
[cobalt-security] Re: RPM Question



On Fri, 02 May 2003 12:00:00 -0700, you wrote:

>From: "Gavin Nelmes-Crocker" <cobalt@xxxxxxxxxxxxxxxx>
>To: <cobalt-security@xxxxxxxxxxxxxxx>
>Subject: RE: [cobalt-security] RPM Question
>Date: Fri, 2 May 2003 17:46:24 +0100
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>> After following some security discussions I added some rpm verify commands
>> to a script I run nightly that does some security checks (runs
>> chkrootkit0.40, files without owners, files with setuid).
>
>Fancy sharing the script?

See shell script at end - needs some minor tailoring - make sure the
directory for the logs are available (spool)

>
>> I get the following appearing:
>>
>> rpm -V net-tools
>> .M......   /usr/share/locale/de/LC_MESSAGES/net-tools.mo
>> .M......   /usr/share/locale/fr/LC_MESSAGES/net-tools.mo
>>
>> This is telling me there is a problem with Mode (includes permissions and
>> file type) of these two files (I think)
>
><snip>
>
>> Should I just do a chmod 644 on these two files or should I change the
>> package contents somehow? I haven't tampered with these files -
>> this is how
>> they came in as far as I can see.
>>
>> chmod 644 net-tools.mo will make the 'rpm -V' happy.....
>>
>It looks to me as though these files are to do with the localisation we did,
>Will De Haan was the expert for that.  I don't think it will cause a problem
>what you are proposing, especially as looking at the directory structure
>they are for French and German so probably not a concern for you in the US.

Hi Michael and other helpful people

On the Qube Forum - John from Sun posted this:

What you are seeing is common. You don't have to make any changes, just be
aware that you will see that output.


Since it appears that changing the mode to 644 will make the rpm -V errors
go away and it makes no material difference to the Qube itself I think I'll
just do the following and then I'll have no errors to look for in my
script:

chmod 644 /usr/share/locale/de/LC_MESSAGES/util-linux.mo
chmod 644 /usr/share/locale/fr/LC_MESSAGES/util-linux.mo
chmod 644 /usr/share/locale/ja/LC_MESSAGES/util-linux.mo
chmod 644 /usr/share/locale/de/LC_MESSAGES/net-tools.mo
chmod 644 /usr/share/locale/fr/LC_MESSAGES/net-tools.mo


>
>I have just rebuilt a Qube that was one of many that got hacked, after
>seeing a post from someone saying they rebuilt theirs patched it fully and
>it was hacked in 24hrs I was a bit concerned then I noticed the experimental
>Samba rpm.
>
>Odd that the one noticeable symptom of a hacked Qube in this instance was
>that Samba goes down and doesn't come back up I decided to install the rpm
>and then wait a few days to see if it gets hacked/falls over etc.  So far 3
>days and no hack.
>
>Advice I would put that experimental rpm on it may save you some grief.
>
>Regards
>
>Gavin
>
>ps I have just noticed 3 new patches from Sun for the Qube on Bluelink, only
>one on the web page.  I have installed the DNS and WGET with no issues but
>not the kernel - not quite brave enough for that today as I am nearly 600
>miles from the Qube <smile>

Here's the script. I've got a cron job that runs it every morning:

------------------------------------------------------------------------
:
#       checksys - checkout system and mail results
#
#       Created: January 2003
#       Peter Frederick
#

# CUSTOMIZE THESE VARIABLES
#
BASED=/home/users/pfred
LOG=${BASED}/spool/checksys.log
OLOG=${BASED}/spool/chkrootkit.log
CRK=/home/users/tools/chkrootkit-0.40
THISHOST=`uname -n`
MAILTO=USERNAME@xxxxxxxxxx

cp /dev/null $OLOG
cat <<! >$LOG
`date` checksys V1.0 started

      HOME Directory is ${BASED}
             Logfile is ${LOG}
Chkrootkit installed in ${CRK}

!
cd ${CRK}
if [ ! -x chkrootkit ]
then
        echo "Missing chkrootkit executable - Get Help" >>${LOG}
else
        ./chkrootkit >${OLOG}
        #
        # Some Analysis
        #
        cat <<! >>${LOG}

Analysis of Output:
!
        for j in Warning INFECTED promisc
        do
                ERRORS=`grep -c "$j" ${OLOG}`
                cat <<! >>${LOG}

Pattern -> '$j'  = ${ERRORS}
!
                case $ERRORS in
                0)
                        #
                        # No details to show
                        ;;
                *)
                        cat <<! >>${LOG}
--------------------------------------------------
`grep "$j" ${OLOG}`
--------------------------------------------------
!
                        ;;
                esac
        done
fi
cat <<! >>$LOG

Complete Log of chkrootkit is at ${OLOG}

Looking for Files without a valid owner:
find / \( -nouser -o -nogroup \) -exec ls -lF {} \;

!
# Parentheses are needed: without them -exec binds only to -nogroup, so files
# that merely have no valid owner match the test but are never listed.
find / \( -nouser -o -nogroup \) -exec ls -lF {} \; >>$LOG 2>/dev/null

cat <<! >>$LOG

Looking for All Programs with Setuid Bit (some maybe legitimate):
find / -type f -perm +6000 -exec ls -lF {} \;

!
find / -type f -perm +6000 -exec ls -lF {} \; >>$LOG 2>/dev/null

cat <<! >>$LOG

Verify Some Important Packages
rpm -V util-linux
`rpm -V util-linux`

rpm -V net-tools
`rpm -V net-tools`

rpm -V procps
`rpm -V procps`

!

cat <<! >>$LOG

Results of 'cat /proc/cpuinfo'
`cat /proc/cpuinfo`

File System Usage:
`df -h`

`date` checksys finished
!

# Email the log file to someone who is interested
cat ${LOG} | mail -s "LOG - ${THISHOST} checksys Log" $MAILTO
------------------------------------------------------------------------

Have Fun
Peter

PS Does anyone else have any other things that are worth checking?

-- 
Peter Frederick
MIS Director, Indiana Packers Corp, Delphi IN
Phone: (765) 564-9705   Fax: (765) 564-3684
Work: pfred@xxxxxxxxx   (Qube3 Professional running 6.4)
============================================================================
'Tis better to light one candle than to curse the darkness a thousand times!
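As an added example (not part of the thread or of Peter's script), here is a small Python triage of `rpm -V` output: it decodes the flag columns the thread discusses and separates the mode-only drift on locale catalogs, which John from Sun calls common, from changes that alter a file's content. The known-benign path pattern is an assumption built from the paths listed in this message, and the sample lines beyond the two quoted in the thread are constructed.

```python
import re
from typing import NamedTuple, Optional

# rpm -V columns: S size, M mode, 5 md5, D device, L symlink, U user, G group,
# T mtime ('.' = verified, '?' = not testable); newer rpm adds a 9th 'P' column.
CONTENT_FLAGS = {"S", "5", "L", "D"}   # content or link target differs from package
# Mode-only drift on these locale catalogs is the thread's known noise (assumed pattern).
KNOWN_BENIGN = re.compile(r"^/usr/share/locale/[^/]+/LC_MESSAGES/(util-linux|net-tools)\.mo$")
# flags (or 'missing'), optional file attribute (c=config, d=doc, ...), path
LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr]+)\s+)?(\S.*)$")

class Entry(NamedTuple):
    path: str
    flags: frozenset   # attributes that failed verification, e.g. {"M"}
    attr: str          # rpm file attribute letters, "" if none
    missing: bool

def parse_line(line: str) -> Optional[Entry]:
    """Decode one rpm -V output line; None for lines that are not verify output."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags, attr, path = m.groups()
    if flags == "missing":
        return Entry(path, frozenset(), attr or "", True)
    return Entry(path, frozenset(c for c in flags if c not in ".?"), attr or "", False)

def classify(e: Entry) -> str:
    """alert: gone or content changed; review: unexplained mode/owner drift; ok: noise."""
    if e.missing or e.flags & CONTENT_FLAGS:
        return "alert"
    if e.flags == {"M"} and KNOWN_BENIGN.match(e.path):
        return "ok"
    if e.flags & {"M", "U", "G", "P"}:
        return "review"
    return "ok" if e.attr else "review"   # mtime-only is expected on config/doc files

def triage(output: str) -> dict:
    """Map every path in a block of rpm -V output to alert/review/ok."""
    return {e.path: classify(e) for e in map(parse_line, output.splitlines()) if e}

# Constructed sample: the two lines quoted in the thread plus three made-up ones.
SAMPLE = """\
.M......   /usr/share/locale/de/LC_MESSAGES/net-tools.mo
.M......   /usr/share/locale/fr/LC_MESSAGES/net-tools.mo
S.5....T   /bin/netstat
.......T c /etc/hosts
missing    /sbin/ifconfig
"""
```

Feeding the `rpm -V` sections of the nightly log through `triage` lets the script report only the alert and review entries instead of every line, so the locale noise no longer has to be hidden with chmod.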