daily security run output - Checking setuid
Lowell at Be-Well.Ilk.Org
Tue Apr 19 23:15:58 UTC 2016
Ernie Luzar <luzar722 at gmail.com> writes:
> Matthew Seaman wrote:
>> On 2016/04/19 13:23, Ernie Luzar wrote:
>>> This morning the "daily security run output" lists a lot of files under
>>> the heading of Checking setuid files & devices. I have never seen this
>>> What does this mean?
>>> Has my system been breached?
>>> Where is the "daily security run output" documented?
>> The output usually shows any changes to the lists of setuid or setgid
>> files on your system. Take note of the leading '+' or '-' characters in
>> that output. Suddenly adding one or a few new setuid files is
>> suspicious. Adding write permissions to those files is frequently
>> suspicious. However adding or removing /lots/ of setuid or setgid files
>> all at once is more likely to be down to operator error.
>> The daily script depends on keeping a list of all the known setuid /
>> setgid files in (by default) /var/log/setuid.today and
>> /var/log/setuid.yesterday. If one or both of those files get deleted or
>> modified, or that partition fills up while the security/100.chksetuid
>> script is running, you'll get spurious output.
>> Setuid programs are often viewed as a security problem by inexperienced
>> administrators, and some even go as far as turning off the setuid
>> functionality. That, however, is one of those mistakes you only make
>> once. Properly implemented, setuid and setgid *improves* your system
>> security, and it's necessary for the system to function normally.
> Thank you Matthew for your reply. I am well aware of the security
> concerns of fies showing up on this report. My problem is I can not
> find any documentation describing what the meaning of the report
> columns are.
> Like what does the leading + or - characters really mean.
> If the changing of the setuid or setgid caused the file to show up on
> the report, how do I know what they were before and what they are now?
> I sure don't see anything labeled setuid or setgid on the report.
> Here is some of the report I got as example.
> 570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchpass
> 570967 -r-sr-xr-x 6 root wheel 18320 Mar 24 23:52:23 2016 /usr/bin/ypchsh
> 571182 -r-sr-xr-x 2 root wheel 6516 Mar 24 23:52:27 2016 /usr/bin/yppasswd
> - 804930 -r-sr-xr-x 1 root wheel 18912 Mar 24 23:51:54 2016 /usr/jails/sharedfs/bin/rcp
> - 805128 -r-sr-xr-- 1 root operator 7716 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/mksnap_ffs
> - 805089 -r-sr-xr-x 1 root wheel 25700 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping
> - 805082 -r-sr-xr-x 1 root wheel 33836 Mar 24 23:52:06 2016 /usr/jails/sharedfs/sbin/ping6
> - 805062 -r-sr-xr-- 2 root operator 10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/poweroff
> - 805062 -r-sr-xr-- 2 root operator 10952 Mar 24 23:52:07 2016 /usr/jails/sharedfs/sbin/shutdown
> - 804915 -r-sr-xr-x 4 root wheel 23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/at
> - 804915 -r-sr-xr-x 4 root wheel 23312 Mar 24 23:52:22 2016 /usr/jails/sharedfs/usr/bin/atq
It's a diff(1) of the output of 'ls -liTd' of these files from the
previous day to the present day. The leading '-' tells you that these
are all files that have either been removed since yesterday or are still
present but no longer have their setuid bit set.
Many system administrators will find this intuitive, but those who don't
will figure it out by looking at /etc/periodic/security/ and determining
that the 100.chksetuid script is the one that checks setuid settings.
More information about the freebsd-questions