has my 10.1-RELEASE system been compromised

Mark Felder feld at FreeBSD.org
Thu Feb 26 20:58:09 UTC 2015



On Thu, Feb 26, 2015, at 14:52, Malcolm Herbert wrote:
> I'd also suggest you take a look at using mtree for tripwire-like
> functionality into the future - its primary purpose is to be able to
> take the specification for a directory tree and either report
> differences or make the filesystem conform to the specification.
> 
> not sure whether it is used in the base FreeBSD system but it's
> definitely part of NetBSD where it is used to confirm the permissions
> and other metadata information for files from each of the release
> tarballs and (iirc) runs once a week as part of normal system cron
> 
> mtree can also be turned on a directory tree to capture a specification
> that matches it ... it is better than find in this instance for
> comparing the state of a filesystem over time as it can be set to
> calculate file digests by a variety of algorithms and produce output
> that can be parsed and compared against later (which can be difficult
> with the -ls output from find)
> 
> I also found a copy of it to run on Solaris to confirm that changes we
> were making to our source only had the desired impacts to large
> application data sets as part of our upgrade process
> 
> plus until I mentioned it here, it might have been obscure enough for
> it not to be trojanned by a rootkit ... :)


mtree is a really handy tool. I especially love it for large changes
like changing the UIDs and GIDs for a lot of accounts. If you take an
mtree dump, change the UIDs and GIDs, and re-apply the mtree dump it
will quickly fix the permissions across your server because it stores
the user and group names, not the IDs.

I wish mtree was readily available on Linux.
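The workflow Malcolm describes above (capture a specification of a tree including file digests, keep it, and compare the live filesystem against it later) as an added example that is not part of this thread and is not mtree's own code: a small Python reimplementation of the spec/compare cycle so the idea can be run anywhere, including the Linux hosts Mark mentions. It is an assumption-labelled stand-in, not the real tool: the spec format is a simplified flat `./path key=value` line per entry that mtree(8) itself will not parse, and it records numeric uid/gid, whereas mtree's default keywords store user and group names (which is exactly why the UID-remap trick in the reply works). On FreeBSD the equivalent with the real tool is `mtree -c -K sha256digest -p /usr/local/bin > baseline.mtree` to capture and `mtree -p /usr/local/bin < baseline.mtree` to compare.

```python
"""Constructed example: an mtree-style directory specification in Python.

Records type/mode/uid/gid/size/sha256 for every entry below a root, writes a
flat "./path key=value ..." spec, and later compares the live tree against it,
reporting changed, missing and extra entries. The format is a simplification
for illustration and is NOT readable by mtree(8) itself.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path):
    """Keyword dict for one filesystem entry (symlinks are not followed)."""
    st = os.lstat(path)
    entry = {
        "mode": f"{stat.S_IMODE(st.st_mode):04o}",
        "uid": str(st.st_uid),
        "gid": str(st.st_gid),
    }
    if stat.S_ISDIR(st.st_mode):
        entry["type"] = "dir"
    elif stat.S_ISLNK(st.st_mode):
        entry["type"] = "link"
        entry["link"] = os.readlink(path)  # assumed whitespace-free in this toy format
    elif stat.S_ISREG(st.st_mode):
        entry["type"] = "file"
        entry["size"] = str(st.st_size)
        entry["sha256digest"] = _sha256(path)
    else:
        entry["type"] = "other"
    return entry


def walk_tree(root):
    """Yield (relative_path, entry) for everything below root, sorted."""
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort also fixes os.walk's descent order
        for name in sorted(dirnames + filenames):
            full = Path(dirpath) / name
            yield "./" + full.relative_to(root).as_posix(), describe(full)


def create_spec(root):
    """Serialise the tree as one 'path key=value ...' line per entry."""
    return "".join(
        rel + " " + " ".join(f"{k}={v}" for k, v in sorted(entry.items())) + "\n"
        for rel, entry in walk_tree(root)
    )


def parse_spec(text):
    spec = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rel, *pairs = line.split()
        spec[rel] = dict(p.split("=", 1) for p in pairs)
    return spec


def compare(root, spec_text):
    """Compare the live tree against a spec; returns changed/missing/extra."""
    expected = parse_spec(spec_text)
    actual = dict(walk_tree(root))
    report = {"changed": {}, "missing": [], "extra": []}
    for rel, exp in expected.items():
        if rel not in actual:
            report["missing"].append(rel)
            continue
        keys = set(exp) | set(actual[rel])
        diff = sorted(k for k in keys if exp.get(k) != actual[rel].get(k))
        if diff:
            report["changed"][rel] = diff
    report["extra"] = sorted(set(actual) - set(expected))
    return report


def demo():
    """Build a small constructed tree, take a spec, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "a").write_text("hello\n")
        (root / "sub" / "b").write_text("world\n")
        os.chmod(root / "a", 0o644)
        baseline = create_spec(root)

        # Simulated tampering: content and mode change, a deletion, an addition.
        (root / "a").write_text("HELLO!\n")
        os.chmod(root / "a", 0o600)
        (root / "sub" / "b").unlink()
        (root / "c").write_text("new\n")
        return compare(root, baseline)


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

Running the module prints the three report sections: `./a` flagged on mode, sha256digest and size; `./sub/b` missing; `./c` extra. The baseline text is what you would store somewhere the monitored host cannot rewrite (read-only media or another machine), since a spec kept next to the files it describes is only as trustworthy as the host that holds it.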
