setuid diffs in daily security run output

Raimund Sacherer rs at logitravel.com
Wed Feb 18 20:25:24 UTC 2015


----- Original Message ----- 

> From: kpneal at pobox.com
> To: "Raimund Sacherer" <rs at logitravel.com>
> Cc: freebsd-questions at freebsd.org
> Sent: Wednesday, February 18, 2015 8:02:00 PM
> Subject: Re: setuid diffs in daily security run output

> On Wed, Feb 18, 2015 at 10:13:45AM +0100, Raimund Sacherer wrote:
> > Hello,
> >
> > This is one of the first FreeBSD servers we use, and I would rather be safe
> > than sorry. We put a FreeBSD 10.0 system in production and it has been
> > running (in production) for a couple of weeks now. Reading the security run
> > emails today I noticed a lot of those:
> >
> > --- snip ---
> > - 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
> > - 511 -r-sr-x--- 1 root operator 9880 Jan 16 22:40:33 2014 /sbin/mksnap_ffs
> > - 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
> > - 546 -r-sr-xr-x 1 root wheel 36496 Jan 16 22:40:34 2014 /sbin/ping6
> > - 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/poweroff
> > - 528 -r-sr-x--- 2 root operator 15656 Jan 16 22:40:34 2014 /sbin/shutdown
> > - 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/at
> > - 672 -r-sr-xr-x 4 root wheel 28528 Jan 16 22:41:00 2014 /usr/bin/atq
> > --- snip ---
> >
> > I did not see those messages before, but I do normally read those mails.

> > How come those messages are today in the security output? Are those
> > permissions correct? Should I be worried about an intruder?

> Is it possible someone modified or deleted the files that the security
> script uses to keep track of what files are setuid? If one of your other
> support people didn't know what something was they may have deleted it or
> otherwise messed with it.

Hello, 

I will check this out, thank you. Is there any way to make sure that these permissions are correct? Is there some place where the standard permissions for all those tools are documented? 

best
Ray
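
An added example, not part of the original messages: one way to read a setuid diff like the one quoted above is to group its lines by path, so a file whose attributes changed is told apart from one that appears on only one side. It assumes the column layout of the quoted lines, that the first column is the inode number, and that "-"/"+" mark lines present only in the previous/current listing; the sample report and the names classify and world_exec_setuid are constructed for illustration.

```python
import re
from collections import defaultdict

# One line of the diff: sign, inode (assumed), mode, links, owner, group,
# size, modification time, path. The mode may carry a trailing ACL marker.
LINE = re.compile(
    r"^(?P<sign>[+-])\s+(?P<inode>\d+)\s+(?P<mode>\S{10,11})\s+(?P<links>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+(?P<path>/.*)$"
)
FIELDS = ("inode", "mode", "links", "owner", "group", "size", "mtime")

# Constructed sample: the "-" lines reuse the layout quoted in the thread,
# the "+" lines are invented for this example.
SAMPLE = """\
- 471 -r-sr-xr-x 1 root wheel 28024 Jan 16 22:40:34 2014 /sbin/ping
+ 471 -r-sr-xr-x 1 root wheel 28100 Feb 17 03:10:02 2015 /sbin/ping
- 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
+ 9001 -rwsr-xr-x 1 root wheel 5120 Feb 17 03:11:40 2015 /usr/local/bin/example
"""

def world_exec_setuid(mode):
    """True if the mode string is setuid and executable by 'other'."""
    return mode[3] in "sS" and mode[9] in "xt"

def classify(report):
    """Map each path to (status, changed_fields) from the +/- lines."""
    seen = defaultdict(dict)
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:  # ignore headers, "--- snip ---" markers and other text
            seen[m["path"]][m["sign"]] = m.groupdict()
    result = {}
    for path, sides in seen.items():
        old, new = sides.get("-"), sides.get("+")
        if old and new:
            changed = [f for f in FIELDS if old[f] != new[f]]
            result[path] = ("changed", changed)
        elif new:
            result[path] = ("added", [])
        else:
            result[path] = ("removed", [])
    return result

if __name__ == "__main__":
    for path, (status, fields) in sorted(classify(SAMPLE).items()):
        print(f"{status:8} {path} {','.join(fields)}")
```

A path reported as "changed" with a different size or mtime is the case to compare against a known-good copy of the same release; world_exec_setuid separates entries such as /sbin/ping from group-restricted ones such as /sbin/shutdown.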





