Date: Thu, 22 Aug 2013 22:49:58 +0200 From: Jeremie Le Hen <jlh@FreeBSD.org> To: freebsd-hackers@freebsd.org Subject: weekly periodic security status Message-ID: <20130822204958.GC24767@caravan.chchile.org>
next in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
Hi,
I plan to commit the attached patch. This allows the turn the daily
security checks into weekly checks. You do this by adding the following
to periodic.conf(5):
daily_status_security_enable=NO
weekly_status_security_enable=YES
All other $daily_status_security_whatever variables will be renamed to
$security_status_whatever. The old variable name is supported but
prints a warning.
The idea is that for many personal servers, whether it is used as a NAS
or for developement, you may not want to run I/O-expensive find(1) jobs
every day, but you don't want to disable entirely because there's a
little voice that tells you it's bad.
Well, whatever, if you have any concerns, objections or comments, please
speak now :).
Note that once I will have committed this, I will make another commit to
the manpage so as to move the security options into their own section,
out of the daily section. But it is clearer for review that way I
think.
The patch is also available here:
http://people.freebsd.org/~jlh/weekly_status_security.diff
Cheers,
--
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
[-- Attachment #2 --]
Index: etc/defaults/periodic.conf
===================================================================
--- etc/defaults/periodic.conf (revision 254638)
+++ etc/defaults/periodic.conf (working copy)
@@ -164,58 +164,58 @@ daily_local="/etc/daily.local" # Local scripts
# These options are used by the security periodic(8) scripts spawned in
# 450.status-security above.
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_noamd="NO" # Don't check amd mounts
-daily_status_security_logdir="/var/log" # Directory for logs
-daily_status_security_diff_flags="-b -u" # flags for diff output
+security_status_inline="NO" # Run inline ?
+security_status_output="root" # user or /file
+security_status_noamd="NO" # Don't check amd mounts
+security_status_logdir="/var/log" # Directory for logs
+security_status_diff_flags="-b -u" # flags for diff output
# 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
+security_status_chksetuid_enable="YES"
# 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
+security_status_neggrpperm_enable="YES"
# 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
+security_status_chkmounts_enable="YES"
+#security_status_chkmounts_ignore="^amd:" # Don't check matching
# FS types
# 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
+security_status_chkuid0_enable="YES"
# 400.passwdless
-daily_status_security_passwdless_enable="YES"
+security_status_passwdless_enable="YES"
# 410.logincheck
-daily_status_security_logincheck_enable="YES"
+security_status_logincheck_enable="YES"
# 460.chkportsum
-daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum
# 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
+security_status_ipfwdenied_enable="YES"
# 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
+security_status_ipfdenied_enable="YES"
# 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
+security_status_pfdenied_enable="YES"
# 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
+security_status_ipfwlimit_enable="YES"
# 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
+security_status_ipf6denied_enable="YES"
# 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
+security_status_kernelmsg_enable="YES"
# 800.loginfail
-daily_status_security_loginfail_enable="YES"
+security_status_loginfail_enable="YES"
# 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
+security_status_tcpwrap_enable="YES"
# Weekly options
@@ -248,6 +248,10 @@ weekly_status_pkg_enable="NO" # Find out-of-dat
pkg_version=pkg_version # Use this program
pkg_version_index=/usr/ports/INDEX-10 # Use this index file
