Date: Sun, 25 Aug 2013 13:05:20 +0200 From: Jeremie Le Hen <jlh@FreeBSD.org> To: Royce Williams <royce@tycho.org>, Darren Pilgrim <list_freebsd@bluerosetech.com>, FreeBSD Hackers <freebsd-hackers@freebsd.org> Subject: Re: weekly periodic security status Message-ID: <20130825110520.GJ24767@caravan.chchile.org> In-Reply-To: <20130824165704.GD24767@caravan.chchile.org> References: <20130822204958.GC24767@caravan.chchile.org> <5217AD9E.1000100@bluerosetech.com> <CA%2BE3k910-BqOdDtA9sWTxVuKxtJSS02w4PSeTmM%2BJxPqNQ5Jyw@mail.gmail.com> <20130824165704.GD24767@caravan.chchile.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Aug 24, 2013 at 06:57:04PM +0200, Jeremie Le Hen wrote:
> On Fri, Aug 23, 2013 at 08:35:55PM -0800, Royce Williams wrote:
> > On Fri, Aug 23, 2013 at 10:44 AM, Darren Pilgrim <
> > list_freebsd@bluerosetech.com> wrote:
> >
> > > Thank you for this, but if I may make one suggestion: don't combine all
> > > the security report settings--keep both daily_* and weekly_*. This makes
> > > possible running some security tasks on a daily basis and others on a
> > > weekly basis. For example, daily pkg/portaudit checks, but weekly
> > > filesystem scans.
> > >
> >
> > Agreed. I welcome and would use the weekly option at this level of
> > granularity, but would like to retain daily for many checks, and so would
> > not use weekly if was an all-or-nothing option.
>
> Sounds like a good idea. However I don't know how to implement this
> because, in the current state of the periodic security scripts, there is
> no way to know whether a script had been called from daily or weekly
> periodic scripts, so no way to know which variable to check.
>
> The easy way to work around this would be to declare an environment
> variable from 450.status-security, but it sounds like a hackish way
> because you create an additional dependency for the periodic security
> scripts.
I've modified periodic(8) to set the $PERIODIC environment variable in
r254829.
The attached patch does more or less what you requested, but slightly
differently.
We now have the following variables to control daily/weekly security
runs:
daily_status_security_enable="YES"
daily_status_security_inline="NO"
daily_status_security_output="root"
weekly_status_security_enable="YES"
weekly_status_security_inline="NO"
weekly_status_security_output="root"
And the following variables to control whether you want each check to
run "daily", "weekly" or directly from "crontab" (the default, backward
compatible values are shown):
security_status_chksetuid_enable="daily"
security_status_neggrpperm_enable="daily"
security_status_chkmounts_enable="daily"
security_status_chkuid0_enable="daily"
security_status_passwdless_enable="daily"
security_status_logincheck_enable="daily"
security_status_chkportsum_enable="NO"
security_status_ipfwdenied_enable="daily"
security_status_ipfdenied_enable="daily"
security_status_pfdenied_enable="daily"
security_status_ipfwlimit_enable="daily"
security_status_ipf6denied_enable="daily"
security_status_kernelmsg_enable="daily"
security_status_loginfail_enable="daily"
security_status_tcpwrap_enable="daily"
The periodic.conf(5) manpage and default/periodic.conf have been
updated accordingly, but I plan to further rework them after the patch
is committed (especially, grouping security related variable into their
own section). That way the modification done by the patch remain clear.
Patch available here:
http://people.freebsd.org/~jlh/daily_or_weekly_status_security.diff
--
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130825110520.GJ24767>