Solved freebsd-update IDS

Today I ran freebsd-update IDS and I got:
Code:
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 15.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
/etc/devfs.conf has SHA256 hash badebeb8bd94f3c6a57fff38e75919fb132863985e7d7800c787af15bd98f9f2, but should have SHA256 hash 25a0cf0cbc18d8b2a23190dd68316a83c778fbbc02f04445eef9a5031be7b062.
/etc/group has SHA256 hash 797b56cb455e3c13596daabacec1db10fce63027053663b60a6dfc3685635fae, but should have SHA256 hash a76791033e18dcb526c30a6417bdb31ef774649f84e7f4ca0e745549cb15729c.
/etc/hosts has SHA256 hash 89eb65219b87b67b495dbce427e6ae9cde60ec1d14ff5be1ed431e75cda40559, but should have SHA256 hash 336de0d20e14a6e526e147580ef5b0a7167a4ff4ebd788222d71e4c238e7ab2e.
/etc/login.access has SHA256 hash 4de7926deb40e143aeddb91d3491609f32116e706e2ce8c571ae36578495e901, but should have SHA256 hash 6a0d3514454467c35c8cd54509c30d9fa681f21434648034a7157933a01be0c9.
/etc/login.conf has SHA256 hash 0e4cab123fc28d5b8369912141362adf089b110b73486fa03f94f86dd07d9787, but should have SHA256 hash 8282f0c979204681553a5f95a2b6e3ff5234e21864f88142388f60f66c4aac29.
/etc/login.conf.db has SHA256 hash 7c65885c17c3ecc18a34463f8b483183599a72eed464194011e35f4e518ddd86, but should have SHA256 hash 52a089ce00eb38b27b5276929c0573d8b07252fcbd846cba14c68bad75d33039.
/etc/master.passwd has SHA256 hash 8897e64f40e6e3f9e861dac133ace0061c322e52fd3651bb58d7aa33a963580d, but should have SHA256 hash 55dfb5a41ebad44523b26cba443d94c3d55e0b39a32558f81a1d50fed964ec34.
/etc/newsyslog.conf has SHA256 hash 8f02d2de2a4a32f4ae648fc15a799e721f150cbdb4f6e74965a55c463467ea09, but should have SHA256 hash ae6618a3158b990fd40878e5bc63b216bdebc310455bf620154e64b44f403ea2.
/etc/passwd has SHA256 hash 243865ce18d54d259e6d2b58f97243ec12087b7fb54c73875733ff09e84fd724, but should have SHA256 hash 57d2a756f16439eb2bc13af8d4b0a958ccec88643c6246cfc00e5b0894417eec.
/etc/pkg/FreeBSD.conf has SHA256 hash 9035e3a03793e2fa07a0a81a6d94cac78e46fde8a84e42d4754c61f92228f490, but should have SHA256 hash ab261a3b84ffc11654ac0bafbb7d6b3f1b6afc30bfabab3bcff64259678eac26.
/etc/pwd.db has SHA256 hash 527ace8a0fc03791b249a29d736e76a0eff979cca9d21e69a6fd469a0e4949e9, but should have SHA256 hash bd30e09f6e06e4430bbb8fa20c4ed46babaec585d5580a92244c6a4227c5af56.
/etc/shells has SHA256 hash c50b95000bb4636f55e434607e5aeebbb527792c84b70a172ddb43a4eb6ea1f1, but should have SHA256 hash d4f435c3c24679f19609fcf0e78c473c85582cd0300ebcc0ac3088c34408cde4.
/etc/spwd.db has SHA256 hash d786c8580737c0fe5be2847083f71abf645d2311946077d88dec116826151687, but should have SHA256 hash 5b8454a1d288eef2ed215f2280ac5cf9e9197ac1d2a1e46a67ba38c2c0c370e7.
/etc/ssl/cert.pem has SHA256 hash 266d3087b83124ec96c5b15f593aaefaede6b89fc7572c05ea1101f7029a0fc8, but should have SHA256 hash da54fcf51354465573d8a84cdc9e5d35c2dd4b22a1cf2fc55ff9fcb754669349.
/etc/sysctl.conf has SHA256 hash 85f9044e41b74deda87fb9b2f469f57cdfb934dea14fa0d4b9491c9f6c02d519, but should have SHA256 hash 45f469e7a9b4eef887bab7b55397305043fe101e1d6ce6f7e23d758e72f56dc6.
/etc/syslog.conf has SHA256 hash a115145918435f65da06e58dc7fc70da205e79a8bdd3a6d7e80bf7ad4f0fc6f3, but should have SHA256 hash bccc776a96b65cb40f9a0752293d9abca7453a446f703027a1cf2e0ffb1df526.
/root has 0700 permissions, but should have 0750 permissions.
/root/.cshrc has SHA256 hash 9e394d6847de3694160243bc506c57e43755ea1d8b1cda88b895312300bf2da9, but should have SHA256 hash d1ba75d6e942aa2f17eb84061fe4edda1d17b9a9ab8e4e2ce3a19e650403b5d7.
/root/.profile has SHA256 hash f5afc1813e4b38d7e2cc26429f7d5931cb32647f1ed061e12f24c076ffbf3dac, but should have SHA256 hash 3f8f2a402ed4f114c317babcd655f47eefaf3d938fc9d5f935d9e379964e74df.
/root/.shrc has SHA256 hash fa471312b79e5632ac62513c03478be2398435c1ffba1757ff6a9d7db440d8e3, but should have SHA256 hash 134484e68f3a6c72134980d2d086fc884f5e2419c35f07b0ea4d2fab7e33a59a.
/var/run/wpa_supplicant has 0750 permissions, but should have 0755 permissions.
/var/unbound is owned by group id 0, but should be owned by group id 59.

Should I make some corrections, and how, please?
 
The whole concept of blindly checking whether files or attributes have been modified and thinking it is an IDS is troubling.

For example, any system pretty much has to modify /etc/passwd, master.passwd and group, to create user accounts. Most users (including root) are expected to edit .cshrc or .shrc to their taste. The IDS functionality really should ignore those changes.

On the other hand, the fact that permissions/ownership for /root, /var/unbound and /var/run/wpa_supplicant have been changed is a bit troubling: it probably indicates that the settings in the shipping version are incorrect, which is more along the lines of a bug.

In between these extremes are a lot of file changes that can be validly changed, but may be somewhat unusual.
 
This is a good topic; to me the takeaway is "understanding the answer from the question is important".

So the fact that the original command gave out "potential bad things" but then examining that output gives "interesting but a false positive". Not dismissing the output or question, but let's understand the meaning.
 
> The whole concept of blindly checking whether files or attributes have been modified and thinking it is an IDS is troubling.
>
> For example, any system pretty much has to modify /etc/passwd, master.passwd and group, to create user accounts. Most users (including root) are expected to edit .cshrc or .shrc to their taste. The IDS functionality really should ignore those changes.
>
> On the other hand, the fact that permissions/ownership for /root, /var/unbound and /var/run/wpa_supplicant have been changed is a bit troubling: it probably indicates that the settings in the shipping version are incorrect, which is more along the lines of a bug.
>
> In between these extremes are a lot of file changes that can be validly changed, but may be somewhat unusual.

The point is that they've changed from the default and you can do your own investigation if that's not expected. There are other tools like tripwire and mtree that can give you something that you check before making changes and then log the changes.

One of the really helpful things about using the IDS is that if you're about to do a reinstall, you can run it and it will help narrow things down so you are less likely to miss files that need to be transferred. You'll still want complete system backups, but if the files in the covered directories haven't changed, then you probably don't need to manually transfer them or have some provision for recreating them.
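As an added illustration of the triage the replies describe (not code from this thread or from FreeBSD), here is a small parser that sorts freebsd-update IDS findings into the three buckets discussed above: changes a running system is expected to make, permission/ownership deviations, and everything else that deserves a look. EXPECTED_LOCAL is an assumed local policy list, and the sample output is constructed with shortened hashes.

```python
import re

# The three line shapes freebsd-update IDS prints for a finding (see the post above).
HASH_RE = re.compile(r"^(?P<path>\S+) has SHA256 hash (?P<have>[0-9a-f]+), "
                     r"but should have SHA256 hash (?P<want>[0-9a-f]+)\.$")
PERM_RE = re.compile(r"^(?P<path>\S+) has (?P<have>[0-7]{4}) permissions, "
                     r"but should have (?P<want>[0-7]{4}) permissions\.$")
OWNER_RE = re.compile(r"^(?P<path>\S+) is owned by (?P<kind>user|group) id (?P<have>\d+), "
                      r"but should be owned by (?:user|group) id (?P<want>\d+)\.$")

# Assumed local policy: files the replies say every running system changes
# (account databases, which pwd_mkdb regenerates from master.passwd, and root's
# shell dotfiles). Not part of freebsd-update; adjust to your own site.
EXPECTED_LOCAL = {
    "/etc/passwd", "/etc/master.passwd", "/etc/group", "/etc/pwd.db", "/etc/spwd.db",
    "/root/.cshrc", "/root/.shrc", "/root/.profile",
}

def parse_line(line):
    """Return (kind, path, have, want) for a finding, or None for status lines."""
    line = line.strip()
    if (m := HASH_RE.match(line)):
        return ("hash", m["path"], m["have"], m["want"])
    if (m := PERM_RE.match(line)):
        return ("perm", m["path"], m["have"], m["want"])
    if (m := OWNER_RE.match(line)):
        return (m["kind"] + "-owner", m["path"], m["have"], m["want"])
    return None  # "Inspecting system... done." and similar progress lines

def triage(output):
    """Split IDS output into expected / metadata / review buckets of findings."""
    buckets = {"expected": [], "metadata": [], "review": []}
    for line in output.splitlines():
        finding = parse_line(line)
        if finding is None:
            continue
        kind, path, _have, _want = finding
        if kind != "hash":                 # permission or ownership deviation
            buckets["metadata"].append(finding)
        elif path in EXPECTED_LOCAL:       # content change the system is expected to make
            buckets["expected"].append(finding)
        else:                              # anything else: investigate if unexpected
            buckets["review"].append(finding)
    return buckets

# Constructed sample in the same shape as the real output; hashes shortened for brevity.
SAMPLE = """\
Inspecting system... done.
/etc/passwd has SHA256 hash 1111, but should have SHA256 hash 2222.
/etc/sysctl.conf has SHA256 hash 3333, but should have SHA256 hash 4444.
/root has 0700 permissions, but should have 0750 permissions.
/var/unbound is owned by group id 0, but should be owned by group id 59.
"""

if __name__ == "__main__":
    for name, items in triage(SAMPLE).items():
        print(name, [path for _kind, path, _h, _w in items])
```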
 