Subject: Re: Adding /usr/local to daily security audit
To: None <stefan@net-tex.de>
From: Jeff_W <jgw@tx0.org>
List: netbsd-users
Date: 06/29/2007 00:47:33
"Stefan 'Kaishakunin' Schumacher" <stefan@net-tex.de> wrote:

> Thus spoke Jeff_W (jgw@tx0.org)
> > Is there an easy way? Mainly just want to check the binaries, libraries
> > and config files under /usr/local.  Doesn't need to be at the same level
> > as the default /usr/pkg audit, maybe just daily checks of
> > /usr/local/{bin,etc,libexec}, log diffs and generate/check checksums.  As
> > near as I can tell I'd probably need to create something in
> > /etc/security.local and maybe a permissions category under /etc/mtree/.
> > But I'm not sure.  Maybe there's an easier way.  Didn't see anything that
> > seemed relevant on netbsd.org; maybe someone knows of other online
> > resources that cover this topic?
>
> As far as I understood, you want to check the integrity of files
> residing under /usr/local. 
>
> You can use mtree(8) to check the integrity, it creates a database of
> files and their attributes, including checksums. 
>
> To do automatic checking, enable "run_security=YES" in /etc/daily.conf
> and "check_mtree=YES" in /etc/security.conf, if they aren't enabled
> already. 


Yup - those are the defaults in /etc/defaults/[daily|security].conf


> Mtree uses the databases (which are plain text files) in /etc/mtree/.
> If you want to add /usr/local to the list of hierarchies to check, do
> sth. like:
>
> # mtree -L -c -K sha1,rmd160,gid,uid,mode -p /usr/local > \
>      /etc/usrlocal.secure

How does the system know it's now supposed to check /usr/local during its
daily security audit?  Don't you need to add/create entries in
/etc/mtree/special or /etc/mtree/special.local ?  That was the impression
I got from security.conf(5).


> To do a manual check, run:
> # mtree -L -p /usr/local -f /etc/usrlocal.secure

I guess this could be added to /etc/security.local as an alternative
to cron.  Thing is, I really only care about a few of the files
under /usr/local - binaries and config files mainly.  For instance,
I've built Pike, the programming language, which has a whole lot of
modules and libraries under /usr/local/pike/7.6.112/ .  I'd rather
not worry about most of that stuff, just the four Pike executables
and maybe the core modules.  It looks like that's what the "special"
files are for, no?

-Jeff
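A constructed example of what a /etc/mtree/special.local fragment covering only the files Jeff cares about could look like. It is added here and is not from the thread or from NetBSD's own files; it assumes the same spec format as /etc/mtree/special (paths relative to /), that the pike binary is installed as /usr/local/bin/pike, and the config file name is hypothetical:

```text
# /etc/mtree/special.local (constructed example)
# Same format as /etc/mtree/special: paths are relative to / and the
# daily security run invokes mtree with -e, so files that exist on disk
# but are not listed here (e.g. everything under /usr/local/pike/) are
# neither examined nor reported as "extra".
/set type=file uname=root gname=wheel mode=0444
./usr/local                    type=dir mode=0755
./usr/local/bin                type=dir mode=0755
./usr/local/bin/pike           mode=0555
./usr/local/etc                type=dir mode=0755
# hypothetical config file name, replace with the real one
./usr/local/etc/example.conf   mode=0644
```

Only the keywords written in the spec are compared, so this fragment reports ownership and mode drift on the listed files; a checksum spec built with the quoted `mtree -c -K sha1,rmd160,...` command is a separate file that has to be regenerated after every rebuild of Pike.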