Investigating passwd, group and setuid diffs in status mails
Kenneth Bernholm
kenneth at bernholm.dk
Thu Aug 7 05:33:59 UTC 2014
I'm terribly sorry for the formatting failure in my initial mail. Obviously the cut and paste in my webmail client left out the newlines. Here's the data once more (hopefully more readable):
The daily run output mail:
Removing stale files from /var/preserve:
Cleaning out old system announcements:
Removing stale files from /var/rwho:
Backup passwd and group files:
zork passwd diffs:
34a35
> logcheck:(password):915:915::0:0:Logcheck system account:/var/lib/logcheck:/usr/local/bin/bash
zork group diffs:
41a42,43
> ssmtp:*:916:
> logcheck:*:915:
Verifying group file syntax:
/etc/group is fine
Backing up mail aliases:
Disk status:
Filesystem Size Used Avail Capacity Mounted on
/dev/ada0p2 140G 25G 105G 19% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/da0p1 451G 22G 393G 5% /usbdisk
Network interface status:
Name  Mtu    Network       Address             Ipkts  Ierrs  Idrop   Opkts  Oerrs  Coll  Drop
em0   1500   <Link#1>      90:e2:ba:6a:c0:dc  247366      0      0  227852      0     0     0
em0   1500   192.168.1.0   zork               239442      -      -  226920      -     -     -
lo0   16384  <Link#2>                              0      0      0       0      0     0     0
lo0   16384  localhost     ::1                     0      -      -       0      -     -     -
lo0   16384  fe80::1%lo0   fe80::1                 0      -      -       0      -     -     -
lo0   16384  your-net      localhost               0      -      -       0      -     -     -
Local system status:
3:01AM up 22:21, 2 users, load averages: 0.24, 0.33, 0.25
Mail in local queue:
mailq: Mail queue is empty
Mail in submit queue:
mailq: Mail queue is empty
Security check:
(output mailed separately)
Checking for rejected mail hosts:
Backing up pkgng database:
-- End of daily output --
The daily security run output mail:
Checking setuid files and devices:
zork setuid diffs:
--- /var/log/setuid.today 2014-05-21 03:07:00.000000000 +0200
+++ /tmp/security.kNUKUHM3 2014-08-07 03:06:29.000000000 +0200
@@ -32,13 +32,15 @@
7704735 -r-sr-xr-x 6 root wheel 22376 Jan 16 23:41:02 2014 /usr/bin/ypchpass
7704735 -r-sr-xr-x 6 root wheel 22376 Jan 16 23:41:02 2014 /usr/bin/ypchsh
7704601 -r-sr-xr-x 2 root wheel 8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd
-7791699 -r-xr-sr-x 1 root smmsp 676064 Jan 16 23:41:34 2014
/usr/libexec/sendmail/sendmail
+7791952 -r-xr-sr-x 1 root smmsp 676064 Jun 26 06:30:49 2014
/usr/libexec/sendmail/sendmail
7707857 -r-sr-xr-x 1 root wheel 32824 Jan 16 23:40:38 2014
/usr/libexec/ssh-keysign
7707853 -r-sr-xr-x 1 root wheel 6000 Jan 16 23:40:05 2014
/usr/libexec/ulog-helper
8268343 -r-sr-xr-x 1 root wheel 1819872 Apr 15 05:47:39 2014
/usr/local/bin/Xorg
+8269540 -rwxr-sr-x 1 root wheel 18064 Jun 26 06:34:34 2014
/usr/local/bin/lockfile
8266420 -rwxr-sr-x 1 root mail 11392 Apr 6 12:40:12 2014
/usr/local/bin/mutt_dotlock
8268183 -rwsr-xr-x 1 root wheel 20072 Apr 15 05:43:54 2014
/usr/local/bin/pkexec
-8268086 -rwsr-x--- 1 root messagebus 280784 Apr 15 05:41:41 2014
/usr/local/libexec/dbus-daemon-launch-helper
+8269542 -rwsr-sr-x 1 root wheel 98224 Jun 26 06:34:34 2014
/usr/local/bin/procmail
+8269658 -rwsr-x--- 1 root messagebus 270896 Jul 1 12:14:01 2014
/usr/local/libexec/dbus-daemon-launch-helper
8268207 -rwsr-xr-x 1 root wheel 12152 Apr 15 05:43:54 2014
/usr/local/libexec/polkit-agent-helper-1
8268125 -rwxr-sr-x 1 root polkit 19736 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-explicit-grant-helper
8268126 -rwxr-sr-x 1 root polkit 17712 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-grant-helper
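Review bot: the entry to verify first in this hunk is `+8269542 -rwsr-sr-x 1 root wheel 98224 Jun 26 06:34:34 2014 /usr/local/bin/procmail`, a new binary that is both setuid root and setgid wheel; confirm it belongs to a package with `pkg which /usr/local/bin/procmail` and verify its checksum with `pkg check -s procmail`. Its mtime matches `+8269540 -rwxr-sr-x 1 root wheel 18064 Jun 26 06:34:34 2014 /usr/local/bin/lockfile` to the second, so the two came from one install, which the pkg query will also show. The sendmail and dbus-daemon-launch-helper pairs keep mode, owner and group and differ only in inode and mtime (dbus also shrinks from 280784 to 270896 bytes), which is what a rebuilt or updated binary looks like rather than a permission change; sendmail is base system, so `freebsd-update IDS` rather than pkg is the integrity check there. Note also the `---` header: /var/log/setuid.today is dated 2014-05-21, so the baseline was last written on May 21 and this hunk is everything that changed since then, not since yesterday, which is why Jun and Jul dates only surface on Aug 7.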
@@ -47,6 +49,7 @@
8268129 -rwsr-xr-x 1 root wheel 8472 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-resolve-exe-helper
8268130 -rwxr-sr-x 1 root polkit 21328 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-revoke-helper
8268131 -rwsr-xr-x 1 root polkit 22032 Apr 15 05:42:07 2014
/usr/local/libexec/polkit-set-default-helper
+8269530 -r-xr-sr-x 1 root ssmtp 32360 Jun 25 10:26:12 2014
/usr/local/sbin/ssmtp
7707669 -r-sr-sr-x 2 root authpf 24160 Jan 16 23:41:18 2014 /usr/sbin/authpf
7707669 -r-sr-sr-x 2 root authpf 24160 Jan 16 23:41:18 2014
/usr/sbin/authpf-noip
7707607 -r-xr-sr-x 1 root daemon 55584 Jan 16 23:41:27 2014 /usr/sbin/lpc
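Review bot: the only change in this hunk is `+8269530 -r-xr-sr-x 1 root ssmtp 32360 Jun 25 10:26:12 2014 /usr/local/sbin/ssmtp`, setgid to group ssmtp and not setuid, so all it gains is membership of a group that the group diff above introduces in the same period as `ssmtp:*:916:`; that is the normal shape of a mail-submission helper, but `pkg which /usr/local/sbin/ssmtp` followed by `pkg check -s ssmtp` is still the step that ties the file to the package rather than to someone else, and its Jun 25 mtime should agree with the "Installed on" line of `pkg info ssmtp`.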
Checking negative group permissions:
Checking for uids of 0:
root 0
toor 0
Checking for passwordless accounts:
Checking login.conf permissions:
zork kernel log messages:
+++ /tmp/security.GuJvYr8G 2014-08-07 03:11:32.000000000 +0200
+FreeBSD 10.0-RELEASE-p6 #0: Tue Jun 24 07:47:37 UTC 2014
+vgapci0: <VGA-compatible display> port 0x2220-0x2227 mem
0xf0100000-0xf017ffff,0xe0000000-0xefffffff,0xf0000000-0xf00fffff irq 16 at device
2.0 on pci0
+em0: <Intel(R) PRO/1000 Network Connection 7.3.8> port 0x2100-0x211f mem
0xf0180000-0xf019ffff,0xf01a4000-0xf01a4fff irq 19 at device 25.0 on pci0
+uhci0: <Intel 82801I (ICH9) USB controller> port 0x2120-0x213f irq 20 at device
26.0 on pci0
+uhci1: <Intel 82801I (ICH9) USB controller> port 0x2140-0x215f irq 21 at device
26.1 on pci0
+uhci2: <Intel 82801I (ICH9) USB controller> port 0x2160-0x217f irq 22 at device
26.2 on pci0
+uhci3: <Intel 82801I (ICH9) USB controller> port 0x2180-0x219f irq 20 at device
29.0 on pci0
+uhci4: <Intel 82801I (ICH9) USB controller> port 0x21a0-0x21bf irq 21 at device
29.1 on pci0
+em0: <Intel(R) PRO/1000 Legacy Network Connection 1.0.6> port 0x1100-0x113f mem
0xf0200000-0xf021ffff,0xf0220000-0xf023ffff irq 20 at device 4.0 on pci7
+em0: Ethernet address: 90:e2:ba:6a:c0:dc
+atapci0: <Intel ICH9 SATA300 controller> port
0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x21e0-0x21ef,0x21f0-0x21ff irq 18 at device
31.2 on pci0
+atapci1: <Intel ICH9 SATA300 controller> port
0x2238-0x223f,0x2250-0x2253,0x2240-0x2247,0x2254-0x2257,0x2200-0x220f,0x2210-0x221f
irq 18 at device 31.5 on pci0
+Timecounter "TSC-low" frequency 1163772879 Hz quality 1000
+ugen3.2: <Western Digital> at usbus3
+ugen1.2: <Logitech> at usbus1
+ukbd0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1
+ums0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1
+uhid0: <Logitech USB Receiver, class 0/0, rev 2.00/12.01, addr 2> on usbus1
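Review bot: this section needs no follow-up on its own; all of the boot-time messages are new relative to the stored copy, which is consistent with the reboot indicated by `3:01AM up 22:21` in the daily output about a day before this report. The first line, `+FreeBSD 10.0-RELEASE-p6 #0: Tue Jun 24 07:47:37 UTC 2014`, dates the kernel; comparing `freebsd-version -k` with `freebsd-version -u` will confirm that userland was updated to the same patch level, which is the base-system counterpart of the package checks for the setuid changes above.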
zork login failures:
zork refused connections:
Checking for packages with security vulnerabilities:
dbus-1.8.4
firefox-30.0_1,1
nss-3.16
-- End of security output --
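As an added example (it is not part of the post, nor code from FreeBSD's periodic scripts), here is a small Python triage tool for a "setuid diffs" section like the one above. It parses the ls -liTd entries that /etc/periodic/security/100.chksetuid writes, re-joins entries whose path a mail client wrapped onto the next line, pairs removed and added entries by path so that an updated binary shows up as REPLACED with exactly the fields that changed, and lists the new entries that warrant a manual check. The sample hunk is constructed from the figures in the post; the flag names, the Finding record and the priority rule in needs_attention are my own choices; pkg which, pkg check -s and freebsd-update IDS are real FreeBSD tools, but the script only prints the command to run and never executes it.

```python
"""Triage of a FreeBSD periodic(8) 'setuid diffs' section.  Added example, not code
from the post or from /etc/periodic/security.  Assumed input: the unified diff of
ls -liTd lines that 100.chksetuid mails, one entry per line as
  inode mode nlink owner group size 'Mon DD HH:MM:SS YYYY' path
with the path possibly wrapped onto the next line by a mail client."""
import re
from collections import namedtuple

ENTRY_RE = re.compile(
    r"^(?P<inode>\d+)\s+(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mtime>[A-Z][a-z]{2}\s+\d+\s+[\d:]+\s+\d{4})\s+(?P<path>/\S+)$")
CHANGE_ORDER = ("mode", "owner", "group", "size", "inode", "mtime")
Entry = namedtuple("Entry", "inode mode owner group size mtime path")
# kind: NEW, REPLACED (same path removed and added) or GONE; changed: fields that
# differ between the old and new entry; flags: privilege properties worth a second look
Finding = namedtuple("Finding", "kind changed flags")


def unwrap(text):
    """Re-join an entry whose path a mail client wrapped onto the following line."""
    lines = []
    for line in text.splitlines():
        if lines and line.startswith("/") and not ENTRY_RE.match(lines[-1].lstrip("+- ")):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse_diff(text):
    """Return ({path: Entry} added, {path: Entry} removed); context lines (with or
    without their leading space) and the ---/+++/@@ headers are ignored."""
    added, removed = {}, {}
    for line in unwrap(text):
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        m = ENTRY_RE.match(line[1:].strip())
        if m:
            e = Entry(int(m["inode"]), m["mode"], m["owner"], m["group"],
                      int(m["size"]), m["mtime"], m["path"])
            (added if line[0] == "+" else removed)[e.path] = e
    return added, removed


def triage(text):
    """Pair removed/added entries by path; mode[3] is the owner-execute slot (s/S =
    setuid), mode[6] the group-execute slot (setgid), mode[8] the other-write slot."""
    added, removed = parse_diff(text)
    findings = {}
    for path, new in added.items():
        old = removed.get(path)
        changed = [f for f in CHANGE_ORDER if old and getattr(old, f) != getattr(new, f)]
        flags = []
        if new.mode[3] in "sS":
            flags.append("setuid-" + new.owner)
        if new.mode[6] in "sS":
            flags.append("setgid-" + new.group)
        if "S" in new.mode:           # set-id bit without its execute bit: unusual
            flags.append("setid-without-exec")
        if new.mode[8] == "w":        # world-writable set-id binary: never legitimate
            flags.append("WORLD-WRITABLE")
        if old and (old.mode, old.owner, old.group) != (new.mode, new.owner, new.group):
            flags.append("privilege-change")
        findings[path] = Finding("NEW" if old is None else "REPLACED", changed, flags)
    for path in removed.keys() - added.keys():
        findings[path] = Finding("GONE", [], [])
    return findings


def needs_attention(findings):
    """New setuid-root binaries, any mode/owner/group change, anything world-writable."""
    return sorted(p for p, f in findings.items()
                  if (f.kind == "NEW" and "setuid-root" in f.flags)
                  or "privilege-change" in f.flags or "WORLD-WRITABLE" in f.flags)


def verification_command(path):
    """What to run by hand: ports binaries against the pkg database, base-system
    binaries against the release (freebsd-update IDS exists from FreeBSD 10.0 on)."""
    if path.startswith("/usr/local/"):
        return f"pkg which -q {path} | xargs pkg check -s"
    return "freebsd-update IDS"


# Constructed sample mirroring the posted hunk: two entries wrapped the way the mail
# showed them, one context line with and one without its leading space.
SAMPLE = """\
--- /var/log/setuid.today 2014-05-21 03:07:00.000000000 +0200
+++ /tmp/security.kNUKUHM3 2014-08-07 03:06:29.000000000 +0200
@@ -32,13 +32,15 @@
 7704601 -r-sr-xr-x 2 root wheel 8296 Jan 16 23:41:09 2014 /usr/bin/yppasswd
-7791699 -r-xr-sr-x 1 root smmsp 676064 Jan 16 23:41:34 2014
/usr/libexec/sendmail/sendmail
+7791952 -r-xr-sr-x 1 root smmsp 676064 Jun 26 06:30:49 2014
/usr/libexec/sendmail/sendmail
+8269540 -rwxr-sr-x 1 root wheel 18064 Jun 26 06:34:34 2014 /usr/local/bin/lockfile
-8268086 -rwsr-x--- 1 root messagebus 280784 Apr 15 05:41:41 2014 /usr/local/libexec/dbus-daemon-launch-helper
+8269542 -rwsr-sr-x 1 root wheel 98224 Jun 26 06:34:34 2014 /usr/local/bin/procmail
+8269658 -rwsr-x--- 1 root messagebus 270896 Jul 1 12:14:01 2014 /usr/local/libexec/dbus-daemon-launch-helper
+8269530 -r-xr-sr-x 1 root ssmtp 32360 Jun 25 10:26:12 2014 /usr/local/sbin/ssmtp
7707669 -r-sr-sr-x 2 root authpf 24160 Jan 16 23:41:18 2014 /usr/sbin/authpf
"""

if __name__ == "__main__":
    for path, fnd in sorted(triage(SAMPLE).items()):
        print(f"{fnd.kind:8} {path} changed={fnd.changed} flags={fnd.flags} "
              f"-> {verification_command(path)}")
    print("verify first:", needs_attention(triage(SAMPLE)))
```

Run with python3 and it prints one line per changed path plus the short list to check first. A REPLACED entry with unchanged mode and owner is what an update looks like, but it is also exactly what a trojaned copy of the same binary would look like, so the checksum step is what settles it: pkg check -s compares the installed file against the checksum recorded at install time, and freebsd-update IDS does the equivalent for the base system.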
More information about the freebsd-questions mailing list