[SOLVED] "Outbound" messages and checksecurity.log setuid changes
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am using ubuntu 10.04 on an iMac 7.1. What do the following log entries mean? I recently had a "sbin/init infected" alarm with chkrootkit (or rkhunter, I forget which) and reinstalled, and I thought I was rid of the problem, whatever it was (could have been a kernel panic), but now the checksecurity setuid stuff reappeared (the checksecurity.log only appears in the log file viewer after resetting it with gconftool-2 --recursive-unset /apps/gnome-system-log, which seems suspicious; why is the log hidden by default?); also there are "outbound" messages that I don't understand. I have another ubuntu install on another Mac which seems to be unaffected (and also has checksecurity installed; I just ran it manually and also got setuid stuff, but there is no "outbound" and ufw.log is empty). I can't really think I have a rootkit (I don't notice any effects except these anomalous logfiles, and my browsing habits don't include sleazy websites). And what exactly are bound sockets? There is a lot of information about sockets on the net but it's all rather technical. I continue to look of course. I ran chkrootkit and rkhunter again, and they read clean (if I can trust them).
Is it possible that the trouble is related to the Mac's BIOS emulation? (Apple does not seem to take security very seriously; Snow Leopard does not even ask for a password for Software Update - I asked my premium reseller and he confirmed it. I should not be surprised to find out that the iMac's BIOS emulation is unsafe. I'll need to get a real computer). The MacBook Pro 5.1 has a newer firmware (for instance, it will boot ubuntu from external disks which the iMac will not), and as I said that install seems to be unaffected (The setuid stuff is probably normal, but I'm not sure the "outbound" messages are). I use grub legacy, which seems to install to the Mac's EFI partition as /dev/sda (GParted shows 18.1 MB of 200MB used on both computers with ubuntu on them, whereas an HFS+ disk without ubuntu, or with GRUB in a partition, will show 3.09 MB used).
Does it make sense to reconfigure checksecurity to check for setuid changes daily (change CHECK_WEEKLY="SETUID" in /etc/checksecurity.conf to CHECK_DAILY="SETUID")?
There also was a lot of terminal output similar to the iMac's which I forgot to save, and when I ran checksecurity again it was blank. (Incidentally, the list of setuid programs on Mac OS is a lot longer.)
Quote:
Originally Posted by nokangaroo
I recently had a "sbin/init infected" alarm with chkrootkit (or rkhunter, I forget which) and reinstalled
Re-installing might not have been necessary if it was a false positive. Happens you know.
Quote:
Originally Posted by nokangaroo
now the checksecurity setuid stuff reappeared
Setuid root means any unprivileged user will be able to run the command with root rights. Usually viewed as a weakness in systems for elevating users' rights.
Quote:
Originally Posted by nokangaroo
I have another ubuntu install on another Mac which seems to be unaffected
Did both machines receive different package updates?
Quote:
Originally Posted by nokangaroo
what exactly are bound sockets?
"Bound" here means an application (service) is listening (waiting) on a network socket for clients. For instance your "cupsd" is waiting for clients to queue print jobs. A combination of router safety (not opening service ports to the Internet), application configuration (user and remote access), tcp_wrappers (remote addresses, local service access) and firewall (remote addresses, local port access) should help keep out unwanted access.
Quote:
Originally Posted by nokangaroo
Apple does not seem to take security very seriously;
They do. It's just they only care for themselves and not for users. Why else would they require you to pay for updates?
Quote:
Originally Posted by nokangaroo
I'm not sure the "outbound" messages are
Traffic logged by the firewall that is exiting your machine.
Quote:
Originally Posted by nokangaroo
Does it make sense to reconfigure checksecurity to check for setuid changes daily (change CHECK_WEEKLY="SETUID" in /etc/checksecurity.conf to CHECK_DAILY="SETUID")?
If you keep the software up to date, and if you only run vital services, and if you restrict service access to the machine to only your LAN, and if you trust other machines on the LAN, and if 'checksecurity' is not the only auditing tool you run, then I'd say keep it at the weekly interval.
Quote:
Originally Posted by nokangaroo
Aug 2 01:18:56 ubuntu kernel: Kernel logging (proc) stopped.
Usually happens when Syslog gets shut down when you shut down the machine or when syslog gets restarted when logs get rotated (but then it should be followed by a starting line).
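As an added illustration of what the SETUID check in unSpawn's reply is actually reporting (example code, not from the thread or from the checksecurity package): a scan of the filesystem for setuid/setgid files and a diff against a saved baseline, which is the same kind of added/removed/changed list checksecurity writes to checksecurity.log after a package upgrade or an unexpected change. The baseline and current listings below are constructed sample data.

```python
import os
import stat

# Pseudo filesystems that must be pruned when scanning from "/"
PRUNE = {"/proc", "/sys", "/dev"}


def scan_setuid(root="/"):
    """Return {path: (mode, uid, gid)} for every regular setuid/setgid file under root."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = (oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid)
    return found


def diff_setuid(baseline, current):
    """Compare two scans and report what appeared, vanished or changed mode/owner."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def is_suspicious(report, expected_new=()):
    """A setuid file that no package upgrade explains, or a changed mode/owner, is the alarm case."""
    unexpected = [p for p in report["added"] if p not in expected_new]
    return bool(unexpected or report["changed"])


# Constructed sample listings (not real scan output): a typical baseline and a
# later scan where a setuid binary has appeared in /tmp.
BASELINE = {"/bin/su": ("0o4755", 0, 0), "/usr/bin/passwd": ("0o4755", 0, 0)}
CURRENT = dict(BASELINE, **{"/tmp/.x": ("0o4755", 0, 0)})

if __name__ == "__main__":
    print(diff_setuid(BASELINE, CURRENT))   # the /tmp entry shows up under "added"
```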
Thanks, unSpawn, for your reply. Traffic that is exiting my machine - does that mean routine stuff like add-on update requests from firefox? Then it should be present in the logs of both machines, shouldn't it? You have answered most of my questions but I am still not convinced that the outbound stuff is on the up and up. (Anyway there is none of it after August 2, so my online activity is not under "Outbound"). I'll keep track of what I do and an eye on the logs.
Quote:
Originally Posted by nokangaroo
Traffic that is exiting my machine - does that mean routine stuff like add-on update requests from firefox? Then it should be present in the logs of both machines, shouldn't it?
Any traffic will exit your machine, be it NTP (the "OUT=eth1 DST=91.189.94.4 PROTO=UDP SPT=123 DPT=123" lines to europium.canonical.com), updates or version checking (the "OUT=eth1 PROTO=TCP DPT=80" lines to gd.tuwien.ac.at and jujube.canonical.com). The relevance of reporting lines depends on reasonable firewall rules. The only blocking-rule hit was the "[UFW BLOCK] IN=eth1 from ew-in-f101.1e100.net" line, which means tearing down (ACK FIN) the connection between you and Google. For unknown reasons Netfilter didn't see that as part of an established connection. Looking at "3.5. Closing a Connection" of RFC 793 it isn't exactly malicious traffic. So I fail to see how your firewall rule set marks that as something to block, but then again we don't have your firewall rule set to look at.
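The reading unSpawn applies to those lines, written out as an added example (not code from the thread): split each UFW kernel log line into its IN/OUT/SRC/DST/PROTO/port fields and TCP flags, call it outbound when OUT= names an interface, and separate a blocked ACK/FIN teardown of an existing connection from a blocked SYN to a listening port. The sample lines are constructed from the fragments quoted in the thread; 203.0.113.10, 203.0.113.77 and 198.51.100.5 are placeholder addresses (the thread gives hostnames, not IPs, for the Google and mirror hosts).

```python
import re

# Constructed sample log (field layout follows ufw's kernel log lines; addresses are placeholders)
SAMPLE_LOG = """\
Aug  2 01:12:03 ubuntu kernel: [UFW AUDIT] IN= OUT=eth1 SRC=192.168.1.20 DST=91.189.94.4 LEN=76 PROTO=UDP SPT=123 DPT=123
Aug  2 01:12:10 ubuntu kernel: [UFW AUDIT] IN= OUT=eth1 SRC=192.168.1.20 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=45872 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  2 01:15:44 ubuntu kernel: [UFW BLOCK] IN=eth1 OUT= SRC=203.0.113.10 DST=192.168.1.20 LEN=40 PROTO=TCP SPT=80 DPT=38114 WINDOW=0 RES=0x00 ACK FIN URGP=0
Aug  2 01:16:02 ubuntu kernel: [UFW BLOCK] IN=eth1 OUT= SRC=203.0.113.77 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict of KEY=value fields plus action, direction and TCP flags; None if not a UFW line."""
    m = re.search(r"\[UFW (\w+)\] (.*)$", line)
    if not m:
        return None
    rec = {"action": m.group(1), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value                 # "OUT=" with no interface stays an empty string
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    rec["direction"] = "outbound" if rec.get("OUT") else "inbound"
    return rec


def assess(rec):
    """One-line reading of a parsed record, in the terms used in the thread."""
    if rec["direction"] == "outbound":
        return "outbound: traffic leaving this host (logged, not blocked)"
    teardown = rec["flags"] & {"ACK", "FIN", "RST"} and "SYN" not in rec["flags"]
    if rec["action"] == "BLOCK" and rec.get("PROTO") == "TCP" and teardown:
        return "blocked teardown of an existing connection (no SYN): conntrack lost state, not an attack"
    if rec["action"] == "BLOCK":
        return "blocked inbound connection attempt to port " + rec.get("DPT", "?")
    return "inbound traffic, allowed"


def triage(log_text):
    """Parse every UFW line in a log and pair it with its assessment."""
    records = (parse_line(l) for l in log_text.splitlines())
    return [(r["direction"], r["SRC"], r["DST"], assess(r)) for r in records if r]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```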