Index: share/man/man5/periodic.conf.5
===================================================================
--- share/man/man5/periodic.conf.5 (revision 254841)
+++ share/man/man5/periodic.conf.5 (working copy)
@@ -482,121 +482,208 @@ This variable behaves in the same way as the .Va *_output variables above, namely it can be set either to one or more email addresses or to an absolute file name. -.It Va daily_status_security_diff_flags +.It Va security_status_diff_flags .Pq Vt str Set to the arguments to pass to the .Xr diff 1 utility when generating differences. The default is .Fl b u . -.It Va daily_status_security_chksetuid_enable -.Pq Vt bool +.It Va security_status_chksetuid_enable +.Pq Vt str Set to -.Dq Li YES +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to compare the modes and modification times of setuid executables with the previous day's values. -.It Va daily_status_security_chkportsum_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_chkportsum_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to verify checksums of all installed packages against the known checksums in .Pa /var/db/pkg . -.It Va daily_status_security_neggrpperm_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_neggrpperm_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to check for files where the group of a file has less permissions than the world at large. When users are in more than 14 supplemental groups these negative permissions may not be enforced via NFS shares. -.It Va daily_status_security_chkmounts_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_chkmounts_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to check for changes mounted file systems to the previous day's values. -.It Va daily_status_security_noamd -.Pq Vt bool Set to +.Dq Li NO +to disable. 
+.It Va security_status_noamd +.Pq Vt str +Set to .Dq Li YES if you want to ignore .Xr amd 8 mounts when comparing against yesterday's file system mounts in the -.Va daily_status_security_chkmounts_enable +.Va security_status_chkmounts_enable check. -.It Va daily_status_security_chkuid0_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_chkuid0_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to check .Pa /etc/master.passwd for accounts with UID 0. -.It Va daily_status_security_passwdless_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_passwdless_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to check .Pa /etc/master.passwd for accounts with empty passwords. -.It Va daily_status_security_logincheck_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_logincheck_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to check .Pa /etc/login.conf ownership, see .Xr login.conf 5 for more information. -.It Va daily_status_security_ipfwdenied_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_ipfwdenied_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to show log entries for packets denied by .Xr ipfw 8 since yesterday's check. -.It Va daily_status_security_ipfdenied_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_ipfdenied_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to show log entries for packets denied by .Xr ipf 8 since yesterday's check. -.It Va daily_status_security_pfdenied_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_pfdenied_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to show log entries for packets denied by .Xr pf 4 since yesterday's check. 
-.It Va daily_status_security_ipfwlimit_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_ipfwlimit_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to display .Xr ipfw 8 rules that have reached their verbosity limit. -.It Va daily_status_security_kernelmsg_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_kernelmsg_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to show new .Xr dmesg 8 entries since yesterday's check. -.It Va daily_status_security_loginfail_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_loginfail_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to display failed logins from .Pa /var/log/messages in the previous day. -.It Va daily_status_security_tcpwrap_enable -.Pq Vt bool Set to -.Dq Li YES +.Dq Li NO +to disable. +.It Va security_status_tcpwrap_enable +.Pq Vt str +Set to +.Dq Li daily , +.Dq Li weekly +or +.Dq Li crontab to display connections denied by tcpwrappers (see .Xr hosts_access 5 ) from .Pa /var/log/messages during the previous day. +Set to +.Dq Li NO +to disable. .It Va daily_status_mail_rejects_enable .Pq Vt bool Set to 
@@ -709,6 +796,38 @@ An orphaned file is one with an invalid owner or g A list of directories under which orphaned files are searched for. This would usually be set to .Pa / . +.It Va weekly_status_security_enable +.Pq Vt bool +Set to +.Dq Li YES +if you want to run the security check. +The security check is another set of +.Xr periodic 8 +scripts. +The system defaults are in +.Pa /etc/periodic/security . +Local scripts should be placed in +.Pa /usr/local/etc/periodic/security . +See the +.Xr periodic 8 +manual page for more information. +.It Va weekly_status_security_inline +.Pq Vt bool +Set to +.Dq Li YES +if you want the security check output inline. +The default is to either mail or log the output according to the value of +.Va daily_status_security_output . +.It Va weekly_status_security_output +.Pq Vt str +Where to send the output of the security check if +.Va daily_status_security_inline +is set to +.Dq Li NO . +This variable behaves in the same way as the +.Va *_output +variables above, namely it can be set either to one or more email addresses +or to an absolute file name. .It Va weekly_status_pkg_enable .Pq Vt bool Set to Index: etc/defaults/periodic.conf =================================================================== --- etc/defaults/periodic.conf (revision 254841) +++ etc/defaults/periodic.conf (working copy) @@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also s # 450.status-security daily_status_security_enable="YES" # Security check -# See "Security options" below for more options +# See also "Security options" below for more options +daily_status_security_inline="NO" # Run inline ? +daily_status_security_output="root" # user or /file # 460.status-mail-rejects daily_status_mail_rejects_enable="YES" # Check mail rejects 
@@ -163,59 +165,64 @@ daily_local="/etc/daily.local" # Local scripts # Security options # These options are used by the security periodic(8) scripts spawned in -# 450.status-security above. -daily_status_security_inline="NO" # Run inline ? -daily_status_security_output="root" # user or /file -daily_status_security_logdir="/var/log" # Directory for logs -daily_status_security_diff_flags="-b -u" # flags for diff output +# daily and weekly 450.status-security. +security_status_logdir="/var/log" # Directory for logs +security_status_diff_flags="-b -u" # flags for diff output +# Each of the security_status_*_enable options below can have one of the +# following values: +# - NO +# - daily: only run during the daily security status +# - weekly: only run during the weekly security status +# - crontab: only run when the security sttus is run directly from crontab(5) + # 100.chksetuid -daily_status_security_chksetuid_enable="YES" +security_status_chksetuid_enable="daily" # 110.neggrpperm -daily_status_security_neggrpperm_enable="YES" +security_status_neggrpperm_enable="daily" # 200.chkmounts -daily_status_security_chkmounts_enable="YES" -#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching +security_status_chkmounts_enable="daily" +#security_status_chkmounts_ignore="^amd:" # Don't check matching # FS types -daily_status_security_noamd="NO" # Don't check amd mounts +security_status_noamd="NO" # Don't check amd mounts # 300.chkuid0 -daily_status_security_chkuid0_enable="YES" +security_status_chkuid0_enable="daily" # 400.passwdless -daily_status_security_passwdless_enable="YES" +security_status_passwdless_enable="daily" # 410.logincheck -daily_status_security_logincheck_enable="YES" +security_status_logincheck_enable="daily" # 460.chkportsum -daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum +security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum # 500.ipfwdenied -daily_status_security_ipfwdenied_enable="YES" 
+security_status_ipfwdenied_enable="daily" # 510.ipfdenied -daily_status_security_ipfdenied_enable="YES" +security_status_ipfdenied_enable="daily" # 520.pfdenied -daily_status_security_pfdenied_enable="YES" +security_status_pfdenied_enable="daily" # 550.ipfwlimit -daily_status_security_ipfwlimit_enable="YES" +security_status_ipfwlimit_enable="daily" # 610.ipf6denied -daily_status_security_ipf6denied_enable="YES" +security_status_ipf6denied_enable="daily" # 700.kernelmsg -daily_status_security_kernelmsg_enable="YES" +security_status_kernelmsg_enable="daily" # 800.loginfail -daily_status_security_loginfail_enable="YES" +security_status_loginfail_enable="daily" # 900.tcpwrap -daily_status_security_tcpwrap_enable="YES" +security_status_tcpwrap_enable="daily" # Weekly options @@ -248,6 +255,12 @@ weekly_status_pkg_enable="NO" # Find out-of-dat pkg_version=pkg_version # Use this program pkg_version_index=/usr/ports/INDEX-10 # Use this index file +# 450.status-security +weekly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +weekly_status_security_inline="NO" # Run inline ? +weekly_status_security_output="root" # user or /file + # 999.local weekly_local="/etc/weekly.local" # Local scripts 
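Review bot: The comment block that introduces the security_status_*_enable values misspells "status" as `sttus` on the crontab line, and it lists only NO, daily, weekly and crontab although `check_daily_weekly_monthly` added to this same file also accepts `monthly`; either add `# - monthly: only run during the monthly security status` or drop that arm from the function. The periodic.conf.5 text in this diff likewise documents only daily, weekly and crontab, so the two should be brought into agreement. `security_status_ipf6denied_enable` (610.ipf6denied) also has no entry in the manual page hunk; that may be a pre-existing omission, but this rename is the natural place to fix it.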
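Review bot: The new `weekly_status_security_inline` and `weekly_status_security_output` defaults look right, but the periodic.conf.5 entries added for them in this diff say the output is handled "according to the value of .Va daily_status_security_output" and sent "if .Va daily_status_security_inline is set to NO"; those cross-references should read `weekly_status_security_output` and `weekly_status_security_inline`. The weekly 450.status-security script these variables feed is not part of this diff, so I cannot confirm which names it actually reads.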
@@ -276,6 +289,68 @@ monthly_local="/etc/monthly.local" # Local scrip if [ -z "${source_periodic_confs_defined}" ]; then source_periodic_confs_defined=yes + + # Compatibility with old daily variable names. + # They can be removed in stable/11. + security_daily_compat_var() { + local var=$1 yes=$2 dailyvar value + + [ -z "$yes" ] && yes=daily + dailyvar=daily_status_security${#status_security} + eval value=\"\$$dailyvar\" + [ -z "$value" ] && return + echo "Warning: Variable \$$dailyvar is deprecated," \ + "use \$$var instead." >&2 + case "$value" in + [Yy][Ee][Ss]) $var=$yes ;; + esac + } + + check_daily_weekly_monthly() { + local var="$1" value + + eval value=\"\$$var\" + case "$value" in + [Yy][Ee][Ss]) + echo "Warning: \$$var is set to \"$value\"," \ + "this is incorrect. See periodic.conf(5)." \ + "Assuming \"daily\" for now." >&2 + value=daily + ;; + esac + case "$PERIODIC" in + "security daily") + case "$value" in + [Dd][Aa][Ii][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security weekly") + case "$value" in + [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security monthly") + case "$value" in + [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + security) + case "$value" in + [Cc][Rr][Oo][Nn][Tt][Aa][Bb]) return 0 ;; + *) return 1 ;; + esac + ;; + *) + echo "ASSERTION FAILED: Unexpected value for " \ + "\$PERIODIC: '$PERIODIC'" >&2 + exit 127 + ;; + esac + } + source_periodic_confs() { local i sourced_files Index: etc/periodic/security/100.chksetuid =================================================================== --- etc/periodic/security/100.chksetuid (revision 254841) +++ etc/periodic/security/100.chksetuid (working copy) 
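Review bot: `dailyvar=daily_status_security${#status_security}` takes the length of the (unset) variable status_security, so dailyvar is always `daily_status_security0`, the old setting is never found and the function returns at `[ -z "$value" ] && return`; the intended expansion is evidently `${var#security_status}`. Once that is fixed, `$var=$yes` still assigns nothing, because after expansion it is a single word executed as a command, so an `eval` is needed just as one is used for the read. The function also acts only on a YES value: an old `daily_status_security_*_enable="NO"` prints the deprecation warning but leaves the new variable at its default of daily, silently re-enabling a check the administrator had turned off, and the non-boolean variables that 200.chkmounts, 800.loginfail, 900.tcpwrap and security.functions pass in (logdir, diff_flags, chkmounts_ignore, noamd) are never carried over at all. A rewrite that copies every old value and maps only YES on *_enable variables is below. The enclosing `if [ -z "${source_periodic_confs_defined}" ]` block closes outside the hunk.
```shell
	security_daily_compat_var() {
		local var=$1 yes=$2 dailyvar value

		[ -z "$yes" ] && yes=daily
		# security_status_X -> daily_status_security_X
		dailyvar=daily_status_security${var#security_status}
		eval value=\"\$$dailyvar\"
		[ -z "$value" ] && return
		echo "Warning: Variable \$$dailyvar is deprecated," \
		    "use \$$var instead." >&2
		# An old boolean YES becomes the requested period; every other
		# value (NO, a directory, a regex, diff flags) is carried over.
		case "$var" in
		*_enable)
			case "$value" in
			[Yy][Ee][Ss]) value=$yes ;;
			esac
			;;
		esac
		# "$var=$yes" is a command word after expansion, not an assignment.
		eval "$var=\"\$value\""
	}
```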
@@ -37,10 +37,12 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chksetuid_enable + rc=0 -case "$daily_status_security_chksetuid_enable" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_chksetuid_enable +then echo "" echo 'Checking setuid files and devices:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` @@ -49,10 +51,6 @@ rc=0 \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | check_diff setuid - "${host} setuid diffs:" rc=$? - ;; - *) - rc=0 - ;; -esac +fi exit $rc Index: etc/periodic/security/110.neggrpperm =================================================================== --- etc/periodic/security/110.neggrpperm (revision 254841) +++ etc/periodic/security/110.neggrpperm (working copy) @@ -35,10 +35,12 @@ then source_periodic_confs fi +security_daily_compat_var security_status_neggrpperm_enable + rc=0 -case "$daily_status_security_neggrpperm_enable" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_neggrpperm_enable +then echo "" echo 'Checking negative group permissions:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` @@ -48,7 +50,6 @@ rc=0 \( ! -perm +040 -and -perm +004 \) \) \ -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 - ;; -esac +fi exit $rc Index: etc/periodic/security/200.chkmounts =================================================================== --- etc/periodic/security/200.chkmounts (revision 254841) +++ etc/periodic/security/200.chkmounts (working copy) 
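Review bot: Every script now repeats the pair `security_daily_compat_var security_status_X_enable` / `if check_daily_weekly_monthly security_status_X_enable`, here for chksetuid and neggrpperm and identically in 200.chkmounts through 900.tcpwrap below. Since `check_daily_weekly_monthly` already receives the variable name, it could call `security_daily_compat_var "$var"` itself for the *_enable case, so a future script cannot forget the compat call. If the explicit call is kept, a short comment on its first use in each file, e.g. `# map a deprecated daily_status_security_* setting onto security_status_*`, would help readers who do not know the helpers defined in /etc/defaults/periodic.conf.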
@@ -40,12 +40,16 @@ fi . /etc/periodic/security/security.functions -ignore="${daily_status_security_chkmounts_ignore}" +security_daily_compat_var security_status_chkmounts_enable +security_daily_compat_var security_status_chkmounts_ignore +security_daily_compat_var security_status_noamd + +ignore="${security_status_chkmounts_ignore}" rc=0 -case "$daily_status_security_chkmounts_enable" in - [Yy][Ee][Ss]) - case "$daily_status_security_noamd" in +if check_daily_weekly_monthly security_status_chkmounts_enable +then + case "$security_status_noamd" in [Yy][Ee][Ss]) ignore="${ignore}|^amd:" esac @@ -55,8 +59,7 @@ rc=0 fi mount -p | sort | ${cmd} | check_diff mount - "${host} changes in mounted filesystems:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit "$rc" Index: etc/periodic/security/300.chkuid0 =================================================================== --- etc/periodic/security/300.chkuid0 (revision 254841) +++ etc/periodic/security/300.chkuid0 (working copy) @@ -36,16 +36,19 @@ then source_periodic_confs fi -case "$daily_status_security_chkuid0_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_chkuid0_enable + +rc=0 + +if check_daily_weekly_monthly security_status_chkuid0_enable +then echo "" echo 'Checking for uids of 0:' n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr | sed -e '/^root 0$/d' -e '/^toor 0$/d' | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" Index: etc/periodic/security/400.passwdless =================================================================== --- etc/periodic/security/400.passwdless (revision 254841) +++ etc/periodic/security/400.passwdless (working copy) 
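Review bot: `security_daily_compat_var security_status_noamd` maps an old `daily_status_security_noamd="YES"` to the function's default second argument, `daily`, so the `case "$security_status_noamd" in [Yy][Ee][Ss])` a few lines later stops matching and amd mounts are no longer ignored for administrators still using the old name. The call for `security_status_chkmounts_ignore` has the same shape of problem, since the compat function only reacts to a YES value and the old ignore regex is never copied. For noamd, pass the boolean through explicitly, `security_daily_compat_var security_status_noamd YES`; for chkmounts_ignore the compat function must copy the old value verbatim, which with its current `$var=$yes` line it cannot do for any variable.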
@@ -35,14 +35,17 @@ then source_periodic_confs fi -case "$daily_status_security_passwdless_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_passwdless_enable + +rc=0 + +if check_daily_weekly_monthly security_status_passwdless_enable +then echo "" echo 'Checking for passwordless accounts:' n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" Index: etc/periodic/security/410.logincheck =================================================================== --- etc/periodic/security/410.logincheck (revision 254841) +++ etc/periodic/security/410.logincheck (working copy) @@ -35,8 +35,12 @@ then source_periodic_confs fi -case "$daily_status_security_logincheck_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_logincheck_enable + +rc=0 + +if check_daily_weekly_monthly security_status_logincheck_enable +then echo "" echo 'Checking login.conf permissions:' if [ -G /etc/login.conf -a -O /etc/login.conf ]; then @@ -45,8 +49,7 @@ fi echo "Bad ownership of /etc/login.conf" n=1 fi - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" Index: etc/periodic/security/460.chkportsum =================================================================== --- etc/periodic/security/460.chkportsum (revision 254841) +++ etc/periodic/security/460.chkportsum (working copy) @@ -35,13 +35,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chkportsum_enable + rc=0 echo "" echo 'Checking for ports with mismatched checksums:' -case "${daily_status_security_chkportsum_enable}" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_chkportsum_enable +then set -f pkg_info -ga 2>/dev/null | \ while IFS= read -r line; do 
@@ -59,10 +61,6 @@ echo 'Checking for ports with mismatched checksums ;; esac done - ;; - *) - rc=0 - ;; -esac +fi exit $rc Index: etc/periodic/security/500.ipfwdenied =================================================================== --- etc/periodic/security/500.ipfwdenied (revision 254841) +++ etc/periodic/security/500.ipfwdenied (working copy) @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfwdenied_enable + rc=0 -case "$daily_status_security_ipfwdenied_enable" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_ipfwdenied_enable +then TMP=`mktemp -t security` if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Index: etc/periodic/security/510.ipfdenied =================================================================== --- etc/periodic/security/510.ipfdenied (revision 254841) +++ etc/periodic/security/510.ipfdenied (working copy) @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfdenied_enable + rc=0 -case "$daily_status_security_ipfdenied_enable" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_ipfdenied_enable +then TMP=`mktemp -t security` if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf ${TMP} "${host} ipf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Index: etc/periodic/security/520.pfdenied =================================================================== --- etc/periodic/security/520.pfdenied (revision 254841) +++ etc/periodic/security/520.pfdenied (working copy) 
@@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_pfdenied_enable + rc=0 -case "$daily_status_security_pfdenied_enable" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_pfdenied_enable +then TMP=`mktemp -t security` if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then check_diff new_only pf ${TMP} "${host} pf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Index: etc/periodic/security/550.ipfwlimit =================================================================== --- etc/periodic/security/550.ipfwlimit (revision 254841) +++ etc/periodic/security/550.ipfwlimit (working copy) @@ -38,10 +38,12 @@ then source_periodic_confs fi +security_daily_compat_var security_status_ipfwlimit_enable + rc=0 -case "$daily_status_security_ipfwlimit_enable" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_ipfwlimit_enable +then IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then exit 0 @@ -61,8 +63,7 @@ rc=0 echo 'ipfw log limit reached:' cat ${TMP} fi - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Index: etc/periodic/security/610.ipf6denied =================================================================== --- etc/periodic/security/610.ipf6denied (revision 254841) +++ etc/periodic/security/610.ipf6denied (working copy) 
@@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipf6denied_enable + rc=0 -case "$daily_status_security_ipf6denied_enable" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_ipf6denied_enable +then TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc Index: etc/periodic/security/700.kernelmsg =================================================================== --- etc/periodic/security/700.kernelmsg (revision 254841) +++ etc/periodic/security/700.kernelmsg (working copy) @@ -40,14 +40,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_kernelmsg_enable + rc=0 -case "$daily_status_security_kernelmsg_enable" in - [Yy][Ee][Ss]) +if check_daily_weekly_monthly security_status_kernelmsg_enable +then dmesg 2>/dev/null | check_diff new_only dmesg - "${host} kernel log messages:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit $rc Index: etc/periodic/security/800.loginfail =================================================================== --- etc/periodic/security/800.loginfail (revision 254841) +++ etc/periodic/security/800.loginfail (working copy) @@ -38,8 +38,11 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_loginfail_enable +LOG="${security_status_logdir}" + yesterday=`date -v-1d "+%b %e "` catmsgs() { 
@@ -55,14 +58,15 @@ catmsgs() { [ -f ${LOG}/auth.log ] && cat $LOG/auth.log } -case "$daily_status_security_loginfail_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_daily_weekly_monthly security_status_loginfail_enable +then echo "" echo "${host} login failures:" n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc Index: etc/periodic/security/900.tcpwrap =================================================================== --- etc/periodic/security/900.tcpwrap (revision 254841) +++ etc/periodic/security/900.tcpwrap (working copy) @@ -38,8 +38,11 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_tcpwrap_enable +LOG="${security_status_logdir}" + yesterday=`date -v-1d "+%b %e "` catmsgs() { @@ -55,14 +58,15 @@ catmsgs() { [ -f ${LOG}/messages ] && cat $LOG/messages } -case "$daily_status_security_tcpwrap_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_daily_weekly_monthly security_status_tcpwrap_enable +then echo "" echo "${host} refused connections:" n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc Index: etc/periodic/security/security.functions =================================================================== --- etc/periodic/security/security.functions (revision 254841) +++ etc/periodic/security/security.functions (working copy) 
@@ -27,11 +27,19 @@ # $FreeBSD$ # +# This is a library file, so we only try to do something when sourced. +case "$0" in +*/security.functions) exit 0 ;; +esac + +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_diff_flags + # # Show differences in the output of an audit command # -LOG="${daily_status_security_logdir}" +LOG="${security_status_logdir}" rc=0 # Usage: COMMAND | check_diff [new_only] LABEL - MSG @@ -67,7 +75,7 @@ check_diff() { [ $rc -lt 1 ] && rc=1 echo "" echo "${msg}" - diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \ + diff ${security_status_diff_flags} ${LOG}/${label}.today \ ${tmpf} | eval "${filter}" mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3 Index: etc/periodic/weekly/Makefile =================================================================== --- etc/periodic/weekly/Makefile (revision 254841) +++ etc/periodic/weekly/Makefile (working copy) @@ -3,6 +3,7 @@ .include FILES= 340.noid \ + 450.status-security \ 999.local # NB: keep these sorted by MK_* knobs
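Review bot: The new guard `*/security.functions) exit 0 ;;` only fires when `$0` contains a slash, so `sh security.functions` run from its own directory falls through into the compat calls and the `LOG=` setup that follow; `security.functions|*/security.functions) exit 0 ;;` covers both spellings. The two `security_daily_compat_var` calls also assume that function is already defined, which holds only when the sourcing script could read /etc/defaults/periodic.conf; a one-line comment such as `# security_daily_compat_var is defined in /etc/defaults/periodic.conf` would make that dependency visible to anyone sourcing this file from elsewhere.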
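Review bot: `450.status-security` is added to the weekly FILES list, but no `etc/periodic/weekly/450.status-security` appears in this diff, and the existing daily `450.status-security` is not changed either, although `check_daily_weekly_monthly` in periodic.conf dispatches on `$PERIODIC` being `"security daily"`, `"security weekly"`, `"security monthly"` or `security`. Presumably the new script and the daily one are handled in a separate change or an svn copy; if not, the weekly install will fail and every `security_status_*_enable` value is inert. Naming that dependency in the commit message would spare the next reader the search.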