Message-Id: <200912290553.nBT5rt4J054443@www.freebsd.org>
Date: Tue, 29 Dec 2009 05:53:55 GMT
From: Eric Lakin
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/142114: security report from 'periodic daily' doesn't respect the "daily_show_*" configurables

>Number: 142114
>Category: misc
>Synopsis: security report from 'periodic daily' doesn't respect the "daily_show_*" configurables
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 29 06:00:09 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eric Lakin
>Release: 8.0-STABLE
>Organization:
>Environment:
FreeBSD osiris.priv.infohell.net 8.0-STABLE FreeBSD 8.0-STABLE #0: Sun Dec 20 00:44:01 PST 2009 root@osiris.infohell.net:/usr/obj/usr/src/sys/OSIRIS i386
>Description:
The daily system report that gets run ("periodic daily") from cron has a couple of variables that can be used in /etc/periodic.conf to fine-tune what output is seen -- in particular:

    % grep daily_show /etc/defaults/periodic.conf
    daily_show_success="YES"      # scripts returning 0
    daily_show_info="YES"         # scripts returning 1
    daily_show_badconfig="NO"     # scripts returning 2

One would expect that the security portion of the daily report would obey these settings -- but it doesn't. The security report gets implemented by running "periodic security", which has the effect that it's controlled by security_show_success, security_show_info, and security_show_badconfig. These aren't documented in /etc/defaults/periodic.conf.
>How-To-Repeat:
    # echo 'daily_show_success="NO"' >> /etc/periodic.conf
    # periodic daily

The security report will include things that it shouldn't by the above setting.
>Fix:
I would suggest modifying /etc/periodic/450.status-security to include:

    export security_show_success=${daily_show_success}
    export security_show_info=${daily_show_info}
    export security_show_badconfig=${daily_show_badconfig}

just prior to the execution of "periodic security". This will cause the security output to inherit the daily output's settings, but if somebody REALLY wants different settings for the security output, putting security_show_* in /etc/periodic.conf will override.
>Release-Note:
>Audit-Trail:
>Unformatted:
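
The behaviour described in this report, as an added example that is not part of the original problem report and is not FreeBSD's periodic(8) source: a small sh model in which each run consults its own <context>_show_* variables, so the nested security run ignores daily_show_* until the three exports from the Fix are applied. The function names, the fallback defaults for unset variables, and the sample config strings are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed model, not FreeBSD's periodic(8) source. Assumption: a run in
# context C ("daily" or "security") consults C_show_success/info/badconfig.

# should_show CONTEXT RC: print YES or NO for a script that exited with RC.
should_show() {
    case $2 in
        0) name=success   default=YES ;;
        1) name=info      default=YES ;;
        2) name=badconfig default=NO ;;
        *) echo YES; return 0 ;;        # assumed: other exit codes always shown
    esac
    # Unset variables fall back to the defaults quoted in the report (assumed
    # here to apply to the security context as well).
    eval "value=\${${1}_show_${name}:-$default}"
    case $value in
        [Nn][Oo])     echo NO ;;
        [Yy][Ee][Ss]) echo YES ;;
        *)            echo "$default" ;;
    esac
}

# nested_security_report CONF MODE RC
#   CONF: assignments standing in for /etc/periodic.conf (constructed sample)
#   MODE: "patched" applies the three exports from the Fix, else unpatched
# Prints whether a security script exiting RC is shown inside "periodic daily".
nested_security_report() (
    unset security_show_success security_show_info security_show_badconfig
    daily_show_success=YES daily_show_info=YES daily_show_badconfig=NO
    eval "$1"                           # the daily run reads the config
    if [ "$2" = patched ]; then
        export security_show_success="${daily_show_success}"
        export security_show_info="${daily_show_info}"
        export security_show_badconfig="${daily_show_badconfig}"
    fi
    eval "$1"                           # nested "periodic security" re-reads it
    should_show security "$3"
)

conf='daily_show_success="NO"'          # constructed sample config line
conf2="$conf; security_show_success=YES" # same, plus an explicit override
echo "unpatched: $(nested_security_report "$conf" unpatched 0)"
echo "patched:   $(nested_security_report "$conf" patched 0)"
echo "override:  $(nested_security_report "$conf2" patched 0)"
```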