Sync etc/periodic with FreeBSD. Short summary:
authorMatthias Schmidt <matthias@dragonflybsd.org>
Sat, 29 Dec 2007 21:44:44 +0000 (21:44 +0000)
committerMatthias Schmidt <matthias@dragonflybsd.org>
Sat, 29 Dec 2007 21:44:44 +0000 (21:44 +0000)
 - Display information about blocked counts from pf(4)
 - Make df output more human readable
 - Add login.conf checking to security
 - Fix several bugs and add some enhancements to various scripts

The list of all relevant FreeBSD Revisions is available here:

http://leaf.dragonflybsd.org/mailarchive/submit/2007-12/msg00009.html

Obtained-From: FreeBSD

etc/defaults/periodic.conf
etc/periodic/daily/110.clean-tmps
etc/periodic/daily/440.status-mailq
etc/periodic/daily/460.status-mail-rejects
etc/periodic/daily/470.status-named
etc/periodic/security/410.logincheck [copied from etc/periodic/security/800.loginfail with 70% similarity]
etc/periodic/security/520.pfdenied [copied from etc/periodic/security/800.loginfail with 69% similarity]
etc/periodic/security/800.loginfail
etc/periodic/security/Makefile
etc/periodic/security/security.functions
etc/periodic/weekly/310.locate

index 2890b66..115a7d0 100644 (file)
 # values set in this file.  This eases the upgrade path when defaults
 # are changed and new features are added.
 #
+# For a more detailed explanation of all the periodic.conf variables, please
+# refer to the periodic.conf(5) manual page.
+#
 # $FreeBSD: src/etc/defaults/periodic.conf,v 1.7.2.13 2002/11/07 19:43:16 thomas Exp $
-# $DragonFly: src/etc/defaults/periodic.conf,v 1.6 2007/03/25 11:35:11 swildner Exp $
+# $DragonFly: src/etc/defaults/periodic.conf,v 1.7 2007/12/29 21:44:44 matthias Exp $
 #
 
 # What files override these defaults ?
@@ -43,7 +46,9 @@ daily_clean_disks_verbose="YES"                               # Mention files deleted
 daily_clean_tmps_enable="NO"                           # Delete stuff daily
 daily_clean_tmps_dirs="/tmp"                           # Delete under here
 daily_clean_tmps_days="3"                              # If not accessed for
-daily_clean_tmps_ignore=".X*-lock quota.user quota.group" # Don't delete these
+daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix"
+daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group"
+                                                       # Don't delete these
 daily_clean_tmps_verbose="YES"                         # Mention files deleted
 
 # 120.clean-preserve
@@ -89,7 +94,10 @@ daily_news_expire_enable="YES"                               # Run news.expire
 
 # 400.status-disks
 daily_status_disks_enable="YES"                                # Check disk status
-daily_status_disks_df_flags="-k -t nonfs"              # df(1) flags for check
+daily_status_disks_df_flags="-k -l -h"                 # df(1) flags for check
+
+# 410.logincheck                                       # Check /etc/login.conf
+daily_status_security_logincheck_enable="YES"
 
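Review bot: The new `daily_status_security_logincheck_enable` knob under `# 410.logincheck` is placed in the daily status group between 400.status-disks and 420.status-network, while the other knob this commit adds, `daily_status_security_pfdenied_enable`, goes into the security group next to 510.ipfdenied; keeping all `daily_status_security_*` entries together matches how the rest of the security scripts are listed and makes the file easier to scan. In the new `daily_status_disks_df_flags="-k -l -h"`, `-k` and `-h` both choose the block-size display and, as far as I can tell from df(1), `-h` wins regardless of order, so `"-l -h"` states the intent without the redundant flag. The new knob also lacks the trailing description the neighbouring lines carry, e.g. `daily_status_security_logincheck_enable="YES"   # Check /etc/login.conf ownership`.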
 # 420.status-network
 daily_status_network_enable="YES"                      # Check network status
@@ -132,6 +140,7 @@ daily_status_security_output="root"                 # user or /file
 daily_status_security_noamd="NO"                       # Don't check amd mounts
 daily_status_security_nomfs="NO"                       # Don't check mfs mounts
 daily_status_security_logdir="/var/log"                        # Directory for logs
+daily_status_security_diff_flags="-b"                  # flags for diff output
 
 # 100.chksetuid
 daily_status_security_chksetuid_enable="YES"
@@ -153,6 +162,9 @@ daily_status_security_ipfwdenied_enable="YES"
 # 510.ipfdenied
 daily_status_security_ipfdenied_enable="YES"
 
+# 520.pfdenied
+daily_status_security_pfdenied_enable="YES"
+
 # 550.ipfwlimit
 daily_status_security_ipfwlimit_enable="YES"
 
index c9e9955..1643afe 100644 (file)
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/110.clean-tmps,v 1.6.2.4 2002/10/13 19:59:01 joerg Exp $
-# $DragonFly: src/etc/periodic/daily/110.clean-tmps,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: src/etc/periodic/daily/110.clean-tmps,v 1.13 2004/02/28 04:58:40 ache Exp $
+# $DragonFly: src/etc/periodic/daily/110.clean-tmps,v 1.3 2007/12/29 21:44:44 matthias Exp $
 #
 # Perform temporary directory cleaning so that long-lived systems
 # don't end up with excessively old files there.
@@ -29,9 +29,13 @@ case "$daily_clean_tmps_enable" in
            set -f noglob
            args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days"
            args="${args} -ctime +$daily_clean_tmps_days"
-           [ -n "$daily_clean_tmps_ignore" ] &&
+           dargs="-empty -mtime +$daily_clean_tmps_days"
+           [ -n "$daily_clean_tmps_ignore" ] && {
                args="$args "`echo " ${daily_clean_tmps_ignore% }" |
                    sed 's/[    ][      ]*/ ! -name /g'`
+               dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" |
+                   sed 's/[    ][      ]*/ ! -name /g'`
+           }
            case "$daily_clean_tmps_verbose" in
                [Yy][Ee][Ss])
                    print=-print;;
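Review bot: The lines that extend `args` and `dargs` run the identical `echo " ${daily_clean_tmps_ignore% }" | sed ...` pipeline twice; computing the `! -name` list once into a variable and appending it to both, e.g. `args="$args $ignore"` and `dargs="$dargs $ignore"`, keeps the file pass and the empty-directory pass from drifting apart if the sed expression is ever edited. A comment above `dargs` such as `# the ignore list now protects directories (e.g. .X11-unix) as well as files` would record why the second list exists. The enclosing `case "$daily_clean_tmps_enable"` starts and ends outside this hunk.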
@@ -43,8 +47,7 @@ case "$daily_clean_tmps_enable" in
                do
                    [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && {
                        find -d . -type f $args -delete $print
-                       find -d . ! -name . -type d -empty -mtime \
-                           +$daily_clean_tmps_days -delete $print
+                       find -d . ! -name . -type d $dargs -delete $print
                    } | sed "s,^\\.,  $dir,"
                done | tee /dev/stderr | wc -l)
            [ -z "$print" ] && rc=0
index 8daf906..bc6f142 100644 (file)
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/440.status-mailq,v 1.9 2002/12/07 23:37:44 keramida Exp $
-# $DragonFly: src/etc/periodic/daily/440.status-mailq,v 1.3 2004/11/15 08:11:59 joerg Exp $
+# $FreeBSD: src/etc/periodic/daily/440.status-mailq,v 1.11 2006/03/08 17:26:53 matteo Exp $
+# $DragonFly: src/etc/periodic/daily/440.status-mailq,v 1.4 2007/12/29 21:44:44 matthias Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -30,11 +30,12 @@ case "$daily_status_mailq_enable" in
                        sort |
                        uniq -c |
                        sort -nr |
-                       awk '$1 > 1 {print $1, $2}';;
+                       awk '$1 >= 1 {print $1, $2}';;
                *)
                    mailq;;
-           esac | tee /dev/stderr | fgrep -v 'mqueue is empty' | wc -l)
-           [ $rc -gt 1 ] && rc=1
+           esac | tee /dev/stderr |
+           egrep -v '(mqueue is empty|Total requests)' | wc -l)
+           [ $rc -gt 0 ] && rc=1 || rc=0
 
            case "$daily_status_include_submit_mailq" in
            [Yy][Ee][Ss])
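Review bot: The new awk condition `$1 >= 1` on the shortened-queue line never excludes anything, because the counts produced by `uniq -c` start at 1; if the intent is to list every sender, `awk '{print $1, $2}'` says so directly, and the same applies to the identical change in the submit-queue hunk below. A comment such as `# list every sender with its message count (uniq -c never yields 0)` would keep a later reader from restoring the old `> 1` threshold. The surrounding `case "$daily_status_mailq_enable"` begins and ends outside this hunk.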
@@ -43,18 +44,19 @@ case "$daily_status_mailq_enable" in
                    echo ""
                    echo "Mail in submit queue:"
 
-                   rc=$(case "$daily_status_mailq_shorten" in
+                   rc_submit=$(case "$daily_status_mailq_shorten" in
                        [Yy][Ee][Ss])
                            mailq -Ac |
                                egrep -e '^[[:space:]]+[^[:space:]]+@' |
                                sort |
                                uniq -c |
                                sort -nr |
-                               awk '$1 > 1 {print $1, $2}';;
+                               awk '$1 >= 1 {print $1, $2}';;
                        *)
                            mailq -Ac;;
-                   esac | tee /dev/stderr | fgrep -v 'mqueue is empty' | wc -l)
-                   [ $rc -gt 1 ] && rc=1
+                   esac | tee /dev/stderr |
+                   egrep -v '(mqueue is empty|Total requests)' | wc -l)
+                   [ $rc_submit -gt 0 ] && rc=1
                fi;;
            esac
        fi;;
index 191426c..87cc8b3 100644 (file)
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/460.status-mail-rejects,v 1.16 2003/11/07 21:55:35 ru Exp $
-# $DragonFly: src/etc/periodic/daily/460.status-mail-rejects,v 1.3 2004/11/15 08:11:59 joerg Exp $
+# $FreeBSD: src/etc/periodic/daily/460.status-mail-rejects,v 1.20 2005/01/12 01:31:21 brian Exp $
+# $DragonFly: src/etc/periodic/daily/460.status-mail-rejects,v 1.4 2007/12/29 21:44:44 matthias Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -52,9 +52,7 @@ case "$daily_status_mail_rejects_enable" in
                done
                cat /var/log/maillog
            } |
-               fgrep 'reject=' |
-               egrep -e "^$start.*ruleset=check_[^[:space:]]+,[[:space:]]+arg1=(<[^@]+@)?([^>,]+).*reject=.*" |
-               sed -e 's/.*arg1=//' -e 's/.*@//' -e 's/[>[:space:]].*$//' |
+               sed -n -E "s/^$start"'.*ruleset=check_[^ ]+, +arg1=<?([^@]+@)?([^>,]+).*reject=([^ ]+) .* ([^ ]+)$/\2 (\3... \4)/p' |
                sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l)
            [ $rc -gt 0 ] && rc=1
        fi;;
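Review bot: The replacement `sed -n -E` expression matches less than the removed `egrep` did: `[^[:space:]]+` and `[[:space:]]+` became `[^ ]+` and ` +`, so a maillog line whose fields are tab-separated would no longer be reported, and the trailing `.* ([^ ]+)$` additionally requires a space-separated word after `reject=`. If that is intended, a comment above the sed line giving the expected shape of a reject record (ruleset, arg1, reject status, final field) would make the capture groups `\2 (\3... \4)` readable. `$start` is interpolated into the regex from an assignment outside this hunk and is presumably a `date` string, so that is fine; the enclosing `case` also continues past the hunk.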
index 0afb0c4..c132d8b 100644 (file)
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/470.status-named,v 1.6 2003/11/07 21:55:35 ru Exp $
-# $DragonFly: src/etc/periodic/daily/470.status-named,v 1.3 2004/11/15 08:11:59 joerg Exp $
+# $FreeBSD: src/etc/periodic/daily/470.status-named,v 1.8 2006/06/11 20:39:12 maxim Exp $
+# $DragonFly: src/etc/periodic/daily/470.status-named,v 1.4 2007/12/29 21:44:44 matthias Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -32,24 +32,22 @@ case "$daily_status_named_enable" in
 
        start=`date -v-1d '+%b %e'`
        rc=$(catmsgs |
-           fgrep '^'"$start"'.*named\[[[:digit:]]\+\]: denied [AI]XFR from \[.*\]\.[[:digit:]]\+ for' | \
-           sed -e 's/.*: denied [AI]XFR from \[\(.*\)\]\.[[:digit:]]* for "\(.*\)".*$/\2 from \1/'
+           fgrep -E "^$start.*named\[[[:digit:]]+\]: transfer of .*failed .*: REFUSED" |
+           sed -e "s/.*transfer of \'\(.*\)\/IN\' from \(.*\)#[0-9]*: .*/\1 from \2/" |
            sort -f | uniq -ic | (
                usedns=0
-               if [ X"${daily_status_named_usedns}" != X"" ]; then
-                       case $daily_status_named_usedns in
-                       [yY][eE][sS])   usedns=1 ;;
-                       esac
-               fi
+               case "$daily_status_named_usedns" in
+               '') ;;
+               [yY][eE][sS]) usedns=1 ;;
+               esac
 
                while read line ;do
                        ipaddr=`echo "$line" | sed -e 's/^.*from //'`
                        if [ $usedns -eq 1 ]; then
                                name=`host "${ipaddr}" 2>/dev/null | \
-                                  grep 'domain name pointer' | \
-                                  sed -e 's/^.* //'`
+                                  sed 's/.*domain name pointer \(.*\)\./\1/'`
                        fi
-                       if [ X"${name}" != X"" ]; then
+                       if [ -n "${name}" ]; then
                                echo "${line} (${name})"
                        else
                                echo "${line}"
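Review bot: The rewritten reverse lookup `sed 's/.*domain name pointer \(.*\)\./\1/'` drops the former `grep 'domain name pointer'` filter but does not add `-n`/`p`, so any other line host(1) writes to stdout (its not-found message, if it goes there) now passes through unchanged into `name` and is appended to the report; `sed -n 's/.*domain name pointer \(.*\)\./\1/p'` keeps the old filtering. Separately, `fgrep -E` requests fixed-string and extended-regexp matching at once; implementations that reject conflicting matchers will fail here, and since the pattern is clearly an ERE, `egrep` (or `grep -E`) is the unambiguous spelling. The `\'` inside the double-quoted sed script reaches sed as backslash-quote, which works only by the regex engine treating it as a literal quote; `"s/.*transfer of '\(.*\)\/IN' from ..."` avoids relying on that. The `rc=$(...)` subshell opened at the top of the hunk closes outside it.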
similarity index 70%
copy from etc/periodic/security/800.loginfail
copy to etc/periodic/security/410.logincheck
index ec72bb5..7dae73d 100644 (file)
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# Copyright (c) 2001  The FreeBSD Project
+# Copyright (c) 2006  Tom Rhodes
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.1.2.2 2002/04/15 00:44:16 dougb Exp $
-# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.2 2003/06/17 04:24:48 dillon Exp $
-#
-
-# Show login failures
+# $FreeBSD: src/etc/periodic/security/410.logincheck,v 1.1 2006/08/25 07:34:36 trhodes Exp $
+# $DragonFly: src/etc/periodic/security/410.logincheck,v 1.1 2007/12/29 21:44:44 matthias Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -39,25 +36,18 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
-
-yesterday=`date -v-1d "+%b %e "`
-
-catmsgs() {
-       find ${LOG} -name 'auth.log.*' -mtime -2 |
-           sort -t. -r -n +1 -2 |
-           xargs zcat -f
-       [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
-}
-
-case "$daily_status_security_loginfail_enable" in
+case "$daily_status_security_logincheck_enable" in
     [Yy][Ee][Ss])
        echo ""
-       echo "${host} login failures:"
-       n=$(catmsgs | grep -ia "^$yesterday.*fail" |
-           tee /dev/stderr | wc -l)
+       echo 'Checking login.conf permissions:'
+       if [ -G /etc/login.conf -a -O /etc/login.conf ] then
+           n=0
+       else
+           echo "Bad ownership of /etc/login.conf"
+           n=1
+       fi
        [ $n -gt 0 ] && rc=1 || rc=0;;
     *) rc=0;;
 esac
 
-exit $rc
+exit "$rc"
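Review bot: The new test line `if [ -G /etc/login.conf -a -O /etc/login.conf ] then` is missing the `;` before `then`, so `then` is handed to `[` as an argument and the script fails to parse at `else`; it should read `if [ -G /etc/login.conf -a -O /etc/login.conf ]; then`. The message `Checking login.conf permissions:` also overstates what is checked: `-G`/`-O` only confirm the file is owned by the effective user and group of the process running periodic, not its mode, so either say "ownership" or add a mode test to back the message. A comment above the case, e.g. `# login.conf must belong to the user/group running this check (root:wheel under periodic)`, would document what a pass actually proves.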
similarity index 69%
copy from etc/periodic/security/800.loginfail
copy to etc/periodic/security/520.pfdenied
index ec72bb5..1e5b949 100644 (file)
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# Copyright (c) 2001  The FreeBSD Project
+# Copyright (c) 2004  The FreeBSD Project
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.1.2.2 2002/04/15 00:44:16 dougb Exp $
-# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.2 2003/06/17 04:24:48 dillon Exp $
-#
-
-# Show login failures
+# $FreeBSD: src/etc/periodic/security/520.pfdenied,v 1.1.2.1 2004/12/08 00:37:50 mlaier Exp $
+# $DragonFly: src/etc/periodic/security/520.pfdenied,v 1.1 2007/12/29 21:44:44 matthias Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -39,24 +36,18 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
-
-yesterday=`date -v-1d "+%b %e "`
+. /etc/periodic/security/security.functions
 
-catmsgs() {
-       find ${LOG} -name 'auth.log.*' -mtime -2 |
-           sort -t. -r -n +1 -2 |
-           xargs zcat -f
-       [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
-}
+rc=0
 
-case "$daily_status_security_loginfail_enable" in
+case "$daily_status_security_pfdenied_enable" in
     [Yy][Ee][Ss])
-       echo ""
-       echo "${host} login failures:"
-       n=$(catmsgs | grep -ia "^$yesterday.*fail" |
-           tee /dev/stderr | wc -l)
-       [ $n -gt 0 ] && rc=1 || rc=0;;
+       TMP=`mktemp -t security`
+       if pfctl -sr -v 2>/dev/null | awk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
+         check_diff new_only pf ${TMP} "${host} pf denied packets:"
+       fi
+       rc=$?
+       rm -f ${TMP};;
     *) rc=0;;
 esac
 
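Review bot: The result of the `mktemp -t security` command substitution assigned to `TMP` is not checked, so on failure `${TMP}` is empty, the `> ${TMP}` redirection on the next line has no target and `rm -f ${TMP}` removes nothing; appending `|| exit 3` to that line (3 is the file-handling failure code check_diff already uses) avoids running pfctl into a bad redirection, and the same unchecked `mktemp -t security` is introduced in security.functions in this commit. `${TMP}` should also be quoted at its three uses. Note that when `pfctl -sr -v` fails the `if` with no `else` yields status 0, so `rc=$?` silently reports success; if that is intentional (pf not loaded), a comment such as `# pf not available: nothing to report` on the `fi` line would say so. The script's `exit $rc` lies outside the hunk.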
index ec72bb5..c86736a 100644 (file)
@@ -24,8 +24,8 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.1.2.2 2002/04/15 00:44:16 dougb Exp $
-# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.8 2007/02/23 21:42:54 remko Exp $
+# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.3 2007/12/29 21:44:44 matthias Exp $
 #
 
 # Show login failures
@@ -45,8 +45,14 @@ yesterday=`date -v-1d "+%b %e "`
 
 catmsgs() {
        find ${LOG} -name 'auth.log.*' -mtime -2 |
-           sort -t. -r -n +1 -2 |
-           xargs zcat -f
+           sort -t. -r -n -k 2,2 |
+           while read f
+           do
+               case $f in
+                   *.gz)       zcat -f $f;;
+                   *.bz2)      bzcat -f $f;;
+               esac
+           done
        [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
 }
 
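Review bot: The new `case $f in` inside catmsgs has no default arm, so a rotated log that is not compressed (e.g. `auth.log.0` when newsyslog runs without compression) is silently skipped, whereas the removed `xargs zcat -f` copied such files through; adding `*) cat $f;;` restores that behaviour. `$f` is unquoted in the `zcat`/`bzcat` lines; `"$f"` costs nothing even though paths under `${LOG}` rarely contain whitespace. A comment on the function, e.g. `# emit rotated auth logs newest-first, then today's live log`, would explain the sort and the trailing `cat`.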
@@ -54,7 +60,7 @@ case "$daily_status_security_loginfail_enable" in
     [Yy][Ee][Ss])
        echo ""
        echo "${host} login failures:"
-       n=$(catmsgs | grep -ia "^$yesterday.*fail" |
+       n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" |
            tee /dev/stderr | wc -l)
        [ $n -gt 0 ] && rc=1 || rc=0;;
     *) rc=0;;
index 426d7f4..4e16ba5 100644 (file)
@@ -1,12 +1,14 @@
-# $FreeBSD: src/etc/periodic/security/Makefile,v 1.1.2.3 2002/11/07 19:38:46 thomas Exp $
-# $DragonFly: src/etc/periodic/security/Makefile,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: src/etc/periodic/security/Makefile,v 1.6 2006/08/25 07:34:36 trhodes Exp $
+# $DragonFly: src/etc/periodic/security/Makefile,v 1.3 2007/12/29 21:44:44 matthias Exp $
 
 FILES= 100.chksetuid \
        200.chkmounts \
        300.chkuid0 \
        400.passwdless \
+       410.logincheck \
        500.ipfwdenied \
        510.ipfdenied \
+       520.pfdenied \
        550.ipfwlimit \
        600.ip6fwdenied \
        650.ip6fwlimit \
index f48e602..deb7ef2 100644 (file)
@@ -24,8 +24,8 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/security.functions,v 1.1.2.2 2002/11/19 19:00:39 thomas Exp $
-# $DragonFly: src/etc/periodic/security/security.functions,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: src/etc/periodic/security/security.functions,v 1.5 2005/08/22 09:33:36 cperciva Exp $
+# $DragonFly: src/etc/periodic/security/security.functions,v 1.3 2007/12/29 21:44:44 matthias Exp $
 #
 
 #
@@ -44,7 +44,7 @@ check_diff() {
   rc=0
   if [ "$1" = "new_only" ]; then
     shift
-    filter="grep '^>'"
+    filter="grep '^[>+]'"
   else
     filter="cat"
   fi
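Review bot: The widened filter `grep '^[>+]'` in the `new_only` branch also matches the `+++` file header that a unified-format diff emits, so if `daily_status_security_diff_flags` is ever set to `-u` that header would be reported as if it were a new entry; `filter="grep '^[>+]' | grep -v '^+++ '"` keeps the intent (the string is eval'd later, so a pipeline is accepted). Since `filter` is expanded through `eval` further down in the function, a comment such as `# filter is eval'd below: keep it a fixed string, never user input` is worth adding next to the assignment. The check_diff function begins and ends outside this hunk.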
@@ -53,7 +53,7 @@ check_diff() {
   msg="$1"; shift
 
   if [ "${tmpf}" = "-" ]; then
-    tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
+    tmpf=`mktemp -t security`
     cat > ${tmpf}
   fi
 
@@ -68,7 +68,8 @@ check_diff() {
     [ $rc -lt 1 ] && rc=1
     echo ""
     echo "${msg}"
-    diff -b ${LOG}/${label}.today ${tmpf} | eval "${filter}"
+    diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \
+       ${tmpf} | eval "${filter}"
     mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
     mv ${tmpf} ${LOG}/${label}.today || rc=3
   fi
index 9774422..b4eff9e 100644 (file)
@@ -1,7 +1,7 @@
 #!/bin/sh -
 #
-# $FreeBSD: src/etc/periodic/weekly/310.locate,v 1.4.2.2 2000/09/20 02:46:17 jkh Exp $
-# $DragonFly: src/etc/periodic/weekly/310.locate,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: src/etc/periodic/weekly/310.locate,v 1.7 2007/02/23 18:44:20 remko Exp $
+# $DragonFly: src/etc/periodic/weekly/310.locate,v 1.3 2007/12/29 21:44:44 matthias Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -24,7 +24,7 @@ case "$weekly_locate_enable" in
        chmod 644 $locdb || rc=3
 
        cd /
-       echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody || rc=3
+       echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody || rc=3
        chmod 444 $locdb || rc=3;;
 
     *)  rc=0;;