+# 450.status-security; disabled by defaut because daily checks are enabled
+weekly_status_security_enable="NO" # Security check
+# See "Security options" above for more options
+
# 999.local
weekly_local="/etc/weekly.local" # Local scripts
@@ -276,6 +280,16 @@ monthly_local="/etc/monthly.local" # Local scrip
if [ -z "${source_periodic_confs_defined}" ]; then
source_periodic_confs_defined=yes
+ daily_security_var_compat() {
+ local new=$1 old
+
+ old=daily_status_security${#status_security}
+ [ -z "$old" ] && return
+ echo "Warning: Variable \$$old is deprecated," \
+ "use \$$new instead." >&2
+ eval \$$new=\""$old"\"
+ }
+
source_periodic_confs() {
local i sourced_files
Index: etc/periodic/security/100.chksetuid
===================================================================
--- etc/periodic/security/100.chksetuid (revision 254638)
+++ etc/periodic/security/100.chksetuid (working copy)
@@ -39,7 +39,9 @@ fi
rc=0
-case "$daily_status_security_chksetuid_enable" in
+daily_security_var_compat security_status_chksetuid_enable
+
+case "$security_status_chksetuid_enable" in
[Yy][Ee][Ss])
echo ""
echo 'Checking setuid files and devices:'
Index: etc/periodic/security/110.neggrpperm
===================================================================
--- etc/periodic/security/110.neggrpperm (revision 254638)
+++ etc/periodic/security/110.neggrpperm (working copy)
@@ -35,9 +35,11 @@ then
source_periodic_confs
fi
+daily_security_var_compat security_status_neggrpperm_enable
+
rc=0
-case "$daily_status_security_neggrpperm_enable" in
+case "$security_status_neggrpperm_enable" in
[Yy][Ee][Ss])
echo ""
echo 'Checking negative group permissions:'
Index: etc/periodic/security/200.chkmounts
===================================================================
--- etc/periodic/security/200.chkmounts (revision 254638)
+++ etc/periodic/security/200.chkmounts (working copy)
@@ -40,12 +40,16 @@ fi
. /etc/periodic/security/security.functions
-ignore="${daily_status_security_chkmounts_ignore}"
+daily_security_var_compat security_status_chkmounts_ignore
+daily_security_var_compat security_status_chkmounts_enable
+daily_security_var_compat security_status_noamd
+
+ignore="${security_status_chkmounts_ignore}"
rc=0
-case "$daily_status_security_chkmounts_enable" in
+case "$security_status_chkmounts_enable" in
[Yy][Ee][Ss])
- case "$daily_status_security_noamd" in
+ case "$security_status_noamd" in
[Yy][Ee][Ss])
ignore="${ignore}|^amd:"
esac
Index: etc/periodic/security/300.chkuid0
===================================================================
--- etc/periodic/security/300.chkuid0 (revision 254638)
+++ etc/periodic/security/300.chkuid0 (working copy)
@@ -36,7 +36,9 @@ then
source_periodic_confs
fi
-case "$daily_status_security_chkuid0_enable" in
+daily_security_var_compat security_status_chkuid0_enable
+
+case "$security_status_chkuid0_enable" in
[Yy][Ee][Ss])
echo ""
echo 'Checking for uids of 0:'
Index: etc/periodic/security/400.passwdless
===================================================================
--- etc/periodic/security/400.passwdless (revision 254638)
+++ etc/periodic/security/400.passwdless (working copy)
@@ -35,7 +35,9 @@ then
source_periodic_confs
fi
-case "$daily_status_security_passwdless_enable" in
+daily_security_var_compat security_status_passwdless_enable
+
+case "$security_status_passwdless_enable" in
[Yy][Ee][Ss])
echo ""
echo 'Checking for passwordless accounts:'
Index: etc/periodic/security/410.logincheck
===================================================================
--- etc/periodic/security/410.logincheck (revision 254638)
+++ etc/periodic/security/410.logincheck (working copy)
@@ -35,7 +35,9 @@ then
source_periodic_confs
fi
-case "$daily_status_security_logincheck_enable" in
+daily_security_var_compat security_status_logincheck_enable
+
+case "$security_status_logincheck_enable" in
[Yy][Ee][Ss])
echo ""
echo 'Checking login.conf permissions:'
