Subject: Re: insecurity output showing unimportant changes
To: None <netbsd-help@netbsd.org>
From: Thierry Lacoste <th.lacoste@wanadoo.fr>
List: netbsd-help
Date: 03/19/2006 18:43:39
On Sunday 19 March 2006 17:27, Jukka Salmi wrote:
> Thierry Lacoste --> netbsd-help (2006-03-19 13:25:10 +0100):
> > I have this kind of insecurity output:
> > ======
> > /etc/resolv.conf diffs (OLD < > NEW)
> > ======
> > --- /var/backups//etc/resolv.conf.current       2006-03-18
> > 02:17:53.000000000 +0000
> > +++ /etc/resolv.conf    2006-03-19 00:26:59.000000000 +0000
> > @@ -1,4 +1,4 @@
> > -# Created by dhclient at: Fri Mar 17 23:17:47 CET 2006
> > +# Created by dhclient at: Sun Mar 19 01:26:59 CET 2006
> >  search miage.univ-paris12.fr
> >  nameserver 194.214.13.2
> >  nameserver 194.214.13.3
> >
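Review bot: the only `-`/`+` lines in this hunk are the dhclient timestamp comment; the search and nameserver lines are unchanged context. A -I pattern as narrow as that comment line (the '^# Created by dhclient.*' used later in the thread) suppresses exactly this churn while keeping a changed nameserver visible in the report, whereas a pattern like '^#.*' would also hide every other comment change.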
> > Following http://readlist.com/lists/netbsd.org/current-users/0/743.html
> >
> > # tail -1 /etc/security.conf
> > diff_options=-u -I '^# Created by dhclient.*'
> > # sh /etc/security
> > -I: not found
> >
> > Putting the diff options between quotes
> >
> > # tail -1 /etc/security.conf
> > diff_options="-u -I '^# Created by dhclient.*'"
> > # sh /etc/security
> > diff: extra operand `dhclient.*''
> >
> > AFAICS there is a problem with the spaces in the regular expression.
> >
> > # diff -u -I '^# Created by dhclient.*' \
> > > /etc/resolv.conf /var/backups/etc/resolv.conf.current
> > # diff $diff_options \
> > > /etc/resolv.conf /var/backups/etc/resolv.conf.current
> > diff: extra operand `dhclient.*''
> > diff: Try `diff --help' for more information.
> >
> > The words "Created" and "by" are respectively taken for the first
> > and second argument to diff.
> >
> > What did I miss?
> > What are the options to prevent unimportant changes to show up
> > in insecurity output ?
>
> I don't know what is considered to be the "correct solution", but
> calling `eval diff $diff_options ...' instead of `diff $diff_options'
> from /etc/security should work around this problem.
>
>
> HTH, Jukka
Hmm, I'd rather avoid hacking /etc/security.
Same feeling about the idea of hacking /sbin/dhclient-script
to prevent it from writing the comment in /etc/resolv.conf.

Up until now, my preferred option is to put
diff_options="-u -I '^#.*'"
in /etc/security.conf

Better ideas?

Thierry.
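As an added example, not code from this thread or from NetBSD's /etc/security, the following POSIX shell script reproduces the word-splitting failure described above and Jukka's `eval` workaround. The resolv.conf samples, the example.test search domain and the 192.0.2.1 nameserver are constructed stand-ins written to a temporary directory.

```sh
#!/bin/sh
# Added example, not code from the thread or from NetBSD's /etc/security.
# It reproduces the word-splitting failure seen with diff_options and the
# `eval` workaround, using constructed resolv.conf samples.

# The option string exactly as it was put in /etc/security.conf.
diff_options="-u -I '^# Created by dhclient.*'"

# Split a string the way an unquoted $diff_options expansion does: on
# whitespace only, with the embedded single quotes kept as literal characters.
# Prints the argument count (6 here: "Created" and "by" become separate words).
plain_word_count() {
    set -- $1
    echo "$#"
}

# Let the shell re-parse the string, so the embedded quotes group the
# regular expression into one argument. Prints 3: -u, -I and the pattern.
eval_word_count() {
    eval "set -- $1"
    echo "$#"
}

# Constructed samples standing in for /var/backups/etc/resolv.conf.current
# and /etc/resolv.conf; they differ only in the dhclient timestamp comment.
# Prints the temporary directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# Created by dhclient at: Fri Mar 17 23:17:47 CET 2006' \
        'search example.test' 'nameserver 192.0.2.1' > "$dir/resolv.conf.current"
    printf '%s\n' '# Created by dhclient at: Sun Mar 19 01:26:59 CET 2006' \
        'search example.test' 'nameserver 192.0.2.1' > "$dir/resolv.conf"
    echo "$dir"
}

# What /etc/security effectively runs: the pattern is torn apart, "Created"
# and "by" become file operands, and diff fails with "extra operand" (exit 2).
diff_plain() {
    diff $diff_options "$1" "$2"
}

# The eval workaround: the option string is re-parsed as shell text, so diff
# receives the whole pattern as the -I argument and exits 0 because the only
# differing line matches it. Since eval executes whatever is in diff_options,
# /etc/security.conf must stay writable by root only.
diff_eval() {
    eval diff "$diff_options" '"$1"' '"$2"'
}

# Run as `sh this_script.sh demo` to see both behaviours side by side.
if [ "${1:-}" = demo ]; then
    echo "plain split gives $(plain_word_count "$diff_options") arguments"
    echo "eval split gives $(eval_word_count "$diff_options") arguments"
    d=$(make_samples)
    diff_plain "$d/resolv.conf.current" "$d/resolv.conf"; echo "plain diff exit: $?"
    diff_eval "$d/resolv.conf.current" "$d/resolv.conf"; echo "eval diff exit: $?"
    rm -rf "$d"
fi
```

The two word counts are the whole story: the shell never re-reads quotes that come out of a variable expansion, so the only ways to pass a pattern containing spaces through a plain `$diff_options` are to let `eval` re-parse it, as suggested in the thread, or to pick a pattern without spaces, which is what the `'^#.*'` option above does at the cost of hiding every comment change rather than just the dhclient timestamp.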