From: D J Hawkey Jr
Date: Wed, 15 Aug 2001 08:14:30 -0500
To: modulus@icmp.dhs.org, freebsd-security@freebsd.org
Subject: Re: [modulus@icmp.dhs.org Re: ipmon and periodic]
Message-ID: <20010815081430.A7983@sheol.localdomain>
Reply-To: hawkeyd@visi.com

Hello All.

This is old business (Feb 2001), but "modulus@icmp.dhs.org" had written a script for /etc/periodic/daily to include messages logged by 'ipmon' in the daily security mailing. I borrowed a bit of his script, but took a different approach, which I think more elegant.

Please review and comment. Perhaps the Right People(tm) can forward it to the Other Right People(tm) for the -CURRENT and/or -STABLE CVS trees?

This is from FreeBSD-4.2REL, incidentally. I had switched from 'ipfw' to the kernel's ipfilter yesterday, and was dismayed to find nothing in the daily security mailing this morning. This may already be remedied for current and future releases?

---8<---
--- /etc/security	Mon Nov 20 06:03:04 2000
+++ security	Wed Aug 15 07:54:06 2001
@@ -43,6 +43,9 @@ [ -f $LOG/messages.0.gz ] && zcat $LOG/messages.0.gz [ -f $LOG/messages.0 ] && cat $LOG/messages.0 [ -f $LOG/messages ] && cat $LOG/messages + [ -f $LOG/security.0.gz ] && zcat $LOG/security.0.gz + [ -f $LOG/security.0 ] && cat $LOG/security.0 + [ -f $LOG/security ] && cat $LOG/security } sflag=FALSE ignore= @@ -160,6 +163,15 @@ echo "ipfw log limit reached:" cat ${TMP} fi +fi + +# Show ipfilter log messages +# +if n=$(catmsgs | grep -i "^$yesterday.*ipmon" | tee ${TMP} | wc -l); then + [ $n -gt 0 -a $rc -lt 1 ] && rc=1 + separator + echo "${host} ipfilter log messages:" + cat ${TMP} | awk '{ match($0, $6); printf "%s\n", substr($0, RSTART) }' fi # Show kernel log messages --->8---

Dave
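Review bot: the three `security*` lines added to catmsgs() in the first hunk widen the input of every section of /etc/security that reads catmsgs, not only the new ipmon section, so any message syslog writes to both /var/log/messages and /var/log/security will now be reported twice (the other catmsgs consumers visible in this patch are the ipfw section and the kernel log section). The hunk also only achieves its purpose if ipmon's syslog output is actually routed to /var/log/security, which depends on the facility ipmon is started with and on the matching syslog.conf entry, neither of which is shown; either state that requirement in the comment above the new section, or have the ipmon section read the security log files itself instead of changing catmsgs for all callers.

Review bot: in the second hunk, `if n=$(catmsgs | grep -i "^$yesterday.*ipmon" | tee ${TMP} | wc -l); then` is always true, because the status of the assignment is the status of the pipeline, i.e. of wc -l, so the separator, the "ipfilter log messages:" heading and the cat run even on a day with zero ipmon lines; the `[ $n -gt 0 -a $rc -lt 1 ]` test only updates rc. Guard the reporting with the same `[ $n -gt 0 ]` test, for instance `n=$(...); if [ $n -gt 0 ]; then`. The awk line `match($0, $6)` treats the sixth field as a regular expression rather than a literal string, so any `.`, `[`, `(` or `*` in that field is interpreted; if match() then fails, RSTART is 0 and substr($0, 0) prints the whole unstripped line. Use `index($0, $6)` for a literal search, and read ${TMP} directly instead of `cat ${TMP} | awk`. Finally, the hunk closes the ipfw block with the added `+fi` and reuses the existing trailing `fi` context line to close the new block; that is balanced, but it is easy to misread as a stray fi, so placing the whole new section after the existing fi would make the diff self-explanatory.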