daily security run output - Checking setuid

Ernie Luzar luzar722 at gmail.com
Tue Apr 19 21:57:42 UTC 2016


Matthew Seaman wrote:
> On 2016/04/19 13:23, Ernie Luzar wrote:
>> This morning the "daily security run output" lists a lot of files under
>> the heading of Checking setuid files & devices. I have never seen this
>> before.
>>
>> What does this mean?
>> Has my system been breached?
>> Where is the "daily security run output" documented?
> 
> The output usually shows any changes to the lists of setuid or setgid
> files on your system.  Take note of the leading '+' or '-' characters in
> that output.  Suddenly adding one or a few new setuid files is
> suspicious.  Adding write permissions to those files is frequently
> suspicious.  However adding or removing /lots/ of setuid or setgid files
> all at once is more likely to be down to operator error.
> 
> The daily script depends on keeping a list of all the known setuid /
> setgid files in (by default) /var/log/setuid.today and
> /var/log/setuid.yesterday.  If one or both of those files get deleted or
> modified, or that partition fills up while the security/100.chksetuid
> script is running, you'll get spurious output.
> 
> Setuid programs are often viewed as a security problem by inexperienced
> administrators, and some even go as far as turning off the setuid
> functionality.  That, however, is one of those mistakes you only make
> once.  Properly implemented, setuid and setgid *improves* your system
> security, and it's necessary for the system to function normally.
> 
> 	Cheers,
> 
> 	Matthew
> 
Thank you Matthew for your reply. I am well aware of the security 
concerns of files showing up on this report. My problem is I cannot find 
any documentation describing what the report columns mean.

Like, what do the leading + or - characters really mean?

If a change to the setuid or setgid bits caused a file to show up on 
the report, how do I know what they were before and what they are now?
I sure don't see anything labeled setuid or setgid on the report.  Here 
is some of the report I got as an example.

   570967 -r-sr-xr-x  6 root  wheel      18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass
   570967 -r-sr-xr-x  6 root  wheel      18320 Mar 24 23:52:23 2016 /usr/bin/ypchsh
   571182 -r-sr-xr-x  2 root  wheel       6516 Mar 24 23:52:27 2016 /usr/bin/yppasswd
-  804930 -r-sr-xr-x  1 root  wheel      18912 Mar 24 23:51:54 2016 /usr/jails/sharedfs/bin/rcp
-  805128 -r-sr-xr--  1 root  operator    7716 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/mksnap_ffs
-  805089 -r-sr-xr-x  1 root  wheel      25700 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping
-  805082 -r-sr-xr-x  1 root  wheel      33836 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping6
-  805062 -r-sr-xr--  2 root  operator   10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/poweroff
-  805062 -r-sr-xr--  2 root  operator   10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/shutdown
-  804915 -r-sr-xr-x  4 root  wheel      23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/at
-  804915 -r-sr-xr-x  4 root  wheel      23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/atq


Thanks for any help.
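The following is an added example, not part of the thread and not FreeBSD's own 100.chksetuid or security.functions code. It rebuilds the report's +/- output from two constructed snapshots written in the `ls -liTd` layout the report uses (inode, mode, links, owner, group, size, full timestamp, path), and then decodes every +/- line into "what it was" and "what it is now", which is the question the report itself does not answer. It assumes, which the thread does not state, that the report is a unified diff (`diff -u`) of yesterday's list against today's with the `---`/`+++`/`@@` headers dropped, so a leading space is unchanged context, `-` is a line present only in yesterday's list and `+` a line present only in today's. The paths and the file `/usr/local/bin/helper` in the "today" snapshot are invented for the demonstration.

```shell
#!/bin/sh
# Added example; not FreeBSD's 100.chksetuid or security.functions code.
# Rebuilds the daily report's +/- output from two constructed snapshots
# and decodes each +/- line into old state vs new state.
#
# Assumption (not stated in the thread): the report is `diff -u` of
# yesterday's list against today's with the ---/+++/@@ headers removed:
#   ' ' = unchanged context, '-' = only in yesterday, '+' = only in today.

# Constructed "yesterday" snapshot, sorted by path as find -s would emit it.
YESTERDAY='  570967 -r-sr-xr-x  6 root  wheel      18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass
  571182 -r-sr-xr-x  2 root  wheel       6516 Mar 24 23:52:27 2016 /usr/bin/yppasswd
  805128 -r-sr-xr--  1 root  operator    7716 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/mksnap_ffs
  805089 -r-sr-xr-x  1 root  wheel      25700 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping'

# Constructed "today" snapshot: ping is gone, mksnap_ffs changed mode and
# group, and a new world-writable setuid binary (hypothetical path) appeared.
TODAY='  570967 -r-sr-xr-x  6 root  wheel      18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass
  571182 -r-sr-xr-x  2 root  wheel       6516 Mar 24 23:52:27 2016 /usr/bin/yppasswd
  805128 -rwsr-xr-x  1 root  wheel       7716 Apr 18 10:01:12 2016 /usr/jails/sharedfs/sbin/mksnap_ffs
  901234 -rwsr-xrwx  1 root  wheel      12048 Apr 18 10:02:40 2016 /usr/local/bin/helper'

# Print the report in the daily run's form. diff exits 1 when the lists
# differ and grep exits 1 when nothing remains, so neither is an error here.
setuid_report() {
    diff -u "$1" "$2" | grep -v -e '^---' -e '^+++' -e '^@@' || true
}

# Read a report on stdin. A path seen only on a '-' line is gone (or lost its
# setuid/setgid bit), only on a '+' line is new, on both changed in place.
# Mode decoding: 's' in the owner x slot = setuid, in the group x slot =
# setgid; 'w' in the group/other w slots = group-/world-writable.
explain_report() {
    awk '
    function flags(mode,   s) {
        s = ""
        if (substr(mode, 4, 1) ~ /[sS]/) s = s " setuid"
        if (substr(mode, 7, 1) ~ /[sS]/) s = s " setgid"
        if (substr(mode, 6, 1) == "w")   s = s " group-writable"
        if (substr(mode, 9, 1) == "w")   s = s " world-writable"
        return s
    }
    /^[-+]/ {
        n = split(substr($0, 2), w, " ")   # drop the diff tag, split on blanks
        desc = w[2] " " w[4] ":" w[5]      # mode owner:group
        if (substr($0, 1, 1) == "-") {
            old[w[n]] = desc
        } else {
            new[w[n]] = desc
        }
        seen[w[n]] = 1
    }
    END {
        for (p in seen) {
            if ((p in old) && (p in new))
                printf "CHANGED %s: was %s, now %s;%s\n", p, old[p], new[p], flags(substr(new[p], 1, 10))
            else if (p in new)
                printf "NEW %s: %s;%s\n", p, new[p], flags(substr(new[p], 1, 10))
            else
                printf "GONE %s: was %s\n", p, old[p]
        }
    }' | sort
}

# Run the whole thing on the constructed snapshots: prints the raw +/-
# report, a blank line, then the decoded lines.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$YESTERDAY" > "$d/setuid.yesterday"
    printf '%s\n' "$TODAY"     > "$d/setuid.today"
    setuid_report "$d/setuid.yesterday" "$d/setuid.today" > "$d/report"
    cat "$d/report"
    echo
    explain_report < "$d/report"
    rm -rf "$d"
}

demo
```

On a real FreeBSD host the two inputs would be /var/log/setuid.yesterday and /var/log/setuid.today named in the reply above; running `explain_report` over the mailed report itself works the same way, since it only looks at the `-`/`+` lines. A path that shows up as `-` and `+` together is a file whose mode, owner, group, size or timestamp changed; a path that shows up only once was added to or dropped from the set of setuid/setgid files, or, as with the whole `/usr/jails/sharedfs` tree in the post, the files themselves went away.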


More information about the freebsd-questions mailing list