Re: changed /dev/ttys is this normal?
From: Karsten W. Rohrbach (karsten@rohrbach.de)
Date: 08/29/01
- Next message: info@ptc.com: "Special Offer for SDRC Customers"
- Previous message: Peter Pentchev: "Re: changed /dev/ttys is this normal?"
- In reply to: Peter Pentchev: "Re: changed /dev/ttys is this normal?"
- Next in thread: Cy Schubert - ITSD Open Systems Group: "Re: changed /dev/ttys is this normal?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Aug 2001 22:11:19 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Peter Pentchev <roam@ringlet.net>
Peter Pentchev(roam@ringlet.net)@2001.08.29 17:11:25 +0000:
> ..but actually, it might be wise if Tripwire would warn you about
> changes in *anything* but the owner on terminal devices. Also,
> it would be wise to have it warn you for the appearance of *new*
> files looking like terminal devices. I've seen more than one
> rootkit which installed a setuid shell or a config file or whatever
> as /dev/ttySomething, or as a replacement for one of the higher-numbered
> tty devices (in the hope that those are reached only very rarely,
> and this would go unnoticed for quite some time).
i think it would make sense to monitor /dev for non-devnodes, except for
MAKEDEV and MAKEDEV.local, which should be monitored as plain files.
rohrbach@WM:datasink[/dev]139% find . -type f
./MAKEDEV.local
./MAKEDEV
to sum it up (4.3-STABLE):
2 files MAKEDEV/MAKEDEV.local
1 dir fd/ containing 64 chardevs
hundreds of chardevs: all the devnodes, depending on config
some symlinks depending on audio config et al.
0 blockdevs
0 fifos
0 sockets
this could serve as a basis for a subtractive ruleset for monitoring /dev
cheers,
/k
--
> "I think pop music has done more for oral intercourse than anything else
> that has ever happened, and vice versa." --Frank Zappa
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
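A defender-side audit script along the lines of the subtractive ruleset described in the message above (only MAKEDEV and MAKEDEV.local permitted as plain files; no fifos, sockets or blockdevs expected in a 4.3-STABLE /dev). It is an added example, not code from the thread or from FreeBSD, and assumes POSIX sh with a find(1) that supports -mindepth; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a /dev-like tree using the
# "subtractive" idea above. On 4.3-STABLE the only plain files expected in /dev
# are MAKEDEV and MAKEDEV.local; everything else should be a character device,
# a directory (fd/) or a symlink. Anything else is reported.
# Assumptions: POSIX sh; find(1) with -mindepth (BSD and GNU find both have it).

DEV_ALLOWED_FILES="MAKEDEV MAKEDEV.local"   # plain files permitted in /dev

# Print one "<type> <relative path>" line per unexpected entry and return 1;
# return 0 when nothing suspicious is found. Type letter: - file, p fifo,
# s socket, b block device (none on FreeBSD 4.x; drop -type b on Linux).
audit_dev() {
    dir=${1:-/dev}; dir=${dir%/}     # default /dev, tolerate a trailing slash
    [ -d "$dir" ] || return 2         # missing tree is an error, not "clean"
    bad=$(
        find "$dir" -mindepth 1 \( -type f -o -type p -o -type s -o -type b \) -print |
        while IFS= read -r path; do
            rel=${path#"$dir"/}
            allowed=0
            for a in $DEV_ALLOWED_FILES; do
                if [ "$rel" = "$a" ]; then allowed=1; fi
            done
            if [ "$allowed" -eq 1 ]; then continue; fi
            # first character of ls -l output is the entry type
            printf '%s %s\n' "$(ls -ld "$path" | cut -c1)" "$rel"
        done
    )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Count entries per type (f d c b l p s), as in the summary above, so a
# baseline can be recorded and diffed on later runs: new fifos, sockets or
# plain files, or a shrinking chardev count, all stand out.
dev_inventory() {
    dir=${1:-/dev}
    for t in f d c b l p s; do
        n=$(find "$dir" -mindepth 1 -type "$t" | wc -l | tr -d ' ')
        printf '%s %s\n' "$t" "$n"
    done
}

# Run both checks when executed with a directory argument, e.g. ./dev_audit.sh /dev.
# With no argument only the functions are defined, so the file can be sourced.
[ $# -eq 0 ] || { dev_inventory "$1"; audit_dev "$1"; }
```

Run it from cron against /dev and alert on a non-zero exit; a plain file named like a tty (the rootkit trick described in the quoted text) shows up as "- ttyXX".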