Date: Tue, 27 Aug 2013 23:31:48 +0200
From: Jeremie Le Hen <jlh@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r254974 - in head: etc/defaults etc/periodic/monthly etc/periodic/security etc/periodic/weekly share/man/man5
Message-ID: <20130827213148.GR24767@caravan.chchile.org>
In-Reply-To: <201308272120.r7RLKTvk066897@svn.freebsd.org>
References: <201308272120.r7RLKTvk066897@svn.freebsd.org>

On Tue, Aug 27, 2013 at 09:20:29PM +0000, Jeremie Le Hen wrote:
> Author: jlh
> Date: Tue Aug 27 21:20:28 2013
> New Revision: 254974
> URL: http://svnweb.freebsd.org/changeset/base/254974
>
> Log:
>   Make the period of each periodic security script configurable.
>
>   There are now six additional variables
>     weekly_status_security_enable
>     weekly_status_security_inline
>     weekly_status_security_output
>     monthly_status_security_enable
>     monthly_status_security_inline
>     monthly_status_security_output
>   alongside their existing daily counterparts.  They all have the same
>   default values.
>
>   All other "daily_status_security_${scriptname}_${whatever}"
>   variables have been renamed to "security_status_${name}_${whatever}".
>   A compatibility shim has been introduced for the old variable names,
>   which we will be able to remove in 11.0-RELEASE.
>
>   "security_status_${name}_enable" is still a boolean but a new
>   "security_status_${name}_period" allows defining the period of
>   each script.  The value is one of "daily" (the default for backward
>   compatibility), "weekly", "monthly" and "NO".
>
>   Note that when the security periodic scripts are run directly from
>   crontab(5) (as opposed to being called by daily or weekly periodic
>   scripts), they will run unless the test is explicitly disabled with a
>   "NO", either in the "_enable" or the "_period" variable.
>
>   When the security output is not inlined, the mail subject has been
>   changed from "$host $arg run output" to "$host $arg $period run output".
>   For instance:
>     myfbsd security run output -> myfbsd security daily run output
>   I don't think this is considered as a stable API, but feel free to
>   correct me if I'm wrong.
>
>   Finally, I will rearrange periodic.conf(5) and default/periodic.conf
>   to put the security options in their own section.  I left them in
>   place for this commit to make reviewing easier.

In summary, just add the following lines to periodic.conf(5) to avoid
running those I/O-expensive scripts daily.

security_status_chksetuid_period="weekly"
security_status_neggrpperm_period="weekly"

-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
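
The run/skip rules described in the commit log above (per-script period, the old-name compatibility shim, and the direct-from-crontab case), sketched as an added example that is not part of the original message and is not FreeBSD's own code. The names should_run and getvar, the "direct" context label, the enable values in the sample configuration, and treating an unset _enable as NO are assumptions of this sketch.

```sh
#!/bin/sh
# Added illustration; not FreeBSD's periodic(8) code. should_run, getvar and
# the "direct" context label are hypothetical names.

# Constructed sample configuration: the two period lines from the message,
# one new-style enable, and one enable still set under its old name.
security_status_chksetuid_enable="YES"
security_status_chksetuid_period="weekly"
daily_status_security_neggrpperm_enable="YES"
security_status_neggrpperm_period="weekly"

# Print the value of variable $1, or $2 when it is unset or empty.
getvar() {
    eval "gv_val=\${$1:-}"
    printf '%s' "${gv_val:-$2}"
}

# should_run NAME CONTEXT -> 0 if the check runs in that context.
# CONTEXT: daily, weekly, monthly, or direct (script run straight from cron).
should_run() {
    sr_name=$1 sr_ctx=$2
    # NAME is interpolated into eval, so accept only identifier characters.
    case $sr_name in ''|*[!A-Za-z0-9_]*) return 2 ;; esac
    # Compatibility shim: the old variable name supplies the default.
    # Assumption: an _enable that is unset under both names means NO.
    sr_old=$(getvar "daily_status_security_${sr_name}_enable" NO)
    sr_enable=$(getvar "security_status_${sr_name}_enable" "$sr_old")
    sr_period=$(getvar "security_status_${sr_name}_period" daily)
    sr_period=$(printf '%s' "$sr_period" | tr '[:upper:]' '[:lower:]')

    case $sr_enable in [Yy][Ee][Ss]) ;; *) return 1 ;; esac
    [ "$sr_period" = no ] && return 1
    # Run directly: everything not explicitly disabled runs.
    [ "$sr_ctx" = direct ] && return 0
    # Called from a periodic run: only the matching period runs.
    [ "$sr_period" = "$sr_ctx" ]
}

for ctx in daily weekly monthly direct; do
    for name in chksetuid neggrpperm; do
        if should_run "$name" "$ctx"; then echo "$ctx: $name runs"; fi
    done
done
```

With the sample configuration both checks are skipped in the daily context and run in the weekly and direct contexts, which is the effect the two periodic.conf(5) lines are meant to have.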