
Re: setuid changes



* Micah Anderson (micah@riseup.net) [010921 10:23]:
> I was thinking it would be nice to see what sort of new setuid
> programs show up on my box each day... then I noticed that these are
> already being logged in /var/log/setuid.today and
> /var/log/setuid.yesterday. What makes these? It appears they come from
> /etc/cron.daily/standard which runs /usr/sbin/checksecurity. 
> 
> But, what is the point of logging these each day into
> /var/log/setuid.changes if nobody sees them? Why doesn't this list get
> emailed to root? Am I missing something?

Well, maybe root should go see them? I don't mean to be snotty about it,
but surely you concede that there is a point to logging and not emailing
something; surely you have other logs on your system which are not
emailed to root?

As root, it's best to be vigilant and actively inspect your system
rather than just wait for alerts to come to you. That's not to say that
alerts aren't helpful, and that it probably would be nice to send these
to root. You should be able to get that effect by simply adding it to
the cron job. You'd just need to add a line that says "cat
/var/log/setuid.changes", as stdout from the cron job gets mailed to its
owner (root).

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
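
Added example, not part of the original message and not code from checksecurity: a cron-job fragment that prints only the entries that are new since yesterday, so root gets mail only on days when something changed. It assumes each listing has one entry per line (the thread does not show the file format); the function names and sample paths are made up for illustration.

```shell
#!/bin/sh
# Assumption: one entry per line in each listing; lines are compared whole,
# because the exact format written by checksecurity is not shown in the thread.

# Print lines present in the second listing ($2) but not in the first ($1).
new_setuid_entries() {
    old_sorted=$(mktemp) || return 1
    new_sorted=$(mktemp) || return 1
    sort -u "$1" > "$old_sorted"
    sort -u "$2" > "$new_sorted"
    comm -13 "$old_sorted" "$new_sorted"   # column 3 suppressed: only-new lines remain
    rm -f "$old_sorted" "$new_sorted"
}

# Print a report only when something was added. cron mails a job's owner
# only if the job produced output, so unchanged days generate no mail.
report_new_setuid() {
    added=$(new_setuid_entries "$1" "$2")
    [ -n "$added" ] || return 0
    printf 'New setuid entries since yesterday:\n%s\n' "$added"
}

# Constructed sample listings (not real checksecurity output).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '/bin/su' '/usr/bin/passwd' > "$dir/yesterday"
    printf '%s\n' '/bin/su' '/usr/local/bin/newtool' '/usr/bin/passwd' > "$dir/today"
    report_new_setuid "$dir/yesterday" "$dir/today"
    rm -rf "$dir"
}

# In the cron job itself the call would be:
#   report_new_setuid /var/log/setuid.yesterday /var/log/setuid.today
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Entries that disappeared since yesterday are deliberately not reported; swapping `comm -13` for `comm -23` would list those instead.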
