# SETUID diffs in nightly root email



## ProServ (Jan 2, 2020)

Hi, nightly root mail is always showing setuid differences. Just not sure what this means. Is something changing the values of the files below?
Thanks for your help.

```
setuid diffs:
--- /var/log/setuid.today    2019-12-31 03:13:12.276701000 -0500
+++ /tmp/security.b0dNNiwi    2020-01-02 03:16:37.985560000 -0500
@@ -1,49 +1,6 @@
-  561823 -r-sr-xr-x  1 root  wheel        21224 Oct  2 20:17:44 2019 /bin/rcp
-  321108 -r-sr-xr--  1 root  operator     10784 Oct  2 20:17:51 2019 /sbin/mksnap_ffs
-  321126 -r-sr-xr-x  1 root  wheel        32608 Oct  2 20:17:51 2019 /sbin/ping
-  321127 -r-sr-xr-x  1 root  wheel        40864 Oct  2 20:17:51 2019 /sbin/ping6
-  321128 -r-sr-xr--  2 root  operator     16016 Oct  2 20:17:51 2019 /sbin/poweroff
-  321128 -r-sr-xr--  2 root  operator     16016 Oct  2 20:17:51 2019 /sbin/shutdown
-  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/at
-  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/atq
-  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/atrm
-  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/batch
-  883029 -r-xr-sr-x  1 root  kmem         13800 Oct  2 20:17:52 2019 /usr/bin/btsockstat
-  883132 -r-sr-xr-x  1 root  wheel        25608 Oct  2 20:17:54 2019 /usr/bin/chpass
-  883603 -r-sr-xr-x  1 root  wheel        33720 Oct  2 20:17:54 2019 /usr/bin/crontab
-  883858 -r-sr-xr-x  1 root  wheel        11704 Oct  2 20:17:59 2019 /usr/bin/lock
-  883861 -r-sr-xr-x  1 root  wheel        25976 Oct  2 20:17:59 2019 /usr/bin/login
-  883868 -r-sr-sr-x  1 root  daemon       35120 Oct  2 20:17:59 2019 /usr/bin/lpq
-  883869 -r-sr-sr-x  1 root  daemon       41376 Oct  2 20:17:59 2019 /usr/bin/lpr
-  883870 -r-sr-sr-x  1 root  daemon       33200 Oct  2 20:17:59 2019 /usr/bin/lprm
-  883911 -r-xr-sr-x  1 root  kmem        153592 Oct  2 20:17:59 2019 /usr/bin/netstat
-  883934 -r-sr-xr-x  1 root  wheel         7352 Oct  2 20:18:00 2019 /usr/bin/opieinfo
-  883946 -r-sr-xr-x  1 root  wheel        14440 Oct  2 20:18:00 2019 /usr/bin/opiepasswd
-  883948 -r-sr-xr-x  1 root  wheel         9912 Oct  2 20:18:00 2019 /usr/bin/passwd
-  883992 -r-sr-xr-x  1 root  wheel        16840 Oct  2 20:18:00 2019 /usr/bin/quota
-  884015 -r-sr-xr-x  1 root  wheel        16584 Oct  2 20:18:01 2019 /usr/bin/rlogin
-  884021 -r-sr-xr-x  1 root  wheel        12368 Oct  2 20:18:01 2019 /usr/bin/rsh
-  884125 -r-sr-xr-x  1 root  wheel        17576 Oct  2 20:18:01 2019 /usr/bin/su
-  884181 -r-xr-sr-x  1 root  tty          16080 Oct  2 20:18:04 2019 /usr/bin/wall
-  884188 -r-xr-sr-x  1 root  tty          12504 Oct  2 20:18:04 2019 /usr/bin/write
-  564730 -r-xr-sr-x  1 root  mail         64288 Oct  2 20:19:03 2019 /usr/libexec/dma
-  564732 -r-sr-xr--  1 root  mail          7544 Oct  2 20:19:03 2019 /usr/libexec/dma-mbox-create
-  565739 -r-xr-sr-x  1 root  smmsp       738648 Oct  2 20:19:04 2019 /usr/libexec/sendmail/sendmail
-  565929 -r-sr-xr-x  1 root  wheel        53600 Oct  2 20:19:04 2019 /usr/libexec/ssh-keysign
-  566337 -r-sr-xr-x  1 root  wheel         6368 Oct  2 20:19:04 2019 /usr/libexec/ulog-helper
-18379225 -rwxr-sr-x  1 root  mail         11520 Nov  2 18:00:12 2019 /usr/local/bin/mutt_dotlock
-18378701 -rwsr-xr-x  1 root  wheel       129064 Nov  2 01:12:04 2019 /usr/local/bin/sudo
-71909383 -rwsr-x---  1 root  messagebus   51400 Jul  6 07:40:08 2019 /usr/local/libexec/dbus-daemon-launch-helper
-91572661 -r-sr-xr-x  1 root  wheel        44744 Jul  7 00:10:04 2019 /usr/local/sbin/fping
-91572171 -rwxr-sr-x  1 root  kmem        140600 Nov 14 11:17:19 2019 /usr/local/sbin/lsof
-91572659 -r-sr-xr-x  1 root  wheel        25480 Jul  9 17:02:15 2019 /usr/local/sbin/mtr-packet
-91572102 -rwxr-sr-x  1 root  maildrop     16280 Nov  2 20:32:36 2019 /usr/local/sbin/postdrop
-91572140 -rwxr-sr-x  1 root  maildrop     21344 Nov  2 20:32:36 2019 /usr/local/sbin/postqueue
-  644696 -r-sr-sr-x  2 root  authpf       24424 Oct  2 20:19:04 2019 /usr/sbin/authpf
-  644696 -r-sr-sr-x  2 root  authpf       24424 Oct  2 20:19:04 2019 /usr/sbin/authpf-noip
-  646129 -r-xr-sr-x  1 root  daemon       59976 Oct  2 20:19:07 2019 /usr/sbin/lpc
-  646230 -r-sr-xr--  1 root  network     439344 Oct  2 20:19:08 2019 /usr/sbin/ppp
-  646465 -r-sr-xr-x  1 root  wheel        21832 Oct  2 20:19:10 2019 /usr/sbin/timedc
-  646466 -r-sr-xr-x  1 root  wheel        37328 Oct  2 20:19:10 2019 /usr/sbin/traceroute
-  646467 -r-sr-xr-x  1 root  wheel        28944 Oct  2 20:19:10 2019 /usr/sbin/traceroute6
-  646469 -r-xr-sr-x  1 root  kmem         12048 Oct  2 20:19:10 2019 /usr/sbin/trpt
+561823 -r-sr-xr-x  1 root  wheel     21224 Oct  2 20:17:44 2019 /bin/rcp
+321108 -r-sr-xr--  1 root  operator  10784 Oct  2 20:17:51 2019 /sbin/mksnap_ffs
+321126 -r-sr-xr-x  1 root  wheel     32608 Oct  2 20:17:51 2019 /sbin/ping
+321127 -r-sr-xr-x  1 root  wheel     40864 Oct  2 20:17:51 2019 /sbin/ping6
+321128 -r-sr-xr--  2 root  operator  16016 Oct  2 20:17:51 2019 /sbin/poweroff
+321128 -r-sr-xr--  2 root  operator  16016 Oct  2 20:17:51 2019 /sbin/shutdown
```
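Review bot: the six entries present on both sides of this hunk (/bin/rcp, /sbin/mksnap_ffs, /sbin/ping, /sbin/ping6, /sbin/poweroff, /sbin/shutdown) carry the same inode, mode, link count, owner, group, size and mtime on their '-' and '+' lines; the only difference is column padding, because ls pads the inode, group and size columns to the widest entry in that ls invocation, and the '+' listing has 6 entries with 6-digit inodes where the '-' listing has 49 with 8-digit ones. A text diff treats that padding as a change, which is why all six show as removed and re-added. The substantive content of the hunk is that every entry under /usr (43 lines, /usr/bin through /usr/sbin) is absent on the new side, while no entry shows a changed mode, size or timestamp: the listing shrank, no binary changed. Comparing /var/log/setuid.yesterday against setuid.today with `diff -w` would strip the padding noise and leave only the missing paths.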


----------



## SirDice (Jan 3, 2020)

Did you run an update? Because that would replace those files.


----------



## ralphbsz (Jan 3, 2020)

Very strange: One side of the diff only has 6 files, the other has dozens. Those six files are completely unchanged on the other side. Except for one thing: In the output that diff is comparing here, their alignment is different (they don't have a few extra spaces before the first column, which is probably the inode number).

In addition to SirDice's suggestions: 

So it looks like the real difference is that a whole lot of files were added or removed from the setuid list; fundamentally everything that is in /usr/ or below (clearly, there are two file systems involved, judging by the jump in inode numbers). Could it be that at the time the script ran, some file systems were not mounted? Could it be that you did a massive cleanup or install? Or maybe you changed the mount options, and disabled setuid on /usr/ and below?


----------



## ProServ (Jan 3, 2020)

After looking at a similar issue on another forum, I ran `# freebsd-update fetch install` last night before the nightly root mail was sent. Today's security email has basically the same SETUID issue. I was under the impression the server was compromised. If it's not compromised, how do I get this fixed?
Thanks.

```
setuid diffs:
--- /var/log/setuid.today    2020-01-02 03:16:37.985560000 -0500
+++ /tmp/security.mxZ4Q5JO    2020-01-03 03:11:45.886152000 -0500
@@ -1,6 +1,49 @@
-561823 -r-sr-xr-x  1 root  wheel     21224 Oct  2 20:17:44 2019 /bin/rcp
-321108 -r-sr-xr--  1 root  operator  10784 Oct  2 20:17:51 2019 /sbin/mksnap_ffs
-321126 -r-sr-xr-x  1 root  wheel     32608 Oct  2 20:17:51 2019 /sbin/ping
-321127 -r-sr-xr-x  1 root  wheel     40864 Oct  2 20:17:51 2019 /sbin/ping6
-321128 -r-sr-xr--  2 root  operator  16016 Oct  2 20:17:51 2019 /sbin/poweroff
-321128 -r-sr-xr--  2 root  operator  16016 Oct  2 20:17:51 2019 /sbin/shutdown
+  561823 -r-sr-xr-x  1 root  wheel        21224 Oct  2 20:17:44 2019 /bin/rcp
+  321108 -r-sr-xr--  1 root  operator     10784 Oct  2 20:17:51 2019 /sbin/mksnap_ffs
+  321126 -r-sr-xr-x  1 root  wheel        32608 Oct  2 20:17:51 2019 /sbin/ping
+  321127 -r-sr-xr-x  1 root  wheel        40864 Oct  2 20:17:51 2019 /sbin/ping6
+  321128 -r-sr-xr--  2 root  operator     16016 Oct  2 20:17:51 2019 /sbin/poweroff
+  321128 -r-sr-xr--  2 root  operator     16016 Oct  2 20:17:51 2019 /sbin/shutdown
+  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/at
+  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/atq
+  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/atrm
+  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/batch
+  883029 -r-xr-sr-x  1 root  kmem         13800 Oct  2 20:17:52 2019 /usr/bin/btsockstat
+  883132 -r-sr-xr-x  1 root  wheel        25608 Oct  2 20:17:54 2019 /usr/bin/chpass
+  883603 -r-sr-xr-x  1 root  wheel        33720 Oct  2 20:17:54 2019 /usr/bin/crontab
+  883858 -r-sr-xr-x  1 root  wheel        11704 Oct  2 20:17:59 2019 /usr/bin/lock
+  883861 -r-sr-xr-x  1 root  wheel        25976 Oct  2 20:17:59 2019 /usr/bin/login
+  883868 -r-sr-sr-x  1 root  daemon       35120 Oct  2 20:17:59 2019 /usr/bin/lpq
+  883869 -r-sr-sr-x  1 root  daemon       41376 Oct  2 20:17:59 2019 /usr/bin/lpr
+  883870 -r-sr-sr-x  1 root  daemon       33200 Oct  2 20:17:59 2019 /usr/bin/lprm
+  883911 -r-xr-sr-x  1 root  kmem        153592 Oct  2 20:17:59 2019 /usr/bin/netstat
+  883934 -r-sr-xr-x  1 root  wheel         7352 Oct  2 20:18:00 2019 /usr/bin/opieinfo
+  883946 -r-sr-xr-x  1 root  wheel        14440 Oct  2 20:18:00 2019 /usr/bin/opiepasswd
+  883948 -r-sr-xr-x  1 root  wheel         9912 Oct  2 20:18:00 2019 /usr/bin/passwd
+  883992 -r-sr-xr-x  1 root  wheel        16840 Oct  2 20:18:00 2019 /usr/bin/quota
+  884015 -r-sr-xr-x  1 root  wheel        16584 Oct  2 20:18:01 2019 /usr/bin/rlogin
+  884021 -r-sr-xr-x  1 root  wheel        12368 Oct  2 20:18:01 2019 /usr/bin/rsh
+  884125 -r-sr-xr-x  1 root  wheel        17576 Oct  2 20:18:01 2019 /usr/bin/su
+  884181 -r-xr-sr-x  1 root  tty          16080 Oct  2 20:18:04 2019 /usr/bin/wall
+  884188 -r-xr-sr-x  1 root  tty          12504 Oct  2 20:18:04 2019 /usr/bin/write
+  564730 -r-xr-sr-x  1 root  mail         64288 Oct  2 20:19:03 2019 /usr/libexec/dma
+  564732 -r-sr-xr--  1 root  mail          7544 Oct  2 20:19:03 2019 /usr/libexec/dma-mbox-create
+  565739 -r-xr-sr-x  1 root  smmsp       738648 Oct  2 20:19:04 2019 /usr/libexec/sendmail/sendmail
+  565929 -r-sr-xr-x  1 root  wheel        53600 Oct  2 20:19:04 2019 /usr/libexec/ssh-keysign
+  566337 -r-sr-xr-x  1 root  wheel         6368 Oct  2 20:19:04 2019 /usr/libexec/ulog-helper
+18379225 -rwxr-sr-x  1 root  mail         11520 Nov  2 18:00:12 2019 /usr/local/bin/mutt_dotlock
+18378701 -rwsr-xr-x  1 root  wheel       129064 Nov  2 01:12:04 2019 /usr/local/bin/sudo
+71909383 -rwsr-x---  1 root  messagebus   51400 Jul  6 07:40:08 2019 /usr/local/libexec/dbus-daemon-launch-helper
+91572661 -r-sr-xr-x  1 root  wheel        44744 Jul  7 00:10:04 2019 /usr/local/sbin/fping
+91572171 -rwxr-sr-x  1 root  kmem        140600 Nov 14 11:17:19 2019 /usr/local/sbin/lsof
+91572659 -r-sr-xr-x  1 root  wheel        25480 Jul  9 17:02:15 2019 /usr/local/sbin/mtr-packet
+91572102 -rwxr-sr-x  1 root  maildrop     16280 Nov  2 20:32:36 2019 /usr/local/sbin/postdrop
+91572140 -rwxr-sr-x  1 root  maildrop     21344 Nov  2 20:32:36 2019 /usr/local/sbin/postqueue
+  644696 -r-sr-sr-x  2 root  authpf       24424 Oct  2 20:19:04 2019 /usr/sbin/authpf
+  644696 -r-sr-sr-x  2 root  authpf       24424 Oct  2 20:19:04 2019 /usr/sbin/authpf-noip
+  646129 -r-xr-sr-x  1 root  daemon       59976 Oct  2 20:19:07 2019 /usr/sbin/lpc
+  646230 -r-sr-xr--  1 root  network     439344 Oct  2 20:19:08 2019 /usr/sbin/ppp
+  646465 -r-sr-xr-x  1 root  wheel        21832 Oct  2 20:19:10 2019 /usr/sbin/timedc
+  646466 -r-sr-xr-x  1 root  wheel        37328 Oct  2 20:19:10 2019 /usr/sbin/traceroute
+  646467 -r-sr-xr-x  1 root  wheel        28944 Oct  2 20:19:10 2019 /usr/sbin/traceroute6
+  646469 -r-xr-sr-x  1 root  kmem         12048 Oct  2 20:19:10 2019 /usr/sbin/trpt
```
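Review bot: this hunk is the mirror image of the Jan 2 one: the 43 /usr entries return with inode numbers, modes, sizes and 2019 mtimes identical to those that vanished, and the six root-filesystem entries again differ only in padding. That rules out the two things a setuid diff is meant to catch, a new setuid file or an altered existing one, and is consistent with the earlier run simply not having enumerated /usr. Note also the '---' header: /var/log/setuid.today is dated 2020-01-02 03:16:37, the exact timestamp of the previous mail's '+++' temp file, so the script did rotate the Jan 2 listing into place and this is a fresh comparison, not a stale one.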


----------



## ProServ (Jan 3, 2020)

To answer SirDice's question: generally we run `# freebsd-update fetch install` to keep the server up to date, and when new releases are made, `-r` with the new FreeBSD release. Right now this particular FreeBSD server is at:

```
11.3-RELEASE-p5 FreeBSD 11.3-RELEASE-p5 #0: Tue Nov 12 08:59:04 UTC 2019     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
```


----------



## ralphbsz (Jan 4, 2020)

The basic problem to me is that the diff makes no sense. This time there are 6 lines on the "---" side (which was yesterday), and dozens and dozens on the "+++" side (which is now). And those six lines are the same! So why is diff claiming that they are different? Must be that it is running with 6 lines of context (you could check that by reading how the nightly security job is implemented, it's just a script). And again, the diff is complaining that everything in /usr and below is not there on one side.

Oh wait. Read the two diffs carefully. The one in the original post complains that everything under /usr has vanished; this was yesterday. The new one complains that everything under /usr/ was gone yesterday, and has come back. Here's a plausible explanation: Yesterday, when nightly security ran, there was a problem with /usr not being mounted, now it is back, and everything is normal.

Oh, and this really doesn't look like your server was compromised. It would be very weird for an intruder to delete all setuid executables that are under /usr without a trace. Worse than weird: It would be stoooopid, since the system would be left nearly unusable, and not useful to the intruder.


----------



## ProServ (Jan 5, 2020)

Hi, /usr was never unmounted. Today's and yesterday's nightly root security mail is clean. The thing is, nothing was changed and no update was run. I just don't quite get what was causing the setuid diffs.

Today's security email:

```
Checking setuid files and devices:

Checking negative group permissions:
```


----------



## ralphbsz (Jan 5, 2020)

Strange. No idea how this could have happened then.


----------



## ProServ (Jan 5, 2020)

Yeah very strange. I don't have any idea what caused it.
Thanks.


----------



## SirDice (Jan 6, 2020)

Check /var/log/setuid.*. Look at the timestamps. I have a feeling they're not being updated and therefore you keep seeing the same "change" in the security checks. The diff you see in the emails is created from these two files.


----------



## ProServ (Jan 6, 2020)

Hi SirDice, Sat and Sun no issues. This morning it comes back again. I will go check those files and see what they show. In the meantime .....

```
setuid diffs:
--- /var/log/setuid.today    2020-01-03 03:11:45.886152000 -0500
+++ /tmp/security.7Ry13E3a    2020-01-06 03:06:18.120171000 -0500
@@ -1,49 +1,6 @@
-  561823 -r-sr-xr-x  1 root  wheel        21224 Oct  2 20:17:44 2019 /bin/rcp
-  321108 -r-sr-xr--  1 root  operator     10784 Oct  2 20:17:51 2019 /sbin/mksnap_ffs
-  321126 -r-sr-xr-x  1 root  wheel        32608 Oct  2 20:17:51 2019 /sbin/ping
-  321127 -r-sr-xr-x  1 root  wheel        40864 Oct  2 20:17:51 2019 /sbin/ping6
-  321128 -r-sr-xr--  2 root  operator     16016 Oct  2 20:17:51 2019 /sbin/poweroff
-  321128 -r-sr-xr--  2 root  operator     16016 Oct  2 20:17:51 2019 /sbin/shutdown
-  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/at
-  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/atq
-  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/atrm
-  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/batch
-  883029 -r-xr-sr-x  1 root  kmem         13800 Oct  2 20:17:52 2019 /usr/bin/btsockstat
-  883132 -r-sr-xr-x  1 root  wheel        25608 Oct  2 20:17:54 2019 /usr/bin/chpass
-  883603 -r-sr-xr-x  1 root  wheel        33720 Oct  2 20:17:54 2019 /usr/bin/crontab
-  883858 -r-sr-xr-x  1 root  wheel        11704 Oct  2 20:17:59 2019 /usr/bin/lock
-  883861 -r-sr-xr-x  1 root  wheel        25976 Oct  2 20:17:59 2019 /usr/bin/login
-  883868 -r-sr-sr-x  1 root  daemon       35120 Oct  2 20:17:59 2019 /usr/bin/lpq
-  883869 -r-sr-sr-x  1 root  daemon       41376 Oct  2 20:17:59 2019 /usr/bin/lpr
-  883870 -r-sr-sr-x  1 root  daemon       33200 Oct  2 20:17:59 2019 /usr/bin/lprm
-  883911 -r-xr-sr-x  1 root  kmem        153592 Oct  2 20:17:59 2019 /usr/bin/netstat
-  883934 -r-sr-xr-x  1 root  wheel         7352 Oct  2 20:18:00 2019 /usr/bin/opieinfo
-  883946 -r-sr-xr-x  1 root  wheel        14440 Oct  2 20:18:00 2019 /usr/bin/opiepasswd
-  883948 -r-sr-xr-x  1 root  wheel         9912 Oct  2 20:18:00 2019 /usr/bin/passwd
-  883992 -r-sr-xr-x  1 root  wheel        16840 Oct  2 20:18:00 2019 /usr/bin/quota
-  884015 -r-sr-xr-x  1 root  wheel        16584 Oct  2 20:18:01 2019 /usr/bin/rlogin
-  884021 -r-sr-xr-x  1 root  wheel        12368 Oct  2 20:18:01 2019 /usr/bin/rsh
-  884125 -r-sr-xr-x  1 root  wheel        17576 Oct  2 20:18:01 2019 /usr/bin/su
-  884181 -r-xr-sr-x  1 root  tty          16080 Oct  2 20:18:04 2019 /usr/bin/wall
-  884188 -r-xr-sr-x  1 root  tty          12504 Oct  2 20:18:04 2019 /usr/bin/write
-  564730 -r-xr-sr-x  1 root  mail         64288 Oct  2 20:19:03 2019 /usr/libexec/dma
-  564732 -r-sr-xr--  1 root  mail          7544 Oct  2 20:19:03 2019 /usr/libexec/dma-mbox-create
-  565739 -r-xr-sr-x  1 root  smmsp       738648 Oct  2 20:19:04 2019 /usr/libexec/sendmail/sendmail
-  565929 -r-sr-xr-x  1 root  wheel        53600 Oct  2 20:19:04 2019 /usr/libexec/ssh-keysign
-  566337 -r-sr-xr-x  1 root  wheel         6368 Oct  2 20:19:04 2019 /usr/libexec/ulog-helper
-18379225 -rwxr-sr-x  1 root  mail         11520 Nov  2 18:00:12 2019 /usr/local/bin/mutt_dotlock
-18378701 -rwsr-xr-x  1 root  wheel       129064 Nov  2 01:12:04 2019 /usr/local/bin/sudo
-71909383 -rwsr-x---  1 root  messagebus   51400 Jul  6 07:40:08 2019 /usr/local/libexec/dbus-daemon-launch-helper
-91572661 -r-sr-xr-x  1 root  wheel        44744 Jul  7 00:10:04 2019 /usr/local/sbin/fping
-91572171 -rwxr-sr-x  1 root  kmem        140600 Nov 14 11:17:19 2019 /usr/local/sbin/lsof
-91572659 -r-sr-xr-x  1 root  wheel        25480 Jul  9 17:02:15 2019 /usr/local/sbin/mtr-packet
-91572102 -rwxr-sr-x  1 root  maildrop     16280 Nov  2 20:32:36 2019 /usr/local/sbin/postdrop
-91572140 -rwxr-sr-x  1 root  maildrop     21344 Nov  2 20:32:36 2019 /usr/local/sbin/postqueue
-  644696 -r-sr-sr-x  2 root  authpf       24424 Oct  2 20:19:04 2019 /usr/sbin/authpf
-  644696 -r-sr-sr-x  2 root  authpf       24424 Oct  2 20:19:04 2019 /usr/sbin/authpf-noip
-  646129 -r-xr-sr-x  1 root  daemon       59976 Oct  2 20:19:07 2019 /usr/sbin/lpc
-  646230 -r-sr-xr--  1 root  network     439344 Oct  2 20:19:08 2019 /usr/sbin/ppp
-  646465 -r-sr-xr-x  1 root  wheel        21832 Oct  2 20:19:10 2019 /usr/sbin/timedc
-  646466 -r-sr-xr-x  1 root  wheel        37328 Oct  2 20:19:10 2019 /usr/sbin/traceroute
-  646467 -r-sr-xr-x  1 root  wheel        28944 Oct  2 20:19:10 2019 /usr/sbin/traceroute6
-  646469 -r-xr-sr-x  1 root  kmem         12048 Oct  2 20:19:10 2019 /usr/sbin/trpt
+561823 -r-sr-xr-x  1 root  wheel     21224 Oct  2 20:17:44 2019 /bin/rcp
+321108 -r-sr-xr--  1 root  operator  10784 Oct  2 20:17:51 2019 /sbin/mksnap_ffs
+321126 -r-sr-xr-x  1 root  wheel     32608 Oct  2 20:17:51 2019 /sbin/ping
+321127 -r-sr-xr-x  1 root  wheel     40864 Oct  2 20:17:51 2019 /sbin/ping6
+321128 -r-sr-xr--  2 root  operator  16016 Oct  2 20:17:51 2019 /sbin/poweroff
+321128 -r-sr-xr--  2 root  operator  16016 Oct  2 20:17:51 2019 /sbin/shutdown
```
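Review bot: identical to the Jan 2 hunk, down to the padding-only changes on the six surviving entries. The '---' header is the useful new datum: setuid.today is dated 2020-01-03, three days before this mail, which together with the clean Jan 4 and Jan 5 reports is consistent with the script rewriting setuid.today only when the listing differs from the previous one, so the two files are not stale. The pattern is a listing that intermittently omits /usr while the entries never change when present, so the enumeration step (which mount points the find walks, and whether /usr is among them at the 03:06 run) is where to look, not the binaries themselves.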


----------



## ProServ (Jan 6, 2020)

```
Checking negative group permissions:
-rw-------  1 root       wheel            463 Jan  6 03:06 setuid.today
-rw-------  1 root       wheel           4275 Jan  3 03:11 setuid.yesterday


# cat setuid.today
561823 -r-sr-xr-x  1 root  wheel     21224 Oct  2 20:17:44 2019 /bin/rcp
321108 -r-sr-xr--  1 root  operator  10784 Oct  2 20:17:51 2019 /sbin/mksnap_ffs
321126 -r-sr-xr-x  1 root  wheel     32608 Oct  2 20:17:51 2019 /sbin/ping
321127 -r-sr-xr-x  1 root  wheel     40864 Oct  2 20:17:51 2019 /sbin/ping6
321128 -r-sr-xr--  2 root  operator  16016 Oct  2 20:17:51 2019 /sbin/poweroff
321128 -r-sr-xr--  2 root  operator  16016 Oct  2 20:17:51 2019 /sbin/shutdown

# cat setuid.yesterday
  561823 -r-sr-xr-x  1 root  wheel        21224 Oct  2 20:17:44 2019 /bin/rcp
  321108 -r-sr-xr--  1 root  operator     10784 Oct  2 20:17:51 2019 /sbin/mksnap_ffs
  321126 -r-sr-xr-x  1 root  wheel        32608 Oct  2 20:17:51 2019 /sbin/ping
  321127 -r-sr-xr-x  1 root  wheel        40864 Oct  2 20:17:51 2019 /sbin/ping6
  321128 -r-sr-xr--  2 root  operator     16016 Oct  2 20:17:51 2019 /sbin/poweroff
  321128 -r-sr-xr--  2 root  operator     16016 Oct  2 20:17:51 2019 /sbin/shutdown
  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/at
  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/atq
  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/atrm
  882975 -r-sr-xr-x  4 root  wheel        29512 Oct  2 20:17:52 2019 /usr/bin/batch
  883029 -r-xr-sr-x  1 root  kmem         13800 Oct  2 20:17:52 2019 /usr/bin/btsockstat
  883132 -r-sr-xr-x  1 root  wheel        25608 Oct  2 20:17:54 2019 /usr/bin/chpass
  883603 -r-sr-xr-x  1 root  wheel        33720 Oct  2 20:17:54 2019 /usr/bin/crontab
  883858 -r-sr-xr-x  1 root  wheel        11704 Oct  2 20:17:59 2019 /usr/bin/lock
  883861 -r-sr-xr-x  1 root  wheel        25976 Oct  2 20:17:59 2019 /usr/bin/login
  883868 -r-sr-sr-x  1 root  daemon       35120 Oct  2 20:17:59 2019 /usr/bin/lpq
  883869 -r-sr-sr-x  1 root  daemon       41376 Oct  2 20:17:59 2019 /usr/bin/lpr
  883870 -r-sr-sr-x  1 root  daemon       33200 Oct  2 20:17:59 2019 /usr/bin/lprm
  883911 -r-xr-sr-x  1 root  kmem        153592 Oct  2 20:17:59 2019 /usr/bin/netstat
  883934 -r-sr-xr-x  1 root  wheel         7352 Oct  2 20:18:00 2019 /usr/bin/opieinfo
  883946 -r-sr-xr-x  1 root  wheel        14440 Oct  2 20:18:00 2019 /usr/bin/opiepasswd
  883948 -r-sr-xr-x  1 root  wheel         9912 Oct  2 20:18:00 2019 /usr/bin/passwd
  883992 -r-sr-xr-x  1 root  wheel        16840 Oct  2 20:18:00 2019 /usr/bin/quota
  884015 -r-sr-xr-x  1 root  wheel        16584 Oct  2 20:18:01 2019 /usr/bin/rlogin
  884021 -r-sr-xr-x  1 root  wheel        12368 Oct  2 20:18:01 2019 /usr/bin/rsh
  884125 -r-sr-xr-x  1 root  wheel        17576 Oct  2 20:18:01 2019 /usr/bin/su
  884181 -r-xr-sr-x  1 root  tty          16080 Oct  2 20:18:04 2019 /usr/bin/wall
  884188 -r-xr-sr-x  1 root  tty          12504 Oct  2 20:18:04 2019 /usr/bin/write
  564730 -r-xr-sr-x  1 root  mail         64288 Oct  2 20:19:03 2019 /usr/libexec/dma
  564732 -r-sr-xr--  1 root  mail          7544 Oct  2 20:19:03 2019 /usr/libexec/dma-mbox-create
  565739 -r-xr-sr-x  1 root  smmsp       738648 Oct  2 20:19:04 2019 /usr/libexec/sendmail/sendmail
  565929 -r-sr-xr-x  1 root  wheel        53600 Oct  2 20:19:04 2019 /usr/libexec/ssh-keysign
  566337 -r-sr-xr-x  1 root  wheel         6368 Oct  2 20:19:04 2019 /usr/libexec/ulog-helper
18379225 -rwxr-sr-x  1 root  mail         11520 Nov  2 18:00:12 2019 /usr/local/bin/mutt_dotlock
18378701 -rwsr-xr-x  1 root  wheel       129064 Nov  2 01:12:04 2019 /usr/local/bin/sudo
71909383 -rwsr-x---  1 root  messagebus   51400 Jul  6 07:40:08 2019 /usr/local/libexec/dbus-daemon-launch-helper
91572661 -r-sr-xr-x  1 root  wheel        44744 Jul  7 00:10:04 2019 /usr/local/sbin/fping
91572171 -rwxr-sr-x  1 root  kmem        140600 Nov 14 11:17:19 2019 /usr/local/sbin/lsof
91572659 -r-sr-xr-x  1 root  wheel        25480 Jul  9 17:02:15 2019 /usr/local/sbin/mtr-packet
91572102 -rwxr-sr-x  1 root  maildrop     16280 Nov  2 20:32:36 2019 /usr/local/sbin/postdrop
91572140 -rwxr-sr-x  1 root  maildrop     21344 Nov  2 20:32:36 2019 /usr/local/sbin/postqueue
  644696 -r-sr-sr-x  2 root  authpf       24424 Oct  2 20:19:04 2019 /usr/sbin/authpf
  644696 -r-sr-sr-x  2 root  authpf       24424 Oct  2 20:19:04 2019 /usr/sbin/authpf-noip
  646129 -r-xr-sr-x  1 root  daemon       59976 Oct  2 20:19:07 2019 /usr/sbin/lpc
  646230 -r-sr-xr--  1 root  network     439344 Oct  2 20:19:08 2019 /usr/sbin/ppp
  646465 -r-sr-xr-x  1 root  wheel        21832 Oct  2 20:19:10 2019 /usr/sbin/timedc
  646466 -r-sr-xr-x  1 root  wheel        37328 Oct  2 20:19:10 2019 /usr/sbin/traceroute
  646467 -r-sr-xr-x  1 root  wheel        28944 Oct  2 20:19:10 2019 /usr/sbin/traceroute6
  646469 -r-xr-sr-x  1 root  kmem         12048 Oct  2 20:19:10 2019 /usr/sbin/trpt
```


----------
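Parsing the two listings by field instead of diffing the raw text separates the padding noise from a real change to a setuid binary. The following is an added example, not from the thread or from FreeBSD's periodic scripts; it uses constructed excerpts in the shape of the setuid.today/setuid.yesterday files above, plus a constructed "tampered" listing (the file /sbin/helper is invented) to show what a genuine change looks like.

```python
"""Compare two `ls -liTd` setuid listings by path rather than by raw text line,
so column padding (ls pads the inode and size columns to the widest entry in
each run) is not reported as a change, while real changes and missing trees are."""
import re
from collections import Counter, namedtuple

# Field layout of FreeBSD `ls -liTd`:
# inode mode links owner group size "Mon DD HH:MM:SS YYYY" path
_LINE = re.compile(
    r"^\s*(\d+)\s+(\S{10,11})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+(\S.*?)\s*$"
)
Entry = namedtuple("Entry", "inode mode links owner group size mtime path")


def parse_listing(text):
    """Map path -> Entry; raise on a line that is not ls -liTd output."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable ls line: {line!r}")
        ino, mode, links, owner, group, size, mtime, path = m.groups()
        entries[path] = Entry(int(ino), mode, int(links), owner, group,
                              int(size), " ".join(mtime.split()), path)
    return entries


def compare(old_text, new_text):
    """Return added/removed paths and per-field changes; padding is ignored."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    changed = {}
    for path in old.keys() & new.keys():
        diff = {f: (getattr(old[path], f), getattr(new[path], f))
                for f in Entry._fields if getattr(old[path], f) != getattr(new[path], f)}
        if diff:
            changed[path] = diff
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}


def top_level_counts(paths):
    """Count paths per top-level directory, e.g. {'/usr': 43}."""
    return Counter("/" + p.split("/")[1] for p in paths)


# Constructed excerpts in the shape of the thread's listings (not the real files).
YESTERDAY = """\
  561823 -r-sr-xr-x  1 root  wheel        21224 Oct  2 20:17:44 2019 /bin/rcp
  321126 -r-sr-xr-x  1 root  wheel        32608 Oct  2 20:17:51 2019 /sbin/ping
  884125 -r-sr-xr-x  1 root  wheel        17576 Oct  2 20:18:01 2019 /usr/bin/su
18378701 -rwsr-xr-x  1 root  wheel       129064 Nov  2 01:12:04 2019 /usr/local/bin/sudo
"""
# Same files, narrower padding, /usr absent: the pattern in the nightly mails.
TODAY = """\
561823 -r-sr-xr-x  1 root  wheel     21224 Oct  2 20:17:44 2019 /bin/rcp
321126 -r-sr-xr-x  1 root  wheel     32608 Oct  2 20:17:51 2019 /sbin/ping
"""
# Constructed contrast: a real change (rcp rewritten, an invented setuid file added).
TAMPERED = """\
561823 -rwsr-xr-x  1 root  wheel     24080 Jan  5 02:11:09 2020 /bin/rcp
321126 -r-sr-xr-x  1 root  wheel     32608 Oct  2 20:17:51 2019 /sbin/ping
321300 -rwsr-xr-x  1 root  wheel      9120 Jan  5 02:11:30 2020 /sbin/helper
"""

if __name__ == "__main__":
    r = compare(YESTERDAY, TODAY)
    print("padding-only run:", r["changed"], top_level_counts(r["removed"]))
    r = compare(TODAY, TAMPERED)
    print("real change:", r["added"], r["changed"])
```

On the thread's files the first comparison reports no changed entries and 43 removed paths all under /usr, which is the signature of a file system missing from the enumeration rather than of tampering.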



## SirDice (Jan 6, 2020)

Do you leave the system running 24/7? Or do you normally switch off at night? These scripts are run by periodic(8) and typically run just after 3 o'clock at night. But if the system is off during that time they may not get updated. But then you wouldn't receive a daily security email either.


----------



## ProServ (Jan 6, 2020)

This server never shuts down. That is, unless there is a FreeBSD upgrade that requires rebooting.
It was rebooted 3 days ago after running `# freebsd-update`.

```
# uptime
 2:36PM  up 3 days, 19:35, 1 user, load averages: 0.15, 0.20, 0.17
```


----------



## ProServ (Jan 9, 2020)

And of course, new day, new root email. Clean as a whistle. Tomorrow? Who knows.

```
Checking setuid files and devices:

Checking negative group permissions:
```

Nothing was upgraded/changed. Well, that's untrue. Yesterday I ran `portmaster -y -d --packages cacti` in order to get to 1.2.8, and yeah, there were a few php packages (dependencies) which got upgraded. But that's it.


----------

