author | Todd C. Miller <millert@cvs.openbsd.org> | 2001-03-25 04:50:28 +0000 |
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2001-03-25 04:50:28 +0000 |
commit | 71f54acd4d406b096d469b942d0c48c0d9e90c04 (patch) | |
tree | ce539935b97db7e01d82593d10d58d96a3ff46aa /etc | |
parent | 145e771b05c0e349389e8bdc82366967729e5f03 (diff) |
Don't provide diffs of sensitive files like ssh host keys. Instead,
just save the md5 checksums so we can still determine when something
changes. Entries in /etc/changelist that are prefixed with a '+'
will only have their md5 checksums saved, not the actual files.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/changelist | 12 | ||||
-rw-r--r-- | etc/security | 28 |
2 files changed, 35 insertions, 5 deletions
diff --git a/etc/changelist b/etc/changelist
index 8f06c12a574..96e2aeaef8d 100644
--- a/etc/changelist
+++ b/etc/changelist
@@ -1,7 +1,11 @@
-# $OpenBSD: changelist,v 1.14 2000/06/18 22:58:42 todd Exp $
+# $OpenBSD: changelist,v 1.15 2001/03/25 04:50:27 millert Exp $
 #
 # List of files which the security script backs up and checks
 # for modifications.
+#
+# Files prefixed with a '+' will have their md5 checksums stored,
+# not the actual files.
+#
 /etc/Distfile
 /etc/bootparams
@@ -65,9 +69,11 @@
 /etc/shosts.equiv
 /etc/slip.hosts
 /etc/slip.login
-/etc/ssh_host_dsa_key
++/etc/ssh_host_dsa_key
 /etc/ssh_host_dsa_key.pub
-/etc/ssh_host_key
++/etc/ssh_host_rsa_key
+/etc/ssh_host_rsa_key.pub
++/etc/ssh_host_key
 /etc/ssh_host_key.pub
 /etc/sshd_config
 /etc/syslog.conf
diff --git a/etc/security b/etc/security
index 202f5d9feff..67619302570 100644
--- a/etc/security
+++ b/etc/security
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $OpenBSD: security,v 1.45 2001/03/16 15:38:13 millert Exp $
+# $OpenBSD: security,v 1.46 2001/03/25 04:50:27 millert Exp $
 # from: @(#)security 8.1 (Berkeley) 6/9/93
 #
@@ -641,7 +641,7 @@ _fnchg() {
 echo "$1" | sed 's/^\///;s/\//_/g'
 }
 if [ -s /etc/changelist ] ; then
- for file in `egrep -v "^#|$MP" /etc/changelist`; do
+ for file in `egrep -v "^(#|\+|$MP)" /etc/changelist`; do
 CUR=/var/backups/$(_fnchg "$file").current
 BACK=/var/backups/$(_fnchg "$file").backup
 if [ -s $file -a ! -d $file ] ; then
@@ -660,4 +660,28 @@ if [ -s /etc/changelist ] ; then
 fi
 fi
 done
+ for file in `egrep "^\+" /etc/changelist`; do
+ file="${file#+}"
+ CUR=/var/backups/$(_fnchg "$file").current.md5
+ BACK=/var/backups/$(_fnchg "$file").backup.md5
+ if [ -s $file -a ! -d $file ] ; then
+ MD5_NEW=`md5 $file | sed 's/^.* //'`
+ if [ -s $CUR ] ; then
+ MD5_OLD="`cat $CUR`"
+ if [ "$MD5_NEW" != "$MD5_OLD" ]; then
+ echo "\n======\n${file} MD5 checksums\n======"
+ echo "OLD: $MD5_OLD"
+ echo "NEW: $MD5_NEW"
+ cp -p $CUR $BACK
+ echo $MD5_NEW > $CUR
+ chown root.wheel $CUR $BACK
+ chmod 600 $CUR
+ fi
+ else
+ echo $MD5_NEW > $CUR
+ chown root.wheel $CUR
+ chmod 600 $CUR
+ fi
+ fi
+ done
 fi |
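Review bot: A failed `md5` run in the new `+` loop is not detected: `MD5_NEW` comes back empty, the `"$MD5_NEW" != "$MD5_OLD"` test then reports a spurious change, and `echo $MD5_NEW > $CUR` replaces the stored baseline with an empty file, which `[ -s $CUR ]` treats as missing on the next run so the file is silently re-baselined. A guard right after the `md5` line keeps the old checksum intact: `if [ -z "$MD5_NEW" ]; then echo "${file}: md5 failed" >&2; continue; fi`. The loop also does not apply the `$MP` exclusion that the first loop's `egrep -v "^(#|\+|$MP)"` applies (`MP` is set outside the hunk), so if that pattern is meant to skip entries on certain filesystems, the `+` entries are not skipped. Finally, the `.md5` file is created by the redirection before `chmod 600` runs, so its initial mode depends on the script's umask; setting `umask 077` before the loop closes that window. The enclosing `if [ -s /etc/changelist ]` block starts before this hunk and closes on its last context line.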