From: Jeremie Le Hen
Date: Tue, 27 Aug 2013 21:20:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r254974 - in head: etc/defaults etc/periodic/monthly etc/periodic/security etc/periodic/weekly share/man/man5

Author: jlh
Date: Tue Aug 27 21:20:28 2013
New Revision: 254974
URL: http://svnweb.freebsd.org/changeset/base/254974

Log:
  Make the period of each periodic security script configurable.

  There are now six additional variables
    weekly_status_security_enable
    weekly_status_security_inline
    weekly_status_security_output
    monthly_status_security_enable
    monthly_status_security_inline
    monthly_status_security_output
  alongside their existing daily counterparts. They all have the
  same default values.

  All other "daily_status_security_${scriptname}_${whatever}"
  variables have been renamed to "security_status_${name}_${whatever}".
  A compatibility shim has been introduced for the old variable names,
  which we will be able to remove in 11.0-RELEASE.

  "security_status_${name}_enable" is still a boolean but a new
  "security_status_${name}_period" allows defining the period of
  each script. The value is one of "daily" (the default for backward
  compatibility), "weekly", "monthly" and "NO".

  Note that when the security periodic scripts are run directly from
  crontab(5) (as opposed to being called by daily or weekly periodic
  scripts), they will run unless the test is explicitly disabled with a
  "NO", either in the "_enable" or the "_period" variable.

  When the security output is not inlined, the mail subject has been
  changed from "$host $arg run output" to "$host $arg $period run output".
  For instance:
    myfbsd security run output -> myfbsd security daily run output
  I don't think this is considered as a stable API, but feel free to
  correct me if I'm wrong.

  Finally, I will rearrange periodic.conf(5) and default/periodic.conf
  to put the security options in their own section. I left them in
  place for this commit to make reviewing easier.

  Reviewed by: hackers@

Added:
  head/etc/periodic/monthly/450.status-security (contents, props changed)
  head/etc/periodic/weekly/450.status-security (contents, props changed)
Modified:
  head/etc/defaults/periodic.conf
  head/etc/periodic/security/100.chksetuid
  head/etc/periodic/security/110.neggrpperm
  head/etc/periodic/security/200.chkmounts
  head/etc/periodic/security/300.chkuid0
  head/etc/periodic/security/400.passwdless
  head/etc/periodic/security/410.logincheck
  head/etc/periodic/security/460.chkportsum
  head/etc/periodic/security/500.ipfwdenied
  head/etc/periodic/security/510.ipfdenied
  head/etc/periodic/security/520.pfdenied
  head/etc/periodic/security/550.ipfwlimit
  head/etc/periodic/security/610.ipf6denied
  head/etc/periodic/security/700.kernelmsg
  head/etc/periodic/security/800.loginfail
  head/etc/periodic/security/900.tcpwrap
  head/etc/periodic/security/security.functions
  head/etc/periodic/weekly/Makefile
  head/share/man/man5/periodic.conf.5

Modified: head/etc/defaults/periodic.conf ============================================================================== --- head/etc/defaults/periodic.conf Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/defaults/periodic.conf Tue Aug 27 21:20:28 2013 (r254974) 
@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # 450.status-security daily_status_security_enable="YES" # Security check -# See "Security options" below for more options +# See also "Security options" below for more options +daily_status_security_inline="NO" # Run inline ? +daily_status_security_output="root" # user or /file # 460.status-mail-rejects daily_status_mail_rejects_enable="YES" # Check mail rejects 
@@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Loca # Security options # These options are used by the security periodic(8) scripts spawned in -# 450.status-security above. -daily_status_security_inline="NO" # Run inline ? -daily_status_security_output="root" # user or /file -daily_status_security_logdir="/var/log" # Directory for logs -daily_status_security_diff_flags="-b -u" # flags for diff output +# daily and weekly 450.status-security. +security_status_logdir="/var/log" # Directory for logs +security_status_diff_flags="-b -u" # flags for diff output + +# Each of the security_status_*_enable options below can have one of the +# following values: +# - NO +# - daily: only run during the daily security status +# - weekly: only run during the weekly security status # 100.chksetuid -daily_status_security_chksetuid_enable="YES" +security_status_chksetuid_enable="YES" +security_status_chksetuid_period="daily" # 110.neggrpperm -daily_status_security_neggrpperm_enable="YES" +security_status_neggrpperm_enable="YES" +security_status_neggrpperm_period="daily" # 200.chkmounts -daily_status_security_chkmounts_enable="YES" -#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching +security_status_chkmounts_enable="YES" +security_status_chkmounts_period="daily" +#security_status_chkmounts_ignore="^amd:" # Don't check matching # FS types -daily_status_security_noamd="NO" # Don't check amd mounts +security_status_noamd="NO" # Don't check amd mounts # 300.chkuid0 -daily_status_security_chkuid0_enable="YES" +security_status_chkuid0_enable="YES" +security_status_chkuid0_period="daily" # 400.passwdless -daily_status_security_passwdless_enable="YES" +security_status_passwdless_enable="YES" +security_status_passwdless_period="daily" # 410.logincheck -daily_status_security_logincheck_enable="YES" +security_status_logincheck_enable="YES" +security_status_logincheck_period="daily" # 460.chkportsum -daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong 
checksum +security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum +security_status_chkportsum_period="daily" # 500.ipfwdenied -daily_status_security_ipfwdenied_enable="YES" +security_status_ipfwdenied_enable="YES" +security_status_ipfwdenied_period="daily" # 510.ipfdenied -daily_status_security_ipfdenied_enable="YES" +security_status_ipfdenied_enable="YES" +security_status_ipfdenied_period="daily" # 520.pfdenied -daily_status_security_pfdenied_enable="YES" +security_status_pfdenied_enable="YES" +security_status_pfdenied_period="daily" # 550.ipfwlimit -daily_status_security_ipfwlimit_enable="YES" +security_status_ipfwlimit_enable="YES" +security_status_ipfwlimit_period="daily" # 610.ipf6denied -daily_status_security_ipf6denied_enable="YES" +security_status_ipf6denied_enable="YES" +security_status_ipf6denied_period="daily" # 700.kernelmsg -daily_status_security_kernelmsg_enable="YES" +security_status_kernelmsg_enable="YES" +security_status_kernelmsg_period="daily" # 800.loginfail -daily_status_security_loginfail_enable="YES" +security_status_loginfail_enable="YES" +security_status_loginfail_period="daily" # 900.tcpwrap -daily_status_security_tcpwrap_enable="YES" +security_status_tcpwrap_enable="YES" +security_status_tcpwrap_period="daily" # Weekly options @@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find pkg_version=pkg_version # Use this program pkg_version_index=/usr/ports/INDEX-10 # Use this index file +# 450.status-security +weekly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +weekly_status_security_inline="NO" # Run inline ? +weekly_status_security_output="root" # user or /file + # 999.local weekly_local="/etc/weekly.local" # Local scripts 
@@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts # 200.accounting monthly_accounting_enable="YES" # Login accounting +# 450.status-security +monthly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +monthly_status_security_inline="NO" # Run inline ? +monthly_status_security_output="root" # user or /file + # 999.local monthly_local="/etc/monthly.local" # Local scripts 
@@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # L if [ -z "${source_periodic_confs_defined}" ]; then source_periodic_confs_defined=yes + + # Compatibility with old daily variable names. + # They can be removed in stable/11. + security_daily_compat_var() { + local var=$1 dailyvar value + + dailyvar=daily_status_security${#status_security} + periodvar=${var%enable}period + eval value=\"\$$dailyvar\" + [ -z "$value" ] && return + echo "Warning: Variable \$$dailyvar is deprecated," \ + "use \$$var instead." >&2 + case "$value" in + [Yy][Ee][Ss]) + $var=YES + $periodvar=daily + ;; + *) + $var="$value" + ;; + esac + } + + check_yesno_period() { + local var="$1" periodvar value period + + eval value=\"\$$var\" + case "$value" in + [Yy][Ee][Ss]) ;; + *) return 1 ;; + esac + + periodvar=${var%enable}period + eval period=\"\$$periodvar\" + case "$PERIODIC" in + "security daily") + case "$period" in + [Dd][Aa][Ii][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security weekly") + case "$period" in + [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security monthly") + case "$period" in + [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + security) + # Run directly from crontab(5). + case "$period" in + [Nn][Oo]) return 1 ;; + *) return 0 ;; + esac + ;; + *) + echo "ASSERTION FAILED: Unexpected value for " \ + "\$PERIODIC: '$PERIODIC'" >&2 + exit 127 + ;; + esac + } + source_periodic_confs() { local i sourced_files Added: head/etc/periodic/monthly/450.status-security ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/etc/periodic/monthly/450.status-security Tue Aug 27 21:20:28 2013 (r254974) 
@@ -0,0 +1,41 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$monthly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$monthly_status_security_inline" in + [Yy][Ee][Ss]) + monthly_status_security_output="";; + esac + + export security_output="${monthly_status_security_output}" + case "${monthly_status_security_output}" in + "") + rc=3;; + /*) + echo " (output logged separately)" + rc=0;; + *) + echo " (output mailed separately)" + rc=0;; + esac + + periodic security || rc=3;; + + *) rc=0;; +esac + +exit $rc Modified: head/etc/periodic/security/100.chksetuid ============================================================================== --- head/etc/periodic/security/100.chksetuid Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/100.chksetuid Tue Aug 27 21:20:28 2013 (r254974) @@ -37,10 +37,12 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chksetuid_enable + rc=0 -case "$daily_status_security_chksetuid_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_chksetuid_enable +then echo "" echo 'Checking setuid files and devices:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` @@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_e \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | check_diff setuid - "${host} setuid diffs:" rc=$? - ;; - *) - rc=0 - ;; -esac +fi exit $rc Modified: head/etc/periodic/security/110.neggrpperm ============================================================================== --- head/etc/periodic/security/110.neggrpperm Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/110.neggrpperm Tue Aug 27 21:20:28 2013 (r254974) 
@@ -35,10 +35,12 @@ then source_periodic_confs fi +security_daily_compat_var security_status_neggrpperm_enable + rc=0 -case "$daily_status_security_neggrpperm_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_neggrpperm_enable +then echo "" echo 'Checking negative group permissions:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` @@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_ \( ! -perm +040 -and -perm +004 \) \) \ -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 - ;; -esac +fi exit $rc Modified: head/etc/periodic/security/200.chkmounts ============================================================================== --- head/etc/periodic/security/200.chkmounts Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/200.chkmounts Tue Aug 27 21:20:28 2013 (r254974) @@ -40,12 +40,16 @@ fi . /etc/periodic/security/security.functions -ignore="${daily_status_security_chkmounts_ignore}" +security_daily_compat_var security_status_chkmounts_enable +security_daily_compat_var security_status_chkmounts_ignore +security_daily_compat_var security_status_noamd + +ignore="${security_status_chkmounts_ignore}" rc=0 -case "$daily_status_security_chkmounts_enable" in - [Yy][Ee][Ss]) - case "$daily_status_security_noamd" in +if check_yesno_period security_status_chkmounts_enable +then + case "$security_status_noamd" in [Yy][Ee][Ss]) ignore="${ignore}|^amd:" esac @@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_e fi mount -p | sort | ${cmd} | check_diff mount - "${host} changes in mounted filesystems:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit "$rc" Modified: head/etc/periodic/security/300.chkuid0 ============================================================================== --- head/etc/periodic/security/300.chkuid0 Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/300.chkuid0 Tue Aug 27 21:20:28 2013 (r254974) 
@@ -36,16 +36,19 @@ then source_periodic_confs fi -case "$daily_status_security_chkuid0_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_chkuid0_enable + +rc=0 + +if check_yesno_period security_status_chkuid0_enable +then echo "" echo 'Checking for uids of 0:' n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr | sed -e '/^root 0$/d' -e '/^toor 0$/d' | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" Modified: head/etc/periodic/security/400.passwdless ============================================================================== --- head/etc/periodic/security/400.passwdless Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/400.passwdless Tue Aug 27 21:20:28 2013 (r254974) @@ -35,14 +35,17 @@ then source_periodic_confs fi -case "$daily_status_security_passwdless_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_passwdless_enable + +rc=0 + +if check_yesno_period security_status_passwdless_enable +then echo "" echo 'Checking for passwordless accounts:' n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" Modified: head/etc/periodic/security/410.logincheck ============================================================================== --- head/etc/periodic/security/410.logincheck Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/410.logincheck Tue Aug 27 21:20:28 2013 (r254974) @@ -35,8 +35,12 @@ then source_periodic_confs fi -case "$daily_status_security_logincheck_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_logincheck_enable + +rc=0 + +if check_yesno_period security_status_logincheck_enable +then echo "" echo 'Checking login.conf permissions:' if [ -G /etc/login.conf -a -O /etc/login.conf ]; then 
@@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_ echo "Bad ownership of /etc/login.conf" n=1 fi - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" Modified: head/etc/periodic/security/460.chkportsum ============================================================================== --- head/etc/periodic/security/460.chkportsum Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/460.chkportsum Tue Aug 27 21:20:28 2013 (r254974) @@ -35,13 +35,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chkportsum_enable + rc=0 echo "" echo 'Checking for ports with mismatched checksums:' -case "${daily_status_security_chkportsum_enable}" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_chkportsum_enable +then set -f pkg_info -ga 2>/dev/null | \ while IFS= read -r line; do @@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum ;; esac done - ;; - *) - rc=0 - ;; -esac +fi exit $rc Modified: head/etc/periodic/security/500.ipfwdenied ============================================================================== --- head/etc/periodic/security/500.ipfwdenied Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/500.ipfwdenied Tue Aug 27 21:20:28 2013 (r254974) 
@@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfwdenied_enable + rc=0 -case "$daily_status_security_ipfwdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfwdenied_enable +then TMP=`mktemp -t security` if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Modified: head/etc/periodic/security/510.ipfdenied ============================================================================== --- head/etc/periodic/security/510.ipfdenied Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/510.ipfdenied Tue Aug 27 21:20:28 2013 (r254974) @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfdenied_enable + rc=0 -case "$daily_status_security_ipfdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfdenied_enable +then TMP=`mktemp -t security` if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf ${TMP} "${host} ipf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Modified: head/etc/periodic/security/520.pfdenied ============================================================================== --- head/etc/periodic/security/520.pfdenied Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/520.pfdenied Tue Aug 27 21:20:28 2013 (r254974) 
@@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_pfdenied_enable + rc=0 -case "$daily_status_security_pfdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_pfdenied_enable +then TMP=`mktemp -t security` if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then check_diff new_only pf ${TMP} "${host} pf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Modified: head/etc/periodic/security/550.ipfwlimit ============================================================================== --- head/etc/periodic/security/550.ipfwlimit Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/550.ipfwlimit Tue Aug 27 21:20:28 2013 (r254974) @@ -38,10 +38,12 @@ then source_periodic_confs fi +security_daily_compat_var security_status_ipfwlimit_enable + rc=0 -case "$daily_status_security_ipfwlimit_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfwlimit_enable +then IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then exit 0 @@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_e echo 'ipfw log limit reached:' cat ${TMP} fi - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Modified: head/etc/periodic/security/610.ipf6denied ============================================================================== --- head/etc/periodic/security/610.ipf6denied Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/610.ipf6denied Tue Aug 27 21:20:28 2013 (r254974) 
@@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipf6denied_enable + rc=0 -case "$daily_status_security_ipf6denied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipf6denied_enable +then TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Modified: head/etc/periodic/security/700.kernelmsg ============================================================================== --- head/etc/periodic/security/700.kernelmsg Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/700.kernelmsg Tue Aug 27 21:20:28 2013 (r254974) @@ -40,14 +40,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_kernelmsg_enable + rc=0 -case "$daily_status_security_kernelmsg_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_kernelmsg_enable +then dmesg 2>/dev/null | check_diff new_only dmesg - "${host} kernel log messages:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit $rc Modified: head/etc/periodic/security/800.loginfail ============================================================================== --- head/etc/periodic/security/800.loginfail Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/800.loginfail Tue Aug 27 21:20:28 2013 (r254974) @@ -38,7 +38,10 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_loginfail_enable + +LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` 
@@ -55,14 +58,15 @@ catmsgs() { [ -f ${LOG}/auth.log ] && cat $LOG/auth.log } -case "$daily_status_security_loginfail_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_yesno_period security_status_loginfail_enable +then echo "" echo "${host} login failures:" n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc Modified: head/etc/periodic/security/900.tcpwrap ============================================================================== --- head/etc/periodic/security/900.tcpwrap Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/900.tcpwrap Tue Aug 27 21:20:28 2013 (r254974) @@ -38,7 +38,10 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_tcpwrap_enable + +LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` @@ -55,14 +58,15 @@ catmsgs() { [ -f ${LOG}/messages ] && cat $LOG/messages } -case "$daily_status_security_tcpwrap_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_yesno_period security_status_tcpwrap_enable +then echo "" echo "${host} refused connections:" n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc Modified: head/etc/periodic/security/security.functions ============================================================================== --- head/etc/periodic/security/security.functions Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/security/security.functions Tue Aug 27 21:20:28 2013 (r254974) 
@@ -27,11 +27,19 @@ # $FreeBSD$ # +# This is a library file, so we only try to do something when sourced. +case "$0" in +*/security.functions) exit 0 ;; +esac + +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_diff_flags + # # Show differences in the output of an audit command # -LOG="${daily_status_security_logdir}" +LOG="${security_status_logdir}" rc=0 # Usage: COMMAND | check_diff [new_only] LABEL - MSG @@ -67,7 +75,7 @@ check_diff() { [ $rc -lt 1 ] && rc=1 echo "" echo "${msg}" - diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \ + diff ${security_status_diff_flags} ${LOG}/${label}.today \ ${tmpf} | eval "${filter}" mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3 Added: head/etc/periodic/weekly/450.status-security ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/etc/periodic/weekly/450.status-security Tue Aug 27 21:20:28 2013 (r254974) 
@@ -0,0 +1,41 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$weekly_status_security_inline" in + [Yy][Ee][Ss]) + weekly_status_security_output="";; + esac + + export security_output="${weekly_status_security_output}" + case "${weekly_status_security_output}" in + "") + rc=3;; + /*) + echo " (output logged separately)" + rc=0;; + *) + echo " (output mailed separately)" + rc=0;; + esac + + periodic security || rc=3;; + + *) rc=0;; +esac + +exit $rc Modified: head/etc/periodic/weekly/Makefile ============================================================================== --- head/etc/periodic/weekly/Makefile Tue Aug 27 20:52:02 2013 (r254973) +++ head/etc/periodic/weekly/Makefile Tue Aug 27 21:20:28 2013 (r254974) @@ -3,6 +3,7 @@ .include FILES= 340.noid \ + 450.status-security \ 999.local # NB: keep these sorted by MK_* knobs Modified: head/share/man/man5/periodic.conf.5 ============================================================================== --- head/share/man/man5/periodic.conf.5 Tue Aug 27 20:52:02 2013 (r254973) +++ head/share/man/man5/periodic.conf.5 Tue Aug 27 21:20:28 2013 (r254974) @@ -1,4 +1,4 @@ -.\"- +\"- .\" Copyright (c) 2000 Brian Somers .\" All rights reserved. .\" 
@@ -482,26 +482,42 @@ This variable behaves in the same way as .Va *_output variables above, namely it can be set either to one or more email addresses or to an absolute file name. -.It Va daily_status_security_diff_flags +.It Va security_status_diff_flags .Pq Vt str Set to the arguments to pass to the .Xr diff 1 utility when generating differences. The default is .Fl b u . -.It Va daily_status_security_chksetuid_enable +.It Va security_status_chksetuid_enable .Pq Vt bool Set to .Dq Li YES to compare the modes and modification times of setuid executables with the previous day's values. -.It Va daily_status_security_chkportsum_enable +.It Va security_status_chksetuid_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_chkportsum_enable .Pq Vt bool Set to .Dq Li YES to verify checksums of all installed packages against the known checksums in .Pa /var/db/pkg . -.It Va daily_status_security_neggrpperm_enable +.It Va security_status_chkportsum_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_neggrpperm_enable .Pq Vt bool Set to .Dq Li YES 
@@ -509,35 +525,67 @@ to check for files where the group of a the world at large. When users are in more than 14 supplemental groups these negative permissions may not be enforced via NFS shares. -.It Va daily_status_security_chkmounts_enable +.It Va security_status_neggrpperm_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_chkmounts_enable .Pq Vt bool Set to .Dq Li YES to check for changes mounted file systems to the previous day's values. -.It Va daily_status_security_noamd +.It Va security_status_chkmounts_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_noamd .Pq Vt bool Set to .Dq Li YES if you want to ignore .Xr amd 8 mounts when comparing against yesterday's file system mounts in the -.Va daily_status_security_chkmounts_enable +.Va security_status_chkmounts_enable check. -.It Va daily_status_security_chkuid0_enable +.It Va security_status_chkuid0_enable .Pq Vt bool Set to .Dq Li YES to check .Pa /etc/master.passwd for accounts with UID 0. -.It Va daily_status_security_passwdless_enable +.It Va security_status_chkuid0_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_passwdless_enable .Pq Vt bool Set to .Dq Li YES to check .Pa /etc/master.passwd for accounts with empty passwords. -.It Va daily_status_security_logincheck_enable +.It Va security_status_passwdless_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_logincheck_enable .Pq Vt bool Set to .Dq Li YES 
@@ -546,49 +594,105 @@ to check ownership, see .Xr login.conf 5 for more information. -.It Va daily_status_security_ipfwdenied_enable +.It Va security_status_logincheck_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ipfwdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr ipfw 8 since yesterday's check. -.It Va daily_status_security_ipfdenied_enable +.It Va security_status_ipfwdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ipfdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr ipf 8 since yesterday's check. -.It Va daily_status_security_pfdenied_enable +.It Va security_status_ipfdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_pfdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr pf 4 since yesterday's check. -.It Va daily_status_security_ipfwlimit_enable +.It Va security_status_pfdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ipfwlimit_enable .Pq Vt bool Set to .Dq Li YES to display .Xr ipfw 8 rules that have reached their verbosity limit. -.It Va daily_status_security_kernelmsg_enable +.It Va security_status_ipfwlimit_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_kernelmsg_enable .Pq Vt bool Set to .Dq Li YES to show new .Xr dmesg 8 entries since yesterday's check. -.It Va daily_status_security_loginfail_enable +.It Va security_status_kernelmsg_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . 
+.It Va security_status_loginfail_enable .Pq Vt bool Set to .Dq Li YES to display failed logins from .Pa /var/log/messages in the previous day. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
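
Review bot: In head/etc/defaults/periodic.conf, hunk @@ -163,59 +165,78 @@, the new comment block documents the wrong variable and an incomplete value set. It says each `security_status_*_enable` option can be "NO", "daily" or "weekly", but the entries below it keep `_enable` as YES/NO and put the schedule in the new `security_status_*_period` variables, and `check_yesno_period` also accepts "monthly". The comment should describe `*_period`, list all four values, and the line "# daily and weekly 450.status-security." should mention the monthly script added in this same commit.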
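
Review bot: In head/etc/defaults/periodic.conf, hunk @@ -276,6 +309,74 @@, `security_daily_compat_var` neither reads the old variable nor assigns the new one, so the compatibility shim cannot work as written. `dailyvar=daily_status_security${#status_security}` uses the `${#name}` length expansion of a variable called `status_security` instead of stripping a prefix from `$var`, so every call builds the same name regardless of its argument; `${var#security_status}` looks like what was intended. `$var=YES`, `$periodvar=daily` and `$var="$value"` are not assignments in sh, since the left-hand side is expanded first and the result is run as a command; they need `eval`. `periodvar` is also missing from the `local` list, and for non-boolean arguments such as `security_status_logdir` the `${var%enable}period` suffix strip produces a meaningless name. Separately, the `*)` branch of `check_yesno_period` calls `exit 127` from inside a sourced function, which terminates the calling script for any `$PERIODIC` value other than the four listed, including an empty one.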
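
Review bot: In the 800.loginfail and 900.tcpwrap hunks, the checks become schedulable weekly or monthly while the unchanged context still computes `yesterday` with `date -v-1d "+%b %e "` and greps only for lines starting with that date. A weekly or monthly run would therefore report one day of login failures or refused connections and silently skip the rest of the period. Either derive the window from `$PERIODIC`, or state in periodic.conf(5) that these two checks only give full coverage with period "daily".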
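
Review bot: In the head/etc/periodic/weekly/Makefile hunk, `450.status-security` is added to FILES, but the list of modified files contains no head/etc/periodic/monthly/Makefile, so nothing visible in this commit installs the newly added monthly/450.status-security. With `monthly_status_security_enable="YES"` as the default, a check configured with period "monthly" would never run from the monthly periodic job unless the script is installed some other way. Add the file to the monthly Makefile in the same change.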
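
Review bot: In head/share/man/man5/periodic.conf.5, hunk @@ -1,4 +1,4 @@, the first line changes from `.\"-` to `\"-`, dropping the leading dot. That turns the opening roff comment of the copyright block into ordinary input and looks unrelated to the rest of the commit; restore the original line.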
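
Review bot: In head/share/man/man5/periodic.conf.5, hunks @@ -482,26 +482,42 @@ onward, each new `security_status_*_period` entry only lists the accepted strings and never says what the variable does. The entries should state that it selects which periodic run (daily, weekly or monthly) executes the check, that "daily" is the default, and that a script run directly from crontab(5) runs unless `_enable` or `_period` is "NO", as described in the commit log. The neighbouring `_enable` descriptions still say "previous day's values" and "since yesterday's check", which is no longer accurate for a check scheduled weekly or monthly.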