Date: Fri, 7 Dec 2001 15:58:05 -0800 From: "Crist J . Clark" <cristjc@earthlink.net> To: freebsd-current@freebsd.org Subject: HEADS UP: periodic(8)-ifying daily security checks Message-ID: <20011207155805.R8975@blossom.cjclark.org>
next in thread | raw e-mail | index | archive | help
I have just committed changes to how the daily security checks are
done in -CURRENT. Long ago, there was just /etc/daily. Then
/etc/security was split out of /etc/daily. Some time later, /etc/daily
became a set of periodic(8) scripts. Now, this evolution continues,
and /etc/security has been broken into periodic(8) scripts to make
local customization easier and more maintainable.
However, like any change, there may be some problems making the
transition to the new system. If you are using the default
/etc/security, the change will be transparent. Next time you update,
mergemaster(8) will take care of everything for you. Note that
/etc/security will no longer be used in any way, it can safely be
removed.
If you have local customizations to /etc/security, the best thing to
do and the ultimate way to fix things "properly" is to break out the
customizations into small scripts and drop the scripts into
/usr/local/etc/periodic/security. Make sure the scripts are set
executable and ls(1) in the order you wish them to execute. If your
customizations are separate from the actions in the default
/etc/security, this is all you need to do. If you have made
customizations to actions in /etc/security, drop your customized
script into /usr/local/etc/periodic/security, and then deactivate the
default script with the same action by placing the appropriate,
daily_status_security_<script>_enable="NO"
In your /etc/periodic.conf. See periodic(8) for details on how the
system works.
For those who do not have the time to do this the really quick work
around is,
mkdir -p /usr/local/etc/periodic/security
# mv /etc/security /usr/local/etc/periodic/security
# chmod 755 /usr/local/etc/periodic/security/security
# cat >> /etc/periodic.conf <<EOF
daily_status_security_chksetuid_enable="NO"
daily_status_security_chkmounts_enable="NO"
daily_status_security_chkuid0_enable="NO"
daily_status_security_passwdless_enable="NO"
daily_status_security_ipfwdenied_enable="NO"
daily_status_security_ipfwlimit_enable="NO"
daily_status_security_ip6fwdenied_enable="NO"
daily_status_security_ip6fwlimit_enable="NO"
daily_status_security_kernelmsg_enable="NO"
daily_status_security_loginfail_enable="NO"
daily_status_security_tcpwrap_enable="NO"
EOF
And everything should work (prett much) fine... EXCEPT the use of the
'daily_status_security_noamd' setting will be broken (but it does work
in the new periodic(8) scripts).
Please report any problems, but I'd really like to not get my first
pointy-hat award out of this.
--
"It's always funny until someone gets hurt. Then it's hilarious."
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011207155805.R8975>