From 678f2ac821eb5a328248923619a1fc89aa744574 Mon Sep 17 00:00:00 2001
From: millert <>
Date: Sun, 25 Mar 2001 04:50:27 +0000
Subject: [PATCH] Don't provide diffs of sensitive files like ssh host keys. Instead, just save the md5 checksums so we can still determine when something change. Entries in /etc/changelist that are prefixed with a '+' will only have their md5 checksums saved, not the actual files.
---
 src/etc/changelist | 12 +++++++++---
 src/etc/security | 28 ++++++++++++++++++++++++++--
 2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/src/etc/changelist b/src/etc/changelist
index 8f06c12a..96e2aeae 100644
--- a/src/etc/changelist
+++ b/src/etc/changelist
@@ -1,7 +1,11 @@
-# $OpenBSD: changelist,v 1.14 2000/06/18 22:58:42 todd Exp $
+# $OpenBSD: changelist,v 1.15 2001/03/25 04:50:27 millert Exp $
 #
 # List of files which the security script backs up and checks
 # for modifications.
+#
+# Files prefixed with a '+' will have their md5 checksums stored,
+# not the actual files.
+#
 /etc/Distfile
 /etc/bootparams
@@ -65,9 +69,11 @@
 /etc/shosts.equiv
 /etc/slip.hosts
 /etc/slip.login
-/etc/ssh_host_dsa_key
++/etc/ssh_host_dsa_key
 /etc/ssh_host_dsa_key.pub
-/etc/ssh_host_key
++/etc/ssh_host_rsa_key
+/etc/ssh_host_rsa_key.pub
++/etc/ssh_host_key
 /etc/ssh_host_key.pub
 /etc/sshd_config
 /etc/syslog.conf
diff --git a/src/etc/security b/src/etc/security
index 202f5d9f..67619302 100644
--- a/src/etc/security
+++ b/src/etc/security
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $OpenBSD: security,v 1.45 2001/03/16 15:38:13 millert Exp $
+# $OpenBSD: security,v 1.46 2001/03/25 04:50:27 millert Exp $
 # from: @(#)security 8.1 (Berkeley) 6/9/93
 #
@@ -641,7 +641,7 @@ _fnchg() {
 echo "$1" | sed 's/^\///;s/\//_/g'
 }
 if [ -s /etc/changelist ] ; then
-for file in `egrep -v "^#|$MP" /etc/changelist`; do
+for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do
 CUR=/var/backups/$(_fnchg "$file").current
 BACK=/var/backups/$(_fnchg "$file").backup
 if [ -s $file -a ! -d $file ] ; then
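Review bot: Excluding '+' entries from this copy loop with the new `egrep -v "^(#|\+|$MP)"` line stops future plaintext copies, but it does nothing about the `.current`/`.backup` copies the same loop wrote on earlier runs — per the `CUR=/var/backups/$(_fnchg "$file").current` naming two lines below, `/var/backups/etc_ssh_host_key.current`, `etc_ssh_host_dsa_key.current` and their `.backup` twins keep a full private key on disk until someone deletes them by hand. Since the point of the commit is to stop keeping those copies, a one-time cleanup belongs either in the script (e.g. `rm -f /var/backups/$(_fnchg "$file").current /var/backups/$(_fnchg "$file").backup` when a '+' entry is handled) or at least in the commit message so upgraders know to do it. `$MP` is defined above the hunk, so I can't tell whether it already contains alternation that interacts with the new grouping; the loop body also continues past the hunk.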
@@ -660,4 +660,28 @@ if [ -s /etc/changelist ] ; then
 fi
 fi
 done
+ for file in `egrep "^\+" /etc/changelist`; do
+ file="${file#+}"
+ CUR=/var/backups/$(_fnchg "$file").current.md5
+ BACK=/var/backups/$(_fnchg "$file").backup.md5
+ if [ -s $file -a ! -d $file ] ; then
+ MD5_NEW=`md5 $file | sed 's/^.* //'`
+ if [ -s $CUR ] ; then
+ MD5_OLD="`cat $CUR`"
+ if [ "$MD5_NEW" != "$MD5_OLD" ]; then
+ echo "\n======\n${file} MD5 checksums\n======"
+ echo "OLD: $MD5_OLD"
+ echo "NEW: $MD5_NEW"
+ cp -p $CUR $BACK
+ echo $MD5_NEW > $CUR
+ chown root.wheel $CUR $BACK
+ chmod 600 $CUR
+ fi
+ else
+ echo $MD5_NEW > $CUR
+ chown root.wheel $CUR
+ chmod 600 $CUR
+ fi
+ fi
+ done
 fi
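Review bot: A '+' file that is deleted or truncated is never reported: the new loop only acts inside `if [ -s $file -a ! -d $file ] ; then`, so when /etc/ssh_host_key vanishes the stored checksum in $CUR stays put and the daily report is silent, which for a host key is exactly the change an operator wants to hear about. An `elif [ -s $CUR ] ; then` branch before that block's closing `fi` that prints something like `echo "\n======\n${file} missing or empty (stored MD5: \`cat $CUR\`)\n======"` would close the gap; whether the plain-copy loop above already reports removals is outside this hunk, so I'd at least make the two loops agree. Less urgently, `echo $MD5_NEW > $CUR` creates the file under whatever umask the caller has before `chmod 600 $CUR` runs; a `umask 077` at the top of this block removes that dependency on the environment (the checksum is not a secret, but the file is evidently meant to be 0600 either way).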