Fw: lothlorien.nagual.nl security run output

David Robillard david.robillard at gmail.com
Mon Aug 28 15:11:43 UTC 2006


> I'm a little worried after reading the security output this morning.
> It seems some files [ping, ping6, shutdown, at, atq and atrm] have
> setuid diffs. I really don't know why this could have happened.
> I updated some ports yesterday, but I don't think any port writes
> in /sbin (?)
>
> Could somebody advise me on what can have happened?

What ports have you updated? You can check if any of them has
installed new files in /sbin by running `pkg_info -L
your_updated_port-version`. See the -L option of pkg_info(1) in the
man page http://www.freebsd.org/cgi/man.cgi?query=pkg_info&apropos=0&sektion=0&manpath=FreeBSD+6.1-RELEASE&format=html

You can also consider installing a Host Based Integrity Monitoring
software. I use Osiris which is quite simple to set up and administer.
It's already in the ports as security/osiris which you can get there:
http://www.freebsd.org/cgi/url.cgi?ports/security/osiris/pkg-descr.

Of course, don't install osiris on a machine which you're not sure if
it has been tampered with, it would defeat the purpose... You can also
take a look at other integrity checking software such as Samhain,
Tripwire or aide.

Regards,

David
-- 
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122
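
Added example, not part of the original message: one way to apply the `pkg_info -L` check above to several flagged files at once, by cross-referencing them against the saved file listings of the updated ports. The function names, file names, the port `example-port-1.0` and all sample data are constructed for illustration; the flagged list is assumed to hold one path per line.

```shell
#!/bin/sh
# Added example (not from the original message). Sample data is constructed.
# Real use: pkg_info -L your_updated_port-version > pkg_listing.txt

# Keep only the absolute paths from `pkg_info -L` output on stdin,
# dropping the "Information for ...:" and "Files:" header lines.
pkg_paths() {
    grep '^/' | sort -u
}

# classify_changes FLAGGED PKG_LISTING
#   FLAGGED:     one flagged path per line (copied from the security run)
#   PKG_LISTING: saved `pkg_info -L` output for the updated ports
# Prints "port-owned PATH" or "not-in-ports PATH" for every flagged path.
classify_changes() {
    owned=$(mktemp) || return 1
    pkg_paths < "$2" > "$owned"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if grep -Fxq -- "$path" "$owned"; then
            echo "port-owned $path"
        else
            echo "not-in-ports $path"
        fi
    done < "$1"
    rm -f "$owned"
}

# Write constructed sample input into directory $1.
make_sample() {
    cat > "$1/flagged.txt" <<'EOF'
/sbin/ping
/sbin/shutdown
/usr/bin/at
/usr/local/bin/example-helper
EOF
    cat > "$1/pkg_listing.txt" <<'EOF'
Information for example-port-1.0:

Files:
/usr/local/bin/example-helper
/usr/local/man/man1/example-helper.1.gz
EOF
}

tmp=$(mktemp -d) || exit 1
make_sample "$tmp"
classify_changes "$tmp/flagged.txt" "$tmp/pkg_listing.txt"
rm -rf "$tmp"
```

A path reported as `not-in-ports` was not installed by any of the listed ports, so its setuid change has to be explained some other way.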

