From owner-freebsd-hackers Thu Jul 6 03:48:02 2000
Date: Thu, 06 Jul 2000 11:46:39 +0100
From: cillian@xiam.com
To: freebsd-hackers@freebsd.org
Subject: Re: /etc/security -> /etc/periodic/security ?
Message-ID: <3964638F.9162B7C@xiam.com>

> > why not even something like security_enable=[YES|NO] and
> > security_periode=[daily|weekly|monthly] defaulting to daily?

/etc/security is hard-wired in many respects to be run on a daily basis, i.e. it does lots of 'today/yesterday' diff reports. Anyway, I think security reports are important enough that you'd want to be informed daily, at the very least.

> That's just what we need - a configuration option that lets the admin
> turn security off. 8)

:)

While we're on the subject of /etc/security, just a few comments/suggestions..

For 'logfile' reports (login failures, kernel messages, refused connections, etc.), I think we should use the 'logtail' program or something similar. This could be run from cron on a frequent [i.e. hourly] basis, coinciding with newsyslog. This way, you don't have to wait for the daily security report to tell you something's wrong, and it should also eliminate duplicated data in reports, as each report only shows the 'bad' messages since the last run, as opposed to all the bad messages currently in the respective logfiles [which is what it certainly does on 3.4, anyway].

Also, /var/log/kernel [syslog: kern.*] should be used in preference to dmesg as the source of kernel messages, as there's no risk of losing kernel messages that have disappeared from the system message buffer.

Better support for ipfw and ipf/ipmon would be nice, but I'd imagine most people just roll their own when it comes to firewall scripts/status reports.

-- 
Cillian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
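The logtail-style approach Cillian describes, as an added example that is not part of the original mail or of FreeBSD's /etc/security: a POSIX sh sketch that records a byte offset per log file, prints only the lines appended since the last run, starts over when newsyslog has rotated (inode changed) or truncated the file, and greps the new lines for the kinds of messages the daily report looks for. The log and state file paths, the grep patterns and the cron line are assumptions chosen for the example; the sample log lines in the comments are constructed. `head -c` is not POSIX but exists on both BSD and GNU userlands.

```sh
#!/bin/sh
# Incremental log reader in the spirit of logtail. Added example; not
# FreeBSD's /etc/security. Assumed to be run hourly from cron, e.g.
#   0 * * * * root /usr/local/sbin/security-logtail.sh   (hypothetical path)
#
# State file format (one line): "<inode> <byte offset>"

# Print the bytes appended to log file $1 since the offset recorded in
# state file $2, then advance the offset to the size seen at the start
# of the run. If the inode changed (newsyslog renamed the file) or the
# file is smaller than the recorded offset (it was truncated), the
# offset is reset so nothing written to the new file is lost.
logtail_new_lines() {
    log=$1
    state=$2
    [ -f "$log" ] || return 0
    inode=$(ls -i "$log" | awk '{print $1}')
    size=$(wc -c < "$log" | tr -d ' ')
    old_inode=0
    offset=0
    if [ -f "$state" ]; then
        read -r old_inode offset < "$state"
    fi
    if [ "$inode" != "$old_inode" ] || [ "$size" -lt "$offset" ]; then
        offset=0
    fi
    if [ "$size" -gt "$offset" ]; then
        # Bound the read at $size so lines appended while we run are
        # reported next time rather than split across two reports.
        tail -c +$((offset + 1)) "$log" | head -c $((size - offset))
    fi
    printf '%s %s\n' "$inode" "$size" > "$state"
}

# Filter the new lines down to the things a security report cares about.
# The patterns are assumptions for this example; adjust to your syslog
# output. Sample (constructed) lines this would match:
#   Jul  6 11:00:01 remus login: LOGIN FAILURE FROM 10.20.3.99, root
#   Jul  6 12:00:00 remus inetd[77]: refused connection from 10.20.3.99
security_log_report() {
    logtail_new_lines "$1" "$2" \
        | grep -E -i 'login failure|failed password|bad password|refused connect|kernel:' \
        || true
}

# Stand-alone usage (assumed file names):
#   security_log_report /var/log/messages /var/db/security-logtail.messages
#   security_log_report /var/log/kernel   /var/db/security-logtail.kernel
```

Because the offset is taken from the file size at the start of each run and the state file is rewritten only after the read, a report never shows a line twice and never skips lines appended mid-run; the inode check is what makes it safe to schedule alongside newsyslog.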