setuid diffs in daily security run output

Raimund Sacherer rs at logitravel.com
Thu Feb 19 08:11:08 UTC 2015


----- Original Message ----- 

> From: kpneal at pobox.com
> To: "Raimund Sacherer" <rs at logitravel.com>
> Cc: freebsd-questions at freebsd.org
> Sent: Wednesday, February 18, 2015 10:59:12 PM
> Subject: Re: setuid diffs in daily security run output

> On Wed, Feb 18, 2015 at 09:25:18PM +0100, Raimund Sacherer wrote:
> > ----- Original Message -----
> >
> > > From: kpneal at pobox.com
> > > To: "Raimund Sacherer" <rs at logitravel.com>
> > > Cc: freebsd-questions at freebsd.org
> > > Sent: Wednesday, February 18, 2015 8:02:00 PM
> > > Subject: Re: setuid diffs in daily security run output
> >
> > > On Wed, Feb 18, 2015 at 10:13:45AM +0100, Raimund Sacherer wrote:
> > > > Hello,
> > > >
> > > > This is one of our first FreeBSD servers, and I'd rather be safe than
> > > > sorry. We put a FreeBSD 10.0 system into production and it has been
> > > > running (in production) for a couple of weeks now. Reading the security
> > > > run emails today I noticed a lot of those:
> > > >
> > > > --- snip ---
> > > > - 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
> > > > --- snip ---
> > > >
> > > > I did not see those messages before, but I normally do read those
> > > > mails.
> >
> > > > How come those messages are today in the security output? Are those
> > > > permissions correct? Should I be worried about an intruder?
> >
> > > Is it possible someone modified or deleted the files that the security
> > > script uses to keep track of what files are setuid? If one of your other
> > > support people didn't know what something was they may have deleted it or
> > > otherwise messed with it.

> > I will check this out, thank you. Is there any way to make sure that these
> > permissions are correct? Is there some place where the standard
> > permissions for all those tools are documented?

> The 'mtree' utility is used to check, set, and compare permissions and
> ownerships of files. It can also be used to get hashes of files so you can
> see what files have actually changed. It basically creates and consumes a
> manifest of at least one file.

> On my system the base system manifest files are in /etc/mtree, but you can
> use the 'locate' command to find them if they've moved. You will also find
> them if you have /usr/src installed.

> The only thing mtree lacks is support for extended attributes.

Thank you very much! 

Best 
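The "setuid diffs" block in the daily security mail is a diff of two `ls -liTd` listings of setuid/setgid files (yesterday's and today's), so a "-" line on its own only says an entry disappeared from the list, not what happened to it. The script below is an added example, not part of this thread or of FreeBSD's periodic scripts: it parses lines in that layout, pairs removed and added entries by path so that a changed entry is reported field by field rather than as a "-"/"+" pair, and flags entries a reviewer would look at first (setuid to a non-root user, group- or world-writable, or outside the usual binary directories). The "+ " prefix for added lines, the list of system directories and all sample lines other than the /bin/rcp line quoted above are constructed assumptions.

```python
"""Explain a FreeBSD 'setuid diffs' block from the daily security run output.

Added example; not code from the thread or from /etc/periodic/security.
Input layout (one entry per line, as printed by `ls -liTd` on FreeBSD):
    inode mode nlink owner group size Mon DD HH:MM:SS YYYY path
Lines are prefixed with "- " (in yesterday's list) or "+ " (in today's list);
the "+ " prefix is assumed here by symmetry with the "- " lines in the mail.
"""
import re
from dataclasses import dataclass

_ENTRY = re.compile(
    r"^(?P<inode>\d+)\s+(?P<mode>[-a-zA-Z@+]{10,11})\s+(?P<nlink>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+"
    r"(?P<path>.+)$"
)

FIELDS = ("inode", "mode", "nlink", "owner", "group", "size", "mtime")

# Assumed "normal" homes for setuid/setgid binaries; adjust for your hosts.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
               "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/",
               "/usr/local/libexec/")


@dataclass(frozen=True)
class Entry:
    inode: int
    mode: str
    nlink: int
    owner: str
    group: str
    size: int
    mtime: str
    path: str


def parse_entry(line: str) -> Entry:
    """Parse one `ls -liTd` line; raises ValueError on anything else."""
    m = _ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -liTd entry: {line!r}")
    d = m.groupdict()
    return Entry(int(d["inode"]), d["mode"], int(d["nlink"]), d["owner"],
                 d["group"], int(d["size"]), d["mtime"], d["path"])


def parse_security_diff(text: str):
    """Split the diff block into {path: Entry} maps for '- ' and '+ ' lines."""
    removed, added = {}, {}
    for raw in text.splitlines():
        if raw.startswith("- "):
            e = parse_entry(raw[2:])
            removed[e.path] = e
        elif raw.startswith("+ "):
            e = parse_entry(raw[2:])
            added[e.path] = e
    return removed, added


def explain(removed: dict, added: dict) -> dict:
    """Per path: 'gone', 'new', or 'changed: <field old->new, ...>'."""
    report = {}
    for path in sorted(set(removed) | set(added)):
        old, new = removed.get(path), added.get(path)
        if old is not None and new is None:
            report[path] = "gone: no longer setuid/setgid, or deleted"
        elif new is not None and old is None:
            report[path] = "new: setuid/setgid file not in yesterday's list"
        else:
            changes = [f"{f} {getattr(old, f)}->{getattr(new, f)}"
                       for f in FIELDS if getattr(old, f) != getattr(new, f)]
            report[path] = "changed: " + ", ".join(changes)
    return report


def triage(entry: Entry) -> list:
    """Reasons a setuid/setgid entry deserves a look first; [] if none."""
    mode = entry.mode  # e.g. "-r-sr-xr-x": [3] setuid, [6] setgid, [5]/[8] w bits
    reasons = []
    if mode[3] in "sS" and entry.owner != "root":
        reasons.append(f"setuid to non-root user {entry.owner}")
    if mode[5] == "w":
        reasons.append("group-writable")
    if mode[8] == "w":
        reasons.append("world-writable")
    if not entry.path.startswith(SYSTEM_DIRS):
        reasons.append("outside the usual system binary directories")
    return reasons


# Constructed sample: the /bin/rcp line is the one quoted in the thread,
# the other lines are made up to show a changed entry and a new one.
SAMPLE = """\
- 587 -r-sr-xr-x 1 root wheel 19912 Jan 16 22:40:07 2014 /bin/rcp
- 612 -r-sr-xr-x 2 root wheel 27152 Jan 16 22:40:09 2014 /usr/bin/su
+ 612 -rwsr-xr-x 2 root wheel 27152 Jan 16 22:40:09 2014 /usr/bin/su
+ 9001 -rwsr-xr-x 1 root wheel 14320 Feb 17 03:12:44 2015 /tmp/.x/sh
"""

if __name__ == "__main__":
    rem, add = parse_security_diff(SAMPLE)
    for path, what in explain(rem, add).items():
        flags = triage(add.get(path) or rem[path])
        print(f"{path}: {what}" + (f"  [{'; '.join(flags)}]" if flags else ""))
```

Pipe the block between the "setuid diffs" header and the next section of the security mail into `parse_security_diff`; a report consisting only of "gone" lines with no matching "new" lines is what you get when today's list is empty or yesterday's tracking file under /var/backups was replaced, which is the case kpneal asks about above.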
