10.6. Automated Auditing Scripts


Both FreeBSD and OpenBSD ship with auditing scripts that run daily through cron. Unlike the automated log monitoring tools discussed previously, these scripts examine various aspects of the filesystem rather than log output. They report on the state of the system, flag changes to certain files, back up critical configuration files, and so on. The mechanisms behind these automated auditing scripts are very different in the two operating systems, however, so we treat them separately.

10.6.1. OpenBSD's Security Script

OpenBSD runs /etc/security from the /etc/daily script, so it executes once a day. The security(8) script performs numerous checks of files throughout the system: it looks for syntax errors in the password and group files, inspects dotfiles in users' home directories, checks permissions and ownership throughout the filesystem, and even reports changes to selected files. Most of this behavior is preconfigured and can only be adjusted by editing /etc/security directly, which is not recommended: the script is part of the base system, and your edits would have to be reconciled with every upgrade.

Still, there are two ways to influence what the security script does for you. First, whenever you install applications that have important configuration files, consider adding those files to /etc/changelist. For every file listed in changelist(5), the security script keeps a copy under /var/backups and reports a diff whenever the file's content changes. This helps keep you aware of configuration changes on your system, whether made by you, by a package upgrade, or by an intruder.
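To make the changelist mechanism concrete, here is an added example (not the OpenBSD /etc/security script itself) that re-implements the check in a few lines of sh: keep a copy of each listed file, diff the live file against it on every run, and rotate the copies when something changed. The list file, the backup directory and the sample configuration files are constructed for the demonstration; the real script works on /etc/changelist and /var/backups, and the mangled backup names used here are modeled on, not copied from, the names found under /var/backups.

```shell
#!/bin/sh
# Added example, not the OpenBSD /etc/security script itself: a minimal
# re-implementation of the changelist(5) check it performs. The list file,
# the backup directory and the sample files are constructed here; the real
# script uses /etc/changelist and /var/backups.

# check_changelist LIST BACKUPDIR
#   LIST      one absolute path per line; '#' comments and blank lines ignored
#   BACKUPDIR where the saved copies live (<mangled path>.current / .backup)
# Prints one line per listed file that needs attention:
#   NEW <path>      first time the file is seen; a copy is saved, nothing to diff
#   MISSING <path>  listed but absent
#   CHANGED <path>  content differs from the saved copy; the diff follows, then
#                   the copies rotate (.current -> .backup, live file -> .current)
check_changelist() {
    list=$1
    backupdir=$2
    mkdir -p "$backupdir"
    grep -v '^[[:space:]]*#' "$list" | grep -v '^[[:space:]]*$' |
    while IFS= read -r file; do
        # /etc/ssh/sshd_config -> etc_ssh_sshd_config (assumed naming, modeled
        # on the files under /var/backups, not taken from the script)
        name=$(printf '%s' "$file" | sed 's,^/,,; s,/,_,g')
        cur="$backupdir/$name.current"
        back="$backupdir/$name.backup"
        if [ ! -f "$file" ]; then
            echo "MISSING $file"
        elif [ ! -f "$cur" ]; then
            echo "NEW $file"
            cp -p "$file" "$cur"
        elif ! cmp -s "$cur" "$file"; then
            echo "CHANGED $file (OLD < > NEW)"
            diff "$cur" "$file" || true      # diff exits 1 when the files differ
            cp -p "$cur" "$back"
            cp -p "$file" "$cur"
        fi
    done
}

# Demonstration: a baseline run, an edit to sshd_config, then a second run
# that reports the edit.
demo_changelist() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ssh"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/etc/ssh/sshd_config"
    printf 'ALL: ALL\n' > "$tmp/etc/hosts.deny"
    {
        echo '# constructed changelist for the demonstration'
        echo "$tmp/etc/ssh/sshd_config"
        echo "$tmp/etc/hosts.deny"
        echo "$tmp/etc/nonexistent.conf"
    } > "$tmp/changelist"

    echo '== first run (baseline) =='
    check_changelist "$tmp/changelist" "$tmp/backups"
    # something, or someone, turns root logins back on
    printf 'PermitRootLogin yes\nPasswordAuthentication no\n' > "$tmp/etc/ssh/sshd_config"
    echo '== second run =='
    check_changelist "$tmp/changelist" "$tmp/backups"
    rm -rf "$tmp"
}

demo_changelist
```

The first run only establishes the baseline, so a file that was already tampered with before you added it to the list is never flagged; the check is only as good as the state it was first seeded from, which is one reason the daily report is a sanity check rather than an integrity guarantee.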

Second, permissions and ownership are audited against the mtree(8) specification in /etc/mtree/special and against any other file in /etc/mtree with a .secure extension. You can create additional specifications with mtree as follows, where dir is the directory you want to snapshot (the redirection must also run as root, which is why the command is wrapped in sh -c):

    % sudo sh -c 'mtree -cx -p dir -k cksum,gid,mode,nlink,size,link,time,uid \
        > /etc/mtree/dir.secure'
    % sudo chown root:wheel /etc/mtree/dir.secure
    % sudo chmod 600 /etc/mtree/dir.secure

Creating .secure mtree files for file hierarchies that hold chrooted services and important configuration files is a good idea. When you are done creating these mtree files and adjusting /etc/changelist, consider making them all immutable with chflags(1) (the schg flag), since at securelevel 1 or higher that flag cannot be cleared without a reboot; otherwise an intruder with root can simply edit the specification to match the changes made.

Please remember, however, that the security script, the changelist file, and the mtree files are not the definitive answer to filesystem auditing, nor do they keep your system secure. The security script and its associated files merely provide a small daily sanity check so that you, the administrator, have an idea of what is changing on your system. There are innumerable ways in which your system could be compromised without the security script ever raising a red flag.

10.6.2. FreeBSD's Periodic Scripts

The periodic(8) utility runs the scripts located in a given directory. By default, /etc/crontab on FreeBSD systems runs periodic with one of three arguments: daily, weekly, and monthly. Each argument corresponds to a directory under /etc/periodic containing the scripts to run for that interval.

The behavior of the periodic scripts is controlled from periodic.conf(5). In this file you place directives that determine which scripts will and will not run, and under what circumstances they produce output. This flexibility matters: administrators who do not configure periodic.conf to emit only important output tend to ignore all mail from root on a regular basis. Who can blame them? With the default values, the signal-to-noise ratio of the periodic reports is very low, and real problems are easily lost among routine status messages.

Take a moment to examine the default configuration for periodic in /etc/defaults/periodic.conf. In most cases, you want to copy blocks of text into /etc/periodic.conf and set success, info, and other verbose notifications to NO, while retaining notifications for errors and bad configuration. Example 10-8 provides a reasonable (and fairly quiet) default configuration for periodic.

Example 10-8. Sample /etc/periodic.conf
daily_show_success="NO"                 # scripts returning 0
daily_show_info="NO"                    # scripts returning 1
daily_show_badconfig="YES"              # scripts returning 2
weekly_show_success="NO"                # scripts returning 0
weekly_show_info="NO"                   # scripts returning 1
weekly_show_badconfig="YES"             # scripts returning 2
monthly_show_success="NO"               # scripts returning 0
monthly_show_info="NO"                  # scripts returning 1
monthly_show_badconfig="YES"            # scripts returning 2
daily_status_security_inline="YES"      # reduces number of messages
daily_clean_disks_verbose="NO"          # Mention files deleted
daily_clean_tmps_verbose="NO"           # Mention files deleted
daily_clean_preserve_verbose="NO"       # Mention files deleted

Of course, additional options may be relevant in your environment. The settings in Example 10-8 should at the very least reduce the informational mail you receive. Once periodic is configured to notify you only of important events, you will find its reports far more useful.
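The show_success, show_info and show_badconfig settings work purely on each script's exit status, which is why the comments in Example 10-8 read "scripts returning 0/1/2". The following added example (not FreeBSD's own periodic(8)) emulates that decision rule so you can see exactly which output survives the quiet settings. The scripts built by make_demo_dir, their messages and their exit codes are constructed for the demonstration and are not real /etc/periodic scripts.

```shell
#!/bin/sh
# Added example, not FreeBSD's periodic(8) itself: an emulation of the rule
# periodic applies when deciding whether a script's output goes into the
# daily/weekly/monthly mail. The decision depends only on the script's exit
# status and the *_show_success / *_show_info / *_show_badconfig settings from
# periodic.conf(5). The scripts created by make_demo_dir are constructed for
# the demonstration.

# run_period DIR SHOW_SUCCESS SHOW_INFO SHOW_BADCONFIG
#   Runs every executable in DIR in name order (as periodic does with
#   /etc/periodic/daily and friends), captures each script's output and prints
#   it only when the exit status is one you asked to see:
#     0  script ran and had nothing unusual to say   -> SHOW_SUCCESS
#     1  script produced informational output        -> SHOW_INFO
#     2  script found a bad configuration            -> SHOW_BADCONFIG
#     anything else is treated as an error and is always reported
run_period() {
    dir=$1 show_success=$2 show_info=$3 show_badconfig=$4
    for script in "$dir"/*; do
        [ -x "$script" ] || continue
        rc=0
        out=$("$script" 2>&1) || rc=$?     # capture first, decide afterwards
        case $rc in
        0) show=$show_success ;;
        1) show=$show_info ;;
        2) show=$show_badconfig ;;
        *) show=YES ;;
        esac
        if [ "$show" = YES ]; then
            printf '%s\n' "$out"
        fi
    done
}

# make_demo_dir: builds a throwaway "daily" directory holding one constructed
# script per exit-status class and prints the directory's path.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "SUCCESS: passwd and group backed up, no change"\nexit 0\n' \
        > "$d/200.success"
    printf '#!/bin/sh\necho "INFO: /var is 61%% full"\nexit 1\n' \
        > "$d/400.info"
    printf '#!/bin/sh\necho "BADCONFIG: sshd_config has PermitRootLogin yes"\nexit 2\n' \
        > "$d/800.badconfig"
    printf '#!/bin/sh\necho "ERROR: cannot open /var/log/auth.log"\nexit 3\n' \
        > "$d/900.error"
    chmod +x "$d"/*
    printf '%s\n' "$d"
}

# Demonstration: Example 10-8's quiet settings versus everything switched on.
demo_periodic() {
    d=$(make_demo_dir)
    echo '== daily_show_success=NO daily_show_info=NO daily_show_badconfig=YES =='
    run_period "$d" NO NO YES
    echo '== all YES =='
    run_period "$d" YES YES YES
    rm -rf "$d"
}

demo_periodic
```

With the quiet settings only the BADCONFIG and ERROR lines are mailed; the routine SUCCESS and INFO lines disappear. Note the asymmetry this creates: a script that exits 2 is silenced by daily_show_badconfig="NO", so leaving that setting at NO means misconfigurations are precisely the class of message you will never see.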



    Mastering FreeBSD and OpenBSD Security