From owner-freebsd-security@FreeBSD.ORG Tue Feb 22 08:36:48 2005
From: Andriy Gapon
Date: Tue, 22 Feb 2005 10:36:43 +0200
To: freebsd-security@freebsd.org
Message-ID: <421AEF1B.6000707@icyb.net.ua>
Subject: periodic/security/550.ipfwlimit

550.ipfwlimit check in /etc/periodic/security takes into account only
global/default verbosity limit and does not account for a specific
logging limit set for a particular rule e.g.:

$ ipfw -a l | fgrep log
65000 *521* 41764 deny log logamount *1000* ip from any to any

$ sysctl -n net.inet.ip.fw.verbose_limit
*100*

From security run output:

ipfw log limit reached:
65000 519 41672 deny log logamount 1000 ip from any to any

--
Andriy Gapon

From owner-freebsd-security@FreeBSD.ORG Tue Feb 22 15:21:02 2005
Date: Tue, 22 Feb 2005 17:21:00 +0200
From: Peter Lavee
To: freebsd-security@freebsd.org
Message-ID: <20050222152059.GB11631@tsua.net>
In-Reply-To: <421AEF1B.6000707@icyb.net.ua>
X-Operating-System: FreeBSD 4.10-RELEASE-p5 i386
Subject: Re: periodic/security/550.ipfwlimit

On Tue, Feb 22, 2005 at 10:36:43AM +0200, Andriy Gapon wrote:

Quickfixed version, may apply to 4-STABLE, 4.10 & 4.11
---------------------------->8-------------------------------------------------------------------------
#!/bin/sh -
#
# Copyright (c) 2001 The FreeBSD Project
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.2.2.3 2002/08/28 05:13:53 cjc Exp $
#

# Show ipfw rules which have reached the log limit
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

rc=0

case "$daily_status_security_ipfwlimit_enable" in
    [Yy][Ee][Ss])
	TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
	if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
	    # rules without a per-rule limit: compare the packet counter
	    # (second column of "ipfw -a l") with the global verbose_limit
	    ipfw -a l | grep " log " | grep -v " logamount " | perl -n -e \
		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
	    # rules with "logamount N": compare the packet counter with N
	    ipfw -a l | grep " log " | grep " logamount " | perl -n -e \
		'/^\d+\s+(\d+).+?logamount\s+(\d+)/; print if ($1 >= $2)' >> ${TMP}
	    if [ -s "${TMP}" ]; then
		rc=1
		echo ""
		echo 'ipfw log limit reached:'
		cat ${TMP}
	    fi
	fi
	rm -f ${TMP};;
    *)  rc=0;;
esac

exit $rc
---------------------------->8-------------------------------------------------------------------------

>
> 550.ipfwlimit check in /etc/periodic/security takes into account only
> global/default verbosity limit and does not account for a specific
> logging limit set for a particular rule e.g.:
>
> $ ipfw -a l | fgrep log
> 65000 *521* 41764 deny log logamount *1000* ip from any to any
>
> $ sysctl -n net.inet.ip.fw.verbose_limit
> *100*
>
> From security run output:
>
> ipfw log limit reached:
> 65000 519 41672 deny log logamount 1000 ip from any to any

--
WBR,
Peter Lavee
Hostmaster
Technological Systems
CJVC

From owner-freebsd-security@FreeBSD.ORG Tue Feb 22 16:02:29 2005
Date: Tue, 22 Feb 2005 11:02:27 -0500
From: Bill Moran
To: Peter Lavee
cc: freebsd-security@freebsd.org
Message-Id: <20050222110227.77fcbab0.wmoran@potentialtech.com>
In-Reply-To: <20050222152059.GB11631@tsua.net>
Organization: Potential Technologies
Subject: Re: periodic/security/550.ipfwlimit

This is great.

However, because of the size of the FreeBSD project, it's likely that this
will get lost.  To ensure that it doesn't, please submit it as a PR
(problem report).  You can use the send-pr command on your FreeBSD system,
or this web interface:
http://www.freebsd.org/send-pr.html

Peter Lavee wrote:

> On Tue, Feb 22, 2005 at 10:36:43AM +0200, Andriy Gapon wrote:
>
> Quickfixed version, may apply to 4-STABLE, 4.10 & 4.11
> ---------------------------->8-------------------------------------------------------------------------
> #!/bin/sh -
> #
> # Copyright (c) 2001 The FreeBSD Project
> # All rights reserved.
> #
> # Redistribution and use in source and binary forms, with or without
> # modification, are permitted provided that the following conditions
> # are met:
> # 1. Redistributions of source code must retain the above copyright
> #    notice, this list of conditions and the following disclaimer.
> # 2. Redistributions in binary form must reproduce the above copyright
> #    notice, this list of conditions and the following disclaimer in the
> #    documentation and/or other materials provided with the distribution.
> #
> # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> # SUCH DAMAGE.
> #
> # $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.2.2.3 2002/08/28 05:13:53 cjc Exp $
> #
>
> # Show ipfw rules which have reached the log limit
> #
>
> # If there is a global system configuration file, suck it in.
> #
> if [ -r /etc/defaults/periodic.conf ]
> then
>     . /etc/defaults/periodic.conf
>     source_periodic_confs
> fi
>
> rc=0
>
> case "$daily_status_security_ipfwlimit_enable" in
>     [Yy][Ee][Ss])
> 	TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
> 	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
> 	if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
> 	    ipfw -a l | grep " log " | grep -v " logamount " | perl -n -e \
> 		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
> 	    ipfw -a l | grep " log " | grep " logamount " | perl -n -e \
> 		'/^\d+\s+(\d+).+?logamount\s+(\d+)/; print if ($1 >= $2)' >> ${TMP}
> 	    if [ -s "${TMP}" ]; then
> 		rc=1
> 		echo ""
> 		echo 'ipfw log limit reached:'
> 		cat ${TMP}
> 	    fi
> 	fi
> 	rm -f ${TMP};;
>     *)  rc=0;;
> esac
>
> exit $rc
> ---------------------------->8-------------------------------------------------------------------------
>
> >
> > 550.ipfwlimit check in /etc/periodic/security takes into account only
> > global/default verbosity limit and does not account for a specific
> > logging limit set for a particular rule e.g.:
> >
> > $ ipfw -a l | fgrep log
> > 65000 *521* 41764 deny log logamount *1000* ip from any to any
> >
> > $ sysctl -n net.inet.ip.fw.verbose_limit
> > *100*
> >
> > From security run output:
> >
> > ipfw log limit reached:
> > 65000 519 41672 deny log logamount 1000 ip from any to any
>
> --
> WBR,
> Peter Lavee
> Hostmaster
> Technological Systems
> CJVC
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--
Bill Moran
Potential Technologies
http://www.potentialtech.com

From owner-freebsd-security@FreeBSD.ORG Tue Feb 22 19:42:02 2005
Date: Tue, 22 Feb 2005 13:42:00 -0600
From: Jacques Vidrine
To: freebsd-vuxml@FreeBSD.org, freebsd-security@FreeBSD.org
Message-ID: <20050222194200.GA27003@lum.celabo.org>
Reply-To: freebsd-vuxml@FreeBSD.org
Organization: The FreeBSD Project
Subject: VuXML.org improvements

Hello Everyone,

I have made a few small changes to the VuXML.org web sites,
http://www.vuxml.org/freebsd/ (aka vuxml.freebsd.org) and
http://www.vuxml.org/openbsd/

- Date-oriented indices (e.g. entry date index) visually group entries
  from the same date.

- The package name index is more useful, listing individual package names.

- Each package referenced in VuXML now has its own index page linked from
  the package name page, e.g. pkg-squid.html.  The index page lists all
  entries affecting that package.  In the case of FreeBSD, a link to
  FreshPorts.org is also displayed.

- For entries which contain a CVE name reference, one may "hover" the
  mouse over the CVE name to get a pop-up description of the CVE as
  provided by MITRE.

- Each CVE name referenced in VuXML now has its own index page, e.g.
  cveitem-2004-1308.html and cveitem-2000-0442.html.  Those pages' contents
  are generated directly from MITRE's CVE list.

Cheers,
--
Jacques A Vidrine / NTT/Verio
nectar@celabo.org / jvidrine@verio.net / nectar@FreeBSD.org

From owner-freebsd-security@FreeBSD.ORG Wed Feb 23 17:27:35 2005
Date: Wed, 23 Feb 2005 19:27:33 +0200
From: Peter Lavee
To: Alexander Leidinger , Bill Moran , freebsd-security@freebsd.org
Message-ID: <20050223172733.GB24603@tsua.net>
In-Reply-To: <20050223155951.of0vuu1ngggog44g@netchild.homeip.net>
X-Operating-System: FreeBSD 4.10-RELEASE-p5 i386
Subject: Re: periodic/security/550.ipfwlimit - diff for RELENG-5

On Wed, Feb 23, 2005 at 03:59:51PM +0100, Alexander Leidinger wrote:

Better version than the previous one, it will not break the order of rules.
awk version, it will work on all 4 and 5 releases, at least those where
IPFW is enabled ;-)
Also I removed the check for digit+space+digit - it can break things if
ipfw output is significantly changed.

diff -u 550.ipfwlimit 550.ipfwlimit.new
=============================>8==============================================================================================
--- 550.ipfwlimit	Wed Feb 23 18:54:35 2005
+++ 550.ipfwlimit.new	Wed Feb 23 19:19:19 2005
@@ -45,10 +45,10 @@ TMP=`mktemp -t security` IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then - ipfw -a l | grep " log " | \ - grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ - awk -v limit="$IPFW_LOG_LIMIT" \ - '{if ($2 > limit) {print $0}}' > ${TMP} + ipfw -a l | grep " log " \ + | \ + awk -v limit="$IPFW_LOG_LIMIT" -v logamount=$6 \ + '{if ($5 == "logamount") {if ($2 > logamount) {print $0} } else { if ($2 > limit) {print $0} } }' > ${TMP} if [ -s "${TMP}" ]; then rc=1 echo "" =============================>8============================================================================================== > Bill Moran wrote: > > > > >This is great. > > > >However, because of the size of the FreeBSD project, it's likely that this > >will get lost. To ensure that it doesn't, please submit it as a PR > >(problem report). > > While this may work on 4.x, this will not be able to go into 5.x or into > -current (and it first has to find it's way into -current, else there will > be no merge to 5.x or 4.x) since we don't have perl in the base system on > 5.x and -current. I suggest to rewrite this in awk (in the -current version > of this periodic script) and submit it as a diff. 
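Review bot: `-v logamount=$6` is expanded by the shell, not by awk: the periodic script has no sixth positional parameter, so `logamount` is always the empty string and `$2 > logamount` becomes a string comparison that is true for any counter, reporting every logamount rule whether or not it has reached its limit. The column test is also off by one for the output quoted at the top of this thread (`65000 521 41764 deny log logamount 1000 ip from any to any`): with `-a` the action is `$4`, `log` is `$5`, `logamount` is `$6` and its value `$7`, so `$5 == "logamount"` never matches and every rule falls through to the global limit, which is the original bug. Keeping the whole test inside the single-quoted awk program fixes both, e.g. `awk -v limit="$IPFW_LOG_LIMIT" '{ if ($6 == "logamount") { if ($2 > $7) print } else if ($2 > limit) print }'`. Two smaller points: the perl version posted earlier used `>=` while this hunk keeps `>`, so the commit message should say which comparison is intended for a counter equal to the limit; and dropping the `^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+` guard lets any non-rule line containing " log " reach the comparison, so a numeric check on `$1`/`$2` inside awk should replace it rather than nothing.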
--
WBR,
Peter Lavee
Hostmaster
Technological Systems
CJVC

From owner-freebsd-security@FreeBSD.ORG Wed Feb 23 17:46:50 2005
Date: Wed, 23 Feb 2005 19:46:43 +0200
From: Peter Lavee
To: Alexander Leidinger , Bill Moran , freebsd-security@freebsd.org
Message-ID: <20050223174643.GA54707@tsua.net>
X-Operating-System: FreeBSD 4.10-RELEASE-p5 i386
Subject: Fw-up: Re: periodic/security/550.ipfwlimit - diff for RELENG-5

Almost forgot - the diff needs to be applied only to the FreeBSD 5 version
of 550.ipfwlimit, but the resulting file can be used on both 4 and 5
releases.

On Wed, Feb 23, 2005 at 03:59:51PM +0100, Alexander Leidinger wrote:

Better version than the previous one, it will not break the order of rules.
awk version, it will work on all 4 and 5 releases, at least those where
IPFW is enabled ;-)
Also I removed the check for digit+space+digit - it can break things if
ipfw output is significantly changed.

diff -u 550.ipfwlimit 550.ipfwlimit.new
=============================>8==============================================================================================
--- 550.ipfwlimit	Wed Feb 23 18:54:35 2005
+++ 550.ipfwlimit.new	Wed Feb 23 19:19:19 2005
@@ -45,10 +45,10 @@ TMP=`mktemp -t security` IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then - ipfw -a l | grep " log " | \ - grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ - awk -v limit="$IPFW_LOG_LIMIT" \ - '{if ($2 > limit) {print $0}}' > ${TMP} + ipfw -a l | grep " log " \ + | \ + awk -v limit="$IPFW_LOG_LIMIT" -v logamount=$6 \ + '{if ($5 == "logamount") {if ($2 > logamount) {print $0} } else { if ($2 > limit) {print $0} } }' > ${TMP} if [ -s "${TMP}" ]; then rc=1 echo "" =============================>8============================================================================================== > Bill Moran wrote: > > > > >This is great. > > > >However, because of the size of the FreeBSD project, it's likely that this > >will get lost. To ensure that it doesn't, please submit it as a PR > >(problem report). > > While this may work on 4.x, this will not be able to go into 5.x or into > -current (and it first has to find it's way into -current, else there will > be no merge to 5.x or 4.x) since we don't have perl in the base system on > 5.x and -current. I suggest to rewrite this in awk (in the -current version > of this periodic script) and submit it as a diff. 
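Review bot: same defect as the identical hunk in the previous message: `-v logamount=$6` is a shell expansion (empty in a periodic script), so `$2 > logamount` is a string comparison that flags every logamount rule, and in `ipfw -a l` output `logamount` is `$6` with its value in `$7`, not `$5`/`$6`, so the `$5 == "logamount"` branch is never taken. Test `$6 == "logamount"` and compare `$2` against `$7` inside the single-quoted awk program instead of passing `$6` through `-v`, and keep a numeric check on `$1`/`$2` in awk to replace the grep guard this hunk removes.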
--
WBR,
Peter Lavee
Hostmaster
Technological Systems
CJVC

From owner-freebsd-security@FreeBSD.ORG Wed Feb 23 21:45:00 2005
Message-ID: <421CF978.8020705@withagen.nl>
Date: Wed, 23 Feb 2005 22:45:28 +0100
From: Willem Jan Withagen
Cc: freebsd-security@freebsd.org
In-Reply-To: <20050223172733.GB24603@tsua.net>
Subject: Re: periodic/security/550.ipfwlimit - diff for RELENG-5

Peter Lavee wrote:
[about fixing ipfwlimit]

The other thing I'm having a problem with is that although IPFW logs to
/var/log/security, the only full information on actual deny actions comes
from looking at the kernel messages, instead of getting those from
/var/log/security.

Is this on purpose, or did I just forget to switch something on?
Or is this a "submit code please" case?
--WjW

From owner-freebsd-security@FreeBSD.ORG Wed Feb 23 15:00:54 2005
Message-ID: <20050223155951.of0vuu1ngggog44g@netchild.homeip.net>
Date: Wed, 23 Feb 2005 15:59:51 +0100
From: Alexander Leidinger
To: Bill Moran
cc: freebsd-security@freebsd.org
cc: Peter Lavee
In-Reply-To: <20050222110227.77fcbab0.wmoran@potentialtech.com>
User-Agent: Internet Messaging Program (IMP) H3 (4.0.2) / FreeBSD-4.11
X-Mailman-Approved-At: Thu, 24 Feb 2005 14:36:11 +0000
Subject: Re: periodic/security/550.ipfwlimit

Bill Moran wrote:

> This is great.
>
> However, because of the size of the FreeBSD project, it's likely that this
> will get lost.  To ensure that it doesn't, please submit it as a PR
> (problem report).

While this may work on 4.x, this will not be able to go into 5.x or into
-current (and it first has to find its way into -current, else there will
be no merge to 5.x or 4.x) since we don't have perl in the base system on
5.x and -current. I suggest to rewrite this in awk (in the -current version
of this periodic script) and submit it as a diff.

Bye,
Alexander.
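The awk rewrite Alexander asks for, as an added example that is not part of any message in this thread and not FreeBSD's own 550.ipfwlimit: a sh function that reads `ipfw -a l` output and prints every logging rule whose packet counter has reached its effective limit, using the per-rule "logamount N" where one is present and the global net.inet.ip.fw.verbose_limit otherwise (0 meaning unlimited in both cases). It assumes the column layout shown earlier in the thread (rule number, packet count, byte count, then the rule body) and that the listing was taken without `-t`; the sample listing is constructed for the example, and rules are found by scanning for the `log`/`logamount` keywords rather than by fixed column so that an extra leading token such as `set N` does not shift the test.

```sh
#!/bin/sh
# Added example, not code from this thread or from FreeBSD's 550.ipfwlimit.
# Reports ipfw rules whose packet counter has reached their logging limit.
#
# Assumed input: the text of `ipfw -a l` (no -t), whose columns are
#   <rule#> <packets> <bytes> <action> [log [logamount N]] <proto> from ...
# A per-rule "logamount N" overrides the global net.inet.ip.fw.verbose_limit.

# ipfw_log_limit_report LIMIT   (reads the listing on stdin)
#   LIMIT is the value of net.inet.ip.fw.verbose_limit; 0 means unlimited.
ipfw_log_limit_report() {
    awk -v limit="$1" '
        # only rule lines: numeric rule number and packet counter in $1/$2
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }
        {
            has_log = 0
            rule_limit = limit + 0          # start from the global limit
            # scan the rule body for "log" and an optional "logamount N"
            for (i = 4; i <= NF; i++) {
                if ($i == "log") {
                    has_log = 1
                } else if (has_log && $i == "logamount" && i < NF) {
                    rule_limit = $(i + 1) + 0   # per-rule limit wins
                    break
                } else if ($i == "from") {
                    break                       # address part: no more options
                }
            }
            if (!has_log || rule_limit == 0)
                next                            # not logged, or unlimited
            # a counter equal to the limit counts as "reached" (the perl
            # version in this thread uses >= as well)
            if ($2 + 0 >= rule_limit)
                print
        }'
}

# Constructed sample listing (not real firewall output) exercising the cases:
#   00200 has a per-rule limit it has not reached (521 < 1000)
#   00300 has no logamount and sits exactly at a global limit of 100
#   00400 is one short of that global limit
#   00500 has reached its own logamount even though 1000 > global limit
SAMPLE_IPFW_OUTPUT='00100    12     960 allow ip from any to any via lo0
00200   521   41764 deny log logamount 1000 ip from any to any
00300   100    8000 deny log ip from 10.0.0.0/8 to any
00400    99    7920 deny log ip from any to 10.0.0.1
00500  1000   80000 deny log logamount 1000 tcp from any to any dst-port 23
65535     5     400 deny ip from any to any'

# Demonstration with a global verbose_limit of 100: prints rules 00300 and 00500.
# On a live system the equivalent is:
#   ipfw -a l | ipfw_log_limit_report "$(sysctl -n net.inet.ip.fw.verbose_limit)"
printf '%s\n' "$SAMPLE_IPFW_OUTPUT" | ipfw_log_limit_report 100
```

One caveat a periodic check like this inherits from every version in the thread: the packet counter in column two is reset by `ipfw zero`, while the kernel's logging budget is reset by `ipfw resetlog`, so the two can drift apart if only one of them is cleared; the report is a heuristic on the visible counter, not a readout of the kernel's remaining log budget.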
--
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-security@FreeBSD.ORG Sat Feb 26 15:05:36 2005
Message-ID: <42209060.7040202@gmx.de>
Date: Sat, 26 Feb 2005 16:06:08 +0100
From: Mathias Picker
To: freebsd-security@freebsd.org
Subject: mac questions: stopping root from reading /home && mac_biba stops clean shutdown

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just try to understand the concepts and possibilities behind the mac
framework. After days of puzzling I found one puzzling behaviour and
still have one immediate question (this is on 5-stable)

- when I enable mac_biba, set root to biba/equal (or any value,
  actually), and do a setfmac -R biba/equal / I expect biba to be
  activated without any change to the system behaviour. This seems to be
  correct, save for one detail: the system does not shut down cleanly: it
  syncs, but never gets to power down or reboot and the disks are not
  marked clean, so fsck runs on next boot. Is this an expected behaviour??

- What is the easiest way to block root from reading /home once the
  system is in multiuser....

Thanks for any hints, tips, links to background info about biba + mls

Mathias

P.S.: bsdextended does not block root from anything, right??

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCIJBgSnKsATEFgwERAk+TAJ9tpmGVlY7W+OcIxj9q4vGqfTTkkgCfTWmK
0/myndlVB1DTfXAFHkxht5g=
=vIgR
-----END PGP SIGNATURE-----