Date:      Sun, 20 Oct 2013 20:01:10 -0400
From:      Adam McDougall <mcdouga9@egr.msu.edu>
To:        Jeremie Le Hen <jlh@FreeBSD.org>
Cc:        svn-src-all@freebsd.org
Subject:   Re: svn commit: r254974 - in head: etc/defaults etc/periodic/monthly etc/periodic/security etc/periodic/weekly share/man/man5
Message-ID:  <20131021000110.GJ2097@egr.msu.edu>
In-Reply-To: <201308272120.r7RLKTvk066897@svn.freebsd.org>
References:  <201308272120.r7RLKTvk066897@svn.freebsd.org>

Thanks for working on this, I look forward to taking advantage of it!

I have a system with some old style adjustments in periodic.conf but
the compat shim doesn't seem to be working (it is running r255793).
I filed PR conf/183137 with more details.

On Tue, Aug 27, 2013 at 09:20:29PM +0000, Jeremie Le Hen wrote:

  Author: jlh
  Date: Tue Aug 27 21:20:28 2013
  New Revision: 254974
  URL: http://svnweb.freebsd.org/changeset/base/254974
  
  Log:
    Make the period of each periodic security script configurable.
    
    There are now six additional variables
      weekly_status_security_enable
      weekly_status_security_inline
      weekly_status_security_output
      monthly_status_security_enable
      monthly_status_security_inline
      monthly_status_security_output
    alongside their existing daily counterparts.  They all have the same
    default values.
    
    All other "daily_status_security_${scriptname}_${whatever}"
    variables have been renamed to "security_status_${name}_${whatever}".
    A compatibility shim has been introduced for the old variable names,
    which we will be able to remove in 11.0-RELEASE.
    
    "security_status_${name}_enable" is still a boolean but a new
    "security_status_${name}_period" allows one to define the period of
    each script.  The value is one of "daily" (the default for backward
    compatibility), "weekly", "monthly" and "NO".
    
    Note that when the security periodic scripts are run directly from
    crontab(5) (as opposed to being called by daily or weekly periodic
    scripts), they will run unless the test is explicitly disabled with a
    "NO", either in the "_enable" or the "_period" variable.
    
    When the security output is not inlined, the mail subject has been
    changed from "$host $arg run output" to "$host $arg $period run output".
    For instance:
      myfbsd security run output ->  myfbsd security daily run output
    I don't think this is considered as a stable API, but feel free to
    correct me if I'm wrong.
    
    Finally, I will rearrange periodic.conf(5) and default/periodic.conf
    to put the security options in their own section.  I left them in
    place for this commit to make reviewing easier.
    
    Reviewed by:	hackers@
  
  Added:
    head/etc/periodic/monthly/450.status-security   (contents, props changed)
    head/etc/periodic/weekly/450.status-security   (contents, props changed)
  Modified:
    head/etc/defaults/periodic.conf
    head/etc/periodic/security/100.chksetuid
    head/etc/periodic/security/110.neggrpperm
    head/etc/periodic/security/200.chkmounts
    head/etc/periodic/security/300.chkuid0
    head/etc/periodic/security/400.passwdless
    head/etc/periodic/security/410.logincheck
    head/etc/periodic/security/460.chkportsum
    head/etc/periodic/security/500.ipfwdenied
    head/etc/periodic/security/510.ipfdenied
    head/etc/periodic/security/520.pfdenied
    head/etc/periodic/security/550.ipfwlimit
    head/etc/periodic/security/610.ipf6denied
    head/etc/periodic/security/700.kernelmsg
    head/etc/periodic/security/800.loginfail
    head/etc/periodic/security/900.tcpwrap
    head/etc/periodic/security/security.functions
    head/etc/periodic/weekly/Makefile
    head/share/man/man5/periodic.conf.5
  
  Modified: head/etc/defaults/periodic.conf
  ==============================================================================
  --- head/etc/defaults/periodic.conf	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/defaults/periodic.conf	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES"	
   
   # 450.status-security
   daily_status_security_enable="YES"			# Security check
  -# See "Security options" below for more options
  +# See also "Security options" below for more options
  +daily_status_security_inline="NO"			# Run inline ?
  +daily_status_security_output="root"			# user or /file
   
   # 460.status-mail-rejects
   daily_status_mail_rejects_enable="YES"			# Check mail rejects
  @@ -163,59 +165,78 @@ daily_local="/etc/daily.local"				# Loca
   # Security options
   
   # These options are used by the security periodic(8) scripts spawned in
  -# 450.status-security above.
  -daily_status_security_inline="NO"			# Run inline ?
  -daily_status_security_output="root"			# user or /file
  -daily_status_security_logdir="/var/log"			# Directory for logs
  -daily_status_security_diff_flags="-b -u"		# flags for diff output
  +# daily and weekly 450.status-security.
  +security_status_logdir="/var/log"			# Directory for logs
  +security_status_diff_flags="-b -u"			# flags for diff output
  +
  +# Each of the security_status_*_enable options below can have one of the
  +# following values:
  +# - NO
  +# - daily: only run during the daily security status
  +# - weekly: only run during the weekly security status
   
   # 100.chksetuid
  -daily_status_security_chksetuid_enable="YES"
  +security_status_chksetuid_enable="YES"
  +security_status_chksetuid_period="daily"
   
   # 110.neggrpperm
  -daily_status_security_neggrpperm_enable="YES"
  +security_status_neggrpperm_enable="YES"
  +security_status_neggrpperm_period="daily"
   
   # 200.chkmounts
  -daily_status_security_chkmounts_enable="YES"
  -#daily_status_security_chkmounts_ignore="^amd:"		# Don't check matching
  +security_status_chkmounts_enable="YES"
  +security_status_chkmounts_period="daily"
  +#security_status_chkmounts_ignore="^amd:"		# Don't check matching
   							# FS types
  -daily_status_security_noamd="NO"			# Don't check amd mounts
  +security_status_noamd="NO"				# Don't check amd mounts
   
   # 300.chkuid0
  -daily_status_security_chkuid0_enable="YES"
  +security_status_chkuid0_enable="YES"
  +security_status_chkuid0_period="daily"
   
   # 400.passwdless
  -daily_status_security_passwdless_enable="YES"
  +security_status_passwdless_enable="YES"
  +security_status_passwdless_period="daily"
   
   # 410.logincheck
  -daily_status_security_logincheck_enable="YES"
  +security_status_logincheck_enable="YES"
  +security_status_logincheck_period="daily"
   
   # 460.chkportsum
  -daily_status_security_chkportsum_enable="NO"	# Check ports w/ wrong checksum
  +security_status_chkportsum_enable="NO"		# Check ports w/ wrong checksum
  +security_status_chkportsum_period="daily"
   
   # 500.ipfwdenied
  -daily_status_security_ipfwdenied_enable="YES"
  +security_status_ipfwdenied_enable="YES"
  +security_status_ipfwdenied_period="daily"
   
   # 510.ipfdenied
  -daily_status_security_ipfdenied_enable="YES"
  +security_status_ipfdenied_enable="YES"
  +security_status_ipfdenied_period="daily"
   
   # 520.pfdenied
  -daily_status_security_pfdenied_enable="YES"
  +security_status_pfdenied_enable="YES"
  +security_status_pfdenied_period="daily"
   
   # 550.ipfwlimit
  -daily_status_security_ipfwlimit_enable="YES"
  +security_status_ipfwlimit_enable="YES"
  +security_status_ipfwlimit_period="daily"
   
   # 610.ipf6denied
  -daily_status_security_ipf6denied_enable="YES"
  +security_status_ipf6denied_enable="YES"
  +security_status_ipf6denied_period="daily"
   
   # 700.kernelmsg
  -daily_status_security_kernelmsg_enable="YES"
  +security_status_kernelmsg_enable="YES"
  +security_status_kernelmsg_period="daily"
   
   # 800.loginfail
  -daily_status_security_loginfail_enable="YES"
  +security_status_loginfail_enable="YES"
  +security_status_loginfail_period="daily"
   
   # 900.tcpwrap
  -daily_status_security_tcpwrap_enable="YES"
  +security_status_tcpwrap_enable="YES"
  +security_status_tcpwrap_period="daily"
   
   
   # Weekly options
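Review bot: the comment at `# Each of the security_status_*_enable options below can have one of the following values:` describes the wrong variables and is incomplete. Per the log message the `_enable` knobs stay YES/NO booleans; it is the new `security_status_*_period` knobs that take these values, and `monthly` is missing from the list even though check_yesno_period below handles `security monthly`. Suggest changing the subject to `security_status_*_period`, adding `# - monthly: only run during the monthly security status`, and stating that `NO` in `_period` disables the check even when the matching `_enable` is YES (which is what check_yesno_period implements).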
  @@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO"				# Find 
   pkg_version=pkg_version					# Use this program
   pkg_version_index=/usr/ports/INDEX-10			# Use this index file
   
  +# 450.status-security
  +weekly_status_security_enable="YES"			# Security check
  +# See also "Security options" above for more options
  +weekly_status_security_inline="NO"			# Run inline ?
  +weekly_status_security_output="root"			# user or /file
  +
   # 999.local
   weekly_local="/etc/weekly.local"			# Local scripts
   
  @@ -267,6 +294,12 @@ monthly_show_badconfig="NO"				# scripts
   # 200.accounting
   monthly_accounting_enable="YES"				# Login accounting
   
  +# 450.status-security
  +monthly_status_security_enable="YES"			# Security check
  +# See also "Security options" above for more options
  +monthly_status_security_inline="NO"			# Run inline ?
  +monthly_status_security_output="root"			# user or /file
  +
   # 999.local
   monthly_local="/etc/monthly.local"			# Local scripts
   
  @@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local"			# L
   
   if [ -z "${source_periodic_confs_defined}" ]; then
           source_periodic_confs_defined=yes
  +
  +	# Compatibility with old daily variable names.
  +	# They can be removed in stable/11.
  +	security_daily_compat_var() {
  +		local var=$1 dailyvar value
  +
  +		dailyvar=daily_status_security${#status_security}
  +		periodvar=${var%enable}period
  +		eval value=\"\$$dailyvar\"
  +		[ -z "$value" ] && return
  +		echo "Warning: Variable \$$dailyvar is deprecated," \
  +		    "use \$$var instead." >&2
  +		case "$value" in
  +		[Yy][Ee][Ss])
  +			$var=YES
  +			$periodvar=daily
  +			;;
  +		*)
  +			$var="$value"
  +			;;
  +		esac
  +	}
  +
  +	check_yesno_period() {
  +		local var="$1" periodvar value period
  +
  +		eval value=\"\$$var\"
  +		case "$value" in
  +		[Yy][Ee][Ss]) ;;
  +		*) return 1 ;;
  +		esac
  +
  +		periodvar=${var%enable}period
  +		eval period=\"\$$periodvar\"
  +		case "$PERIODIC" in
  +		"security daily")
  +			case "$period" in
  +			[Dd][Aa][Ii][Ll][Yy]) return 0 ;;
  +			*) return 1 ;;
  +			esac
  +			;;
  +		"security weekly")
  +			case "$period" in
  +			[Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
  +			*) return 1 ;;
  +			esac
  +			;;
  +		"security monthly")
  +			case "$period" in
  +			[Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
  +			*) return 1 ;;
  +			esac
  +			;;
  +		security)
  +			# Run directly from crontab(5).
  +			case "$period" in
  +			[Nn][Oo]) return 1 ;;
  +			*) return 0 ;;
  +			esac
  +			;;
  +		*)
  +			echo "ASSERTION FAILED: Unexpected value for " \
  +			    "\$PERIODIC: '$PERIODIC'" >&2
  +			exit 127
  +			;;
  +		esac
  +	}
  +
           source_periodic_confs() {
                   local i sourced_files
   
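Review bot: security_daily_compat_var cannot pick up any legacy variable as written, which is consistent with the report at the top of this reply. In `dailyvar=daily_status_security${#status_security}` the `${#...}` form is string length, so with `status_security` unset dailyvar is always `daily_status_security0`; the intended prefix strip is `dailyvar=daily_status_security${var#security_status}`. Because `value` is therefore always empty, `[ -z "$value" ] && return` also masks a second bug: `$var=YES`, `$periodvar=daily` and `$var="$value"` are not assignments in sh (a word beginning with `$` is expanded and then run as a command, so this would try to execute a program literally named `security_status_chksetuid_enable=YES`). They need `eval "$var=YES"`, `eval "$periodvar=daily"` and `eval "$var=\"\$value\""`, or sh's setvar builtin. `periodvar` should also be added to the `local` list.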
  
  Added: head/etc/periodic/monthly/450.status-security
  ==============================================================================
  --- /dev/null	00:00:00 1970	(empty, because file is newly added)
  +++ head/etc/periodic/monthly/450.status-security	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -0,0 +1,41 @@
  +#!/bin/sh
  +#
  +# $FreeBSD$
  +#
  +
  +# If there is a global system configuration file, suck it in.
  +#
  +if [ -r /etc/defaults/periodic.conf ]
  +then
  +    . /etc/defaults/periodic.conf
  +    source_periodic_confs
  +fi
  +
  +case "$monthly_status_security_enable" in
  +    [Yy][Ee][Ss])
  +	echo ""
  +	echo "Security check:"
  +
  +	case "$monthly_status_security_inline" in
  +	    [Yy][Ee][Ss])
  +		monthly_status_security_output="";;
  +	esac
  +
  +	export security_output="${monthly_status_security_output}"
  +	case "${monthly_status_security_output}" in
  +	    "")
  +		rc=3;;
  +	    /*)
  +		echo "    (output logged separately)"
  +		rc=0;;
  +	    *)
  +		echo "    (output mailed separately)"
  +		rc=0;;
  +	esac
  +
  +	periodic security || rc=3;;
  +
  +    *)  rc=0;;
  +esac
  +
  +exit $rc
  
  Modified: head/etc/periodic/security/100.chksetuid
  ==============================================================================
  --- head/etc/periodic/security/100.chksetuid	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/100.chksetuid	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -37,10 +37,12 @@ fi
   
   . /etc/periodic/security/security.functions
   
  +security_daily_compat_var security_status_chksetuid_enable
  +
   rc=0
   
  -case "$daily_status_security_chksetuid_enable" in
  -    [Yy][Ee][Ss])
  +if check_yesno_period security_status_chksetuid_enable
  +then
   	echo ""
   	echo 'Checking setuid files and devices:'
   	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
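Review bot: with `if check_yesno_period security_status_chksetuid_enable` and the `security_daily_compat_var` call above it, every security script now hard-depends on functions that exist only inside `/etc/defaults/periodic.conf`, while the scripts still treat that file as optional (`if [ -r /etc/defaults/periodic.conf ]`). If the defaults file is missing or unreadable, the old `case` silently did nothing; the new code dies with `check_yesno_period: not found`. Either stop pretending the defaults file is optional or define the two helpers somewhere every security script sources unconditionally.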
  @@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_e
   	    \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
   	check_diff setuid - "${host} setuid diffs:"
   	rc=$?
  -	;;
  -    *)
  -	rc=0
  -	;;
  -esac
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/110.neggrpperm
  ==============================================================================
  --- head/etc/periodic/security/110.neggrpperm	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/110.neggrpperm	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -35,10 +35,12 @@ then
       source_periodic_confs
   fi
   
  +security_daily_compat_var security_status_neggrpperm_enable
  +
   rc=0
   
  -case "$daily_status_security_neggrpperm_enable" in
  -    [Yy][Ee][Ss])
  +if check_yesno_period security_status_neggrpperm_enable
  +then
   	echo ""
   	echo 'Checking negative group permissions:'
   	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
  @@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_
   	    \( ! -perm +040 -and -perm +004 \) \) \
   	    -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
   	[ $n -gt 0 ] && rc=1 || rc=0
  -	;;
  -esac
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/200.chkmounts
  ==============================================================================
  --- head/etc/periodic/security/200.chkmounts	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/200.chkmounts	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -40,12 +40,16 @@ fi
   
   . /etc/periodic/security/security.functions
   
  -ignore="${daily_status_security_chkmounts_ignore}"
  +security_daily_compat_var security_status_chkmounts_enable
  +security_daily_compat_var security_status_chkmounts_ignore
  +security_daily_compat_var security_status_noamd
  +
  +ignore="${security_status_chkmounts_ignore}"
   rc=0
   
  -case "$daily_status_security_chkmounts_enable" in
  -    [Yy][Ee][Ss])
  -	case "$daily_status_security_noamd" in
  +if check_yesno_period security_status_chkmounts_enable
  +then
  +	case "$security_status_noamd" in
   	    [Yy][Ee][Ss])
   		ignore="${ignore}|^amd:"
   	esac
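Review bot: `security_daily_compat_var security_status_chkmounts_ignore` and `security_daily_compat_var security_status_noamd` feed non-`_enable` variables into a shim whose `[Yy][Ee][Ss])` branch assumes the name ends in `enable`: `periodvar=${var%enable}period` leaves `security_status_noamd` unchanged, so a legacy `daily_status_security_noamd="YES"` would also set a stray `security_status_noamdperiod=daily`. Harmless today, but the shim should only take the period branch when `$var` really ends in `_enable` (e.g. `case "$var" in *_enable) ... esac`).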
  @@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_e
   	fi
   	mount -p | sort | ${cmd} |
   	  check_diff mount - "${host} changes in mounted filesystems:"
  -	rc=$?;;
  -    *)	rc=0;;
  -esac
  +	rc=$?
  +fi
   
   exit "$rc"
  
  Modified: head/etc/periodic/security/300.chkuid0
  ==============================================================================
  --- head/etc/periodic/security/300.chkuid0	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/300.chkuid0	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -36,16 +36,19 @@ then
       source_periodic_confs
   fi
   
  -case "$daily_status_security_chkuid0_enable" in
  -    [Yy][Ee][Ss])
  +security_daily_compat_var security_status_chkuid0_enable
  +
  +rc=0
  +
  +if check_yesno_period security_status_chkuid0_enable
  +then
   	echo ""
   	echo 'Checking for uids of 0:'
   	n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
   	tee /dev/stderr |
   	sed -e '/^root 0$/d' -e '/^toor 0$/d' |
   	wc -l)
  -	[ $n -gt 0 ] && rc=1 || rc=0;;
  -    *)	rc=0;;
  -esac
  +	[ $n -gt 0 ] && rc=1 || rc=0
  +fi
   
   exit "$rc"
  
  Modified: head/etc/periodic/security/400.passwdless
  ==============================================================================
  --- head/etc/periodic/security/400.passwdless	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/400.passwdless	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -35,14 +35,17 @@ then
       source_periodic_confs
   fi
   
  -case "$daily_status_security_passwdless_enable" in
  -    [Yy][Ee][Ss])
  +security_daily_compat_var security_status_passwdless_enable
  +
  +rc=0
  +
  +if check_yesno_period security_status_passwdless_enable
  +then
   	echo ""
   	echo 'Checking for passwordless accounts:'
   	n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
   	    tee /dev/stderr | wc -l)
  -	[ $n -gt 0 ] && rc=1 || rc=0;;
  -    *)	rc=0;;
  -esac
  +	[ $n -gt 0 ] && rc=1 || rc=0
  +fi
   
   exit "$rc"
  
  Modified: head/etc/periodic/security/410.logincheck
  ==============================================================================
  --- head/etc/periodic/security/410.logincheck	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/410.logincheck	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -35,8 +35,12 @@ then
       source_periodic_confs
   fi
   
  -case "$daily_status_security_logincheck_enable" in
  -    [Yy][Ee][Ss])
  +security_daily_compat_var security_status_logincheck_enable
  +
  +rc=0
  +
  +if check_yesno_period security_status_logincheck_enable
  +then
   	echo ""
   	echo 'Checking login.conf permissions:'
   	if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
  @@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_
   	    echo "Bad ownership of /etc/login.conf"
   	    n=1
   	fi
  -	[ $n -gt 0 ] && rc=1 || rc=0;;
  -    *)	rc=0;;
  -esac
  +	[ $n -gt 0 ] && rc=1 || rc=0
  +fi
   
   exit "$rc"
  
  Modified: head/etc/periodic/security/460.chkportsum
  ==============================================================================
  --- head/etc/periodic/security/460.chkportsum	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/460.chkportsum	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -35,13 +35,15 @@ fi
   
   . /etc/periodic/security/security.functions
   
  +security_daily_compat_var security_status_chkportsum_enable
  +
   rc=0
   
   echo ""
   echo 'Checking for ports with mismatched checksums:'
   
  -case "${daily_status_security_chkportsum_enable}" in
  -	[Yy][Ee][Ss])
  +if check_yesno_period security_status_chkportsum_enable
  +then
   	set -f
   	pkg_info -ga 2>/dev/null | \
   	while IFS= read -r line; do
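Review bot: the two `echo` lines printing `Checking for ports with mismatched checksums:` sit outside the `if check_yesno_period ...` block and so run on every invocation. Before this change that only cost a stray header in the daily mail; now `periodic security` is also spawned from weekly and monthly 450.status-security, and with the shipped defaults (`security_status_chkportsum_enable="NO"`, `_period="daily"`) every weekly and monthly run still emits this header and therefore always produces a non-empty separate security mail. Move `echo ""` and `echo 'Checking for ports with mismatched checksums:'` inside the `if`, as the other scripts do.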
  @@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum
   			;;
   		esac
   	done
  -	;;
  -	*)
  -	rc=0
  -	;;
  -esac
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/500.ipfwdenied
  ==============================================================================
  --- head/etc/periodic/security/500.ipfwdenied	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/500.ipfwdenied	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -37,17 +37,18 @@ fi
   
   . /etc/periodic/security/security.functions
   
  +security_daily_compat_var security_status_ipfwdenied_enable
  +
   rc=0
   
  -case "$daily_status_security_ipfwdenied_enable" in
  -    [Yy][Ee][Ss])
  +if check_yesno_period security_status_ipfwdenied_enable
  +then
   	TMP=`mktemp -t security`
   	if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
   	  check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
   	fi
   	rc=$?
  -	rm -f ${TMP};;
  -    *)	rc=0;;
  -esac
  +	rm -f ${TMP}
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/510.ipfdenied
  ==============================================================================
  --- head/etc/periodic/security/510.ipfdenied	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/510.ipfdenied	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -37,17 +37,18 @@ fi
   
   . /etc/periodic/security/security.functions
   
  +security_daily_compat_var security_status_ipfdenied_enable
  +
   rc=0
   
  -case "$daily_status_security_ipfdenied_enable" in
  -    [Yy][Ee][Ss])
  +if check_yesno_period security_status_ipfdenied_enable
  +then
   	TMP=`mktemp -t security`
   	if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then
   	  check_diff new_only ipf ${TMP} "${host} ipf denied packets:"
   	fi
   	rc=$?
  -	rm -f ${TMP};;
  -    *)	rc=0;;
  -esac
  +	rm -f ${TMP}
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/520.pfdenied
  ==============================================================================
  --- head/etc/periodic/security/520.pfdenied	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/520.pfdenied	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -37,17 +37,18 @@ fi
   
   . /etc/periodic/security/security.functions
   
  +security_daily_compat_var security_status_pfdenied_enable
  +
   rc=0
   
  -case "$daily_status_security_pfdenied_enable" in
  -    [Yy][Ee][Ss])
  +if check_yesno_period security_status_pfdenied_enable
  +then
   	TMP=`mktemp -t security`
   	if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
   	  check_diff new_only pf ${TMP} "${host} pf denied packets:"
   	fi
   	rc=$?
  -	rm -f ${TMP};;
  -    *)	rc=0;;
  -esac
  +	rm -f ${TMP}
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/550.ipfwlimit
  ==============================================================================
  --- head/etc/periodic/security/550.ipfwlimit	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/550.ipfwlimit	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -38,10 +38,12 @@ then
       source_periodic_confs
   fi
   
  +security_daily_compat_var security_status_ipfwlimit_enable
  +
   rc=0
   
  -case "$daily_status_security_ipfwlimit_enable" in
  -    [Yy][Ee][Ss])
  +if check_yesno_period security_status_ipfwlimit_enable
  +then
   	IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
   	if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
   		exit 0
  @@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_e
   		echo 'ipfw log limit reached:'
   		cat ${TMP}
   	fi
  -	rm -f ${TMP};;
  -    *)	rc=0;;
  -esac
  +	rm -f ${TMP}
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/610.ipf6denied
  ==============================================================================
  --- head/etc/periodic/security/610.ipf6denied	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/610.ipf6denied	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -37,17 +37,18 @@ fi
   
   . /etc/periodic/security/security.functions
   
  +security_daily_compat_var security_status_ipf6denied_enable
  +
   rc=0
   
  -case "$daily_status_security_ipf6denied_enable" in
  -    [Yy][Ee][Ss])
  +if check_yesno_period security_status_ipf6denied_enable
  +then
   	TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
   	if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then
   	 check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:"
   	fi
   	rc=$?
  -	rm -f ${TMP};;
  -    *)	rc=0;;
  -esac
  +	rm -f ${TMP}
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/700.kernelmsg
  ==============================================================================
  --- head/etc/periodic/security/700.kernelmsg	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/700.kernelmsg	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -40,14 +40,15 @@ fi
   
   . /etc/periodic/security/security.functions
   
  +security_daily_compat_var security_status_kernelmsg_enable
  +
   rc=0
   
  -case "$daily_status_security_kernelmsg_enable" in
  -    [Yy][Ee][Ss])
  +if check_yesno_period security_status_kernelmsg_enable
  +then
   	dmesg 2>/dev/null |
   	    check_diff new_only dmesg - "${host} kernel log messages:"
  -	rc=$?;;
  -    *)	rc=0;;
  -esac
  +	rc=$?
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/800.loginfail
  ==============================================================================
  --- head/etc/periodic/security/800.loginfail	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/800.loginfail	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -38,7 +38,10 @@ then
       source_periodic_confs
   fi
   
  -LOG="${daily_status_security_logdir}"
  +security_daily_compat_var security_status_logdir
  +security_daily_compat_var security_status_loginfail_enable
  +
  +LOG="${security_status_logdir}"
   
   yesterday=`date -v-1d "+%b %e "`
   
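Review bot: `yesterday=`date -v-1d "+%b %e "`` still limits the search to the previous calendar day (the egrep below anchors on `^$yesterday`), so once `security_status_loginfail_period` can be `weekly` or `monthly` the check silently discards every failure except yesterday's. Either derive the window from the configured period (the log lines are date-prefixed, so a pattern covering the last 7 or 31 days is feasible) or state in periodic.conf(5) that this check only makes sense with `_period="daily"`.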
  @@ -55,14 +58,15 @@ catmsgs() {
   	[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
   }
   
  -case "$daily_status_security_loginfail_enable" in
  -    [Yy][Ee][Ss])
  +rc=0
  +
  +if check_yesno_period security_status_loginfail_enable
  +then
   	echo ""
   	echo "${host} login failures:"
   	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
   	    tee /dev/stderr | wc -l)
  -	[ $n -gt 0 ] && rc=1 || rc=0;;
  -    *)	rc=0;;
  -esac
  +	[ $n -gt 0 ] && rc=1 || rc=0
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/900.tcpwrap
  ==============================================================================
  --- head/etc/periodic/security/900.tcpwrap	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/900.tcpwrap	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -38,7 +38,10 @@ then
       source_periodic_confs
   fi
   
  -LOG="${daily_status_security_logdir}"
  +security_daily_compat_var security_status_logdir
  +security_daily_compat_var security_status_tcpwrap_enable
  +
  +LOG="${security_status_logdir}"
   
   yesterday=`date -v-1d "+%b %e "`
   
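Review bot: same problem as 800.loginfail: `yesterday=`date -v-1d "+%b %e "`` pins the window to one day, so `security_status_tcpwrap_period="weekly"` or `"monthly"` would report only yesterday's refused connections and drop the rest of the period. The window needs to follow the period, or the manual page should say this check is daily-only.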
  @@ -55,14 +58,15 @@ catmsgs() {
   	[ -f ${LOG}/messages ] && cat $LOG/messages
   }
   
  -case "$daily_status_security_tcpwrap_enable" in
  -    [Yy][Ee][Ss])
  +rc=0
  +
  +if check_yesno_period security_status_tcpwrap_enable
  +then
   	echo ""
   	echo "${host} refused connections:"
   	n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
   	    tee /dev/stderr | wc -l)
  -	[ $n -gt 0 ] && rc=1 || rc=0;;
  -    *)	rc=0;;
  -esac
  +	[ $n -gt 0 ] && rc=1 || rc=0
  +fi
   
   exit $rc
  
  Modified: head/etc/periodic/security/security.functions
  ==============================================================================
  --- head/etc/periodic/security/security.functions	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/security/security.functions	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -27,11 +27,19 @@
   # $FreeBSD$
   #
   
  +# This is a library file, so we only try to do something when sourced.
  +case "$0" in
  +*/security.functions) exit 0 ;;
  +esac
  +
  +security_daily_compat_var security_status_logdir
  +security_daily_compat_var security_status_diff_flags
  +
   #
   # Show differences in the output of an audit command
   #
   
  -LOG="${daily_status_security_logdir}"
  +LOG="${security_status_logdir}"
   rc=0
   
   # Usage: COMMAND | check_diff [new_only] LABEL - MSG
  @@ -67,7 +75,7 @@ check_diff() {
       [ $rc -lt 1 ] && rc=1
       echo ""
       echo "${msg}"
  -    diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \
  +    diff ${security_status_diff_flags} ${LOG}/${label}.today \
   	${tmpf} | eval "${filter}"
       mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
       mv ${tmpf} ${LOG}/${label}.today || rc=3
  
  Added: head/etc/periodic/weekly/450.status-security
  ==============================================================================
  --- /dev/null	00:00:00 1970	(empty, because file is newly added)
  +++ head/etc/periodic/weekly/450.status-security	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -0,0 +1,41 @@
  +#!/bin/sh
  +#
  +# $FreeBSD$
  +#
  +
  +# If there is a global system configuration file, suck it in.
  +#
  +if [ -r /etc/defaults/periodic.conf ]
  +then
  +    . /etc/defaults/periodic.conf
  +    source_periodic_confs
  +fi
  +
  +case "$weekly_status_security_enable" in
  +    [Yy][Ee][Ss])
  +	echo ""
  +	echo "Security check:"
  +
  +	case "$weekly_status_security_inline" in
  +	    [Yy][Ee][Ss])
  +		weekly_status_security_output="";;
  +	esac
  +
  +	export security_output="${weekly_status_security_output}"
  +	case "${weekly_status_security_output}" in
  +	    "")
  +		rc=3;;
  +	    /*)
  +		echo "    (output logged separately)"
  +		rc=0;;
  +	    *)
  +		echo "    (output mailed separately)"
  +		rc=0;;
  +	esac
  +
  +	periodic security || rc=3;;
  +
  +    *)  rc=0;;
  +esac
  +
  +exit $rc
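Review bot: this file is the monthly/450.status-security added above with `monthly_` replaced by `weekly_`, line for line. Two (with daily, three) copies of the same inline/output/rc logic will drift; consider one script installed under each period directory that picks the variable prefix from `$PERIODIC`, or a helper in security.functions that takes the prefix as an argument.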
  
  Modified: head/etc/periodic/weekly/Makefile
  ==============================================================================
  --- head/etc/periodic/weekly/Makefile	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/etc/periodic/weekly/Makefile	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -3,6 +3,7 @@
   .include <bsd.own.mk>
   
   FILES=	340.noid \
  +	450.status-security \
   	999.local
   
   # NB: keep these sorted by MK_* knobs
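Review bot: only `head/etc/periodic/weekly/Makefile` gains `450.status-security`; `head/etc/periodic/monthly/Makefile` is absent from the Modified list although `head/etc/periodic/monthly/450.status-security` is in the Added list. Unless the monthly Makefile installs by glob, the new monthly script is never installed and `monthly_status_security_enable="YES"` has no effect.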
  
  Modified: head/share/man/man5/periodic.conf.5
  ==============================================================================
  --- head/share/man/man5/periodic.conf.5	Tue Aug 27 20:52:02 2013	(r254973)
  +++ head/share/man/man5/periodic.conf.5	Tue Aug 27 21:20:28 2013	(r254974)
  @@ -1,4 +1,4 @@
  -.\"-
  +\"-
   .\" Copyright (c) 2000 Brian Somers <brian@Awfulhak.org>
   .\" All rights reserved.
   .\"
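Review bot: the `-.\"-` / `+\"-` change drops the leading control character from the first comment line of the manual page and looks like an accidental edit unrelated to this commit. Without the `.` the line is no longer an mdoc comment-only line and leaves an empty input line for troff to process; revert it.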
  @@ -482,26 +482,42 @@ This variable behaves in the same way as
   .Va *_output
   variables above, namely it can be set either to one or more email addresses
   or to an absolute file name.
  -.It Va daily_status_security_diff_flags
  +.It Va security_status_diff_flags
   .Pq Vt str
   Set to the arguments to pass to the
   .Xr diff 1
   utility when generating differences.
   The default is
   .Fl b u .
  -.It Va daily_status_security_chksetuid_enable
  +.It Va security_status_chksetuid_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to compare the modes and modification times of setuid executables with
   the previous day's values.
  -.It Va daily_status_security_chkportsum_enable
  +.It Va security_status_chksetuid_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_chkportsum_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to verify checksums of all installed packages against the known checksums in
   .Pa /var/db/pkg .
  -.It Va daily_status_security_neggrpperm_enable
  +.It Va security_status_chkportsum_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_neggrpperm_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
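Review bot: the eight-line `Set to either daily, weekly, monthly or NO` block is pasted verbatim under every `security_status_*_period` entry, yet never states the default (`daily`, per the defaults file and the log message), that `NO` here disables the check even when the matching `_enable` is YES, or what happens when the scripts are run straight from crontab(5). Say it once, in the Security options introduction or in the first `_period` entry with the others referring back, and include the default and the crontab case.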
  @@ -509,35 +525,67 @@ to check for files where the group of a 
   the world at large.
   When users are in more than 14 supplemental groups these negative
   permissions may not be enforced via NFS shares.
  -.It Va daily_status_security_chkmounts_enable
  +.It Va security_status_neggrpperm_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_chkmounts_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to check for changes mounted file systems to the previous day's values.
  -.It Va daily_status_security_noamd
  +.It Va security_status_chkmounts_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_noamd
   .Pq Vt bool
   Set to
   .Dq Li YES
   if you want to ignore
   .Xr amd 8
   mounts when comparing against yesterday's file system mounts in the
  -.Va daily_status_security_chkmounts_enable
  +.Va security_status_chkmounts_enable
   check.
  -.It Va daily_status_security_chkuid0_enable
  +.It Va security_status_chkuid0_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to check
   .Pa /etc/master.passwd
   for accounts with UID 0.
  -.It Va daily_status_security_passwdless_enable
  +.It Va security_status_chkuid0_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_passwdless_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to check
   .Pa /etc/master.passwd
   for accounts with empty passwords.
  -.It Va daily_status_security_logincheck_enable
  +.It Va security_status_passwdless_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_logincheck_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
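Review bot: the context line `to check for changes mounted file systems to the previous day's values` is missing a word (`changes in mounted file systems`) and, like the other `previous day's values` phrasing in this block, is no longer accurate once the check can run weekly or monthly: check_diff compares against `${LOG}/${label}.today` from the previous run, whatever the period. Since the entry is being renamed anyway, rewording to `the values from the previous run` fixes both.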
  @@ -546,49 +594,105 @@ to check
   ownership, see
   .Xr login.conf 5
   for more information.
  -.It Va daily_status_security_ipfwdenied_enable
  +.It Va security_status_logincheck_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_ipfwdenied_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to show log entries for packets denied by
   .Xr ipfw 8
   since yesterday's check.
  -.It Va daily_status_security_ipfdenied_enable
  +.It Va security_status_ipfwdenied_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_ipfdenied_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to show log entries for packets denied by
   .Xr ipf 8
   since yesterday's check.
  -.It Va daily_status_security_pfdenied_enable
  +.It Va security_status_ipfdenied_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_pfdenied_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to show log entries for packets denied by
   .Xr pf 4
   since yesterday's check.
  -.It Va daily_status_security_ipfwlimit_enable
  +.It Va security_status_pfdenied_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_ipfwlimit_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to display
   .Xr ipfw 8
   rules that have reached their verbosity limit.
  -.It Va daily_status_security_kernelmsg_enable
  +.It Va security_status_ipfwlimit_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_kernelmsg_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to show new
   .Xr dmesg 8
   entries since yesterday's check.
  -.It Va daily_status_security_loginfail_enable
  +.It Va security_status_kernelmsg_period
  +.Pq Vt str
  +Set to either
  +.Dq Li daily ,
  +.Dq Li weekly ,
  +.Dq Li monthly
  +or
  +.Dq Li NO .
  +.It Va security_status_loginfail_enable
   .Pq Vt bool
   Set to
   .Dq Li YES
   to display failed logins from
   .Pa /var/log/messages
   in the previous day.
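Review bot: `since yesterday's check` (ipfwdenied, ipfdenied, pfdenied, kernelmsg) and `in the previous day` (loginfail) are left untouched while the new `_period` knobs are documented right beside them. For the check_diff-based scripts the baseline is the previous run regardless of period, so `yesterday` should become `the previous run`; for loginfail the wording stays literally true only because 800.loginfail hard-codes `date -v-1d`, which is exactly the mismatch that makes a weekly or monthly period misleading there.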
  
  *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
  _______________________________________________
  svn-src-all@freebsd.org mailing list
  http://lists.freebsd.org/mailman/listinfo/svn-src-all
  To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"