Index: etc/periodic/security/460.chkportsum
===================================================================
--- etc/periodic/security/460.chkportsum (revision 254638)
+++ etc/periodic/security/460.chkportsum (working copy)
@@ -40,7 +40,7 @@ rc=0
echo ""
echo 'Checking for ports with mismatched checksums:'
-case "${daily_status_security_chkportsum_enable}" in
+case "${security_status_chkportsum_enable}" in
[Yy][Ee][Ss])
set -f
pkg_info -ga 2>/dev/null | \
Index: etc/periodic/security/500.ipfwdenied
===================================================================
--- etc/periodic/security/500.ipfwdenied (revision 254638)
+++ etc/periodic/security/500.ipfwdenied (working copy)
@@ -37,9 +37,11 @@ fi
. /etc/periodic/security/security.functions
+daily_security_var_compat security_status_ipfwdenied_enable
+
rc=0
-case "$daily_status_security_ipfwdenied_enable" in
+case "$security_status_ipfwdenied_enable" in
[Yy][Ee][Ss])
TMP=`mktemp -t security`
if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
Index: etc/periodic/security/510.ipfdenied
===================================================================
--- etc/periodic/security/510.ipfdenied (revision 254638)
+++ etc/periodic/security/510.ipfdenied (working copy)
@@ -37,9 +37,11 @@ fi
. /etc/periodic/security/security.functions
+daily_security_var_compat security_status_ipfdenied_enable
+
rc=0
-case "$daily_status_security_ipfdenied_enable" in
+case "$security_status_ipfdenied_enable" in
[Yy][Ee][Ss])
TMP=`mktemp -t security`
if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then
Index: etc/periodic/security/520.pfdenied
===================================================================
--- etc/periodic/security/520.pfdenied (revision 254638)
+++ etc/periodic/security/520.pfdenied (working copy)
@@ -37,9 +37,11 @@ fi
. /etc/periodic/security/security.functions
+daily_security_var_compat security_status_pfdenied_enable
+
rc=0
-case "$daily_status_security_pfdenied_enable" in
+case "$security_status_pfdenied_enable" in
[Yy][Ee][Ss])
TMP=`mktemp -t security`
if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
Index: etc/periodic/security/550.ipfwlimit
===================================================================
--- etc/periodic/security/550.ipfwlimit (revision 254638)
+++ etc/periodic/security/550.ipfwlimit (working copy)
@@ -38,9 +38,11 @@ then
source_periodic_confs
fi
+daily_security_var_compat security_status_ipfwlimit_enable
+
rc=0
-case "$daily_status_security_ipfwlimit_enable" in
+case "$security_status_ipfwlimit_enable" in
[Yy][Ee][Ss])
IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
Index: etc/periodic/security/610.ipf6denied
===================================================================
--- etc/periodic/security/610.ipf6denied (revision 254638)
+++ etc/periodic/security/610.ipf6denied (working copy)
@@ -37,9 +37,11 @@ fi
. /etc/periodic/security/security.functions
+daily_security_var_compat security_status_ipf6denied_enable
+
rc=0
-case "$daily_status_security_ipf6denied_enable" in
+case "$security_status_ipf6denied_enable" in
[Yy][Ee][Ss])
TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then
Index: etc/periodic/security/700.kernelmsg
===================================================================
--- etc/periodic/security/700.kernelmsg (revision 254638)
+++ etc/periodic/security/700.kernelmsg (working copy)
@@ -40,9 +40,11 @@ fi
. /etc/periodic/security/security.functions
+daily_security_var_compat security_status_kernelmsg_enable
+
rc=0
-case "$daily_status_security_kernelmsg_enable" in
+case "$security_status_kernelmsg_enable" in
[Yy][Ee][Ss])
dmesg 2>/dev/null |
check_diff new_only dmesg - "${host} kernel log messages:"
Index: etc/periodic/security/800.loginfail
===================================================================
--- etc/periodic/security/800.loginfail (revision 254638)
+++ etc/periodic/security/800.loginfail (working copy)
