /tmp/security.207RUJmY  Mon May 21 03:02:30 2007
@@ -3,7 +3,6 @@
 70745 -r-sr-xr-x  1 root  wheel 21792 Jul 30 16:19:55 2006 /sbin/ping
 70746 -r-sr-xr-x  1 root  wheel 28660 Jul 30 16:19:55 2006 /sbin/ping6
 70721 -r-sr-x---  1 root  operator  10148 Jul 30 16:19:56 2006
/sbin/shutdown
-165583 -rws--x--x  1 root  wheel 268432 Apr 14 14:05:10 2007
/usr/X11R6/bin/xterm
 377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
/usr/bin/chfn
 377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
/usr/bin/chpass
 377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
/usr/bin/chsh
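Review bot: the header `@@ -3,7 +3,6 @@` says seven lines starting at line 3 of the old listing became six in the new one, i.e. a single removal, and the only prefixed line is `-165583 -rws--x--x 1 root wheel ... /usr/X11R6/bin/xterm`; ping, ping6, shutdown, chfn, chpass and chsh carry no `+` or `-` and are unchanged context. xterm was setuid root, and the hunk cannot tell whether it was deinstalled or merely lost the setuid bit, so `ls -l /usr/X11R6/bin/xterm` on the host is the check that settles it.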
@@ -19,9 +18,9 @@
 377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
/usr/bin/ypchpass
 377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
/usr/bin/ypchsh
 377398 -r-sr-xr-x  2 root  wheel  5828 Jul 30 16:19:57 2006
/usr/bin/yppasswd
-72750 -rwsr-xr-x  1 root  wheel 285580 Nov  2 01:21:29 2006
/usr/local/bin/screen
-71569 -rwxr-sr-x  1 root  kmem  112708 Feb  3 17:17:26 2007
/usr/local/sbin/lsof
-71923 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
/usr/local/sbin/postdrop
-71924 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
/usr/local/sbin/postqueue
+71112 -rwsr-xr-x  1 root  wheel 285580 May 20 18:23:48 2007
/usr/local/bin/screen
+70971 -rwxr-sr-x  1 root  kmem  112708 May 20 18:23:03 2007
/usr/local/sbin/lsof
+73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
/usr/local/sbin/postdrop
+73204 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
/usr/local/sbin/postqueue
 923168 -rwxr-sr-x  1 root  smmsp   5236 Jul 30 16:20:07 2006
/usr/sbin/mailwrapper
 923264 -r-sr-x---  1 root  network11636 Jul 30 16:20:07 2006
/usr/sbin/sliplogin
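Review bot: the `-19` versus `+18` in `@@ -19,9 +18,9 @@` only reflects the line removed in the previous hunk shifting the rest of the new listing up by one; the hunk itself is four `-` lines and four `+` lines for the same four paths. screen and lsof keep mode, owner, group and size but get a new inode and a May 20 mtime, consistent with the rebuild this message describes; postdrop and postqueue keep even the May 17 mtime and change inode only, which is what a package reinstall that preserves timestamps looks like. None of these is a privilege change; the lines that would warrant action are ones where the mode or the owner and group columns differ between the `-` and `+` line, or where a path appears only on a `+` line.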


What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@ stuff.
Also, why did this all of a sudden appear?
-- 
View this message in context: 
http://www.nabble.com/Security-Run-Output-Setuid-Differences-tf3792025.html#a10724342
Sent from the freebsd-questions mailing list archive at Nabble.com.



Re: Security Run Output Setuid Differences

2007-05-21 Thread Bill Moran
On Mon, 21 May 2007 11:34:25 -0700 (PDT)
PeterPluta [EMAIL PROTECTED] wrote:

 
 I did a lot of port hacking yesterday. By that I mean screwing up and redoing
 lots of things. Anyway, I woke up today to find this email in my inbox. 
 
 Checking setuid files and devices:
 
 mail.placidpublishing.net setuid diffs:
 --- /var/log/setuid.today Fri May 18 03:02:47 2007
 +++ /tmp/security.207RUJmYMon May 21 03:02:30 2007
 @@ -3,7 +3,6 @@
  70745 -r-sr-xr-x  1 root  wheel 21792 Jul 30 16:19:55 2006 /sbin/ping
  70746 -r-sr-xr-x  1 root  wheel 28660 Jul 30 16:19:55 2006 /sbin/ping6
  70721 -r-sr-x---  1 root  operator  10148 Jul 30 16:19:56 2006
 /sbin/shutdown
 -165583 -rws--x--x  1 root  wheel 268432 Apr 14 14:05:10 2007
 /usr/X11R6/bin/xterm
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/chfn
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/chpass
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/chsh
 @@ -19,9 +18,9 @@
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/ypchpass
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/ypchsh
  377398 -r-sr-xr-x  2 root  wheel  5828 Jul 30 16:19:57 2006
 /usr/bin/yppasswd
 -72750 -rwsr-xr-x  1 root  wheel 285580 Nov  2 01:21:29 2006
 /usr/local/bin/screen
 -71569 -rwxr-sr-x  1 root  kmem  112708 Feb  3 17:17:26 2007
 /usr/local/sbin/lsof
 -71923 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
 /usr/local/sbin/postdrop
 -71924 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
 /usr/local/sbin/postqueue
 +71112 -rwsr-xr-x  1 root  wheel 285580 May 20 18:23:48 2007
 /usr/local/bin/screen
 +70971 -rwxr-sr-x  1 root  kmem  112708 May 20 18:23:03 2007
 /usr/local/sbin/lsof
 +73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
 /usr/local/sbin/postdrop
 +73204 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
 /usr/local/sbin/postqueue
  923168 -rwxr-sr-x  1 root  smmsp   5236 Jul 30 16:20:07 2006
 /usr/sbin/mailwrapper
  923264 -r-sr-x---  1 root  network11636 Jul 30 16:20:07 2006
 /usr/sbin/sliplogin
 
 
 What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@ stuff.
 Also, why did this all of a sudden appear?

Looks like you were portupgrading around with postfix, screen and xterm.

The output is diff(1).  See the man page for details, but it's basically
showing you the difference between last night's directory listing, and that
of the previous day.

For more gory details, see the scripts in /etc/periodic/security, which are
run every night from cron.  Some of the ports you changed resulted in
changes to setuid/setgid programs installed on the system.  As a
security-conscious administrator, you should be interested in the programs
on your system that have elevated privileges, so this script is provided to
give you a daily report on that.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Security Run Output Setuid Differences

2007-05-21 Thread PeterPluta



Bill Moran wrote:
 
 On Mon, 21 May 2007 11:34:25 -0700 (PDT)
 PeterPluta [EMAIL PROTECTED] wrote:
 
 
 I did a lot of port hacking yesterday. By that I mean screwing up and
 redoing
 lots of things. Anyway, I woke up today to find this email in my inbox. 
 
 Checking setuid files and devices:
 
 mail.placidpublishing.net setuid diffs:
 --- /var/log/setuid.todayFri May 18 03:02:47 2007
 +++ /tmp/security.207RUJmY   Mon May 21 03:02:30 2007
 @@ -3,7 +3,6 @@
  70745 -r-sr-xr-x  1 root  wheel 21792 Jul 30 16:19:55 2006
 /sbin/ping
  70746 -r-sr-xr-x  1 root  wheel 28660 Jul 30 16:19:55 2006
 /sbin/ping6
  70721 -r-sr-x---  1 root  operator  10148 Jul 30 16:19:56 2006
 /sbin/shutdown
 -165583 -rws--x--x  1 root  wheel 268432 Apr 14 14:05:10 2007
 /usr/X11R6/bin/xterm
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/chfn
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/chpass
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/chsh
 @@ -19,9 +18,9 @@
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/ypchpass
  377219 -r-sr-xr-x  6 root  wheel 17532 Jul 30 16:19:56 2006
 /usr/bin/ypchsh
  377398 -r-sr-xr-x  2 root  wheel  5828 Jul 30 16:19:57 2006
 /usr/bin/yppasswd
 -72750 -rwsr-xr-x  1 root  wheel 285580 Nov  2 01:21:29 2006
 /usr/local/bin/screen
 -71569 -rwxr-sr-x  1 root  kmem  112708 Feb  3 17:17:26 2007
 /usr/local/sbin/lsof
 -71923 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
 /usr/local/sbin/postdrop
 -71924 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
 /usr/local/sbin/postqueue
 +71112 -rwsr-xr-x  1 root  wheel 285580 May 20 18:23:48 2007
 /usr/local/bin/screen
 +70971 -rwxr-sr-x  1 root  kmem  112708 May 20 18:23:03 2007
 /usr/local/sbin/lsof
 +73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007
 /usr/local/sbin/postdrop
 +73204 -rwxr-sr-x  1 root  maildrop  152477 May 17 14:41:47 2007
 /usr/local/sbin/postqueue
  923168 -rwxr-sr-x  1 root  smmsp   5236 Jul 30 16:20:07 2006
 /usr/sbin/mailwrapper
  923264 -r-sr-x---  1 root  network11636 Jul 30 16:20:07 2006
 /usr/sbin/sliplogin
 
 
 What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@
 stuff.
 Also, why did this all of a sudden appear?
 
 Looks like you were portupgrading around with postfix, screen and xterm.
 
 The output is diff(1).  See the man page for details, but it's basically
 showing you the difference between last night's directory listing, and that
 of the previous day.
 
 For more gory details, see the scripts in /etc/periodic/security, which are
 run every night from cron.  Some of the ports you changed resulted in
 changes to setuid/setgid programs installed on the system.  As a
 security-conscious administrator, you should be interested in the programs
 on your system that have elevated privileges, so this script is provided to
 give you a daily report on that.
 
 -- 
 Bill Moran
 Potential Technologies
 http://www.potentialtech.com
 
 


I see, so basically after reinstalling the default uid/gid of some programs
changed? Is that a problem or anything? 

-- 
View this message in context: 
http://www.nabble.com/Security-Run-Output-Setuid-Differences-tf3792025.html#a10724835
Sent from the freebsd-questions mailing list archive at Nabble.com.



Re: Security Run Output Setuid Differences

2007-05-21 Thread Roland Smith
On Mon, May 21, 2007 at 11:59:33AM -0700, PeterPluta wrote:
snip
  Looks like you were portupgrading around with postfix, screen and xterm.
  
  The output is diff(1).  See the man page for details, but it's basically
  showing you the difference between last night's directory listing, and that
  of the previous day.
  
  For more gory details, see the scripts in /etc/periodic/security, which are
  run every night from cron.  Some of the ports you changed resulted in
  changes to setuid/setgid programs installed on the system.  As a
  security-conscious administrator, you should be interested in the programs
  on your system that have elevated privileges, so this script is provided to
  give you a daily report on that.
 
 I see, so basically after reinstalling the default uid/gid of some programs
 changed? Is that a problem or anything? 

It's not a problem. It's just something that you should be aware of from
a security standpoint.

In this case you caused it because you upgraded some ports, which is OK.

But if the size, date, ownership or permissions of a binary change
without any apparent cause, it _could_ be the work of an intruder or
rootkit trying to backdoor your system. That's why the system checks it.

In /etc/defaults/periodic.conf you see which settings there are
concerning security, and what the defaults are. If you want to disable
some of them, put the settings in /etc/periodic.conf with a NO value
instead of YES. But I would recommend to leave them as they are.

Roland
-- 
R.F.Smith   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)




Re: weird messages in daily security run output mails

2007-05-19 Thread Björn König
Jan L. Nauta wrote:

 [...]
 +NMI 2ISAN MI ISA 38, EIS3A8,  E0I
 +S
 +A 0
 +2N2NMMII I SAIS A 38, E3I8S, AEI S0A NMI ISA 38, EISA 0 kernel trap
 +19 with interrupts disabled NMI ISA 28, EISA 0 NMI 2INSAM I ISA 28,
 +EISA2 08
 [...]
 g_vfs_done():mirror/gm0s1f[READ(offset=356486479872, length=16384)]error
 [...]

That looks like a hardware error. If you don't already have an assumption
I would try to find the broken hardware by testing the hard disks
separately, e.g. by reading the entire disk and watching the log: dd
if=/dev/da0 of=/dev/zero bs=64k and tail -f /var/log/messages.

Regards
Björn




weird messages in daily security run output mails

2007-04-24 Thread Jan L. Nauta
Hi,

SMP FreeBSD 6.2-RELEASE (i386), latest version via freebsd-update, on a
PentiumD based server with two ide drives running under gmirror.

Recently I've been getting the following messages in my daily security run
output mails:

SNIP

+NMI INSAM I IS2A 8, EISA 20

+8,

+22NMIN MISI AI SA 38,3 8,E IESAIS A0

+NMI2 NIMSIA  ISA 28,2 8EI, SEA I0S

+A 0

+NMI ISA N2M8I,  ISEIA SA 0

+28, EISA 0

+NMI 2ISAN MI ISA 38, EIS3A8,  E0I

+S

+A 0

+2N2NMMII I SAIS A 38, E3I8S, AEI S0A NMI ISA 38, EISA 0 kernel trap 

+19 with interrupts disabled NMI ISA 28, EISA 0 NMI 2INSAM I ISA 28, 

+EISA2 08
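Review bot: the scrambled text is two copies of the same message written on top of each other, `NMI ISA 28, EISA 0` and `NMI ISA 38, EISA 0` (both also appear intact further down the excerpt), which is what an SMP kernel prints when both CPUs take the NMI at the same time and log it concurrently; `kernel trap 19` is T_NMI on i386, so the machine is receiving non-maskable interrupts from the hardware rather than hitting a software fault. The `g_vfs_done()` line that sometimes accompanies it reports `error = 5`, which is EIO, a read that the disk underneath gmirror failed. The two together point at hardware (the IDE disk, cable or controller, or memory), which is the direction the reply above takes.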

/SNIP

 

Sometimes with a message like this embedded:

SNIP

g_vfs_done():mirror/gm0s1f[READ(offset=356486479872, length=16384)]error = 5

/SNIP

By now the mail is about 40K. Does anybody have an idea what this means and
what's causing it?





Re: Fw: lothlorien.nagual.nl security run output

2006-08-30 Thread nicky
My guess is that there is nothing to be worried about, however I could 
be wrong. Let me explain..


This morning I received the same kind of message in my security run 
output (yesterday I've updated all my ports):


Checking setuid files and devices:

nlp setuid diffs:
--- /var/log/setuid.today   Fri Aug 25 08:12:19 2006
+++ /tmp/security.Ia2whJjb  Wed Aug 30 08:15:56 2006
@@ -3,8 +3,8 @@
49434 -r-sr-xr-x  1 root  wheel  23648 Aug 22 11:05:26 2006 /sbin/ping
49435 -r-sr-xr-x  1 root  wheel  31924 Aug 22 11:05:26 2006 /sbin/ping6
49448 -r-sr-x---  1 root  operator   10308 Aug 22 11:05:27 2006 /sbin/shutdown
-7795756 -rws--x--x  1 root  wheel  2069783 Aug 24 09:17:07 2006 
/usr/X11R6/bin/Xorg
-7795717 -rws--x--x  1 root  wheel   303748 Aug 24 09:03:51 2006 
/usr/X11R6/bin/xterm
+7795722 -rws--x--x  1 root  wheel  2069783 Aug 29 13:08:10 2006 
/usr/X11R6/bin/Xorg
+7796599 -rws--x--x  1 root  wheel   305764 Aug 29 12:57:30 2006 
/usr/X11R6/bin/xterm
1625095 -r-sr-xr-x  4 root  wheel  22260 Aug 22 11:05:50 2006 /usr/bin/at
1625095 -r-sr-xr-x  4 root  wheel  22260 Aug 22 11:05:50 2006 /usr/bin/atq
1625095 -r-sr-xr-x  4 root  wheel  22260 Aug 22 11:05:50 2006 /usr/bin/atrm
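Review bot: ping, ping6, shutdown, at, atq and atrm carry no `+` or `-` and are unchanged context; the eight-line hunk replaces two lines with two, both Xorg binaries. Xorg keeps its size (2069783) and gets a new inode and an Aug 29 mtime, xterm grows from 303748 to 305764 bytes with a new mtime, and both keep mode `-rws--x--x` and `root wheel`, matching a rebuild of the xorg ports. The at/atq/atrm lines share inode 1625095 and show a link count of 4, so they are one hard-linked binary, which is why they always move together in these listings.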

If I look at my message, I see that lines 3 to 8 have been changed. 
After a manual diff between /var/log/setuid.today/yesterday I only get the xorg 
related lines. Which is correct, since I remember seeing some xorg ports being 
updated.

In your message you state, "Begin forwarded message [some Xorg update warnings 
deleted]:"

Isn't it so that in your message, lines 3 to 12 are just port related binaries? 
(I assume xorg related.) Meaning that ping/ping6, etc. aren't updated at all. 
At least I don't see the +/- signs in front of your ping/ping6 ones. 

My guess. 


Greets.
Nick



dick hoogendijk wrote:

I'm a little worried after reading the security output this morning.
It seems some files [ping, ping6, shutdown, at, atq and atrm] have
setuid diffs. I really don't know why this could have happened.
I updated some ports yesterday, but I don't think any port writes
in /sbin (?)
Could somebody advise me on what can have happened?

Begin forwarded message [some Xorg update warnings deleted]:

Checking setuid files and devices:

lothlorien.nagual.nl setuid diffs:
--- /var/log/setuid.today   Mon Aug 14 03:03:25 2006
+++ /tmp/security.aJbHsCR6  Sun Aug 27 03:03:22 2006
@@ -3,12 +3,12 @@
23637 -r-sr-xr-x  1 root  wheel  21792 May 12 21:47:15
2006 /sbin/ping
23638 -r-sr-xr-x  1 root  wheel  28660 May 12
21:47:15 2006 /sbin/ping6
23651 -r-sr-x---  1 root  operator   10148
May 12 21:47:17 2006 /sbin/shutdown
7042059 -r-sr-xr-x  4 root  wheel  20948
May 12 21:48:10 2006 /usr/bin/at
7042059 -r-sr-xr-x  4 root
wheel 20948 May 12 21:48:10 2006 /usr/bin/atq
7042059 -r-sr-xr-x  4
root wheel 20948 May 12 21:48:10 2006 /usr/bin/atrm
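Review bot: every line shown here lacks a `+` or `-`, so ping, ping6, shutdown, at, atq and atrm are unchanged context; the `@@ -3,12 +3,12 @@` header says twelve lines became twelve, so the actual `-`/`+` pairs are the lines that did not survive the forward (six of the twelve are shown). The columns are also wrapped mid-field in this copy (e.g. `21:47:15 2006 /sbin/ping6` on a line of its own), which makes the listing harder to read than the original mail; comparing /var/log/setuid.today with /var/log/setuid.yesterday on the host is more reliable than reading the forwarded text.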

  


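Roland's and Bill's explanations earlier on this page (100.chksetuid lists the setuid and setgid files, diff -u compares today's list with yesterday's, and a change in size, date, ownership or permissions with no apparent cause is what should worry you), nicky's point that lines without a + or - were not touched, and the "signal 4 is SIGILL" decoding from the httpd thread all amount to the same triage a practitioner does by hand on every daily mail. The script below automates it. It is an added example, not code from the thread or from FreeBSD's periodic scripts. The report text is constructed to mirror the listings quoted above (inode, mode, link count, owner, group, size, full timestamp, path, the ls -liTd layout those listings use); the /usr/local/bin/helper entry and the mode change on /sbin/ping in it are invented to exercise the alarming cases. Python 3 is assumed.

```python
import re
import signal
from collections import namedtuple

# One line of the 100.chksetuid listing as quoted in the thread (ls -liTd
# columns): inode, mode, link count, owner, group, size, full timestamp, path.
Entry = namedtuple("Entry", "inode mode links owner group size mtime path")
ENTRY_RE = re.compile(
    r"^([-+ ])(\d+)\s+(\S{10})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(\S+)$"
)
# "+pid N (name), uid U: exited on signal S" from the kernel log section.
KMSG_RE = re.compile(r"^\+pid (\d+) \((\S+)\), uid (\d+): exited on signal (\d+)")

# Constructed sample report; its shape follows the mails quoted in the thread.
# The /sbin/ping mode change and /usr/local/bin/helper are invented to show
# the cases that should alarm you; the rest mirrors a routine portupgrade.
SAMPLE = """\
Checking setuid files and devices:

mail.example.net setuid diffs:
--- /var/log/setuid.today\tFri May 18 03:02:47 2007
+++ /tmp/security.207RUJmY\tMon May 21 03:02:30 2007
@@ -3,7 +3,7 @@
 70746 -r-sr-xr-x  1 root  wheel  28660 Jul 30 16:19:55 2006 /sbin/ping6
-70745 -r-sr-xr-x  1 root  wheel  21792 Jul 30 16:19:55 2006 /sbin/ping
-165583 -rws--x--x  1 root  wheel  268432 Apr 14 14:05:10 2007 /usr/X11R6/bin/xterm
+70745 -rwsr-xr-x  1 root  wheel  21792 Jul 30 16:19:55 2006 /sbin/ping
 377219 -r-sr-xr-x  6 root  wheel  17532 Jul 30 16:19:56 2006 /usr/bin/chfn
-72750 -rwsr-xr-x  1 root  wheel  285580 Nov  2 01:21:29 2006 /usr/local/bin/screen
-71923 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+71112 -rwsr-xr-x  1 root  wheel  285580 May 20 18:23:48 2007 /usr/local/bin/screen
+73170 -rwxr-sr-x  1 root  maildrop  142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+90001 -rwsr-xr-x  1 root  wheel  12345 May 20 20:00:00 2007 /usr/local/bin/helper
 923168 -rwxr-sr-x  1 root  smmsp  5236 Jul 30 16:20:07 2006 /usr/sbin/mailwrapper

kernel log messages:
+++ /tmp/security.ioLB2PiJ\tWed May 23 03:01:42 2007
+pid 30865 (httpd), uid 80: exited on signal 4
+pid 30866 (httpd), uid 80: exited on signal 11
"""


def classify_setuid_diff(report):
    """Pair the '-' and '+' listing lines by path and say what changed.
    Lines with a leading space are the context diff -u prints for
    orientation; they did not change and are skipped, as are the
    ---/+++/@@ headers and everything outside the listing."""
    removed, added = {}, {}
    for line in report.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group(1) == " ":
            continue
        entry = Entry(*m.groups()[1:])
        (removed if m.group(1) == "-" else added)[entry.path] = entry

    verdicts = {}
    for path in sorted(set(removed) | set(added)):
        old, new = removed.get(path), added.get(path)
        if old is None:
            verdicts[path] = ("NEW", "%s %s:%s" % (new.mode, new.owner, new.group))
        elif new is None:
            verdicts[path] = ("GONE", "deinstalled or setuid/setgid bit dropped")
        elif (old.mode, old.owner, old.group) != (new.mode, new.owner, new.group):
            verdicts[path] = ("PRIVILEGE CHANGE", "%s %s:%s -> %s %s:%s" % (
                old.mode, old.owner, old.group, new.mode, new.owner, new.group))
        elif old.size != new.size:
            verdicts[path] = ("CONTENT CHANGE", "size %s -> %s" % (old.size, new.size))
        elif old.mtime != new.mtime:
            verdicts[path] = ("REBUILT", "same size, mtime %s -> %s" % (old.mtime, new.mtime))
        else:
            verdicts[path] = ("REINSTALLED", "only inode %s -> %s" % (old.inode, new.inode))
    return verdicts


def decode_kernel_messages(report):
    """Turn 'exited on signal N' lines into (pid, name, uid, signal name)."""
    crashes = []
    for line in report.splitlines():
        m = KMSG_RE.match(line)
        if m:
            pid, name, uid, signo = m.groups()
            try:
                signame = signal.Signals(int(signo)).name   # 4 -> SIGILL
            except ValueError:
                signame = "signal %s" % signo
            crashes.append((int(pid), name, int(uid), signame))
    return crashes


if __name__ == "__main__":
    for path, (verdict, detail) in classify_setuid_diff(SAMPLE).items():
        print("%-16s %-26s %s" % (verdict, path, detail))
    for pid, name, uid, signame in decode_kernel_messages(SAMPLE):
        print("crash: pid %d (%s) running as uid %d died with %s" % (pid, name, uid, signame))
```

Run it as a script for a report on the embedded sample, or pass the text of a real daily mail to classify_setuid_diff() and decode_kernel_messages(). REBUILT and REINSTALLED right after a portupgrade are the expected, harmless outcomes the thread describes; NEW, GONE and PRIVILEGE CHANGE with no upgrade to explain them are the cases Roland's warning about intruders and rootkits refers to, and a crash list that grows every day is a bug to chase rather than log rotation.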


Re: Fw: lothlorien.nagual.nl security run output

2006-08-30 Thread dick hoogendijk
On 30 Aug nicky wrote:
 In your message you state, Begin forwarded message [some Xorg update
 warnings deleted]:
 
 Isn't it so that in your message, lines 3 to 12 are just port related 
 binaries? (i assume xorg related). Meaning that ping/ping6, etc aren't 
 updated at all. At least i don't see the +/- signs infront of your 
 ping/ping6 ones. 

You are absolutely right. I'm blushing, I really am. Jee, I totally missed
the + / - signs. I overlooked and worried about the 'wrong' files.
It was Xorg that was updated. Just like you have done and seen ;-)
Thanks for the response.

One question remains (to me): what program would be best to have as a
system integrity checker? Samhain, Osiris or what?

-- 
dick -- http://nagual.nl/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.1 +++ The Power to Serve


Re: Fw: lothlorien.nagual.nl security run output

2006-08-29 Thread dick hoogendijk
On 28 Aug David Robillard wrote:

 Did you reinstall the entire OS _before_ you installed Osiris?  Did you
 find out why your SUID files had changed in the first place?

No. I did a diff with the same files on other freebsd-6.1 machines which
I'm absolutely certain are not compromised. The files were exactly the
same. I use the same port collections and always portupgrade the machines
at the same time. So I'm quite sure it must have been some software
packages that changed the suid bit. It's too much work to find out exactly
which ones, given the fact it's not that important after all.

 If not, then your base Osiris database might contain already
 compromised software. Which makes Osiris useless...

I know..

 Use the default configuration for this OS (yes/no) yes
   configuration (default.freebsd) has been pushed
 
 Nothing happens.. (as it seems..)

 I had the same problem with FreeBSD 5.3 and then moved to 6.1 which
 cleared this problem. I suspect it has to do with network timeouts that
 have been changed via sysctl.conf(5). Have you done any modifications to
 your sysctl.conf file?

I run 6.1 so it's weird that nothing happens..
I did not change a thing in sysctl.conf except for some hw.snd settings.
They can't be blamed I suppose ;-)

Maybe you have some clues.

-- 
dick -- http://nagual.nl/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.1 +++ The Power to Serve


Re: Fw: lothlorien.nagual.nl security run output

2006-08-28 Thread David Robillard

I'm a little worried after reading the security output this morning.
It seems some files [ping, ping6, shutdown, at, atq and atrm] have
setuid diffs. I really don't know why this could have happened.
I updated some ports yesterday, but I don't think any port writes
in /sbin (?)

Could somebody advise me on what can have happened?


What ports have you updated? You can check if any of them has
installed new files in /sbin by running `pkg_info -L
your_updated_port-version`. See the -L option of pkg_info(1) in the
man page 
http://www.freebsd.org/cgi/man.cgi?query=pkg_info&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

You can also consider installing a Host Based Integrity Monitoring
software. I use Osiris which is quite simple to setup and administer.
It's already in the ports as security/osiris which you can get there:
http://www.freebsd.org/cgi/url.cgi?ports/security/osiris/pkg-descr.

Of course, don't install osiris on a machine which you're not sure if
it has been tampered with, it would defeat the purpose... You can also
take a look at other integrity checking software such as Samhain,
Tripwire or aide.

Regards,

David
--
David Robillard
UNIX systems administrator  Oracle DBA
CISSP, RHCE  Sun Certified Security Administrator
Montreal: +1 514 966 0122


Fw: lothlorien.nagual.nl security run output

2006-08-27 Thread dick hoogendijk
I'm a little worried after reading the security output this morning.
It seems some files [ping, ping6, shutdown, at, atq and atrm] have
setuid diffs. I really don't know why this could have happened.
I updated some ports yesterday, but I don't think any port writes
in /sbin (?)
Could somebody advise me on what can have happened?

Begin forwarded message [some Xorg update warnings deleted]:

Checking setuid files and devices:
Checking setuid files and devices:

lothlorien.nagual.nl setuid diffs:
--- /var/log/setuid.today   Mon Aug 14 03:03:25 2006
+++ /tmp/security.aJbHsCR6  Sun Aug 27 03:03:22 2006
@@ -3,12 +3,12 @@
23637 -r-sr-xr-x  1 root  wheel  21792 May 12 21:47:15
2006 /sbin/ping
23638 -r-sr-xr-x  1 root  wheel  28660 May 12
21:47:15 2006 /sbin/ping6
23651 -r-sr-x---  1 root  operator   10148
May 12 21:47:17 2006 /sbin/shutdown
7042059 -r-sr-xr-x  4 root  wheel  20948
May 12 21:48:10 2006 /usr/bin/at
7042059 -r-sr-xr-x  4 root
wheel 20948 May 12 21:48:10 2006 /usr/bin/atq
7042059 -r-sr-xr-x  4
root wheel 20948 May 12 21:48:10 2006 /usr/bin/atrm

-- 
dick -- http://nagual.nl/ -- PGP/GnuPG key: F86289CE
++ Running FreeBSD 6.1 +++ The Power to Serve


Re: Fw: lothlorien.nagual.nl security run output

2006-08-27 Thread Bill Moran

dick hoogendijk wrote:

I'm a little worried after reading the security output this morning.
It seems some files [ping, ping6, shutdown, at, atq and atrm] have
setuid diffs. I really don't know why this could have happened.
I updated some ports yesterday, but I don't think any port writes
in /sbin (?)
Could somebody advise me on what can have happened?
  


If you didn't do an installworld or any other upgrade, then something is 
wrong.


They could be trojaned as part of a break-in, or you could be
experiencing disk corruption.



Re: Security Run Output E-mail

2006-07-21 Thread jan gestre

On 7/20/06, PATRICK CARTER [EMAIL PROTECTED] wrote:


I'm relatively new to FreeBSD (~6 months of usage) and I have been
administering my own system for approximately the last 2 months.  Recently
my system has received many ssh login attempts on standard user accounts as
someone has been attempting to break into my system.  I usually read the
Security Run Output e-mails to see if the attacker(s) had made any headway,
and took necessary precautions (limiting ssh logins etc).  However, last
week (after it seemed that the attacks had let up somewhat) I stopped
receiving the e-mails (as well as the daily run output e-mails).  I still
read the auth.log file to see login information and it did not appear as
though anyone had successfully managed to break into the system.  Today the
both sets of e-mails started again and I received the e-mails for today and
yesterday (I am still missing 5 days worth and one weekly run output).  I
was wondering if anyone might know how to ensure that I continue to receive
these e-mails without interruption.

If it matters (and I suspect it does) I have all my root e-mails aliased
to a locked, nologin dummy account that forwards e-mail to my account, my
boss' account, and retains a copy in the dummy account (.forward was not
working to forward root's mail).  Root's mail client is set to read the
dummy account inbox as well as anything that somehow winds up in the regular
root mailbox.  This setup worked fine until the e-mails stopped last week
(none of the listed accounts received the e-mail).

Any advice would be greatly appreciated.

those script kiddies do let up sometimes you know :D , using brute force I
guess, as long as your user's passwords aren't dictionary words then you
have nothing to worry about. and also set the AllowUsers directive allowing only
admins.

HTH


Security Run Output E-mail

2006-07-20 Thread PATRICK CARTER
I'm relatively new to FreeBSD (~6 months of usage) and I have been administering 
my own system for approximately the last 2 months.  Recently my system has 
received many ssh login attempts on standard user accounts as someone has been 
attempting to break into my system.  I usually read the Security Run Output 
e-mails to see if the attacker(s) had made any headway, and took necessary 
precautions (limiting ssh logins etc).  However, last week (after it seemed 
that the attacks had let up somewhat) I stopped receiving the e-mails (as well 
as the daily run output e-mails).  I still read the auth.log file to see login 
information and it did not appear as though anyone had successfully managed to 
break into the system.  Today the both sets of e-mails started again and I 
received the e-mails for today and yesterday (I am still missing 5 days worth 
and one weekly run output).  I was wondering if anyone might know how to ensure 
that I continue to receive these e-mails without interruption.

If it matters (and I suspect it does) I have all my root e-mails aliased to a 
locked, nologin dummy account that forwards e-mail to my account, my boss' 
account, and retains a copy in the dummy account (.forward was not working to 
forward root's mail).  Root's mail client is set to read the dummy account 
inbox as well as anything that somehow winds up in the regular root mailbox.  
This setup worked fine until the e-mails stopped last week (none of the listed 
accounts received the e-mail).

Any advice would be greatly appreciated.

--Patrick


RE: Security Run Output

2006-04-26 Thread fbsd
The daily security email to root always lists a count of blocked
packets if you have one of the three firewalls activated.

So what you are seeing is informational and nothing to be concerned
about unless you did not activate the ipfilter firewall.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Bryan Curl
Sent: Tuesday, April 25, 2006 6:18 PM
To: freebsd-questions
Subject: Security Run Output


I get this or similar message in my Security Run Output every day.

Is it something to be concerned with?

lnut.bc.net ipf denied packets:
+++ /tmp/security.FsPOiq0v  Fri Apr 21 03:03:51 2006
+1 @4 block out log first quick on dc0 all
+47571 @14 block in log first quick on dc0 all


--
--
Bryan
bc3910 'at' gmail 'dot' com


Security Run Output

2006-04-25 Thread Bryan Curl
I get this or similar message in my Security Run Output every day.

Is it something to be concerned with?

lnut.bc.net ipf denied packets:
+++ /tmp/security.FsPOiq0v  Fri Apr 21 03:03:51 2006
+1 @4 block out log first quick on dc0 all
+47571 @14 block in log first quick on dc0 all


--
--
Bryan
bc3910 'at' gmail 'dot' com


Trouble reading the nightly security run output report

2005-02-02 Thread Tim Hogan
OK, so every night the default install of FreeBSD generates a security
run output report for IPF denied packets.  Here is a sample report:

 221143 @2 block out log quick on dc0 from any to any head 15
 92733 @2 block in log quick on dc0 from any to any head 10
 20 @8 block in log quick on dc0 from 10.0.0.0/8 to any group 10

That's it.  I am looking at this and trying to figure out if it is useful
and just what are those numbers for?  I have IPF creating a log entry for
all of the dropped packets, but when I look at the logs I can't match
those numbers at all.  In fact, if I do a 'wc -l' on the log file I get a
count of 10,780 lines.  If I take into account the log entries that have a
consecutive count logged I come up with 11,422.  Not even close to the
numbers listed above.

So just what does this report mean and is there a better tool to run that
would give me a nightly report of total drops and perhaps the top ten
offenders and why?

Thanks
Tim




Re: daily security run output messages

2004-12-06 Thread Kjell Midtseter
On Sunday,  5 December 2004 at 11:33:23 -0500, Lowell Gilbert wrote:
 Kjell Midtseter [EMAIL PROTECTED] writes:
 
  List members!
  
  My daily security run output contains lots of kernel log messages like the 
  following:
   Connection attempt to UDP 10.0.0.10:1099 from 217.13.4.21:53
   Connection attempt to UDP 10.0.0.10:3204 from 193.75.75.193:53
  --
  What are the significance of these messages?
  
  My ipf firewall contains:
  # domain name servers (dns)
  pass in quick on rl0 proto udp from 217.13.4.21/32 to any port = 53 keep 
  state
  --
  Should I make any changes to my firewall settings?
 
 Looks like a NAT problem; is your 10.0.0.10 address supposed to be
 visible to the ISP's DNS server?

The ISP's DNS server should not be able to see my 10.0.0.10 address.
I am talking to my ISP through a Cisco 677i modem. The modem IP is 10.0.0.1
NATing can not be turned off (?) in the modem.
My R4.10 firewall talks to the modem using IP 10.0.0.10 and the firewall is 
doing NAT also.
My internal network is in the 192.168.1.nn range.

Regards from Kjell
 
 -- 
 Lowell Gilbert, embedded/networking software engineer, Boston area
   http://be-well.ilk.org/~lowell/


Re: daily security run output messages

2004-12-05 Thread Lowell Gilbert
Kjell Midtseter [EMAIL PROTECTED] writes:

 List members!
 
 My daily security run output contains lots of kernel log messages like the 
 following:
  Connection attempt to UDP 10.0.0.10:1099 from 217.13.4.21:53
  Connection attempt to UDP 10.0.0.10:3204 from 193.75.75.193:53
 --
 What are the significance of these messages?
 
 My ipf firewall contains:
 # domain name servers (dns)
 pass in quick on rl0 proto udp from 217.13.4.21/32 to any port = 53 keep state
 --
 Should I make any changes to my firewall settings?

Looks like a NAT problem; is your 10.0.0.10 address supposed to be
visible to the ISP's DNS server?

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/


daily security run output messages

2004-12-02 Thread Kjell Midtseter
List members!

My daily security run output contains lots of kernel log messages like the 
following:
 Connection attempt to UDP 10.0.0.10:1099 from 217.13.4.21:53
 Connection attempt to UDP 10.0.0.10:3204 from 193.75.75.193:53
--
What are the significance of these messages?

My ipf firewall contains:
# domain name servers (dns)
pass in quick on rl0 proto udp from 217.13.4.21/32 to any port = 53 keep state
--
Should I make any changes to my firewall settings?

Regards from Kjell



GEOM: create disk during runtime? (security run output)

2004-11-19 Thread Duane Winner
Hello,
I'm hoping somebody on this list can shed some light on this.
My boss sent me a copy of his daily cron security run output, which 
contained this:

   localhost.local kernel log messages:
 GEOM: create disk ad0 dp=0xc6b77d60
 GEOM: create disk cd0 dp=0xc69a8600
We're all running FreeBSD 5.2.1-p12. I've seen the GEOM: create disk 
messages plenty of times on boot and in my dmesg's, but never really 
paid much attention to them, since I don't really understand how GEOM 
works or how to interpret these kinds of messages.

But I don't recall ever seeing it in a security run cronjob.
My first question is why is this happening during a security run 
cronjob? If this system is already booted and running, why is GEOM 
creating disks?

My second question is is this something bad? Is it a red flag?
The only reasonable (and non-threatening) answer I could come up with is 
maybe it's because the machine went into or came out of suspend mode 
near the time the cronjob ran. (APM)

The bottom line is I don't really know anything about GEOM, and would 
like to know what this means so preventative action can be taken if 
necessary.

Thanks for any info,
Duane


security run output question (GEOM: create disk)

2004-11-18 Thread Duane Winner
Hello,
Does anybody know what this means when I see this in a daily security 
run output?:

locahost.local kernel log messages:
GEOM: create disk ad0 dp=0xc6b77d60
GEOM: create disk cd0 dp=0xc69a8600
I don't recall ever seeing this in my daily outputs, but my boss sent me 
an email with this and he wants to know what it means.

If I do a 'dmesg' on my computer, I also get:
GEOM: create disk ad0 dp=0xc6b63160
GEOM: create disk cd0 dp=0xc6983e00
What does this mean, and what does it mean when it shows up in the 
security run output?

Thanks for any info.
-Duane


Strange kernel log message from security run output

2004-09-01 Thread Charles M. Gerungan
[fqdn] kernel log messages:

  
What is FreeBSD 4.10-STABLE trying to tell me? I've added IPF to my kernel.

-- 
Regards, Charles.


Re: Strange kernel log message from security run output

2004-09-01 Thread Joe O
This junk is normally seen in dmesg if you used the interactive kernel
configurator at the last boot.

On Wed, 1 Sep 2004, Charles M. Gerungan wrote:

 [fqdn] kernel log messages:


 What is FreeBSD 4.10-STABLE trying to tell me? I've added IPF to my kernel.

 --
 Regards, Charles.


security run output

2004-08-14 Thread Chris



First time I've ever seen this:


server.tcslea.org kernel log messages:
 ffFPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE

(one long line - sorry for the wrapping)

It appears to be CPU related, but in what context? Is it something I need to 
investigate, and if so, how?

Thanks,
Chris
_
Email harvesters eat this: [EMAIL PROTECTED]




Re: security run output

2004-08-14 Thread Matthew Seaman
On Sat, Aug 14, 2004 at 07:57:58AM -0500, Chris wrote:
 
 
 
 First time I've ever seen this:
 
 
 server.tcslea.org kernel log messages:
  ffFPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE
 
 (one long line - sorry for the wrapping)
 
 It appears to be CPU related, but in what context? Is it something I need to 
 investigate, and if so, how?

No -- that's entirely harmless. If you look at /var/run/dmesg.boot,
you see that it's just part of the normal kernel output during boot.
Specifically it's a list of the capabilities of your CPU.

What's happened is that the message buffer has somehow got truncated
at the beginning, and you're seeing just the end of that particular
line.  For some reason, the daily security script thinks it's
significant kernel output, but it isn't really.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK




Re[2]: security run output

2004-08-14 Thread Chris

 ... MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE

No -- that's entirely harmless. If you look at /var/run/dmesg.boot,
you see that it's just part of the normal kernel output during boot.
Specifically it's a list of the capabilities of your CPU.

What's happened is that the message buffer has somehow got truncated
at the beginning, and you're seeing just the end of that particular
line.  For some reason, the daily security script thinks it's
significant kernel output, but it isn't really.


Odd, because I haven't booted in awhile. This just showed up out of the blue this one 
time, and has never shown up before.

Thanks for the info, though.
Chris
_
Email harvesters eat this: [EMAIL PROTECTED]




security run output

2004-07-27 Thread Chris




When I get my nightly email from the security run output it normally has about the 
last 20 lines or less from the /var/log/messages. Is there a way to increase that to 
about the last 50 lines?

Thanks,
Chris

_
Email harvesters eat this: [EMAIL PROTECTED]



Re: security run output

2004-07-27 Thread Kevin D. Kinsey, DaleCo, S.P.
Chris wrote:
When I get my nightly email from the security run output it normally has about the 
last 20 lines or less from the /var/log/messages. Is there a way to increase that to about the 
last 50 lines?
Thanks,
Chris
 

Hmm, I don't think that it's necessarily true that /etc/periodic
is sending you the last 20 or so lines ... it's only sending kernel
notifications, which in the case of most setups of syslog.conf, are
*also* logged to /var/log/messages, hence some confusion here.
So, one good question in return would be, are you sure that
you're not seeing all you want in your periodic output?  You
can take a look at the manpages and source for periodic(8)
and friends to learn a little more...
I'm in no way an expert --- it could be possible that an expert
could modify the periodic.sh script to do what you want; but
in your case, I'd think that you could create a small script to
do what you want and run it nightly from your personal crontab.
Something like what's below.
HTH,
Kevin Kinsey
---
#!/bin/sh
# mailmessages.sh --- mail yesterday's /var/log/messages output to root...
# syslog writes the day of month space-padded ("Jul  7"), so use %e, not %d
yday=`date -v -1d +"%b %e"`
grep "^$yday" /var/log/messages | mail -s "Contents of /var/log/messages" root


Re[2]: security run output

2004-07-27 Thread Chris

Hmm, I found:

/etc/periodic/security/700.kernelmsg

which seems to be what generates the information I was talking about in the email. So 
I guess you were correct that it's not from /var/log/messages after all.

Having said that, I don't have any idea if there is something in that small script 
that I could change to increase the number of lines it puts into the email. It's a 
bourne shell script, it appears:

# pull in the defaults, then whatever /etc/periodic.conf overrides
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

# provides check_diff, which compares against /var/log/<label>.today
. /etc/periodic/security/security.functions

rc=0

case "$daily_status_security_kernelmsg_enable" in
    [Yy][Ee][Ss])
	# only lines not present in yesterday's snapshot are reported
	dmesg 2>/dev/null |
	check_diff new_only dmesg - "${host} kernel log messages:"
	rc=$?;;
    *)  rc=0;;
esac

exit $rc


And thanks for that script - I'll give it a try.

Chris
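
Kevin's point in the previous reply (periodic mails only the kernel lines that were not in yesterday's snapshot) and Matthew Seaman's earlier explanation of the orphaned "ffFPU,..." line both come down to the comparison that check_diff performs; the setuid diffs in the lothlorien.nagual.nl thread come from the same helper. As an added example, not code from this thread or from FreeBSD's security.functions, here is a simplified re-implementation run against a constructed dmesg excerpt; the function name report_new_lines and the sample log lines are assumptions of mine.

```shell
#!/bin/sh
# Added example; not code from this thread or from FreeBSD's
# /etc/periodic/security/security.functions. report_new_lines is a
# simplified stand-in for the check_diff "new_only" comparison that
# 700.kernelmsg (and the setuid check) feed their output through, so the
# "only lines that were not there yesterday" behaviour can be reproduced
# offline with a constructed dmesg snapshot.

# report_new_lines LABEL STATEDIR   (current output is read from stdin)
# Prints lines present now but absent from STATEDIR/LABEL.today, rotates
# that snapshot to LABEL.yesterday, and returns 1 when anything new was
# found (periodic turns a non-zero rc into a section of the mail).
report_new_lines() {
    label=$1
    statedir=$2
    cur="$statedir/$label.current"
    today="$statedir/$label.today"
    cat > "$cur"
    rc=0
    if [ -f "$today" ]; then
        if ! cmp -s "$today" "$cur"; then
            # Classic diff prefixes lines found only in the second file
            # with "> "; keeping just those is the "new_only" view.
            diff "$today" "$cur" | sed -n 's/^> //p'
            rc=1
        fi
        mv "$today" "$statedir/$label.yesterday"
    fi
    mv "$cur" "$today"
    return $rc
}

# Constructed dmesg excerpt (not a real machine's boot log).
BOOT_LOG='Copyright (c) 1992-2004 The FreeBSD Project.
CPU: Intel(R) Pentium(R) 4 CPU 2.40GHz (2400.10-MHz 686-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
real memory  = 536805376 (511 MB)'

# The same buffer after the kernel message ring has wrapped: the oldest
# lines are gone and the Features line survives only as a tail fragment,
# which the comparison has never seen before and therefore reports.
WRAPPED_LOG='bfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
real memory  = 536805376 (511 MB)'

demo() {
    dir=$(mktemp -d)
    echo "day 1 (no snapshot yet, nothing reported):"
    printf '%s\n' "$BOOT_LOG" | report_new_lines dmesg "$dir" || true
    echo "day 2 (unchanged buffer, nothing reported):"
    printf '%s\n' "$BOOT_LOG" | report_new_lines dmesg "$dir" || true
    echo "day 3 (wrapped buffer, only the orphaned fragment is new):"
    printf '%s\n' "$WRAPPED_LOG" | report_new_lines dmesg "$dir" || true
    rm -rf "$dir"
}

demo
```

So the number of lines in the mail is not a setting to raise: the section is empty whenever dmesg has not changed since the previous run, and it grows only by what is genuinely new.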






FW: What is this? (security run output)

2003-08-23 Thread Troy Settle

All, I'm really curious as to what this is, what causes it, and how to
fix it.

Thanks,

--
  Troy Settle
  Pulaski Networks
  http://www.psknet.com
  540.994.4254 ~ 866.477.5638
  Pulaski Chamber 2002 Small Business Of The Year
 

 -Original Message-
 From: Charlie Root [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, August 23, 2003 3:01 AM
 To: [EMAIL PROTECTED]
 Subject: kennedy.psknet.com security run output
 
 
 
 Checking setuid files and devices:
 
 Checking for uids of 0:
 root 0
 toor 0
 
 Checking for passwordless accounts:
 
 kennedy.psknet.com kernel log messages:
  
 M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
 ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
 M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
 ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
 M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
 ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
 M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
 ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
 M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
 ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
 M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-
 ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
 M-^PM-^PM-^PM-^PM-^P
 
 kennedy.psknet.com login failures:
 
 kennedy.psknet.com refused connections:
 
 -- End of security output --
 



Re: pooh.ASARian.org security run output (lots of wrong arpmessages)

2003-07-09 Thread John Murphy
Fuzzy [EMAIL PROTECTED] wrote:

Is there any way to convince the kernel not to log these
incorrect arp messages?

currently we have...
net.link.ether.inet.log_arp_wrong_iface: 1

Is there a different sysctl or variable for rc.conf
to stop it from logging incorrect information?

Indeed there is but only in 5.0 or greater I believe.  It's called:

net.link.ether.inet.log_arp_movements

-- 
HTH
John.


Re: pooh.ASARian.org security run output (lots of wrong arpmessages)

2003-07-09 Thread Lowell Gilbert
John Murphy [EMAIL PROTECTED] writes:

 Fuzzy [EMAIL PROTECTED] wrote:
 
 Is there any way to convince the kernel not to log these
 incorrect arp messages?
 
 currently we have...
 net.link.ether.inet.log_arp_wrong_iface: 1
 
 Is there a different sysctl or variable for rc.conf
 to stop it from logging incorrect information?
 
 Indeed there is but only in 5.0 or greater I believe.  It's called:
 
 net.link.ether.inet.log_arp_movements

Actually, both of those are available in -STABLE.
However, it's usually better to fix the source of the address changes,
if it's under your control.


RE: daily /security run output via periodic - stopped

2003-07-04 Thread Dave [Hawk-Systems]
we have 4 servers running, each sends daily and security run output email each
day around 3am.  Recently one of them stopped sending these messages.  In
looking at the periodic.conf and associated directories, I don't see any
problems or changes that I am aware of.  There are no entries in cron for it,
but then again there aren't any entries in the functional servers either.

Is it possible we have disabled something by accident which could stop this one
server from sending these messages?

double checked everything just after sending...

periodic.conf was missing. (doh!)

Dave




Re: daily /security run output via periodic - stopped

2003-07-04 Thread Matthew Seaman
On Fri, Jul 04, 2003 at 08:48:24AM -0400, Dave [Hawk-Systems] wrote:
 we have 4 servers running, each sends daily and security run output email each
 day around 3am.  Recently one of them stopped sending these messages.  In
 looking at the periodic.conf and associated directories, I don't see any
 problems or changes that I am aware of.  There are no entries in cron for it,
 but then again there aren't any entries in the functional servers either.
 
 Is it possible we have disabled something by accident which could stop this one
 server from sending these messages?
 
 double checked everything just after sending...
 
 periodic.conf was missing. (doh!)

... but that's OK, as the periodic system will just run using the
default settings from /etc/defaults/periodic.conf -- note the
instructions in that file: /etc/periodic.conf should contain only
those entries you want to be different to the default values.

As for how the periodic scripts get run each night: they are run as
cron jobs, but out of the system crontab in /etc/crontab.  That's a
slightly different animal which lives in a parallel universe to the
normal per-user crontabs, which are stored in /var/cron/tabs and
generally accessed via crontab(1).

As for the missing mail, did you check the client mailqueue?

# mailq -Ac

or look at the contents of /var/spool/clientmqueue.  If the messages
are held up there, you should investigate what happened to the
sendmail msp queue-runner process which the system will run by default
so long as 'sendmail_enable=YES' or 'sendmail_enable=NO' is in
/etc/rc.conf.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK


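The two mechanisms Matthew describes, the layering of /etc/defaults/periodic.conf under a local /etc/periodic.conf that holds only the overrides, and the periodic jobs being driven from the system crontab, can be checked with a short script. This is an added example, not code from the thread or from FreeBSD; the file names, the sample periodic.conf values and the sample crontab lines are constructed.

```shell
# Added example (not from the thread): resolve a periodic(8) variable the
# way periodic.conf is layered (defaults first, then the local file that
# should contain only the overrides), and list the periodic jobs scheduled
# in a system crontab.  All file names and sample contents are constructed.

# periodic_value VAR DEFAULTS_FILE [LOCAL_FILE]
# Prints the effective value of VAR after sourcing the defaults and then the
# local overrides.  Runs in a subshell so the caller's environment is untouched.
periodic_value() (
    var=$1; defaults=$2; local_conf=$3
    . "$defaults"
    if [ -n "$local_conf" ] && [ -r "$local_conf" ]; then
        . "$local_conf"
    fi
    eval "printf '%s\n' \"\$$var\""
)

# periodic_schedule < crontab
# Prints "<job> HH:MM" for every line that runs `periodic <job>`.  System
# crontab fields are: minute hour mday month wday who command args.
periodic_schedule() {
    awk '$1 !~ /^#/ && $7 == "periodic" { printf "%s %02d:%02d\n", $8, $2, $1 }'
}

# --- constructed sample inputs, modelled on a stock FreeBSD layout ---
tmp=$(mktemp -d)
cat > "$tmp/defaults.conf" <<'EOF'
daily_output="root"
security_output="root"
daily_status_security_enable="YES"
EOF
cat > "$tmp/periodic.conf" <<'EOF'
# only the values that differ from the defaults belong here
daily_output="admin@example.net"
EOF
SAMPLE_CRONTAB='# /etc/crontab (constructed sample)
SHELL=/bin/sh
#minute hour    mday    month   wday    who     command
1       3       *       *       *       root    periodic daily
15      4       *       *       6       root    periodic weekly
30      5       1       *       *       root    periodic monthly'

# The local file overrides daily_output; security_output keeps its default.
printf 'daily_output resolves to: %s\n' \
    "$(periodic_value daily_output "$tmp/defaults.conf" "$tmp/periodic.conf")"
printf '%s\n' "$SAMPLE_CRONTAB" | periodic_schedule
```

On a real machine the same functions can be pointed at /etc/defaults/periodic.conf, /etc/periodic.conf and /etc/crontab to see where a report is mailed and when each run fires.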


RE: daily /security run output via periodic - stopped

2003-07-04 Thread Dave [Hawk-Systems]
> On Fri, Jul 04, 2003 at 08:48:24AM -0400, Dave [Hawk-Systems] wrote:
>> we have 4 servers running, each sends daily and security run output email each
>> day around 3am.  Recently one of them stopped sending these messages.  In
>> looking at the periodic.conf and associated directories, I don't see any
>> problems or changes that I am aware of.  There are no entries in cron for it,
>> but then again there aren't any entries in the functional servers either.
>>
>> Is it possible we have disabled something by accident which could stop this one
>> server from sending these messages?
>>
>> double checked everything just after sending...
>>
>> periodic.conf was missing. (doh!)
>
> ... but that's OK, as the periodic system will just run using the
> default settings from /etc/defaults/periodic.conf -- note the
> instructions in that file: /etc/periodic.conf should contain only
> those entries you want to be different to the default values.

and the different values were where each of the reports should be emailed to.

> As for how the periodic scripts get run each night: they are run as
> cron jobs, but out of the system crontab in /etc/crontab.  That's a
> slightly different animal which lives in a parallel universe to the
> normal per-user crontabs, which are stored in /var/cron/tabs and
> generally accessed via crontab(1).

that I didn't know, but do now.  Thanks

> As for the missing mail, did you check the client mailqueue?

probably dumped into whatever the default is...  root?

Thanks

Dave



Security Run Output E-Mails

2003-06-08 Thread Jasvinder S. Bahra
Hey folks,

I'm wondering if you can help me. I have a basic knowledge of UNIX and FreeBSD, and
together with the advice of some friends, resources on the internet and an absolutely
ridiculous amount of toil and sweat, I've managed to put together a somewhat secure
firewall/gateway machine.

Now, at regular intervals, e-mails are sent to me by the machine...

HOST.DOMAIN.TLD security run output
HOST.DOMAIN.TLD daily run output
HOST.DOMAIN.TLD weekly run output
HOST.DOMAIN.TLD monthly run output

Now, I receive these e-mails regularly at differing times each day (as appropriate).
For example, the security and the daily ones are sent a couple of minutes after
03:00am in the morning. The weekly one is sent a couple of minutes after 04:00am. The
monthly one... 05:00am.

What I want to know is *where* are these script execution times defined? If I want to
change the monthly run output script to run at 05:30am (for example), where would I go?

Thanks for your time.

Jazz




Sending 'security run output' to another email address

2003-03-08 Thread WillyB
Hi folks..

I've got FreeBSD 4.7 running as my router to the net from local systems.

I am wanting the output from 'security run output' to be sent to my ISP email
address.

The problem is that it's sending the mail to me but bouncing because it's
sending from FBSD.npgcable.com which fails the DNS lookup the ISP uses.

I tried masquerading as just npgcable.com and that sorta works.. I now get the
bounced emails to this address.. I aliased root to admin account and admin
account to my address here.

Is there a way to tell it to NOT use From: [EMAIL PROTECTED] ?  To just
use From: [EMAIL PROTECTED]

Or maybe another way altogether to get it to mail me here on my local net
from the router without going through the ISP?

I am using the advice from the handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mail.html
which is only halfway working.

Thanks for any further advice :)

WillyB


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message