
Don't provide diffs of sensitive files like ssh host keys. Instead,

just save the md5 checksums so we can still determine when something
changes.  Entries in /etc/changelist that are prefixed with a '+'
will only have their md5 checksums saved, not the actual files.
OPENBSD_2_9
millert 24 years ago
parent
commit
678f2ac821
2 changed files with 35 additions and 5 deletions
  1. +9
    -3
      src/etc/changelist
  2. +26
    -2
      src/etc/security

+ 9
- 3
src/etc/changelist View File

@ -1,7 +1,11 @@
# $OpenBSD: changelist,v 1.14 2000/06/18 22:58:42 todd Exp $
# $OpenBSD: changelist,v 1.15 2001/03/25 04:50:27 millert Exp $
# #
# List of files which the security script backs up and checks # List of files which the security script backs up and checks
# for modifications. # for modifications.
#
# Files prefixed with a '+' will have their md5 checksums stored,
# not the actual files.
#
/etc/Distfile /etc/Distfile
/etc/bootparams /etc/bootparams
@ -65,9 +69,11 @@
/etc/shosts.equiv /etc/shosts.equiv
/etc/slip.hosts /etc/slip.hosts
/etc/slip.login /etc/slip.login
/etc/ssh_host_dsa_key
+/etc/ssh_host_dsa_key
/etc/ssh_host_dsa_key.pub /etc/ssh_host_dsa_key.pub
/etc/ssh_host_key
+/etc/ssh_host_rsa_key
/etc/ssh_host_rsa_key.pub
+/etc/ssh_host_key
/etc/ssh_host_key.pub /etc/ssh_host_key.pub
/etc/sshd_config /etc/sshd_config
/etc/syslog.conf /etc/syslog.conf
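Review bot: The new comment on the '+' prefix does not tell the operator what is given up: for a '+' entry only a digest goes under /var/backups, so a changed key cannot be restored from the backup the way a plain entry can, and the daily report can only say that the file changed, not what changed. I would extend the comment to `# Files prefixed with a '+' will have their md5 checksums stored,` / `# not the actual files: a change is reported, but no copy is kept` / `# from which the previous contents could be recovered.` The `/etc/ssh_host_rsa_key` and `/etc/ssh_host_rsa_key.pub` entries appear to be new to the list in this hunk rather than re-prefixed; if that is a deliberate sweep for the SSH2 RSA host key it is worth a mention in the commit message.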


+ 26
- 2
src/etc/security View File

@ -1,6 +1,6 @@
#!/bin/sh - #!/bin/sh -
# #
# $OpenBSD: security,v 1.45 2001/03/16 15:38:13 millert Exp $
# $OpenBSD: security,v 1.46 2001/03/25 04:50:27 millert Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93 # from: @(#)security 8.1 (Berkeley) 6/9/93
# #
@ -641,7 +641,7 @@ _fnchg() {
echo "$1" | sed 's/^\///;s/\//_/g' echo "$1" | sed 's/^\///;s/\//_/g'
} }
if [ -s /etc/changelist ] ; then if [ -s /etc/changelist ] ; then
for file in `egrep -v "^#|$MP" /etc/changelist`; do
for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do
CUR=/var/backups/$(_fnchg "$file").current CUR=/var/backups/$(_fnchg "$file").current
BACK=/var/backups/$(_fnchg "$file").backup BACK=/var/backups/$(_fnchg "$file").backup
if [ -s $file -a ! -d $file ] ; then if [ -s $file -a ! -d $file ] ; then
@ -660,4 +660,28 @@ if [ -s /etc/changelist ] ; then
fi fi
fi fi
done done
for file in `egrep "^\+" /etc/changelist`; do
file="${file#+}"
CUR=/var/backups/$(_fnchg "$file").current.md5
BACK=/var/backups/$(_fnchg "$file").backup.md5
if [ -s $file -a ! -d $file ] ; then
MD5_NEW=`md5 $file | sed 's/^.* //'`
if [ -s $CUR ] ; then
MD5_OLD="`cat $CUR`"
if [ "$MD5_NEW" != "$MD5_OLD" ]; then
echo "\n======\n${file} MD5 checksums\n======"
echo "OLD: $MD5_OLD"
echo "NEW: $MD5_NEW"
cp -p $CUR $BACK
echo $MD5_NEW > $CUR
chown root.wheel $CUR $BACK
chmod 600 $CUR
fi
else
echo $MD5_NEW > $CUR
chown root.wheel $CUR
chmod 600 $CUR
fi
fi
done
fi fi
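Review bot: The new '+' loop selects its entries with `egrep "^\+" /etc/changelist` and never applies the `$MP` exclusion that the plain-entry loop above applies via `egrep -v "^(#|\+|$MP)"`, so a '+' entry under whatever `$MP` matches is checked here while its plain counterpart would be skipped. If the exclusion is meant for both kinds of entry, filter the same way, e.g. `for file in \`egrep "^\+" /etc/changelist | egrep -v "^\+($MP)"\`; do`, adjusting the anchoring to however `$MP` is built, which is outside this hunk. Separately, a digest-only record is change detection, not integrity protection: `.current.md5` lives on the same host and is rewritten by this script, so anything able to replace the key can also refresh the recorded digest; a one-line comment above the loop such as `# '+' entries: keep only an md5 of the file (no copy), to notice changes` would make that expectation explicit. The enclosing `if [ -s /etc/changelist ]` block starts outside this hunk.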
