From nobody@FreeBSD.org  Thu Apr 12 22:27:22 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 6705437B424
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 12 Apr 2001 22:27:21 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f3D5RLB27430;
	Thu, 12 Apr 2001 22:27:21 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200104130527.f3D5RLB27430@freefall.freebsd.org>
Date: Thu, 12 Apr 2001 22:27:21 -0700 (PDT)
From: duwde@duwde.com.br
To: freebsd-gnats-submit@FreeBSD.org
Subject: /etc/security in 4.x-stable needs a little FIX !
X-Send-Pr-Version: www-1.0

>Number:         26529
>Category:       misc
>Synopsis:       /etc/security in 4.x-stable needs a little FIX !
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    nate
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 12 22:30:00 PDT 2001
>Closed-Date:    Fri Apr 13 09:50:19 PDT 2001
>Last-Modified:  Fri Apr 13 09:50:49 PDT 2001
>Originator:     Fabio Vilan Dias
>Release:        4.x-stable LATEST as of Apr/13/2001
>Organization:
Isec Information Security Ltda
>Environment:
bash-2.04$ uname -a
FreeBSD mobile.x.gov 4.3-RC FreeBSD 4.3-RC #26: Wed Apr 11 01:37:47 BRT 2001     duwde@mobile.x.gov:/usr/obj/usr/src/sys/MOBILE  i386

>Description:
As we can see in /usr/src/contrib/bind/CHANGES line 495
there was a little change in the logging method since 
BIND 8.2.3-T1A, thus affecting all new versions. 
(8.2.3-REL is the 4.x-stable version)

-- line 495 /usr/src/contrib/bind/CHANGES
 940.   [clarity]       unapproved -> denied in log messages.
--

/etc/security greps for "unapproved AXFR from" and the new bind
logging method is "denied AXFR from", no big deal.

So no denied AXFRs are being included in the security report.
>How-To-Repeat:
Run periodic daily. No denied AXFR will be included,
as the wrong grep is being used.
>Fix:
1 line patch, no big deal.
----------------------------------------------------------------------------
*** security.old        Wed Apr 11 02:00:06 2001
--- security    Wed Apr 11 02:00:26 2001
***************
*** 201,207 ****
  #
  separator
  echo "$host checking for denied secondary zone transfers:"
! n=$(catmsgs | grep -i "unapproved AXFR from" | tee /dev/stderr | wc
-l)
  [ $n -gt 0 -a $rc -lt 1 ] && rc=1
  
  rm -f ${TMP}
--- 201,207 ----
  #
  separator
  echo "$host checking for denied secondary zone transfers:"
! n=$(catmsgs | grep -i "denied AXFR from" | tee /dev/stderr | wc -l)
  [ $n -gt 0 -a $rc -lt 1 ] && rc=1
  
  rm -f ${TMP}
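Review bot: the replacement pattern on the `!` line, `grep -i "denied AXFR from"`, drops the old wording entirely, so a host still running a pre-8.2.3-T1A BIND goes back to reporting zero denied transfers without any warning; matching both wordings in one line, `grep -i -E '(unapproved|denied) AXFR from'`, keeps the check correct across the version change. Separately, the old-side context shows `wc` and `-l` on two lines (`... | tee /dev/stderr | wc` then `-l)`), which looks like mail wrapping rather than the file's contents; the header claims seven lines for both sides, so the hunk as pasted will not apply cleanly and should be resent unwrapped.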

----------------------------------------------------------------------------
>Release-Note:
>Audit-Trail:

From: Peter Pentchev <roam@orbitel.bg>
To: duwde@duwde.com.br
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/26529: /etc/security in 4.x-stable needs a little FIX !
Date: Fri, 13 Apr 2001 12:13:48 +0300

 On Thu, Apr 12, 2001 at 10:27:21PM -0700, duwde@duwde.com.br wrote:
 > 
 > >Number:         26529
 > >Category:       misc
 > >Synopsis:       /etc/security in 4.x-stable needs a little FIX !
 > >Originator:     Fabio Vilan Dias
 > >Release:        4.x-stable LATEST as of Apr/13/2001
 > >Organization:
 > Isec Information Security Ltda
 > >Environment:
 > bash-2.04$ uname -a
 > FreeBSD mobile.x.gov 4.3-RC FreeBSD 4.3-RC #26: Wed Apr 11 01:37:47 BRT 2001     duwde@mobile.x.gov:/usr/obj/usr/src/sys/MOBILE  i386
 > 
 > >Description:
 > As we can see in /usr/src/contrib/bind/CHANGES line 495
 > there was a little change in the logging method since 
 > BIND 8.2.3-T1A, thus affecting all new versions. 
 > (8.2.3-REL is the 4.x-stable version)
 > 
 > -- line 495 /usr/src/contrib/bind/CHANGES
 >  940.   [clarity]       unapproved -> denied in log messages.
 > --
 > 
 > /etc/security greps for "unapproved AXFR from" and the new bind
 > logging method is "denied AXFR from", no big deal.
 > 
 > So no denied AXFRs are being included in the security report.
 > >How-To-Repeat:
 > Run periodic daily. No denied AXFR will be included,
 > as the wrong grep is being used.
 > >Fix:
 > 1 line patch, no big deal.
 > ----------------------------------------------------------------------------
 > *** security.old        Wed Apr 11 02:00:06 2001
 > --- security    Wed Apr 11 02:00:26 2001
 > ***************
 > *** 201,207 ****
 >   #
 >   separator
 >   echo "$host checking for denied secondary zone transfers:"
 > ! n=$(catmsgs | grep -i "unapproved AXFR from" | tee /dev/stderr | wc
 > -l)
 >   [ $n -gt 0 -a $rc -lt 1 ] && rc=1
 >   
 >   rm -f ${TMP}
 > --- 201,207 ----
 >   #
 >   separator
 >   echo "$host checking for denied secondary zone transfers:"
 > ! n=$(catmsgs | grep -i "denied AXFR from" | tee /dev/stderr | wc -l)
 >   [ $n -gt 0 -a $rc -lt 1 ] && rc=1
 >   
 >   rm -f ${TMP}
 
 Maybe this should be something like:
 
   grep -i '\(unapproved\|denied\) AXFR from'
 
 or
   egrep -i '(unapproved|denied) AXFR from'
 
 to allow for people still running old versions of BIND (not that anyone
 should be..)
 
 G'luck,
 Peter
 
 -- 
 If this sentence were in Chinese, it would say something else.
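The check the PR patches and the pattern Peter suggests, side by side over constructed log lines. This is an added example, not code from the PR or from FreeBSD's /etc/security; the log lines, the function names and the sample host name are all made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's /etc/security:
# the "denied secondary zone transfers" check, rewritten as functions over
# constructed log lines so the two BIND wordings can be compared.

# Constructed syslog lines standing in for what catmsgs would emit.
# The first uses the pre-8.2.3-T1A wording, two more use the newer one.
SAMPLE_MSGS='Apr 12 03:14:07 mobile named[123]: unapproved AXFR from [192.0.2.10].1234 for "example.net" IN
Apr 12 03:15:22 mobile named[123]: denied AXFR from [198.51.100.7].4567 for "example.org" IN
Apr 12 03:16:01 mobile named[123]: approved AXFR from [203.0.113.5].2222 for "example.com" IN
Apr 12 03:17:45 mobile named[123]: Denied AXFR from [198.51.100.9].5555 for "example.org" IN
Apr 12 03:18:00 mobile sshd[456]: Accepted publickey for admin from 198.51.100.3'

# Pattern before the fix (4.x-stable as shipped): only the old wording.
old_pattern_count() {
    grep -i 'unapproved AXFR from' | wc -l | tr -d ' '
}

# Pattern after the fix as committed: only the new wording.
new_pattern_count() {
    grep -i 'denied AXFR from' | wc -l | tr -d ' '
}

# Peter Pentchev's suggestion: accept both wordings with one ERE.
# The tee /dev/stderr that /etc/security uses to echo the matching lines
# is left out here so the function only returns the count.
count_denied_axfr() {
    grep -i -E '(unapproved|denied) AXFR from' | wc -l | tr -d ' '
}

# Mirror of the periodic check: print the count and return 1 when any
# denied transfer was logged, as the script does by setting rc=1.
report() {
    n=$(printf '%s\n' "$SAMPLE_MSGS" | count_denied_axfr)
    echo "checking for denied secondary zone transfers: $n"
    [ "$n" -gt 0 ] && return 1
    return 0
}

# Stand-alone run; rc carries the periodic-style status (1 = found some).
if report; then rc=0; else rc=1; fi
echo "rc=$rc"
```

Run against the constructed lines, the shipped pattern finds one line, the committed fix finds two, and the combined pattern finds all three denied transfers.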
State-Changed-From-To: open->suspended 
State-Changed-By: nate 
State-Changed-When: Fri Apr 13 08:13:40 PDT 2001 
State-Changed-Why:  
- Applied to the HEAD v1.49, will be merged to stable after permission 
from the RE. 
Responsible-Changed-From-To: freebsd-bugs->nate 
Responsible-Changed-By: nate 
Responsible-Changed-When: Fri Apr 13 08:13:40 PDT 2001 
Responsible-Changed-Why:  
I committed the fix. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26529 
State-Changed-From-To: suspended->closed 
State-Changed-By: nate 
State-Changed-When: Fri Apr 13 09:50:19 PDT 2001 
State-Changed-Why:  
- Merged to -stable, Rev. 1.36.2.12 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26529 
>Unformatted:
