daily security run output - Checking setuid
Ernie Luzar
luzar722 at gmail.com
Tue Apr 19 21:57:42 UTC 2016
Matthew Seaman wrote:
> On 2016/04/19 13:23, Ernie Luzar wrote:
>> This morning the "daily security run output" lists a lot of files under
>> the heading of Checking setuid files & devices. I have never seen this
>> before.
>>
>> What does this mean?
>> Has my system been breached?
>> Where is the "daily security run output" documented?
>
> The output usually shows any changes to the lists of setuid or setgid
> files on your system. Take note of the leading '+' or '-' characters in
> that output. Suddenly adding one or a few new setuid files is
> suspicious. Adding write permissions to those files is frequently
> suspicious. However adding or removing /lots/ of setuid or setgid files
> all at once is more likely to be down to operator error.
>
> The daily script depends on keeping a list of all the known setuid /
> setgid files in (by default) /var/log/setuid.today and
> /var/log/setuid.yesterday. If one or both of those files get deleted or
> modified, or that partition fills up while the security/100.chksetuid
> script is running, you'll get spurious output.
>
> Setuid programs are often viewed as a security problem by inexperienced
> administrators, and some even go as far as turning off the setuid
> functionality. That, however, is one of those mistakes you only make
> once. Properly implemented, setuid and setgid *improves* your system
> security, and it's necessary for the system to function normally.
>
> Cheers,
>
> Matthew
>
Thank you Matthew for your reply. I am well aware of the security
concerns of files showing up on this report. My problem is I cannot find
any documentation describing what the report columns mean.
Like what do the leading + or - characters really mean?
If the changing of the setuid or setgid caused the file to show up on
the report, how do I know what they were before and what they are now?
I sure don't see anything labeled setuid or setgid on the report. Here
is some of the report I got as an example.
570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass
570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchsh
571182 -r-sr-xr-x 2 root wheel 6516 Mar 24 23:52:27 2016 /usr/bin/yppasswd
- 804930 -r-sr-xr-x 1 root wheel 18912 Mar 24 23:51:54 2016 /usr/jails/sharedfs/bin/rcp
- 805128 -r-sr-xr-- 1 root operator 7716 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/mksnap_ffs
- 805089 -r-sr-xr-x 1 root wheel 25700 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping
- 805082 -r-sr-xr-x 1 root wheel 33836 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping6
- 805062 -r-sr-xr-- 2 root operator 10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/poweroff
- 805062 -r-sr-xr-- 2 root operator 10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/shutdown
- 804915 -r-sr-xr-x 4 root wheel 23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/at
- 804915 -r-sr-xr-x 4 root wheel 23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/atq
Thanks for any help.
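Editor's added example, not code from this thread and not FreeBSD's own periodic(8) script: the logic of /etc/periodic/security/100.chksetuid reduced to a few sh functions, so the markers in the "Checking setuid files & devices" section can be read off a run against any directory. It assumes the daily script compares yesterday's and today's lists with unified diff (the default security_status_diff_flags of "-b -u" in /etc/defaults/periodic.conf, as far as I recall; check your release), and it uses ls -ld in place of the ls -liTd columns of the real report. Under that assumption a leading "-" is an entry as it stood in /var/log/setuid.yesterday that is no longer in setuid.today in that exact form, a leading "+" is an entry present today and absent yesterday, and a line with no marker is unchanged context printed around the changes. Since every entry carries mode, owner, group, size and mtime, a file whose setuid bit was simply removed appears only as a "-" line, while a file that is still setuid but changed mode, owner or size appears as a "-"/"+" pair, the "-" line being the "before". The inode 900001, the path /usr/local/bin/newtool and the throwaway tree below are constructed for the demonstration.

```shell
#!/bin/sh
# Editor's example, not code from the thread or from FreeBSD's periodic(8)
# scripts: the logic of /etc/periodic/security/100.chksetuid reduced to a
# few functions so the +/- markers can be reproduced on a directory of
# your choosing.  Assumptions: unified diff ("-b -u") is what the daily
# script uses, and "ls -ld" stands in for its "ls -liTd" column layout.

# snapshot_setuid DIR OUT: one "ls -ld" line for every regular file under
# DIR with the setuid (4000) or setgid (2000) bit set, sorted so that two
# snapshots diff cleanly.  -xdev stays on DIR's filesystem, like the
# per-mount-point walk in the real script.
snapshot_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null | sort > "$2"
}

# changed_entries YESTERDAY TODAY: only the lines that carry a marker.
#   "-"  the entry was in YESTERDAY and is not in TODAY in that exact form
#   "+"  the entry is in TODAY and was not in YESTERDAY in that exact form
# A file that merely changed mode, owner, size or mtime but is still
# setuid therefore appears as a "-"/"+" pair, the "-" line being the old
# state.  Unchanged context lines and diff's own ---/+++/@@ headers are
# dropped here; the daily mail keeps the context lines (no marker).
changed_entries() {
    diff -b -u "$1" "$2" | grep -E '^[-+]' | grep -Ev '^(---|[+][+][+]) '
}

# demo_changes: constructed yesterday/today lists in the layout of the
# report quoted in the thread (inode, mode, links, owner, group, size,
# date, path).  Between the two, ping lost its setuid bit and a
# hypothetical /usr/local/bin/newtool gained one, so exactly one "-" and
# one "+" must come out.  Inode 900001 and the newtool path are made up.
demo_changes() {
    y=$(mktemp) && t=$(mktemp) || return 1
    cat > "$y" <<'EOF'
805082 -r-sr-xr-x 1 root wheel 33836 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping6
805089 -r-sr-xr-x 1 root wheel 25700 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping
EOF
    cat > "$t" <<'EOF'
805082 -r-sr-xr-x 1 root wheel 33836 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping6
900001 -rwsr-xr-x 1 root wheel 12345 Apr 19 08:15:00 2016 /usr/local/bin/newtool
EOF
    changed_entries "$y" "$t"
    rm -f "$y" "$t"
}

# live_demo: build a throwaway tree containing one setuid file we own,
# snapshot it, clear the bit (the "operator error" case from the thread),
# snapshot again, and print the resulting "-" line.
live_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin"
    printf '#!/bin/sh\n' > "$d/bin/tool"
    chmod 4755 "$d/bin/tool"
    snapshot_setuid "$d" "$d/setuid.yesterday"
    chmod 0755 "$d/bin/tool"
    snapshot_setuid "$d" "$d/setuid.today"
    changed_entries "$d/setuid.yesterday" "$d/setuid.today"
    rm -rf "$d"
}

demo_changes
echo
live_demo
```

On a FreeBSD host the "before" state is simply the previous list the script kept, so `diff -b -u /var/log/setuid.yesterday /var/log/setuid.today` reproduces that section of the mail, and running `snapshot_setuid / /tmp/setuid.now` (one filesystem per call because of -xdev) and diffing it against setuid.today shows what has changed since the last nightly run. A burst of "-" lines that all share one prefix, as in the /usr/jails/sharedfs entries quoted above, is the pattern Matthew describes as more likely to be an operator action than an intrusion; a single new "+" line, or a "-"/"+" pair in which only the mode or owner differs, is the one to chase.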
More information about the freebsd-questions mailing list