
security scripts diff


Dmitry Morozovsky

Jan 31, 2010, 7:13:39 PM
to freebsd-...@freebsd.org
Dear colleagues,

looking at regular security mails I found that the following patch would greatly
decrease the amount of false positive reports; it's totally possible I'm missing
some vital areas, but my current look at security scripts did not reveal any.

What do you think? Thank you in advance.

marck@woozle:/lh/src.current/etc/periodic/security> cvs -R diff
Index: security.functions
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/security.functions,v
retrieving revision 1.5
diff -u -r1.5 security.functions
--- security.functions 22 Aug 2005 09:33:36 -0000 1.5
+++ security.functions 1 Feb 2010 00:09:59 -0000
@@ -67,7 +67,7 @@
[ $rc -lt 1 ] && rc=1
echo ""
echo "${msg}"
- diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \
+ diff -w ${daily_status_security_diff_flags} ${LOG}/${label}.today \
${tmpf} | eval "${filter}"
mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
mv ${tmpf} ${LOG}/${label}.today || rc=3
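Review bot: hard-coding `-w` on the `diff` line makes the report skip any change that consists only of white space being inserted or removed, including white space that separates two tokens, so a line whose meaning changed that way would never reach the security mail. `-b` still suppresses realignment noise but reports white space appearing or disappearing. Because `${daily_status_security_diff_flags}` is already expanded on the same line, consider supplying the white-space flag through that variable instead of fixing it in the function, so a site can opt out, and document the choice next to it.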


--
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: ma...@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- ma...@rinet.ru ***
------------------------------------------------------------------------

David Wolfskill

Jan 31, 2010, 7:40:03 PM
to Dmitry Morozovsky, freebsd-...@freebsd.org
On Mon, Feb 01, 2010 at 03:13:39AM +0300, Dmitry Morozovsky wrote:
> Dear colleagues,
>
> looking at regular security mails I found that the following patch would greatly
> decrease the amount of false positive reports; it's totally possible I'm missing
> some vital areas, but my current look at security scripts did not reveal any.
>
> What do you think? Thank you in advance.
> ...

I think maybe -b ("Ignore changes in the amount of white space.") might
be better than -w ("Ignore all white space."), as the presence or
absence of *some* white space can be a significant difference (e.g., to a
non-FORTRAN IV parser).

Peace,
david
--
David H. Wolfskill da...@catwhisker.org
Depriving a girl or boy of an opportunity for education is evil.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
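
The difference between `-w` and `-b` raised in the reply above, as an added example that is not part of the original thread. The listing lines, the file name and the `reports_change` helper are constructed for illustration and are not output of the periodic scripts.

```shell
#!/bin/sh
# Added example: which snapshot changes survive diff -w versus diff -b.
# All listing lines are constructed sample data, not real script output.

# Yesterday's entry.
old='-r-sr-xr-x 1 root wheel 21384 /usr/local/bin/backup tool'
# Same entry, only the column padding differs (cosmetic noise).
realigned='-r-sr-xr-x  1 root  wheel  21384 /usr/local/bin/backup tool'
# A different file name: the space inside the name has disappeared.
renamed='-r-sr-xr-x 1 root wheel 21384 /usr/local/bin/backuptool'

# reports_change FLAG OLD_TEXT NEW_TEXT
# Prints "yes" if "diff FLAG" reports a difference, "no" if it stays
# silent, and "error" if diff itself failed.
reports_change() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' "$2" > "$dir/yesterday"
    printf '%s\n' "$3" > "$dir/today"
    rc=0
    diff "$1" "$dir/yesterday" "$dir/today" >/dev/null 2>&1 || rc=$?
    rm -rf "$dir"
    case $rc in
        0) echo no ;;
        1) echo yes ;;
        *) echo error ;;
    esac
}

for flag in -w -b; do
    echo "diff $flag, padding only changed: $(reports_change "$flag" "$old" "$realigned")"
    echo "diff $flag, space removed from name: $(reports_change "$flag" "$old" "$renamed")"
done
```

Both flags silence the padding-only change; only `-b` still reports the entry whose name lost its space.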

Dmitry Morozovsky

Jan 31, 2010, 7:53:22 PM
to David Wolfskill, freebsd-...@freebsd.org
On Sun, 31 Jan 2010, David Wolfskill wrote:

DW> > looking at regular security mails I found that the following patch would greatly
DW> > decrease the amount of false positive reports; it's totally possible I'm missing
DW> > some vital areas, but my current look at security scripts did not reveal any.
DW> >
DW> > What do you think? Thank you in advance.
DW> > ...
DW>
DW> I think maybe -b ("Ignore changes in the amount of white space.") might
DW> be better than -w ("Ignore all white space."), as the presence or
DW> absence of *some* white space can be a significant difference (e.g., to a
DW> non-FORTRAN IV parser).

Agreed.

Esa Karkkainen

Feb 1, 2010, 11:42:26 AM
to freebsd-...@freebsd.org, Dmitry Morozovsky
On Sun, Jan 31, 2010 at 04:40:03PM -0800, David Wolfskill wrote:
> On Mon, Feb 01, 2010 at 03:13:39AM +0300, Dmitry Morozovsky wrote:
> > Dear colleagues,
> >
> > looking at regular security mails I found that the following patch would greatly
> > decrease the amount of false positive reports; it's totally possible I'm missing
> > some vital areas, but my current look at security scripts did not reveal any.
> >
> > What do you think? Thank you in advance.
> > ...
>
> I think maybe -b ("Ignore changes in the amount of white space.") might
> be better than -w ("Ignore all white space."), as the presence or
> absence of *some* white space can be a significant difference (e.g., to a
> non-FORTRAN IV parser).

I've always disliked the feature which lists unchanged files on security
emails (100.chksetuid). I've created a patch some time ago.

http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/119464

--
"In the beginning the Universe was created. This has made a lot of
people very angry and been widely regarded as a bad move."
-- Douglas Adams 1952 - 2001
