has my 10.1-RELEASE system been compromised

Malcolm Herbert freebsd.org at mjch.net
Thu Feb 26 20:52:21 UTC 2015


I'd also suggest you take a look at using mtree for tripwire-like
functionality in the future - its primary purpose is to be able to
take the specification for a directory tree and either report
differences or make the filesystem conform to the specification.

Not sure whether it is used in the base FreeBSD system, but it's
definitely part of NetBSD, where it is used to confirm the permissions
and other metadata information for files from each of the release
tarballs and (iirc) runs once a week as part of the normal system cron.

mtree can also be turned on a directory tree to capture a specification
that matches it ... it is better than find in this instance for
comparing the state of a filesystem over time, as it can be set to
calculate file digests with a variety of algorithms and produce output
that can be parsed and compared against later (which can be difficult
with the -ls output from find).

I also found a copy of it to run on Solaris to confirm that changes we
were making to our source only had the desired impacts on large
application data sets as part of our upgrade process.

Plus, until I mentioned it here, it might have been obscure enough
not to be trojanned by a rootkit ... :)

Hope that helps,
Malcolm

-- 
Malcolm Herbert
mjch at mjch.net
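Added example (editor's code, not part of Malcolm's post and not FreeBSD's or NetBSD's own mtree source): a small Python parser for the specification format that `mtree -c` writes, followed by a comparison that reports changed, added and removed entries between a known-good baseline and a later capture. The two specs are constructed inline and trimmed to the shape of `mtree -c -K sha256digest` output; the tree, sizes and digests are made up, and the function names (`parse_mtree`, `compare_specs`, `format_report`) are this example's own. It handles the parts of the format that trip up ad-hoc `find -ls` diffing: `/set` defaults inherited by later entries, nested directories closed by `..`, and backslash-continued lines.

```python
"""Added example: parse mtree(8)-style specs and diff a baseline against a later capture."""

# Fake 64-hex-digit digests so the constructed specs look like sha256digest= output.
LS_OLD, LS_NEW, RC_SUM = "1a" * 32, "2b" * 32, "3c" * 32
MOTD_SUM, HIDDEN_SUM = "4d" * 32, "5e" * 32

# Baseline captured while the host was known-good (constructed, trimmed mtree -c shape).
BASELINE_SPEC = f"""\
# .
/set type=file uid=0 gid=0 mode=0644 flags=none
.               type=dir mode=0755
bin             type=dir mode=0755
    ls          mode=0555 size=38312 \\
                sha256digest={LS_OLD}
..
etc             type=dir mode=0755
    rc.conf     size=212 sha256digest={RC_SUM}
    motd        size=1024 sha256digest={MOTD_SUM}
..
..
"""

# Later capture (constructed): ls replaced, hidden file in bin, rc.conf world-writable, motd gone.
CURRENT_SPEC = f"""\
/set type=file uid=0 gid=0 mode=0644 flags=none
.               type=dir mode=0755
bin             type=dir mode=0755
    ls          mode=0555 size=41000 \\
                sha256digest={LS_NEW}
    .hidden     mode=0555 size=512 sha256digest={HIDDEN_SUM}
..
etc             type=dir mode=0755
    rc.conf     mode=0666 size=212 sha256digest={RC_SUM}
..
..
"""


def _logical_lines(text):
    """Join backslash-continued lines, which mtree -c emits for long entries."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf] if buf else [])


def parse_mtree(text):
    """Return {path: {keyword: value}} (paths like './bin/ls'); handles comments, /set and
    /unset defaults, and nesting (type=dir opens a directory, '..' closes it)."""
    entries, defaults, stack = {}, {}, []
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, *fields = line.split()
        pairs = {k: v for k, _, v in (f.partition("=") for f in fields)}
        if head == "/set":
            defaults.update(pairs)
        elif head == "/unset":
            for k in fields:
                defaults.pop(k, None)
        elif head == "..":
            del stack[-1:]
        else:  # a file-system entry; vis(3)-encoded names are left encoded here
            attrs = {**defaults, **pairs}
            entries["/".join(stack + [head])] = attrs
            if attrs.get("type") == "dir":
                stack.append(head)
    return entries


# mtime is deliberately not compared: touch(1) forges it and every legitimate edit
# changes it, so next to size and digest it only adds noise.
WATCHED = ("type", "mode", "uid", "gid", "flags", "size", "sha256digest")


def compare_specs(baseline_text, current_text, keys=WATCHED):
    """Return (changed, added, removed); changed maps path -> {keyword: (old, new)}."""
    old, new = parse_mtree(baseline_text), parse_mtree(current_text)
    changed = {}
    for path in sorted(old.keys() & new.keys()):
        diff = {k: (old[path].get(k), new[path].get(k))
                for k in keys if old[path].get(k) != new[path].get(k)}
        if diff:
            changed[path] = diff
    return changed, sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())


def format_report(changed, added, removed):
    """One line per finding: changed entries first, then added, then removed."""
    lines = [f"changed {p}: " + ", ".join(f"{k} {o}->{n}" for k, (o, n) in d.items())
             for p, d in changed.items()]
    return lines + [f"added   {p}" for p in added] + [f"removed {p}" for p in removed]


if __name__ == "__main__":
    print("\n".join(format_report(*compare_specs(BASELINE_SPEC, CURRENT_SPEC))))
```

On FreeBSD the same comparison is what `mtree -p /bin -f baseline.spec` does for you after a baseline built with `mtree -c -K sha256digest -p /bin > baseline.spec`; saving each run's spec and diffing them as above additionally gives you a history. Two caveats the joke at the end of the post points at: keep the baseline, and ideally a known-good mtree binary, on read-only or off-host media, and remember that any userland checker only sees what the kernel shows it, so on a box you suspect of a kernel-level rootkit the authoritative run is against the disk mounted from trusted boot media.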


More information about the freebsd-security mailing list