Auto update removes csf.tempint?

Buccleuch · Post by **Buccleuch** » 21 Jan 2009, 15:52

chirpy,

My system auto-updated from 4.36 to 4.38 this morning, and in the process sent me the integrityalert email as follows:

Code: Select all

Time:     Wed Jan 21 09:40:07 2009 -0600

The following list of files have FAILED the md5sum comparision test. This means
+that the file has been changed in some way. This could be a result of an OS
+update or application upgrade. If the change is unexpected it should be
+investigated:

/usr/sbin/csf: FAILED
/usr/sbin/lfd: FAILED
/etc/init.d/csf: FAILED
/etc/init.d/lfd: FAILED

This is fine, I understand that the md5sums changed for those files due to the update, but the peculiar thing (to me at least) is that in the process, csf.tempint disappeared entirely and I was forced to restart the services to make it regenerate the list.

This concerns me because:

A) During this time, there was presumably no integrity checking on the system, and,
B) Due to the disappearance of the file, there's no way to validate (via lfd at least) that no other files md5sum values changed between the 4.36 and 4.38 version update.

Also, feature request- upon auto update, shoot out an alert mail *before* the updated version of lfd finds that csf/lfd files have changed so that admins around the globe don't have a heart attack first thing in the morning.

Post by **chirpy** » 29 Jan 2009, 10:26

csf.tempint is removed after a report is emailed to prevent repeated reporting of the same changes. It should be recreated the next time to md5sum check runs again. I'll check through the code logic and have it regenerate the file immediately after that occurs.

Edit: I've found a couple of issues in the code for LF_INTEGRITY WRT what you've seen and will have a update for it in the next release.

Buccleuch · Post by **Buccleuch** » 29 Jan 2009, 16:35

chirpy,

Thanks for that.

I got the auto update again this morning.

Code: Select all

Subject: lfd on toshiro: System Integrity checking detected a
+modified system file

Time:     Thu Jan 29 09:40:08 2009 -0600

The following list of files have FAILED the md5sum comparision test. This means
+that the file has been changed in some way. This could be a result of an OS
+update or application upgrade. If the change is unexpected it should be
+investigated:

/usr/sbin/csf: FAILED
/usr/sbin/lfd: FAILED

And this is what I see:

Code: Select all

# ps xauww|egrep "(csf|lfd)"
root     19612  0.0  0.5 121952 23248 ?        S    09:40   0:00 lfd - sleeping
root     20823  0.0  0.0  61124   780 pts/9    R+   10:30   0:00 egrep (csf|lfd)
# ls -al /etc/csf/csf.temp*
-rw------- 1 root root      0 Jan 29 08:13 /etc/csf/csf.tempban
-rw-r--r-- 1 root root 144539 Jan 29 09:40 /etc/csf/csf.tempint
-rw------- 1 root root    187 Jan 29 07:13 /etc/csf/csf.tempip

So obviously it has regenerated tempint at that point, so that allays my fears for that...

I thought csf was supposed to run at all times? Or was I mistaken. I restarted csf/lfd just now and see the same thing, so I assume the ps list above is normal.

I would still like to suggest that before autoupdate runs, have it send an email alert to notify that an autoupdate has happened, and possibly have the autoupdate shutdown lfd first, then regenerate the csf/lfd md5sums in tempint in place with a regex before restarting them.

This would first notify the admin that the update had happened, and could show him/her what version it went from and upgraded to, and would also stop one from having a heart attack in the morning due to an suspicious change which was in fact not suspicious at all.

Thanks for all the hard work, I'm loving csf/lfd so far, they're great stuff!