Date: Fri, 11 Sep 2009 18:10:05 GMT From: Chris Cowart <ccowart@timesinks.net> To: freebsd-bugs@FreeBSD.org Subject: Re: conf/138692: 450.status-security should exit with rc=0 Message-ID: <200909111810.n8BIA5uj097720@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR conf/138692; it has been noted by GNATS. From: Chris Cowart <ccowart@timesinks.net> To: bug-followup@FreeBSD.org, ben@b1c1l1.com Cc: Subject: Re: conf/138692: 450.status-security should exit with rc=0 Date: Fri, 11 Sep 2009 11:06:27 -0700 --s9fJI615cBHmzTOP Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Remko Lodder wrote: >>> Description: >>/etc/periodic/daily/450.status-security sets rc=3D3 when >>daily_status_security_enable=3D"YES". According to periodic(8), this >>means that the output "must not be masked." However, this script >>only prints a single message or even nothing at all: >> >> case "${daily_status_security_output}" in >> "") >> ;; >> /*) >> echo " (output logged separately)";; >> *) >> echo " (output mailed separately)";; >> esac;; >> >> Please apply the attached patch to set rc=3D0, to indicate that there >> is "nothing notable" in the output. > > This informs you that a security script had been runned and will > report it's output via a different email (standard). > If you configure it to not be enabled at all; it wil tell you nothing. > If you select the other option it will be logged via > a different way. >=20 > I do not see the arugments you are proposing. I think the current > output is just fine, when I read my daily email > and see that there is additional output seperately; I will read that > seperate email. I believe there are a couple issues at work here. Firstly, while this may not be a typical case, there are environments where someone (hopefully a team) administers 100 or more FreeBSD servers. I certainly work in one of these, and I believe Ben does too. Part of the growing pains and a lesson of scalability comes on the day you realize you're spending an hour paging through dailies, every day, just to find the 1 or 2 e-mails with a small gem of information that you care about. The rest is just noise and a waste of time. On that day, you embark on a crusade to achieve the grand vision of "the machine doesn't send me an e-mail unless it has something interesting to say." Like a good system administrator, you consult the man page. There's a sudden, rare moment of geeky hope and excitement when you notice instructions in the man page that walk you through achieving _exactly the thing you wanted to do_ (normally, you have to piece two or three things together, try it out, rinse, repeat, etc.): "To only see important information from daily periodic jobs, add the following lines to /etc/periodic.conf...". So, you try it. The next day, you get your periodics, and while they're considerably shorter each, a lot of them had interesting definitions of "important information." You sigh. Not exactly what you wanted, but it's never _that easy_. You begin tuning. Oh, nagios is already monitoring disks and portaudit? Disabled. IPFW denies traffic every day... that's why the rule is there. Disabled. You get the idea. That should do it. The next day, you get your periodics, but now you're starting to think the man page was joking when it said "important information." I _nearly_ succeeded with quieting down the daily. Unfortunately, I'm still getting one "daily run output" email from each host each day. Do you know what "important" thing it thinks it needs to tell me? |=20 | Security check: | (output mailed separately) |=20 | -- End of daily output -- |=20 Every. Single. Day. 130 copies. Delightful. But I want the security job to run! I do! I'm very interested in the rc=3D1 and rc=3D3 output from those jobs. So I leave it enabled and I hack procmail to hide these "success" messages from me. At first, I didn't understand why you thought Ben's argument was flawed. Telling me the output was mailed separately is not noteworthy, not remarkable, not uncommon. It's noise. It's rc=3D1. I didn't get it until I looked more closely at the 450.status-security script. Although it would improve my inbox volume the way I want it, Ben's patch would cause the _entire security run_ output to masked in the case that the output was configured to be inlined. That's because security runs are a nested call to periodic. Unfortunately, periodic itself doesn't return a different value depending on the "severity" of its output. I would propose at _least_ the following patch to make the e-mail or logged cases more sane and consistent with the documentation by making it possible (and not by default, because by default, rc=3D0 causes the output to be included) to suppress the "output (logged|mailed) separately" lines: | --- 450.status-security 2008-12-31 23:50:16.000000000 -0800 | +++ /home/ccowart/450.status-security 2009-09-11 10:56:08.000000000 -07= 00 | @@ -23,16 +23,17 @@ | export security_output=3D"${daily_status_security_output}" | case "${daily_status_security_output}" in | "") | - ;; | + rc=3D3;; | /*) | - echo " (output logged separately)";; | + echo " (output logged separately)" | + rc=3D0;; | *) | - echo " (output mailed separately)";; | + echo " (output mailed separately)" | + rc=3D0;; | esac;; | esac | =20 | - periodic security | - rc=3D3;; | + periodic security || rc=3D3;; | =20 | *) rc=3D0;; | esac Realistically, the problem is still going to exist in the inlined output case (which I would prefer to use, because it means 1 email per machine instead of two). Assume I configure the periodics to include the security output inline. Now assume no security check has "noteworthy" output (all rc=3D0, output_success=3DNO). The daily status-security is still going to indicate non-maskable output (rc=3D3), and thus my daily will look like: |=20 | Security check: |=20 | -- End of daily output -- |=20 This is pretty lame, but I can't see a way around it without either 1) disabling the security run in "daily" and setting up a separate cron for it, or 2) doing some redesigning on periodic so its return code is a function of the return codes of the scripts it runs. I think the latter would be ideal, but I realize it's a much more significant undertaking. The patch I'm suggesting above helps minimize the noise in the easy (email or logged) case while preserving the inlined output as "notable" given "periodic daily" can't currently determine whether it was otherwise. --=20 Chris Cowart http://www.timesinks.net/ --s9fJI615cBHmzTOP Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (FreeBSD) iQIcBAEBAgAGBQJKqpGhAAoJEGdJs2Q92uldLZkQAKownnVR7IwjYCbJzUcn/Fe5 c2wnW4WF3HzHtPDBmXAu59FVdOLR0RR5mTrIpeDlnuF0hFmTqe+u9cD3N7LkJmYS mhMDvRe1JIqAXr6zQaYQuYPcArj3ASvKamaK3F7WKXKJEhIkj3SXRSM0cWq4aSvb C0kNk0bt0TL1kDp/leTmf85O6J2vz+tBYkDlhRgjE9YA/pilJqUhIXDHBYyfPpR8 AVUa//yHqYq1hVsv+vTX3Nwui009WVsvrXwbcSkKXbUdA3sw2BbT4eBsMiZ3GKh3 64CxjDtYqt/CH/JoOnKPueOCuhgU2rgNFOwJjp3XRhZCjd4+LkFBoQJBbC++HUg2 F0NZcgp8E71ePXg9+I+NToe50flQlJqtlDXqgILHvfBzJkCnMhBg3415hvQT80oZ yPIz0QscQ3FJusm6BIFFveHb/f7tDT22t+pn0/IyZ7wq6tODE00UeptBBn6k5A2I kvODb96Wj/q9o2pfBMuT8sWET+IMb2jTYo+iv91R/9+YVcnXvCaHZph0H+GC9XPY 1Oyo6NOUBItYQe1pYgSAf+kMuMDCn8aChmZb/yTrzgD7VduPJQPqZk7bxjCTpjcl tE2UBpmyVjl9mErTZlnRQuPW7Vr/FgQnnKRSVZgM9tuquio6zYQjJtsq167hWSEf Tpndt2OUz6ciroQ2BLhS =FkiD -----END PGP SIGNATURE----- --s9fJI615cBHmzTOP--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200909111810.n8BIA5uj097720>