@@ -38,8 +38,11 @@ then
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+daily_security_var_compat security_status_logdir
+daily_security_var_compat security_status_loginfail_enable
+LOG="${security_status_logdir}"
+
yesterday=`date -v-1d "+%b %e "`
catmsgs() {
@@ -55,7 +58,7 @@ catmsgs() {
[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
}
-case "$daily_status_security_loginfail_enable" in
+case "$security_status_loginfail_enable" in
[Yy][Ee][Ss])
echo ""
echo "${host} login failures:"
Index: etc/periodic/security/900.tcpwrap
===================================================================
--- etc/periodic/security/900.tcpwrap (revision 254638)
+++ etc/periodic/security/900.tcpwrap (working copy)
@@ -38,8 +38,11 @@ then
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+daily_security_var_compat security_status_logdir
+daily_security_var_compat security_status_tcpwrap_enable
+LOG="${security_status_logdir}"
+
yesterday=`date -v-1d "+%b %e "`
catmsgs() {
@@ -55,7 +58,7 @@ catmsgs() {
[ -f ${LOG}/messages ] && cat $LOG/messages
}
-case "$daily_status_security_tcpwrap_enable" in
+case "$security_status_tcpwrap_enable" in
[Yy][Ee][Ss])
echo ""
echo "${host} refused connections:"
Index: etc/periodic/security/security.functions
===================================================================
--- etc/periodic/security/security.functions (revision 254638)
+++ etc/periodic/security/security.functions (working copy)
@@ -31,6 +31,8 @@
# Show differences in the output of an audit command
#
+daily_security_var_compat daily_status_security_logdir
+
LOG="${daily_status_security_logdir}"
rc=0
Index: etc/periodic/weekly/Makefile
===================================================================
--- etc/periodic/weekly/Makefile (revision 254638)
+++ etc/periodic/weekly/Makefile (working copy)
@@ -3,6 +3,7 @@
.include <bsd.own.mk>
FILES= 340.noid \
+ 450.status-security \
999.local
# NB: keep these sorted by MK_* knobs
Index: share/man/man5/periodic.conf.5
===================================================================
--- share/man/man5/periodic.conf.5 (revision 254638)
+++ share/man/man5/periodic.conf.5 (working copy)
@@ -450,7 +450,7 @@ is set to
.Dq Li YES .
This may not work with MTAs other than
.Xr sendmail 8 .
-.It Va daily_status_security_enable
+.It Va security_status_enable
.Pq Vt bool
Set to
.Dq Li YES
@@ -462,46 +462,48 @@ The system defaults are in
.Pa /etc/periodic/security .
Local scripts should be placed in
.Pa /usr/local/etc/periodic/security .
+It makes to sense to be enabled along with
+.Va weekly_status_security_enable .
See the
.Xr periodic 8
manual page for more information.
-.It Va daily_status_security_inline
+.It Va security_status_inline
.Pq Vt bool
Set to
.Dq Li YES
if you want the security check output inline.
The default is to either mail or log the output according to the value of
-.Va daily_status_security_output .
-.It Va daily_status_security_output
+.Va security_status_output .
+.It Va security_status_output
.Pq Vt str
Where to send the output of the security check if
-.Va daily_status_security_inline
+.Va security_status_inline
is set to
.Dq Li NO .
This variable behaves in the same way as the
.Va *_output
variables above, namely it can be set either to one or more email addresses
or to an absolute file name.
-.It Va daily_status_security_diff_flags
+.It Va security_status_diff_flags
.Pq Vt str
Set to the arguments to pass to the
.Xr diff 1
utility when generating differences.
The default is
.Fl b u .
-.It Va daily_status_security_chksetuid_enable
+.It Va security_status_chksetuid_enable
.Pq Vt bool
Set to
.Dq Li YES
to compare the modes and modification times of setuid executables with
the previous day's values.
-.It Va daily_status_security_chkportsum_enable
+.It Va security_status_chkportsum_enable
.Pq Vt bool
Set to
.Dq Li YES
to verify checksums of all installed packages against the known checksums in
.Pa /var/db/pkg .
