Subject: Re: Adding /usr/local to daily security audit
To: Jeff_W <jgw@tx0.org>
From: Stefan 'Kaishakunin' Schumacher <stefan@net-tex.de>
List: netbsd-users
Date: 06/29/2007 10:06:56

Also sprach Jeff_W (jgw@tx0.org)
> "Stefan 'Kaishakunin' Schumacher" <stefan@net-tex.de> wrote:
> > Mtree uses the databases (which are plain text files) in /etc/mtree/.
> > If you want to add /usr/local to the list of hierarchies to check, do
> > sth. like:
> >
> > # mtree -L -c -K sha1,rmd160,gid,uid,mode -p /usr/local > \
> >      /etc/usrlocal.secure
>
> How does the system know it's now supposed to check /usr/local during its
> daily security audit?  Don't you need to add/create entries in
> /etc/mtree/special or /etc/mtree/special.local ?  That was the impression
> I got from security.conf(5).

The man page is a bit unclear in that section. The script itself
(/etc/security) runs a loop over all files in /etc/mtree/*.secure,
see line 781 (for file in /etc/mtree/*.secure; do). So any database
following the pattern of /etc/mtree/*.secure will be checked.

> > To do a manual check, run:
> > # mtree -L -p /usr/local -f /etc/usrlocal.secure
>
> I guess this could be added to /etc/security.local as an alternative
> to cron.  Thing is, I really only care about a few of the files
> under /usr/local - binaries and config files mainly.  For instance,
> I've built Pike, the programming language, which has a whole lot of
> modules and libraries under /usr/local/pike/7.6.112/ .  I'd rather
> not worry about most of that stuff, just the four Pike executables
> and maybe the core modules.  It looks like that's what the "special"
> files are for, no?

/etc/mtree/special is required by the check_changelist option of
security.conf.


I do manual checking of some directories via cron. You can use the
mtree option "-X mtree.exclude" to ignore files/dirs listed in
mtree.exclude. So if you want to ignore /usr/local/pike/7.6.112/,
just add it to mtree.exclude and run

 mtree -L -c -K sha1,rmd160,gid,uid,mode -p /usr/local \
 -X mtree.exclude > mtree.database

and via cron:
  mtree -L -p /usr/local -f mtree.database -X mtree.exclude

-- 
PGP FPR: CF74 D5F2 4871 3E5C FFFE  0130 11F4 C41E B3FB AE33
http://www.net-tex.de
http://www.cryptomancer.de
-- 
What have people prayed for since childhood, what have they dreamed of,
what have they tormented themselves over? That someone would tell them once
and for all what happiness is, and chain them to that happiness. And is this
not exactly what we are doing? The age-old dream of paradise ...
Jewgenij Iwanowitsch Samjatin, »Wir«

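The workflow in the reply above (build a database of /usr/local with an exclude list, then verify against it from cron) as an added Python stand-in for the two mtree invocations; this is example code, not mtree and not from the original thread. The directory layout, file contents and the `pike/7.6.112` exclude line are constructed, and the exclude matching is modelled on mtree's -X rule (a pattern containing '/' is matched against the path relative to -p, any other pattern against the basename).

```python
import fnmatch, hashlib, os, stat, tempfile

def _excluded(rel, patterns):
    # like mtree -X: patterns containing '/' match the relative path, others the basename
    base = os.path.basename(rel)
    return any(fnmatch.fnmatch(rel if "/" in p else base, p) for p in patterns)

def build_spec(root, patterns=()):
    """Stand-in for `mtree -L -c -K sha1,gid,uid,mode -p root -X file`."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=True):
        rel = "" if dirpath == root else os.path.relpath(dirpath, root)
        # prune excluded directories so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if not _excluded(os.path.join(rel, d), patterns)]
        for name in filenames:
            r = os.path.join(rel, name)
            if _excluded(r, patterns):
                continue
            full = os.path.join(root, r)
            st = os.stat(full)  # -L: stat follows symlinks
            with open(full, "rb") as f:
                digest = hashlib.sha1(f.read()).hexdigest()
            spec[r] = {"uid": st.st_uid, "gid": st.st_gid,
                       "mode": stat.S_IMODE(st.st_mode), "sha1": digest}
    return spec

def check_spec(root, spec, patterns=()):
    """Stand-in for `mtree -L -p root -f db -X file`: returns (path, finding) pairs."""
    now = build_spec(root, patterns)
    findings = [(p, "missing") for p in spec if p not in now]
    findings += [(p, "extra") for p in now if p not in spec]
    for p in spec.keys() & now.keys():
        findings += [(p, k) for k in spec[p] if spec[p][k] != now[p][k]]
    return sorted(findings)

def demo():
    """Constructed tree: a binary, a config file and an excluded module directory."""
    root = tempfile.mkdtemp()
    for r, data in [("bin/pike", b"ELF"), ("etc/pike.conf", b"x=1"),
                    ("pike/7.6.112/lib/m.pmod", b"mod")]:
        os.makedirs(os.path.dirname(os.path.join(root, r)), exist_ok=True)
        with open(os.path.join(root, r), "wb") as f:
            f.write(data)
    patterns = ["pike/7.6.112"]   # the single line of our constructed mtree.exclude
    db = build_spec(root, patterns)
    with open(os.path.join(root, "bin/pike"), "wb") as f:
        f.write(b"ELF-trojan")    # tamper with a tracked binary
    with open(os.path.join(root, "pike/7.6.112/lib/n.pmod"), "wb") as f:
        f.write(b"new")           # noise inside the excluded subtree is ignored
    return sorted(db), check_spec(root, db, patterns)
```

Only the tracked files end up in the database, and the cron-style check reports just the changed sha1 of bin/pike while the new file under the excluded subtree produces no finding.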