
Re: setuid changes



On 2001-09-21 13:35 Vineet Kumar wrote:

> * Micah Anderson (micah@riseup.net) [010921 10:23]:
>
> > I was thinking it would be nice to see what sort of new setuid
> > programs show up on my box each day... then I noticed that these
> > are already being logged in /var/log/setuid.today and
> > /var/log/setuid.yesterday. What makes these? It appears they come from
> > /etc/cron.daily/standard which runs /usr/sbin/checksecurity.
> >
> > But, what is the point of logging these each day into
> > /var/log/setuid.changes if nobody sees them? Why doesn't this list
> > get emailed to root? Am I missing something?
>
> Well, maybe root should go see them? I don't mean to be snotty about
> it, but surely you concede that there is a point to logging and not
> emailing something; surely you have other logs on your system which
> are not emailed to root?
>
> As root, it's best to be vigilant and actively inspect your system
> rather than just wait for alerts to come to you.

Yes, inspecting logs is very important to catch up on suspicious events
which may be intrusion attempts. One of the big problems, however, is the
big quantity of logging, which makes important information disappear
among all the trivial events. One example is the option of redirecting
mail for root to some ordinary user so messages won't go unnoticed. I
just had to switch that feature off. All kinds of trivial events
(logging of /var/spool/messages etc.) filled up my mailbox, things like
key generation by ssh and minor kernel messages. I am tempted to create
some kind of perl script which skips all the non-important info and
leaves all the rest in place. A script root can run which pulls out info
from /var/log/* and other logs around the system.

Especially now in these wormy times, when the httpd error_log overflows
with "file not found" messages. A couple of days ago there were 154,000
hits by those IIS worms around the net on my server in ONE DAY. There
is indeed a need for filtering out some kinds of information, or at least
to have the choice of lowering the message generation by various programs.

Greetings from Norway,
Øyvind

+===================================================================+
| OpenPGP: 0xAD19826C 2000-01-24 Oyvind A. Holm <sunny256@mail.com> |
| Fingerprint: EAE5 DCA0 0626 5DAA 72F8  0435 2E2B E476 AD19 826C   |
+=========== 2 + 2 = 5 for extremely large values of 2. ============+
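The kind of noise filter the message above asks for, as an added example that is not part of the original thread and not Debian's checksecurity or logcheck code: a script drops lines matching a list of known-trivial patterns (the ssh key-generation messages and the IIS worm "file not found" probes the author complains about), reports everything else, and keeps a per-category count of what it suppressed so a flood like 154,000 hits in a day is still visible as a number. It is written in Python rather than the perl the author mentions. The sample log lines and the ignore patterns are constructed for illustration; a real ignore list would be tuned per host.

```python
"""Illustrative log-noise filter.  Example code, not from Debian's
checksecurity or logcheck.  Sample log lines and ignore patterns are
constructed for illustration."""
import re
from collections import Counter

# Constructed sample: Apache error_log lines and syslog lines mixed,
# as root might see them in a daily mail.
SAMPLE_LOG = """\
[Fri Sep 21 10:01:02 2001] [error] [client 10.0.0.5] File does not exist: /var/www/default.ida
[Fri Sep 21 10:01:03 2001] [error] [client 10.0.0.5] File does not exist: /var/www/scripts/root.exe
[Fri Sep 21 10:01:04 2001] [error] [client 10.0.0.9] File does not exist: /var/www/MSADC/root.exe
Sep 21 10:02:00 host sshd[1234]: Generating new 768 bit RSA key.
Sep 21 10:02:01 host sshd[1234]: RSA key generation complete.
Sep 21 10:05:11 host sshd[1300]: Accepted password for root from 10.0.0.7 port 1022 ssh2
Sep 21 10:06:00 host kernel: eth0: Setting promiscuous mode.
[Fri Sep 21 10:07:02 2001] [error] [client 10.0.0.5] File does not exist: /var/www/default.ida
"""

# Ignore rules: (label, compiled regex).  Assumed patterns, chosen to
# match the constructed sample above.  Order matters: the first match
# wins, so put the most specific rules first.
IGNORE_RULES = [
    ("iis-worm-probe",
     re.compile(r"File does not exist: .*/(default\.ida|scripts/root\.exe|MSADC/root\.exe)$")),
    ("sshd-keygen",
     re.compile(r"sshd\[\d+\]: (Generating new \d+ bit RSA key|RSA key generation complete)")),
]


def filter_log(text, rules=IGNORE_RULES):
    """Split log text into (interesting_lines, suppressed_counter).

    A line is suppressed by the first rule that matches it and counted
    under that rule's label; lines matching no rule are kept verbatim.
    """
    kept = []
    suppressed = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        for label, rx in rules:
            if rx.search(line):
                suppressed[label] += 1
                break
        else:
            kept.append(line)
    return kept, suppressed


def report(text, rules=IGNORE_RULES):
    """Format a short daily report: interesting lines first, then one
    line per suppressed category with its count, so the volume of noise
    is still visible without the noise itself."""
    kept, suppressed = filter_log(text, rules)
    out = ["== lines needing attention (%d) ==" % len(kept)]
    out.extend(kept)
    out.append("== suppressed as noise ==")
    for label, n in sorted(suppressed.items()):
        out.append("%-16s %6d" % (label, n))
    return "\n".join(out)


if __name__ == "__main__":
    # With real logs: print(report(open("/var/log/messages").read()))
    print(report(SAMPLE_LOG))
```

On the sample the report keeps the root password login and the kernel promiscuous-mode line, and folds the six noise lines into two counts. Suppressing with a count rather than silently dropping is deliberate: a sudden jump in "iis-worm-probe" from hundreds to 154,000 is itself worth a line in root's mail.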