-.It Va daily_status_security_neggrpperm_enable
+.It Va security_status_neggrpperm_enable
.Pq Vt bool
Set to
.Dq Li YES
@@ -509,35 +511,35 @@ to check for files where the group of a file has l
the world at large.
When users are in more than 14 supplemental groups these negative
permissions may not be enforced via NFS shares.
-.It Va daily_status_security_chkmounts_enable
+.It Va security_status_chkmounts_enable
.Pq Vt bool
Set to
.Dq Li YES
to check for changes mounted file systems to the previous day's values.
-.It Va daily_status_security_noamd
+.It Va security_status_noamd
.Pq Vt bool
Set to
.Dq Li YES
if you want to ignore
.Xr amd 8
mounts when comparing against yesterday's file system mounts in the
-.Va daily_status_security_chkmounts_enable
+.Va security_status_chkmounts_enable
check.
-.It Va daily_status_security_chkuid0_enable
+.It Va security_status_chkuid0_enable
.Pq Vt bool
Set to
.Dq Li YES
to check
.Pa /etc/master.passwd
for accounts with UID 0.
-.It Va daily_status_security_passwdless_enable
+.It Va security_status_passwdless_enable
.Pq Vt bool
Set to
.Dq Li YES
to check
.Pa /etc/master.passwd
for accounts with empty passwords.
-.It Va daily_status_security_logincheck_enable
+.It Va security_status_logincheck_enable
.Pq Vt bool
Set to
.Dq Li YES
@@ -546,49 +548,49 @@ to check
ownership, see
.Xr login.conf 5
for more information.
-.It Va daily_status_security_ipfwdenied_enable
+.It Va security_status_ipfwdenied_enable
.Pq Vt bool
Set to
.Dq Li YES
to show log entries for packets denied by
.Xr ipfw 8
since yesterday's check.
-.It Va daily_status_security_ipfdenied_enable
+.It Va security_status_ipfdenied_enable
.Pq Vt bool
Set to
.Dq Li YES
to show log entries for packets denied by
.Xr ipf 8
since yesterday's check.
-.It Va daily_status_security_pfdenied_enable
+.It Va security_status_pfdenied_enable
.Pq Vt bool
Set to
.Dq Li YES
to show log entries for packets denied by
.Xr pf 4
since yesterday's check.
-.It Va daily_status_security_ipfwlimit_enable
+.It Va security_status_ipfwlimit_enable
.Pq Vt bool
Set to
.Dq Li YES
to display
.Xr ipfw 8
rules that have reached their verbosity limit.
-.It Va daily_status_security_kernelmsg_enable
+.It Va security_status_kernelmsg_enable
.Pq Vt bool
Set to
.Dq Li YES
to show new
.Xr dmesg 8
entries since yesterday's check.
-.It Va daily_status_security_loginfail_enable
+.It Va security_status_loginfail_enable
.Pq Vt bool
Set to
.Dq Li YES
to display failed logins from
.Pa /var/log/messages
in the previous day.
-.It Va daily_status_security_tcpwrap_enable
+.It Va security_status_tcpwrap_enable
.Pq Vt bool
Set to
.Dq Li YES
@@ -709,6 +711,23 @@ An orphaned file is one with an invalid owner or g
A list of directories under which orphaned files are searched for.
This would usually be set to
.Pa / .
+.It Va weekly_status_security_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+if you want to run the security check.
+The security check is another set of
+.Xr periodic 8
+scripts.
+The system defaults are in
+.Pa /etc/periodic/security .
+Local scripts should be placed in
+.Pa /usr/local/etc/periodic/security .
+It makes to sense to be enabled along with
+.Va daily_status_security_enable .
+See the
+.Xr periodic 8
+manual page for more information.
.It Va weekly_status_pkg_enable
.Pq Vt bool
Set to
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130822204958.GC24767>