From owner-freebsd-hackers@FreeBSD.ORG Sun Aug 25 11:05:23 2013
Date: Sun, 25 Aug 2013 13:05:20 +0200
From: Jeremie Le Hen
To: Royce Williams, Darren Pilgrim, FreeBSD Hackers
Subject: Re: weekly periodic security status
Message-ID: <20130825110520.GJ24767@caravan.chchile.org>
References: <20130822204958.GC24767@caravan.chchile.org> <5217AD9E.1000100@bluerosetech.com> <20130824165704.GD24767@caravan.chchile.org>
In-Reply-To: <20130824165704.GD24767@caravan.chchile.org>
List-Id: Technical Discussions relating to FreeBSD

On Sat, Aug 24, 2013 at 06:57:04PM +0200, Jeremie Le Hen wrote:
> On Fri, Aug 23, 2013 at 08:35:55PM -0800, Royce Williams wrote:
> > On Fri, Aug 23, 2013 at 10:44 AM, Darren Pilgrim <
> > list_freebsd@bluerosetech.com> wrote:
> >
> > > Thank you for this, but if I may make one suggestion: don't combine all
> > > the security report settings--keep both daily_* and weekly_*. This makes
> > > it possible to run some security tasks on a daily basis and others on a
> > > weekly basis. For example, daily pkg/portaudit checks, but weekly
> > > filesystem scans.
> >
> > Agreed. I welcome and would use the weekly option at this level of
> > granularity, but would like to retain daily for many checks, and so would
> > not use weekly if it was an all-or-nothing option.
>
> Sounds like a good idea. However I don't know how to implement this
> because, in the current state of the periodic security scripts, there is
> no way to know whether a script had been called from daily or weekly
> periodic scripts, so no way to know which variable to check.
>
> The easy way to work around this would be to declare an environment
> variable from 450.status-security, but it sounds like a hackish way
> because you create an additional dependency for the periodic security
> scripts.

I've modified periodic(8) to set the $PERIODIC environment variable in
r254829. The attached patch does more or less what you requested, but
slightly differently.

We now have the following variables to control daily/weekly security runs:

    daily_status_security_enable="YES"
    daily_status_security_inline="NO"
    daily_status_security_output="root"
    weekly_status_security_enable="YES"
    weekly_status_security_inline="NO"
    weekly_status_security_output="root"

And the following variables to control whether you want each check to run
"daily", "weekly" or directly from "crontab" (the default, backward
compatible values are shown):

    security_status_chksetuid_enable="daily"
    security_status_neggrpperm_enable="daily"
    security_status_chkmounts_enable="daily"
    security_status_chkuid0_enable="daily"
    security_status_passwdless_enable="daily"
    security_status_logincheck_enable="daily"
    security_status_chkportsum_enable="NO"
    security_status_ipfwdenied_enable="daily"
    security_status_ipfdenied_enable="daily"
    security_status_pfdenied_enable="daily"
    security_status_ipfwlimit_enable="daily"
    security_status_ipf6denied_enable="daily"
    security_status_kernelmsg_enable="daily"
    security_status_loginfail_enable="daily"
    security_status_tcpwrap_enable="daily"

The periodic.conf(5) manpage and default/periodic.conf have been updated
accordingly, but I plan to further rework them after the patch is
committed (especially, grouping security related variables into their own
section). That way the modification done by the patch remains clear.

Patch available here:
http://people.freebsd.org/~jlh/daily_or_weekly_status_security.diff

-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
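The decision the message describes (periodic(8) exporting $PERIODIC, and each security script consulting its own security_status_<check>_enable value to decide whether it runs in the current pass) can be sketched in POSIX sh as follows. This is an added example written for this page, not the patch linked above nor FreeBSD's own periodic scripts; the function names run_policy, should_run and checks_for are mine, the periodic.conf fragment is constructed for the demo (its values are chosen for illustration and are not the defaults the message lists), and treating the "crontab" value as "run only when $PERIODIC is unset, i.e. when invoked directly from crontab" is an assumption about the intended semantics.

```shell
#!/bin/sh
# Added example, not from the patch on the page.  Shows how a periodic
# security check could combine the $PERIODIC variable set by periodic(8)
# with its per-check security_status_<check>_enable setting.

# run_policy VALUE CONTEXT
#   VALUE   : contents of security_status_<check>_enable
#             ("daily", "weekly", "crontab", "NO", ...)
#   CONTEXT : contents of $PERIODIC ("daily", "weekly", or empty when the
#             script was started directly rather than by periodic(8))
# Exit status 0 means "run this check now", 1 means "skip it".
run_policy() {
    value=$1
    context=$2
    case "$value" in
    [Dd][Aa][Ii][Ll][Yy])          [ "$context" = daily ] ;;
    [Ww][Ee][Ee][Kk][Ll][Yy])      [ "$context" = weekly ] ;;
    # Assumption: "crontab" means the check is driven by its own crontab
    # entry, so it runs only when periodic(8) did not set $PERIODIC.
    [Cc][Rr][Oo][Nn][Tt][Aa][Bb])  [ -z "$context" ] ;;
    *)                             return 1 ;;   # "NO" or unknown: never run
    esac
}

# should_run CHECK
#   Looks up security_status_CHECK_enable (as a script that sourced
#   periodic.conf would see it), defaulting to NO, and applies the policy
#   against the current $PERIODIC value.
should_run() {
    check=$1
    eval "value=\${security_status_${check}_enable:-NO}"
    run_policy "$value" "${PERIODIC:-}"
}

# checks_for CONTEXT CHECK...
#   Prints, one per line, the names of the CHECKs that would run when
#   periodic(8) sets PERIODIC=CONTEXT.  Runs in a subshell so that
#   $PERIODIC of the caller is left untouched.
checks_for() {
    ctx=$1; shift
    (
        PERIODIC=$ctx
        for c in "$@"; do
            should_run "$c" && printf '%s\n' "$c"
        done
        true
    )
}

# Constructed periodic.conf(5) fragment for the demo.  The variable names
# are the ones listed in the message; the values are illustrative only.
load_demo_conf() {
    security_status_chksetuid_enable="daily"
    security_status_chkmounts_enable="weekly"
    security_status_chkportsum_enable="NO"
    security_status_ipfwdenied_enable="daily"
    security_status_loginfail_enable="crontab"
}

# Demo: which checks run in a daily pass, a weekly pass, and a direct
# invocation with no $PERIODIC set.
load_demo_conf
for ctx in daily weekly ""; do
    echo "PERIODIC=${ctx:-<unset>}:"
    checks_for "$ctx" chksetuid chkmounts chkportsum ipfwdenied loginfail
done
```

A real check script would call should_run with its own name near the top and exit 0 when it returns non-zero, so the same script file can be installed once and reached from both the daily and weekly runs without periodic(8) needing to know which checks belong to which.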