From c451e5e96a29300c262e4cc068f6d6c4233ba2fa Mon Sep 17 00:00:00 2001 
From: Aaron LI Date: Fri, 9 Mar 2018 00:28:24 +0800 Subject: [PATCH] periodic: Sync with FreeBSD current * Sync periodic scripts, periodic.conf, periodic.conf.5 with FreeBSD * The "{daily,weekly,monthly}_status_security__enable" variables are changed to be "security_status__enable" and "security_status__period" (daily, weekly, monthly). * Keep DFly-specific settings (e.g., HAMMER and HAMMER2 related) * Ignore the FreeBSD-specific things, e.g., ZFS, GEOM --- Makefile_upgrade.inc | 1 + etc/defaults/periodic.conf | 284 ++++++--- etc/periodic/daily/100.clean-disks | 11 +- etc/periodic/daily/110.clean-tmps | 7 +- etc/periodic/daily/120.clean-preserve | 3 +- etc/periodic/daily/130.clean-msgs | 3 +- etc/periodic/daily/140.clean-rwho | 3 +- etc/periodic/daily/150.clean-hoststat | 3 +- etc/periodic/daily/200.backup-passwd | 9 +- etc/periodic/daily/210.backup-aliases | 3 +- etc/periodic/daily/300.calendar | 3 +- etc/periodic/daily/310.accounting | 22 +- etc/periodic/daily/330.news | 3 +- etc/periodic/daily/400.status-disks | 20 +- etc/periodic/daily/410.status-mfi | 33 + etc/periodic/daily/420.status-network | 11 +- .../{430.status-rwho => 430.status-uptime} | 5 +- etc/periodic/daily/440.status-mailq | 2 +- etc/periodic/daily/450.status-security | 38 +- etc/periodic/daily/460.status-mail-rejects | 22 +- etc/periodic/daily/500.queuerun | 3 +- etc/periodic/daily/999.local | 10 +- etc/periodic/daily/Makefile | 2 +- etc/periodic/monthly/200.accounting | 5 +- etc/periodic/monthly/450.status-security | 47 ++ etc/periodic/monthly/999.local | 10 +- etc/periodic/monthly/Makefile | 1 + etc/periodic/security/100.chksetuid | 39 +- .../security/{900.tcpwrap => 110.neggrpperm} | 42 +- etc/periodic/security/200.chkmounts | 24 +- etc/periodic/security/300.chkuid0 | 16 +- etc/periodic/security/400.passwdless | 16 +- etc/periodic/security/410.logincheck | 16 +- etc/periodic/security/500.ipfwdenied | 18 +- etc/periodic/security/520.pfdenied | 28 +- etc/periodic/security/550.ipfwlimit | 35 +- 
etc/periodic/security/600.ip6fwdenied | 16 +- etc/periodic/security/650.ip6fwlimit | 33 +- etc/periodic/security/700.kernelmsg | 14 +- etc/periodic/security/800.loginfail | 21 +- etc/periodic/security/900.tcpwrap | 29 +- etc/periodic/security/Makefile | 1 + etc/periodic/security/security.functions | 18 +- etc/periodic/weekly/310.locate | 3 +- etc/periodic/weekly/320.whatis | 3 +- etc/periodic/weekly/340.noid | 3 +- etc/periodic/weekly/450.status-security | 47 ++ etc/periodic/weekly/999.local | 10 +- etc/periodic/weekly/Makefile | 1 + share/man/man5/periodic.conf.5 | 588 ++++++++++++------ 50 files changed, 1051 insertions(+), 534 deletions(-) create mode 100644 etc/periodic/daily/410.status-mfi rename etc/periodic/daily/{430.status-rwho => 430.status-uptime} (71%) create mode 100644 etc/periodic/monthly/450.status-security copy etc/periodic/security/{900.tcpwrap => 110.neggrpperm} (67%) create mode 100644 etc/periodic/weekly/450.status-security diff --git a/Makefile_upgrade.inc b/Makefile_upgrade.inc index a8154cefa7..af639c380d 100644 --- a/Makefile_upgrade.inc +++ b/Makefile_upgrade.inc @@ -3376,6 +3376,7 @@ TO_REMOVE+=/usr/share/man/man2/expreadv.2.gz TO_REMOVE+=/etc/periodic/monthly/300.statistics TO_REMOVE+=/etc/periodic/weekly/120.clean-kvmdb TO_REMOVE+=/etc/periodic/daily/470.status-named +TO_REMOVE+=/etc/periodic/daily/430.status-rwho .if !defined(WANT_INSTALLER) TO_REMOVE+=/usr/sbin/dfuibe_installer diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf index 019f53cbf7..b73c288e52 100644 --- a/etc/defaults/periodic.conf +++ b/etc/defaults/periodic.conf 
@@ -13,15 +13,17 @@ # For a more detailed explanation of all the periodic.conf variables, please # refer to the periodic.conf(5) manual page. # -# $FreeBSD: src/etc/defaults/periodic.conf,v 1.7.2.13 2002/11/07 19:43:16 thomas Exp $ +# $FreeBSD: head/etc/defaults/periodic.conf 324738 2017-10-19 03:17:50Z cy $ # # What files override these defaults ? periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local" # periodic script dirs -local_periodic="/usr/local/etc/periodic /usr/pkg/etc/periodic" +local_periodic="/usr/local/etc/periodic" +# Max time to sleep to avoid causing congestion on download servers +anticongestion_sleeptime=3600 # Daily options @@ -46,7 +48,8 @@ daily_clean_tmps_enable="NO" # Delete stuff daily daily_clean_tmps_dirs="/tmp" # Delete under here daily_clean_tmps_days="3" # If not accessed for daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix" -daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group" +daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap" +daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal" # Don't delete these daily_clean_tmps_verbose="YES" # Mention files deleted @@ -65,7 +68,8 @@ daily_clean_rwho_days=7 # If not modified for daily_clean_rwho_verbose="YES" # Mention files deleted # 150.clean-hoststat -daily_clean_hoststat_enable="NO" # Delete .hoststat daily +daily_clean_hoststat_enable="YES" # Purge sendmail host + # status cache daily # 160.clean-hammer daily_clean_hammer_enable="YES" # HAMMER maintenance 
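Review bot: The new `local_periodic="/usr/local/etc/periodic"` drops `/usr/pkg/etc/periodic`, so any periodic scripts a pkgsrc package installs under /usr/pkg stop running after this commit, which sits oddly with the stated intent of keeping DragonFly-specific settings. If the pkgsrc path is deliberately retired, say so in the commit message; otherwise keep `local_periodic="/usr/local/etc/periodic /usr/pkg/etc/periodic"`. The same hunk adds `anticongestion_sleeptime=3600`, which the new `anticongestion()` at the end of the file passes unquoted to jot, so an administrator who blanks the value to "disable" the sleep changes jot's argument list rather than the delay; a comment such as `# Seconds; must be a non-negative integer` next to it would head that off.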
@@ -97,17 +101,18 @@ daily_news_expire_enable="YES" # Run news.expire # 400.status-disks daily_status_disks_enable="YES" # Check disk status -daily_status_disks_df_flags="-k -l -h" # df(1) flags for check +daily_status_disks_df_flags="-l -h" # df(1) flags for check -# 410.logincheck # Check /etc/login.conf -daily_status_security_logincheck_enable="YES" +# 410.status-mfi +daily_status_mfi_enable="NO" # Check mfiutil(8) # 420.status-network daily_status_network_enable="YES" # Check network status daily_status_network_usedns="YES" # DNS lookups are ok +daily_status_network_netstat_flags="-d" # netstat(1) flags -# 430.status-rwho -daily_status_rwho_enable="YES" # Check system status +# 430.status-uptime +daily_status_uptime_enable="YES" # Check system uptime # 440.status-mailq daily_status_mailq_enable="YES" # Check mail status 
@@ -116,69 +121,23 @@ daily_status_include_submit_mailq="YES" # Also submit queue # 450.status-security daily_status_security_enable="YES" # Security check -# See "Security options" below for more options +# See also "Security options" below for more options +daily_status_security_inline="NO" # Run inline ? +daily_status_security_output="root" # user or /file # 460.status-mail-rejects daily_status_mail_rejects_enable="YES" # Check mail rejects daily_status_mail_rejects_logs=3 # How many logs to check +daily_status_mail_rejects_shorten="NO" # Shorten output # 500.queuerun daily_queuerun_enable="YES" # Run mail queue -daily_submit_queuerun="NO" # Also submit queue +daily_submit_queuerun="YES" # Also submit queue # 999.local daily_local="/etc/daily.local" # Local scripts -# Security options - -# These options are used by the security periodic(8) scripts spawned in -# 450.status-security above. -daily_status_security_inline="NO" # Run inline ? -daily_status_security_output="root" # user or /file -daily_status_security_nomfs="NO" # Don't check mfs mounts -daily_status_security_logdir="/var/log" # Directory for logs -daily_status_security_diff_flags="-b" # flags for diff output - -# 100.chksetuid -daily_status_security_chksetuid_enable="YES" - -# 200.chkmounts -daily_status_security_chkmounts_enable="YES" -#daily_status_security_chkmounts_ignore="^mfs:" # Don't check matching - # FS types - -# 300.chkuid0 -daily_status_security_chkuid0_enable="YES" - -# 400.passwdless -daily_status_security_passwdless_enable="YES" - -# 500.ipfwdenied -daily_status_security_ipfwdenied_enable="YES" - -# 520.pfdenied -daily_status_security_pfdenied_enable="YES" - -# 550.ipfwlimit -daily_status_security_ipfwlimit_enable="YES" - -# 600.ip6fwdenied -daily_status_security_ip6fwdenied_enable="YES" - -# 650.ip6fwlimit -daily_status_security_ip6fwlimit_enable="YES" - -# 700.kernelmsg -daily_status_security_kernelmsg_enable="YES" - -# 800.loginfail -daily_status_security_loginfail_enable="YES" - -# 
900.tcpwrap -daily_status_security_tcpwrap_enable="YES" - - # Weekly options # These options are used by periodic(8) itself to determine what to do @@ -204,6 +163,12 @@ weekly_catman_enable="NO" # Preformat man pages weekly_noid_enable="NO" # Find unowned files weekly_noid_dirs="/" # Look here +# 450.status-security +weekly_status_security_enable="YES" # Security check +# See also "Security options" below for more options +weekly_status_security_inline="NO" # Run inline ? +weekly_status_security_output="root" # user or /file + # 999.local weekly_local="/etc/weekly.local" # Local scripts 
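Review bot: `daily_submit_queuerun` flips from "NO" to "YES" on the line after `daily_queuerun_enable`, and the -65 hunk earlier in this file flips `daily_clean_hoststat_enable` from "NO" to "YES"; both change behaviour on existing installations that do not override them, while the commit message only describes the security-variable rename. Either call the default changes out in the message or keep the old values if the sync was meant to be structural. The removed per-script `daily_status_security_*_enable` defaults appear to be mapped by `security_daily_compat_var` later in this file, so overrides in /etc/periodic.conf should keep working with a deprecation warning, but that only holds for scripts that call the shim.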
@@ -223,28 +188,197 @@ monthly_show_badconfig="NO" # scripts returning 2 # 200.accounting monthly_accounting_enable="YES" # Login accounting +# 450.status-security +monthly_status_security_enable="YES" # Security check +# See also "Security options" below for more options +monthly_status_security_inline="NO" # Run inline ? +monthly_status_security_output="root" # user or /file # 999.local monthly_local="/etc/monthly.local" # Local scripts +# Security options + +security_show_success="YES" # scripts returning 0 +security_show_info="YES" # scripts returning 1 +security_show_badconfig="NO" # scripts returning 2 + +# These options are used by the security periodic(8) scripts spawned in +# daily and weekly 450.status-security. +security_status_logdir="/var/log" # Directory for logs +security_status_diff_flags="-b -u" # flags for diff output + +# Each of the security_status_*_period options below can have one of the +# following values: +# - NO: do not run at all +# - daily: only run during the daily security status +# - weekly: only run during the weekly security status +# - monthly: only run during the monthly security status +# Note that if periodic security scripts are run from crontab(5) directly, +# they will be run unless _enable or _period is set to "NO". 
+ +# 100.chksetuid +security_status_chksetuid_enable="YES" +security_status_chksetuid_period="daily" + +# 110.neggrpperm +security_status_neggrpperm_enable="YES" +security_status_neggrpperm_period="daily" + +# 200.chkmounts +security_status_chkmounts_enable="YES" +security_status_chkmounts_period="daily" +#security_status_chkmounts_ignore="^mfs:" # Don't check matching + # FS types +security_status_nomfs="NO" # Don't check mfs mounts + +# 300.chkuid0 +security_status_chkuid0_enable="YES" +security_status_chkuid0_period="daily" + +# 400.passwdless +security_status_passwdless_enable="YES" +security_status_passwdless_period="daily" + +# 410.logincheck +security_status_logincheck_enable="YES" +security_status_logincheck_period="daily" + +# 500.ipfwdenied +security_status_ipfwdenied_enable="YES" +security_status_ipfwdenied_period="daily" + +# 520.pfdenied +security_status_pfdenied_enable="YES" +security_status_pfdenied_period="daily" + +# 550.ipfwlimit +security_status_ipfwlimit_enable="YES" +security_status_ipfwlimit_period="daily" + +# 600.ip6fwdenied +security_status_ip6fwdenied_enable="YES" +security_status_ip6fwdenied_period="daily" + +# 650.ip6fwlimit +security_status_ip6fwlimit_enable="YES" +security_status_ip6fwlimit_period="daily" + +# 700.kernelmsg +security_status_kernelmsg_enable="YES" +security_status_kernelmsg_period="daily" + +# 800.loginfail +security_status_loginfail_enable="YES" +security_status_loginfail_period="daily" + +# 900.tcpwrap +security_status_tcpwrap_enable="YES" +security_status_tcpwrap_period="daily" + + + # Define source_periodic_confs, the mechanism used by /etc/periodic/*/* # scripts to source defaults/periodic.conf overrides safely. if [ -z "${source_periodic_confs_defined}" ]; then - source_periodic_confs_defined=yes - source_periodic_confs () { - local i sourced_files - - for i in ${periodic_conf_files}; do - case ${sourced_files} in - *:$i:*) - ;; - *) - sourced_files="${sourced_files}:$i:" - [ -r $i ] && . 
$i - ;; - esac - done - } + source_periodic_confs_defined=yes + source_periodic_confs() { + local i sourced_files + + for i in ${periodic_conf_files}; do + case ${sourced_files} in + *:$i:*) + ;; + *) + sourced_files="${sourced_files}:$i:" + [ -r $i ] && . $i + ;; + esac + done + } + + # Sleep for a random amount of time in order to mitigate the thundering + # herd problem of multiple hosts running periodic simultaneously. + # Will not sleep when used interactively. + # Will sleep at most once per invocation of periodic + anticongestion() { + [ -n "$PERIODIC_IS_INTERACTIVE" ] && return + if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then + rm -f $PERIODIC_ANTICONGESTION_FILE + sleep `jot -r 1 0 ${anticongestion_sleeptime}` + fi + } + + # Compatibility with old daily variable names. + # They can be removed in stable/11. + security_daily_compat_var() { + local var=$1 dailyvar value + + dailyvar=daily_status_security${var#security_status} + periodvar=${var%enable}period + eval value=\"\$$dailyvar\" + [ -z "$value" ] && return + echo "Warning: Variable \$$dailyvar is deprecated," \ + "use \$$var instead." >&2 + case "$value" in + [Yy][Ee][Ss]) + eval $var=YES + eval $periodvar=daily + ;; + *) + eval $var=\"$value\" + ;; + esac + } + + check_yesno_period() { + local var="$1" periodvar value period + + eval value=\"\$$var\" + case "$value" in + [Yy][Ee][Ss]) ;; + *) return 1 ;; + esac + + periodvar=${var%enable}period + eval period=\"\$$periodvar\" + case "$PERIODIC" in + "security daily") + case "$period" in + [Dd][Aa][Ii][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security weekly") + case "$period" in + [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security monthly") + case "$period" in + [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + security) + # Run directly from crontab(5). + case "$period" in + [Nn][Oo]) return 1 ;; + *) return 0 ;; + esac + ;; + '') + # Script run manually. 
+ return 0 + ;; + *) + echo "ASSERTION FAILED: Unexpected value for" \ + "\$PERIODIC: '$PERIODIC'" >&2 + exit 127 + ;; + esac + } fi diff --git a/etc/periodic/daily/100.clean-disks b/etc/periodic/daily/100.clean-disks index 78fd80f968..9353e4eba7 100644 --- a/etc/periodic/daily/100.clean-disks +++ b/etc/periodic/daily/100.clean-disks @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/100.clean-disks,v 1.3.2.6 2001/04/25 12:13:12 ru Exp $ -# $DragonFly: src/etc/periodic/daily/100.clean-disks,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/100.clean-disks 193302 2009-06-02 07:35:51Z brian $ # # Remove garbage files more than $daily_clean_disks_days days old # @@ -30,7 +29,7 @@ case "$daily_clean_disks_enable" in echo "" echo "Cleaning disks:" set -f noglob - args="$args -name "`echo "$daily_clean_disks_files" | + args="-name "`echo "$daily_clean_disks_files" | sed -e 's/^[ ]*//' \ -e 's/[ ]*$//' \ -e 's/[ ][ ]*/ -o -name /g'` @@ -42,9 +41,9 @@ case "$daily_clean_disks_enable" in print=;; esac - rc=$(find / \( ! -fstype local -o -fstype rdonly \) -a -prune -o \ - \( $args \) -atime +$daily_clean_disks_days -delete $print | - tee /dev/stderr | wc -l) + rc=$(find / \( ! -fstype local -o -fstype rdonly \) -prune -o \ + \( $args \) -atime +$daily_clean_disks_days \ + -execdir rm -df {} \; $print | tee /dev/stderr | wc -l) [ -z "$print" ] && rc=0 [ $rc -gt 1 ] && rc=1 set -f glob diff --git a/etc/periodic/daily/110.clean-tmps b/etc/periodic/daily/110.clean-tmps index 1643afe3a2..ca8f2088cf 100644 --- a/etc/periodic/daily/110.clean-tmps +++ b/etc/periodic/daily/110.clean-tmps 
@@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/110.clean-tmps,v 1.13 2004/02/28 04:58:40 ache Exp $ -# $DragonFly: src/etc/periodic/daily/110.clean-tmps,v 1.3 2007/12/29 21:44:44 matthias Exp $ +# $FreeBSD: head/etc/periodic/daily/110.clean-tmps 271321 2014-09-09 17:03:58Z bdrewery $ # # Perform temporary directory cleaning so that long-lived systems # don't end up with excessively old files there. @@ -46,8 +45,8 @@ case "$daily_clean_tmps_enable" in rc=$(for dir in $daily_clean_tmps_dirs do [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && { - find -d . -type f $args -delete $print - find -d . ! -name . -type d $dargs -delete $print + find -x -d . -type f $args -delete $print + find -x -d . ! -name . -type d $dargs -delete $print } | sed "s,^\\., $dir," done | tee /dev/stderr | wc -l) [ -z "$print" ] && rc=0 diff --git a/etc/periodic/daily/120.clean-preserve b/etc/periodic/daily/120.clean-preserve index ef83891411..45518cea50 100644 --- a/etc/periodic/daily/120.clean-preserve +++ b/etc/periodic/daily/120.clean-preserve @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/120.clean-preserve,v 1.4.2.2 2000/09/20 02:46:15 jkh Exp $ -# $DragonFly: src/etc/periodic/daily/120.clean-preserve,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/120.clean-preserve 65843 2000-09-14 17:19:15Z brian $ # # Remove stale files in /var/preserve # diff --git a/etc/periodic/daily/130.clean-msgs b/etc/periodic/daily/130.clean-msgs index b30b86c6bb..6584ca1f64 100644 --- a/etc/periodic/daily/130.clean-msgs +++ b/etc/periodic/daily/130.clean-msgs @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/130.clean-msgs,v 1.3.2.2 2000/09/20 02:46:15 jkh Exp $ -# $DragonFly: src/etc/periodic/daily/130.clean-msgs,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/130.clean-msgs 65843 2000-09-14 17:19:15Z brian $ # # Remove system messages # 
diff --git a/etc/periodic/daily/140.clean-rwho b/etc/periodic/daily/140.clean-rwho index 1c4ac7d778..a2a1f9b50c 100644 --- a/etc/periodic/daily/140.clean-rwho +++ b/etc/periodic/daily/140.clean-rwho @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/140.clean-rwho,v 1.4.2.2 2000/09/20 02:46:15 jkh Exp $ -# $DragonFly: src/etc/periodic/daily/140.clean-rwho,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/140.clean-rwho 65843 2000-09-14 17:19:15Z brian $ # # Remove stale files in /var/rwho # diff --git a/etc/periodic/daily/150.clean-hoststat b/etc/periodic/daily/150.clean-hoststat index c5091be73a..7d9e58ebaf 100644 --- a/etc/periodic/daily/150.clean-hoststat +++ b/etc/periodic/daily/150.clean-hoststat @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/150.clean-hoststat,v 1.8 2004/01/02 18:50:22 gshapiro Exp $ -# $DragonFly: src/etc/periodic/daily/150.clean-hoststat,v 1.3 2005/07/25 00:24:31 gshapiro Exp $ +# $FreeBSD: head/etc/periodic/daily/150.clean-hoststat 124080 2004-01-02 18:50:22Z gshapiro $ # # Remove stale persistent host status files # diff --git a/etc/periodic/daily/200.backup-passwd b/etc/periodic/daily/200.backup-passwd index b15f952bfc..f85df48230 100644 --- a/etc/periodic/daily/200.backup-passwd +++ b/etc/periodic/daily/200.backup-passwd @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/200.backup-passwd,v 1.6.2.3 2001/11/17 22:42:46 cjc Exp $ -# $DragonFly: src/etc/periodic/daily/200.backup-passwd,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/200.backup-passwd 326074 2017-11-21 20:31:54Z emaste $ # # If there is a global system configuration file, suck it in. 
@@ -42,8 +41,8 @@ case "$daily_backup_passwd_enable" in then [ $rc -lt 1 ] && rc=1 echo "$host passwd diffs:" - diff -I '^#' $bak/master.passwd.bak /etc/master.passwd |\ - sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/' + diff -uI '^#' $bak/master.passwd.bak /etc/master.passwd |\ + sed 's/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/' mv $bak/master.passwd.bak $bak/master.passwd.bak2 cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3 fi @@ -59,7 +58,7 @@ case "$daily_backup_passwd_enable" in then [ $rc -lt 1 ] && rc=1 echo "$host group diffs:" - diff $bak/group.bak /etc/group + diff -u $bak/group.bak /etc/group mv $bak/group.bak $bak/group.bak2 cp -p /etc/group $bak/group.bak || rc=3 fi diff --git a/etc/periodic/daily/210.backup-aliases b/etc/periodic/daily/210.backup-aliases index 656a582804..9c1dc6e61e 100644 --- a/etc/periodic/daily/210.backup-aliases +++ b/etc/periodic/daily/210.backup-aliases @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/210.backup-aliases,v 1.3.2.3 2000/09/20 02:46:15 jkh Exp $ -# $DragonFly: src/etc/periodic/daily/210.backup-aliases,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/210.backup-aliases 65843 2000-09-14 17:19:15Z brian $ # # If there is a global system configuration file, suck it in. diff --git a/etc/periodic/daily/300.calendar b/etc/periodic/daily/300.calendar index ac32a90f6b..f962f9832d 100644 --- a/etc/periodic/daily/300.calendar +++ b/etc/periodic/daily/300.calendar @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/300.calendar,v 1.3.2.2 2000/09/20 02:46:15 jkh Exp $ -# $DragonFly: src/etc/periodic/daily/300.calendar,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/300.calendar 65843 2000-09-14 17:19:15Z brian $ # # `calendar -a' needs to die. Why? Because it's a bad idea, particular # with networked home directories, but also in general. If you want the 
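Review bot: The new masking expression `s/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/` excludes `-` and `+` from the user-name class, so a diff line for an account whose name contains a hyphen (user names may legitimately contain one) never matches and its password hash is mailed unmasked in the daily report; the old `[^:]*` class had no such gap. The exclusion looks intended to keep the unified-diff `---`/`+++` header lines, whose timestamps contain colons, from being rewritten, so skip those lines explicitly instead: `sed -e '/^--- /b' -e '/^+++ /b' -e 's/^\([-+ ][^:]*\):[^:]*:/\1:(password):/'`. The `diff -u` of /etc/group in the -59 hunk below has no secret field and needs no masking.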
diff --git a/etc/periodic/daily/310.accounting b/etc/periodic/daily/310.accounting index b7ff5705f9..eaf3acd144 100644 --- a/etc/periodic/daily/310.accounting +++ b/etc/periodic/daily/310.accounting @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/310.accounting,v 1.3.2.3 2001/06/13 19:36:50 brian Exp $ -# $DragonFly: src/etc/periodic/daily/310.accounting,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/310.accounting 227482 2011-11-13 03:01:58Z dougb $ # # If there is a global system configuration file, suck it in. @@ -30,9 +29,14 @@ case "$daily_accounting_enable" in cd /var/account rc=0 - - n=$daily_accounting_save - rm -f acct.$n.gz acct.$n || rc=3 + + n=$(( $daily_accounting_save - 1 )) + for f in acct.*; do + case "$f" in acct.\*) continue ;; esac # No files match + m=${f%.gz} ; m=${m#acct.} + [ $m -ge $n ] && { rm $f || rc=3; } + done + m=$n n=$(($n - 1)) while [ $n -ge 0 ] @@ -42,8 +46,12 @@ case "$daily_accounting_enable" in m=$n n=$(($n - 1)) done - cp -pf acct acct.0 || rc=3 - sa -s $daily_accounting_flags || rc=3 + + /etc/rc.d/accounting rotate_log || rc=3 + + rm -f acct.merge && cp acct.0 acct.merge || rc=3 + sa -s $daily_accounting_flags /var/account/acct.merge || rc=3 + rm acct.merge case "$daily_accounting_compress" in [Yy][Ee][Ss]) diff --git a/etc/periodic/daily/330.news b/etc/periodic/daily/330.news index 7f300e3804..736ff35132 100644 --- a/etc/periodic/daily/330.news +++ b/etc/periodic/daily/330.news @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/330.news,v 1.2.2.2 2000/09/20 02:46:15 jkh Exp $ -# $DragonFly: src/etc/periodic/daily/330.news,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/330.news 65843 2000-09-14 17:19:15Z brian $ # # Expire news articles # (This is present only for backwards compatibility, usually the news diff --git a/etc/periodic/daily/400.status-disks b/etc/periodic/daily/400.status-disks index 430f8f7197..92a91f8d1e 100644 
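Review bot: The rewritten rotation calls `/etc/rc.d/accounting rotate_log`, but the diffstat shows no change to etc/rc.d/accounting; if DragonFly's script does not implement that subcommand the rotation fails with rc=3 every day and `acct.0` is never refreshed, so confirm it exists before merging. In the -30 hunk, `[ $m -ge $n ]` assumes every `acct.*` name has a numeric suffix, yet the -42 hunk creates `acct.merge` in the same directory; if a run is interrupted between the `cp` and the final `rm`, the leftover file makes test(1) complain about a non-integer on every subsequent run. Guard the comparison with `case "$m" in *[!0-9]*) continue ;; esac` before the `-ge` test.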
--- a/etc/periodic/daily/400.status-disks +++ b/etc/periodic/daily/400.status-disks @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/400.status-disks,v 1.2.2.3 2002/03/06 12:14:16 brian Exp $ -# $DragonFly: src/etc/periodic/daily/400.status-disks,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/400.status-disks 290743 2015-11-13 06:20:27Z des $ # # If there is a global system configuration file, suck it in. @@ -17,12 +16,23 @@ case "$daily_status_disks_enable" in echo "" echo "Disk status:" - df $daily_status_disks_df_flags && rc=1 || rc=3 + if [ -n "${daily_status_disks_ignore}" ] ; then + ignore="egrep -v ${daily_status_disks_ignore}" + else + ignore="cat" + fi + (df $daily_status_disks_df_flags | ${ignore}) && rc=1 || rc=3 # display which filesystems need backing up + if [ -s /etc/dumpdates ]; then + if ! [ -f /etc/fstab ]; then + export PATH_FSTAB=/dev/null + fi - echo "" - dump W || rc=3;; + echo "" + dump W || rc=3 + fi + ;; *) rc=0;; esac diff --git a/etc/periodic/daily/410.status-mfi b/etc/periodic/daily/410.status-mfi new file mode 100644 index 0000000000..d33a6dd090 --- /dev/null +++ b/etc/periodic/daily/410.status-mfi @@ -0,0 +1,33 @@ +#!/bin/sh +# +# $FreeBSD: head/etc/periodic/daily/410.status-mfi 316945 2017-04-14 22:59:14Z asomers $ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_mfi_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of mfi(4) devices:' + + if mfiutil show volumes; then + if mfiutil show volumes | grep -q DEGRADED; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/etc/periodic/daily/420.status-network b/etc/periodic/daily/420.status-network index f28a33b81f..3da2d6ba12 100644 --- a/etc/periodic/daily/420.status-network +++ b/etc/periodic/daily/420.status-network 
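Review bot: `ignore="egrep -v ${daily_status_disks_ignore}"` is later expanded unquoted as `${ignore}`, so a pattern containing whitespace is split into several arguments (the extras are read as file names) and a pattern beginning with `-` is parsed as an egrep option; the new pipeline also yields egrep's or cat's exit status rather than df's, so a df failure no longer produces rc=3 as it did before this change. Capture df's status first and apply the filter with a quoted `-e` pattern, as below. `daily_status_disks_ignore` gets no default or comment in this commit's periodic.conf hunk; adding `daily_status_disks_ignore=""  # egrep pattern of file systems to omit` next to `daily_status_disks_df_flags` would document the new knob.
```shell
	echo ""
	echo "Disk status:"
	# Keep df's own status: a pipeline would report the filter's status instead
	if out=$(df $daily_status_disks_df_flags); then
		rc=1
	else
		rc=3
	fi
	if [ -n "${daily_status_disks_ignore}" ] ; then
		# -e keeps a pattern beginning with "-" from being read as an option
		printf '%s\n' "$out" | egrep -v -e "${daily_status_disks_ignore}"
	else
		printf '%s\n' "$out"
	fi
	# … unchanged: dump W check …
```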
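Review bot: `mfiutil show volumes` is executed twice in the new 410.status-mfi, once for the report and once for the DEGRADED grep, so the printed listing and the verdict can reflect different controller states, and because the second invocation is a pipeline whose status is grep's, a failure of that call is silently reported as healthy (rc=0). Run it once and reuse the output: `if out=$(mfiutil show volumes); then`, `echo "$out"`, `if echo "$out" | grep -q DEGRADED; then`. A one-line header comment stating that the check requires mfi(4) hardware and is off by default would also help readers of the DragonFly tree.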
@@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/420.status-network,v 1.3.2.2 2000/09/20 02:46:15 jkh Exp $ -# $DragonFly: src/etc/periodic/daily/420.status-network,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/420.status-network 280721 2015-03-27 00:37:41Z jhb $ # # If there is a global system configuration file, suck it in. @@ -17,12 +16,14 @@ case "$daily_status_network_enable" in echo "" echo "Network interface status:" + flags="${daily_status_network_netstat_flags}" case "$daily_status_network_usedns" in [Yy][Ee][Ss]) - netstat -i && rc=0 || rc=3;; + ;; *) - netstat -in && rc=0 || rc=3;; - esac;; + flags="${flags} -n";; + esac + netstat -i ${flags} && rc=0 || rc=3;; *) rc=0;; esac diff --git a/etc/periodic/daily/430.status-rwho b/etc/periodic/daily/430.status-uptime similarity index 71% rename from etc/periodic/daily/430.status-rwho rename to etc/periodic/daily/430.status-uptime index b90fa276e3..d390a2beab 100644 --- a/etc/periodic/daily/430.status-rwho +++ b/etc/periodic/daily/430.status-uptime @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/430.status-rwho,v 1.3.2.2 2000/09/20 02:46:15 jkh Exp $ -# $DragonFly: src/etc/periodic/daily/430.status-rwho,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/430.status-uptime 290252 2015-11-02 01:05:34Z ngie $ # # If there is a global system configuration file, suck it in. @@ -12,7 +11,7 @@ then source_periodic_confs fi -case "$daily_status_rwho_enable" in +case "$daily_status_uptime_enable" in [Yy][Ee][Ss]) rwho=$(echo /var/rwho/*) if [ -f "${rwho%% *}" ] diff --git a/etc/periodic/daily/440.status-mailq b/etc/periodic/daily/440.status-mailq index e60a0be354..0886edbe4e 100644 --- a/etc/periodic/daily/440.status-mailq +++ b/etc/periodic/daily/440.status-mailq @@ -59,7 +59,7 @@ case "$daily_status_mailq_enable" in fi;; esac fi;; - + *) rc=0;; esac 
diff --git a/etc/periodic/daily/450.status-security b/etc/periodic/daily/450.status-security index f78eda6c34..75913be484 100644 --- a/etc/periodic/daily/450.status-security +++ b/etc/periodic/daily/450.status-security @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/450.status-security,v 1.3.2.7 2002/05/21 03:20:49 brian Exp $ -# $DragonFly: src/etc/periodic/daily/450.status-security,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/450.status-security 316548 2017-04-06 01:37:03Z asomers $ # # If there is a global system configuration file, suck it in. @@ -19,22 +18,29 @@ case "$daily_status_security_enable" in case "$daily_status_security_inline" in [Yy][Ee][Ss]) - export security_output="";; - *) - export security_output="${daily_status_security_output}" - case "${daily_status_security_output}" in - "") - ;; - /*) - echo " (output logged separately)";; - *) - echo " (output mailed separately)";; - esac;; + daily_status_security_output="";; esac - periodic security - rc=3;; - + export security_output="${daily_status_security_output}" + rc=0 + case "${daily_status_security_output}" in + "") + if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` + then + periodic security > $tempfile || rc=3 + if [ -s "$tempfile" ]; then + cat "$tempfile" + rc=3 + fi + rm -f "$tempfile" + fi;; + /*) + echo " (output logged separately)" + periodic security || rc=3;; + *) + echo " (output mailed separately)" + periodic security || rc=3;; + esac;; *) rc=0;; esac diff --git a/etc/periodic/daily/460.status-mail-rejects b/etc/periodic/daily/460.status-mail-rejects index 87cc8b3a86..63a6466773 100644 --- a/etc/periodic/daily/460.status-mail-rejects +++ b/etc/periodic/daily/460.status-mail-rejects 
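Review bot: When `mktemp` fails in the `""` branch, the `if tempfile=...` body is skipped, `periodic security` never runs and rc stays 0, so a full or unwritable ${TMPDIR:-/tmp} silently suppresses the entire security report with a success status. Add an else branch: `else`, `echo "Unable to create temporary file, security check skipped"`, `rc=3`. The new monthly/450.status-security and, per the diffstat, weekly/450.status-security carry the same block and need the same fix. `$tempfile` is quoted in three of its four uses here; quote the redirection as `> "$tempfile"` too.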
@@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/460.status-mail-rejects,v 1.20 2005/01/12 01:31:21 brian Exp $ -# $DragonFly: src/etc/periodic/daily/460.status-mail-rejects,v 1.4 2007/12/29 21:44:44 matthias Exp $ +# $FreeBSD: head/etc/periodic/daily/460.status-mail-rejects 192970 2009-05-28 07:43:06Z brian $ # # If there is a global system configuration file, suck it in. @@ -12,6 +11,11 @@ then source_periodic_confs fi +case "$daily_status_mail_rejects_shorten" in +[Yy][Ee][Ss]) shorten='cut -d" " -f2,3';; +*) shorten=cat;; +esac + case "$daily_status_mail_rejects_enable" in [Yy][Ee][Ss]) if [ ! -d /etc/mail ] @@ -33,7 +37,8 @@ case "$daily_status_mail_rejects_enable" in echo echo Checking for rejected mail hosts: - start=`date -v-1d '+%b %e'` + yesterday=$(date -v-1d '+%b %e') + today=$(date '+%b %e') n=$(($daily_status_mail_rejects_logs - 2)) rc=$({ while [ $n -ge 0 ] @@ -51,9 +56,14 @@ case "$daily_status_mail_rejects_enable" in n=$(($n - 1)) done cat /var/log/maillog - } | - sed -n -E "s/^$start"'.*ruleset=check_[^ ]+, +arg1=,]+).*reject=([^ ]+) .* ([^ ]+)$/\2 (\3... \4)/p' | - sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l) + } | sed -Ene "/^$today/q" -e "/^$yesterday/{"' + s/.*ruleset=check_relay,.* relay=([^,]+), reject=([^ ]*).*/\2 check_relay \1/p + t end + s/.*ruleset=check_rcpt,.* arg1=,]+).* reject=([^ ]+) .* ([^ ]+)/\2 check_rcpt \1 \3/p + t end + s/.*ruleset=check_([^,]+),.* arg1=,]+).* reject=([^ ]+) .* ([^ ]+)/\4 check_\1 \3 \5/p + :end + }' | eval $shorten | sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l) [ $rc -gt 0 ] && rc=1 fi;; diff --git a/etc/periodic/daily/500.queuerun b/etc/periodic/daily/500.queuerun index 7e2c8faa64..24c96631da 100644 --- a/etc/periodic/daily/500.queuerun +++ b/etc/periodic/daily/500.queuerun 
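Review bot: The two `arg1=,]+)` fragments in the rewritten sed program are not a valid bracket expression as shown here, and an unbalanced `)` makes `sed -E` reject the script at load time rather than match nothing; presumably the angle brackets of an `arg1=<([^,]+)>` pattern were lost when the patch was rendered, so verify the committed file against the FreeBSD original before relying on this view. The `"/^$today/q"` expression stops at the first line from today, which is correct only because the `while` loop above feeds the rotated logs oldest-first; a short comment above the pipeline stating that ordering assumption would help the next reader.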
@@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/500.queuerun,v 1.1.2.3 2002/04/15 01:56:15 gshapiro Exp $ -# $DragonFly: src/etc/periodic/daily/500.queuerun,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/500.queuerun 94342 2002-04-10 03:58:40Z gshapiro $ # # If there is a global system configuration file, suck it in. diff --git a/etc/periodic/daily/999.local b/etc/periodic/daily/999.local index 63e9a3a0de..17358ecfe5 100644 --- a/etc/periodic/daily/999.local +++ b/etc/periodic/daily/999.local @@ -1,7 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/999.local,v 1.2.2.3 2001/08/01 20:38:03 obrien Exp $ -# $DragonFly: src/etc/periodic/daily/999.local,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/daily/999.local 313069 2017-02-01 23:22:54Z asomers $ # # Run the old /etc/daily.local script. This is really for backwards # compatibility more than anything else. @@ -21,7 +20,12 @@ do echo '' case "$script" in /*) - if [ -f "$script" ] + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] then echo "Running $script:" diff --git a/etc/periodic/daily/Makefile b/etc/periodic/daily/Makefile index 466fd9b026..ccc68ea18f 100644 --- a/etc/periodic/daily/Makefile +++ b/etc/periodic/daily/Makefile @@ -15,7 +15,7 @@ FILES= 100.clean-disks \ 330.news \ 400.status-disks \ 420.status-network \ - 430.status-rwho \ + 430.status-uptime \ 440.status-mailq \ 450.status-security \ 460.status-mail-rejects \ diff --git a/etc/periodic/monthly/200.accounting b/etc/periodic/monthly/200.accounting index c5b37249eb..6071a1354b 100644 --- a/etc/periodic/monthly/200.accounting +++ b/etc/periodic/monthly/200.accounting 
@@ -1,7 +1,6 @@
 #!/bin/sh - #
-# $FreeBSD: src/etc/periodic/monthly/200.accounting,v 1.4.2.5 2002/05/21 03:17:08 brian Exp $
-# $DragonFly: src/etc/periodic/monthly/200.accounting,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/monthly/200.accounting 202218 2010-01-13 19:07:48Z ed $
 # # If there is a global system configuration file, suck it in.
@@ -40,7 +39,7 @@ case "$monthly_accounting_enable" in echo "" echo "Doing login accounting:"
- rc=$(ac -p -w $W.0 | sort -nr +1 | tee /dev/stderr | wc -l)
+ rc=$(ac -p -w $W.0 | sort -nr -k 2 | tee /dev/stderr | wc -l)
 [ $rc -gt 0 ] && rc=1 fi [ $remove = YES ] && rm -f $W.0;;
diff --git a/etc/periodic/monthly/450.status-security b/etc/periodic/monthly/450.status-security
new file mode 100644
index 0000000000..25712e011d
--- /dev/null
+++ b/etc/periodic/monthly/450.status-security
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# $FreeBSD: head/etc/periodic/monthly/450.status-security 316548 2017-04-06 01:37:03Z asomers $
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$monthly_status_security_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Security check:"
+
+ case "$monthly_status_security_inline" in
+ [Yy][Ee][Ss])
+ monthly_status_security_output="";;
+ esac
+
+ export security_output="${monthly_status_security_output}"
+ rc=0
+ case "${monthly_status_security_output}" in
+ "")
+ if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
+ then
+ periodic security > $tempfile || rc=3
+ if [ -s "$tempfile" ]; then
+ cat "$tempfile"
+ rc=3
+ fi
+ rm -f "$tempfile"
+ fi;;
+ /*)
+ echo " (output logged separately)"
+ periodic security || rc=3;;
+ *)
+ echo " (output mailed separately)"
+ periodic security || rc=3;;
+ esac;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/monthly/999.local b/etc/periodic/monthly/999.local
index ec1f0165ab..67de68d19d 100644
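Review bot: In the new monthly/450.status-security the `if tempfile=\`mktemp …\`` has no else branch, so when mktemp fails the whole security run is skipped and rc stays 0 — the report then shows a normal "Security check:" header with nothing under it, which is indistinguishable from a clean run. Adding `else` / `echo "mktemp failed; security checks not run"` / `rc=3` before the `fi;;` makes the failure visible with the same code the script already uses for a failed `periodic security`. `periodic security > $tempfile` also leaves the path unquoted while the three following lines quote it; `> "$tempfile"` is the consistent form. weekly/450.status-security in a later hunk is the same script apart from the variable prefix and has the same gap.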
--- a/etc/periodic/monthly/999.local +++ b/etc/periodic/monthly/999.local @@ -1,7 +1,6 @@ #!/bin/sh - # -# $FreeBSD: src/etc/periodic/monthly/999.local,v 1.2.2.3 2001/08/01 20:38:39 obrien Exp $ -# $DragonFly: src/etc/periodic/monthly/999.local,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/monthly/999.local 313069 2017-02-01 23:22:54Z asomers $ # # If there is a global system configuration file, suck it in. @@ -18,7 +17,12 @@ do echo '' case "$script" in /*) - if [ -f "$script" ] + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] then echo "Running $script:" diff --git a/etc/periodic/monthly/Makefile b/etc/periodic/monthly/Makefile index ad7d870abf..7961e178a3 100644 --- a/etc/periodic/monthly/Makefile +++ b/etc/periodic/monthly/Makefile @@ -1,6 +1,7 @@ # $FreeBSD: src/etc/periodic/monthly/Makefile,v 1.2.2.1 2002/07/18 12:36:07 ru Exp $ FILES= 200.accounting \ + 450.status-security \ 999.local .include diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid index 875dff3891..9620d9b4b9 100644 --- a/etc/periodic/security/100.chksetuid +++ b/etc/periodic/security/100.chksetuid @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.1.2.6 2002/11/07 19:38:46 thomas Exp $ -# $DragonFly: src/etc/periodic/security/100.chksetuid,v 1.3 2008/07/09 20:33:32 swildner Exp $ +# $FreeBSD: head/etc/periodic/security/100.chksetuid 322868 2017-08-25 00:28:56Z asomers $ # # If there is a global system configuration file, suck it in. 
@@ -38,28 +37,26 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chksetuid_enable + rc=0 -case "$daily_status_security_chksetuid_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_chksetuid_enable +then echo "" echo 'Checking setuid files and devices:' - # XXX Note that there is the possibility of overrunning the args to ls - MP=`mount -t hammer,ufs | grep -v " nosuid" | awk '{ print $3 }' | sort` - if [ -n "${MP}" ] - then - set ${MP} - while [ $# -ge 1 ]; do - mount=$1 - shift - find $mount -xdev -type f \ - \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ - \( -perm -u+s -or -perm -g+s \) -print0 - done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 | - check_diff setuid - "${host} setuid diffs:" - rc=$? - fi;; - *) rc=0;; -esac + IFS=$'\n' # Don't split mount points with spaces or tabs + MP=`mount -t ufs,hammer,hammer2 | awk ' + $0 !~ /no(suid|exec)/ { + sub(/^.* on \//, "/"); + sub(/ \(.*\)/, ""); + print $0 + }'` + find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ + \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ + \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | + check_diff setuid - "${host} setuid diffs:" + rc=$? +fi exit $rc diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/110.neggrpperm similarity index 67% copy from etc/periodic/security/900.tcpwrap copy to etc/periodic/security/110.neggrpperm index 13ee77029a..9ede6641be 100644 --- a/etc/periodic/security/900.tcpwrap +++ b/etc/periodic/security/110.neggrpperm 
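Review bot: `IFS=$'\n'` in 100.chksetuid depends on `$'…'` quoting, which is not POSIX sh; on an interpreter without it IFS becomes the literal characters `$`, `\` and `n`, `$MP` is then split at every `n` in a mount point name, find is handed fragments such as `/m` and `t`, and the setuid baseline silently shrinks. FreeBSD's sh accepts the syntax and the line is synced from there, so it is presumably fine on DragonFly's sh, but a comment such as `# $'\n' needs C-style quoting (FreeBSD/DragonFly sh); keeps mount points with spaces intact` would save the next reader the check. The awk filter `$0 !~ /no(suid|exec)/` matches anywhere in the mount line, so a device or mount point whose path happens to contain "nosuid" or "noexec" is excluded from the scan as well; matching only inside the parenthesised option list would avoid that. The same mount-parsing block is duplicated verbatim in 110.neggrpperm in the next hunk; a shared helper in security.functions would keep the two filters in step.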
@@ -24,11 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/900.tcpwrap,v 1.1.2.1 2002/02/25 10:53:47 cjc Exp $ -# $DragonFly: src/etc/periodic/security/900.tcpwrap,v 1.2 2003/06/17 04:24:48 dillon Exp $ -# - -# Show tcp_wrapper warning messages +# $FreeBSD: head/etc/periodic/security/110.neggrpperm 322868 2017-08-25 00:28:56Z asomers $ # # If there is a global system configuration file, suck it in. @@ -39,25 +35,27 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" - -yesterday=`date -v-1d "+%b %e "` +security_daily_compat_var security_status_neggrpperm_enable -catmsgs() { - find ${LOG} -name 'messages.*' -mtime -2 | - sort -t. -r -n +1 -2 | - xargs zcat -f - [ -f ${LOG}/messages ] && cat $LOG/messages -} +rc=0 -case "$daily_status_security_tcpwrap_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_neggrpperm_enable +then echo "" - echo "${host} refused connections:" - n=$(catmsgs | grep -i "^$yesterday.*refused connect" | - tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + echo 'Checking negative group permissions:' + IFS=$'\n' # Don't split mount points with spaces or tabs + MP=`mount -t ufs,hammer,hammer2 | awk ' + $0 !~ /no(suid|exec)/ { + sub(/^.* on \//, "/"); + sub(/ \(.*\)/, ""); + print $0 + }'` + n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ + \( \( ! -perm +010 -and -perm +001 \) -or \ + \( ! -perm +020 -and -perm +002 \) -or \ + \( ! -perm +040 -and -perm +004 \) \) \ + -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts index 42df9a113b..c1cfbf42fa 100644 --- a/etc/periodic/security/200.chkmounts +++ b/etc/periodic/security/200.chkmounts 
@@ -24,7 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/200.chkmounts,v 1.2.2.4 2002/11/07 19:38:46 thomas Exp $ +# $FreeBSD: head/etc/periodic/security/200.chkmounts 254974 2013-08-27 21:20:28Z jlh $ # # Show changes in the way filesystems are mounted @@ -40,20 +40,26 @@ fi . /etc/periodic/security/security.functions -ignore="${daily_status_security_chkmounts_ignore}" +security_daily_compat_var security_status_chkmounts_enable +security_daily_compat_var security_status_chkmounts_ignore +security_daily_compat_var security_status_nomfs + +ignore="${security_status_chkmounts_ignore}" rc=0 -case "$daily_status_security_chkmounts_enable" in - [Yy][Ee][Ss]) - case "$daily_status_security_nomfs" in +if check_yesno_period security_status_chkmounts_enable +then + case "$security_status_nomfs" in [Yy][Ee][Ss]) ignore="${ignore}|^mfs:" esac [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat - mount -p | ${cmd} | + if ! [ -f /etc/fstab ]; then + export PATH_FSTAB=/dev/null + fi + mount -p | sort | ${cmd} | check_diff mount - "${host} changes in mounted filesystems:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit "$rc" diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0 index bc26724cd5..beabb7c24f 100644 --- a/etc/periodic/security/300.chkuid0 +++ b/etc/periodic/security/300.chkuid0 @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/300.chkuid0,v 1.1.2.1 2002/02/25 10:53:47 cjc Exp $ -# $DragonFly: src/etc/periodic/security/300.chkuid0,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/security/300.chkuid0 254974 2013-08-27 21:20:28Z jlh $ # 
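Review bot: `export PATH_FSTAB=/dev/null` in 200.chkmounts, presumably there so mount(8) does not complain about a missing /etc/fstab, only works if DragonFly's mount(8)/getfsent(3) honour that variable as FreeBSD's do; if they do not, the export is dead code and the warning lands in the diff output, so it deserves both a check against libc and a comment (`# point mount(8) at an empty fstab so a missing /etc/fstab adds no warning to the diff`). Adding `sort` to the `mount -p` pipeline changes the order of the baseline kept as `${LOG}/mount.today`, so the first run after upgrading will report every mount as changed once; expected, but worth a comment or a line in the commit message so that one-off diff is not investigated as an incident.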
@@ -37,16 +36,19 @@ then source_periodic_confs fi -case "$daily_status_security_chkuid0_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_chkuid0_enable + +rc=0 + +if check_yesno_period security_status_chkuid0_enable +then echo "" echo 'Checking for uids of 0:' n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr | sed -e '/^root 0$/d' -e '/^toor 0$/d' | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless index ed9af7af15..aa4fc2e4e4 100644 --- a/etc/periodic/security/400.passwdless +++ b/etc/periodic/security/400.passwdless @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/400.passwdless,v 1.1.2.1 2002/02/25 10:53:47 cjc Exp $ -# $DragonFly: src/etc/periodic/security/400.passwdless,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/security/400.passwdless 254974 2013-08-27 21:20:28Z jlh $ # # If there is a global system configuration file, suck it in. @@ -36,14 +35,17 @@ then source_periodic_confs fi -case "$daily_status_security_passwdless_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_passwdless_enable + +rc=0 + +if check_yesno_period security_status_passwdless_enable +then echo "" echo 'Checking for passwordless accounts:' n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/410.logincheck b/etc/periodic/security/410.logincheck index 2690c894b5..b480e10367 100644 --- a/etc/periodic/security/410.logincheck +++ b/etc/periodic/security/410.logincheck 
@@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/410.logincheck,v 1.1 2006/08/25 07:34:36 trhodes Exp $ -# $DragonFly: src/etc/periodic/security/410.logincheck,v 1.2 2008/06/14 15:30:19 matthias Exp $ +# $FreeBSD: head/etc/periodic/security/410.logincheck 254974 2013-08-27 21:20:28Z jlh $ # # If there is a global system configuration file, suck it in. @@ -36,8 +35,12 @@ then source_periodic_confs fi -case "$daily_status_security_logincheck_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_logincheck_enable + +rc=0 + +if check_yesno_period security_status_logincheck_enable +then echo "" echo 'Checking login.conf permissions:' if [ -G /etc/login.conf -a -O /etc/login.conf ]; then @@ -46,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in echo "Bad ownership of /etc/login.conf" n=1 fi - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied index fa4b2d70c9..59265e91a3 100644 --- a/etc/periodic/security/500.ipfwdenied +++ b/etc/periodic/security/500.ipfwdenied @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/500.ipfwdenied,v 1.1.2.4 2002/11/07 19:38:46 thomas Exp $ -# $DragonFly: src/etc/periodic/security/500.ipfwdenied,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/security/500.ipfwdenied 254974 2013-08-27 21:20:28Z jlh $ # # If there is a global system configuration file, suck it in. 
@@ -38,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfwdenied_enable + rc=0 -case "$daily_status_security_ipfwdenied_enable" in - [Yy][Ee][Ss]) - TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` - if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then +if check_yesno_period security_status_ipfwdenied_enable +then + TMP=`mktemp -t security` + if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied index 1e5b9494ff..e313117e23 100644 --- a/etc/periodic/security/520.pfdenied +++ b/etc/periodic/security/520.pfdenied @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/520.pfdenied,v 1.1.2.1 2004/12/08 00:37:50 mlaier Exp $ -# $DragonFly: src/etc/periodic/security/520.pfdenied,v 1.1 2007/12/29 21:44:44 matthias Exp $ +# $FreeBSD: head/etc/periodic/security/520.pfdenied 306696 2016-10-04 23:12:35Z lidl $ # # If there is a global system configuration file, suck it in. 
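Review bot: In 500.ipfwdenied the result of `TMP=\`mktemp -t security\`` is still unchecked; if mktemp fails TMP is empty, the `> ${TMP}` redirection is a shell error and `rm -f ${TMP}` is a no-op, with no clear failure status. `TMP=$(mktemp -t security) || exit 3` (3 being what 450.status-security uses for a check that could not run) closes that, and the same pattern recurs in 520.pfdenied, 550.ipfwlimit, 600.ip6fwdenied and 650.ip6fwlimit in the following hunks. Note also that `rc=$?` after the `if … fi` is 0 when ipfw is absent, because the egrep stage decides the if and no then-branch runs; that is the intended "nothing to check" outcome but a short comment would make it obvious.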
@@ -38,17 +37,28 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_pfdenied_enable + rc=0 -case "$daily_status_security_pfdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_pfdenied_enable +then TMP=`mktemp -t security` - if pfctl -sr -v 2>/dev/null | awk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then - check_diff new_only pf ${TMP} "${host} pf denied packets:" + pfctl -sr -v -z 2>/dev/null | \ + awk '{ + if (/^block/) { + buf=$0 + getline + gsub(" +"," ",$0) + if ($5 > 0) + print buf$0 + } + }' > ${TMP} + if [ -s ${TMP} ]; then + check_diff new_only pf ${TMP} "${host} pf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit index 3a06a07b95..a263b5d527 100644 --- a/etc/periodic/security/550.ipfwlimit +++ b/etc/periodic/security/550.ipfwlimit @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.6 2003/06/30 22:06:26 mtm Exp $ -# $DragonFly: src/etc/periodic/security/550.ipfwlimit,v 1.3 2004/11/15 08:11:59 joerg Exp $ +# $FreeBSD: head/etc/periodic/security/550.ipfwlimit 254974 2013-08-27 21:20:28Z jlh $ # # Show ipfw rules which have reached the log limit 
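Review bot: `pfctl -sr -v -z` zeroes every rule's counters as a side effect of reading them, so each run of 520.pfdenied resets the statistics that any other consumer of `pfctl -sr -v` relies on, and the `$5 > 0` test only reflects traffic since the previous run — which, with security_status_period now configurable, may be a day, a week or a month. That is a behaviour change from the old version and should be stated above the pipeline, e.g. `# -z resets the per-rule counters: the Packets count covers only the interval since this check last ran`. Field `$5` also assumes pfctl's `[ Evaluations: N Packets: N … ]` line layout after the `gsub`; the comment should say so, since a layout change would silently turn the check off. The mktemp result above is unchecked, as noted on 500.ipfwdenied.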
@@ -39,26 +38,32 @@ then source_periodic_confs fi +security_daily_compat_var security_status_ipfwlimit_enable + rc=0 -case "$daily_status_security_ipfwlimit_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfwlimit_enable +then + IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` + if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then + exit 0 + fi TMP=`mktemp -t security` - IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` - if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then - ipfw -a l | grep " log " | \ - grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ - awk -v limit="$IPFW_LOG_LIMIT" \ - '{if ($2 > limit) {print $0}}' > ${TMP} - if [ -s "${TMP}" ]; then + ipfw -a list | grep " log " | \ + grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ + awk \ + '{if ($6 == "logamount") { + if ($2 > $7) + {print $0}} + }' > ${TMP} + + if [ -s "${TMP}" ]; then rc=1 echo "" echo 'ipfw log limit reached:' cat ${TMP} - fi fi - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/600.ip6fwdenied b/etc/periodic/security/600.ip6fwdenied index a89b55177f..64530c4a67 100644 --- a/etc/periodic/security/600.ip6fwdenied +++ b/etc/periodic/security/600.ip6fwdenied @@ -25,7 +25,6 @@ # SUCH DAMAGE. # # $FreeBSD: src/etc/periodic/security/600.ip6fwdenied,v 1.1.2.4 2002/11/07 19:38:46 thomas Exp $ -# $DragonFly: src/etc/periodic/security/600.ip6fwdenied,v 1.2 2003/06/17 04:24:48 dillon Exp $ # # If there is a global system configuration file, suck it in. 
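Review bot: The new awk in 550.ipfwlimit only reports rules whose listing carries an explicit `logamount` in field 6, and the old comparison against `net.inet.ip.fw.verbose_limit` is gone; if `ipfw -a list` prints plain `log` for rules that use the sysctl default (as FreeBSD's does), those rules are no longer checked at all, so a rule that quietly hit the default limit now goes unreported. Reading the sysctl once and falling back to it when `$6 != "logamount"` restores that coverage; 650.ip6fwlimit in a later hunk has the same change and needs the same fix. The early `exit 0` when verbose logging is off is fine but bypasses the script's `exit $rc`; a comment such as `# logging disabled: no rule can have reached a limit` keeps the intent visible.
```shell
	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
	ipfw -a list | grep " log " | \
	    grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
	    awk -v limit="$IPFW_LOG_LIMIT" \
	    '{ lim = ($6 == "logamount") ? $7 : limit
	       if (lim > 0 && $2 > lim) print $0 }' > ${TMP}
	# … unchanged: -s test, report, rm -f …
```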
@@ -38,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ip6fwdenied_enable + rc=0 -case "$daily_status_security_ip6fwdenied_enable" in - [Yy][Ee][Ss]) - TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` - if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then +if check_yesno_period security_status_ip6fwdenied_enable +then + TMP=`mktemp -t security` + if ip6fw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then check_diff new_only ip6fw ${TMP} "${host} ip6fw denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/650.ip6fwlimit b/etc/periodic/security/650.ip6fwlimit index 63a5415916..c1febe8a1c 100644 --- a/etc/periodic/security/650.ip6fwlimit +++ b/etc/periodic/security/650.ip6fwlimit @@ -25,7 +25,6 @@ # SUCH DAMAGE. # # $FreeBSD: src/etc/periodic/security/650.ip6fwlimit,v 1.6 2003/06/30 22:06:26 mtm Exp $ -# $DragonFly: src/etc/periodic/security/650.ip6fwlimit,v 1.3 2004/11/15 08:11:59 joerg Exp $ # # Show ip6fw rules which have reached the log limit 
@@ -39,26 +38,32 @@ then source_periodic_confs fi +security_daily_compat_var security_status_ip6fwlimit_enable + rc=0 -case "$daily_status_security_ip6fwlimit_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ip6fwlimit_enable +then + IP6FW_VERBOSE=`sysctl -n net.inet6.ip6.fw.verbose 2> /dev/null` + if [ $? -ne 0 ] || [ "$IP6FW_VERBOSE" -eq 0 ]; then + exit 0 + fi TMP=`mktemp -t security` - IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null` - if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then - ip6fw -a l | grep " log " | \ - grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ - awk -v limit="$IPFW_LOG_LIMIT" \ - '{if ($2 > limit) {print $0}}' > ${TMP} - if [ -s "${TMP}" ]; then + ip6fw -a list | grep " log " | \ + grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ + awk \ + '{if ($6 == "logamount") { + if ($2 > $7) + {print $0}} + }' > ${TMP} + + if [ -s "${TMP}" ]; then rc=1 echo "" echo 'ip6fw log limit reached:' cat ${TMP} - fi fi - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg index cc069d1bd0..4a5fc948ae 100644 --- a/etc/periodic/security/700.kernelmsg +++ b/etc/periodic/security/700.kernelmsg @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/700.kernelmsg,v 1.1.2.7 2002/11/19 18:54:54 thomas Exp $ -# $DragonFly: src/etc/periodic/security/700.kernelmsg,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/security/700.kernelmsg 254974 2013-08-27 21:20:28Z jlh $ # # Show kernel log messages 
@@ -41,14 +40,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_kernelmsg_enable + rc=0 -case "$daily_status_security_kernelmsg_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_kernelmsg_enable +then dmesg 2>/dev/null | check_diff new_only dmesg - "${host} kernel log messages:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit $rc diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail index c86736a20c..9449e339c9 100644 --- a/etc/periodic/security/800.loginfail +++ b/etc/periodic/security/800.loginfail @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.8 2007/02/23 21:42:54 remko Exp $ -# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.3 2007/12/29 21:44:44 matthias Exp $ +# $FreeBSD: head/etc/periodic/security/800.loginfail 262273 2014-02-20 23:43:49Z brueffer $ # # Show login failures @@ -39,7 +38,10 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_loginfail_enable + +LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` @@ -56,14 +58,15 @@ catmsgs() { [ -f ${LOG}/auth.log ] && cat $LOG/auth.log } -case "$daily_status_security_loginfail_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_yesno_period security_status_loginfail_enable +then echo "" echo "${host} login failures:" - n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" | + n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap index 13ee77029a..4a9e28203f 100644 --- a/etc/periodic/security/900.tcpwrap 
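Review bot: The new egrep pattern in 800.loginfail relies on `\b` word boundaries, a GNU regex extension rather than POSIX ERE; if the base grep on the target system does not support them the expression matches nothing, `n` is 0 and the check reports a clean day with no error — a silent loss of login-failure reporting. A quick run against a known auth.log line settles it, and whichever form is kept should carry a comment such as `# \b is a GNU grep extension; verified against the base grep`. catmsgs, which feeds this pipeline, is defined outside the hunk, so whether it received the same compressed-file handling as 900.tcpwrap in the next hunk is not visible here.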
+++ b/etc/periodic/security/900.tcpwrap @@ -24,8 +24,7 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/900.tcpwrap,v 1.1.2.1 2002/02/25 10:53:47 cjc Exp $ -# $DragonFly: src/etc/periodic/security/900.tcpwrap,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/security/900.tcpwrap 254974 2013-08-27 21:20:28Z jlh $ # # Show tcp_wrapper warning messages @@ -39,25 +38,35 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_tcpwrap_enable + +LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` catmsgs() { find ${LOG} -name 'messages.*' -mtime -2 | - sort -t. -r -n +1 -2 | - xargs zcat -f + sort -t. -r -n -k 2,2 | + while read f + do + case $f in + *.gz) zcat -f $f;; + *.bz2) bzcat -f $f;; + esac + done [ -f ${LOG}/messages ] && cat $LOG/messages } -case "$daily_status_security_tcpwrap_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_yesno_period security_status_tcpwrap_enable +then echo "" echo "${host} refused connections:" n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile index 92e74e2569..8ef847cc9d 100644 --- a/etc/periodic/security/Makefile +++ b/etc/periodic/security/Makefile @@ -1,6 +1,7 @@ # $FreeBSD: src/etc/periodic/security/Makefile,v 1.6 2006/08/25 07:34:36 trhodes Exp $ FILES= 100.chksetuid \ + 110.neggrpperm \ 200.chkmounts \ 300.chkuid0 \ 400.passwdless \ diff --git a/etc/periodic/security/security.functions b/etc/periodic/security/security.functions index deb7ef2c41..49011ee95e 100644 --- a/etc/periodic/security/security.functions +++ b/etc/periodic/security/security.functions 
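Review bot: The rewritten catmsgs in 900.tcpwrap only reads rotated files named `*.gz` or `*.bz2`; the `case` has no default branch, so an uncompressed `messages.0` (what newsyslog leaves when compression is off or not yet applied) or an `.xz` archive is silently skipped, whereas the old `xargs zcat -f` passed uncompressed files straight through. Adding `*) cat $f;;` before `esac` restores the old coverage, and `read -r f` with `"$f"` quoted is the safer form of the loop. Since the check looks for yesterday's lines, a rotation at midnight can put exactly those entries in the file that is now being skipped.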
@@ -24,15 +24,22 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/security.functions,v 1.5 2005/08/22 09:33:36 cperciva Exp $ -# $DragonFly: src/etc/periodic/security/security.functions,v 1.3 2007/12/29 21:44:44 matthias Exp $ +# $FreeBSD: head/etc/periodic/security/security.functions 322868 2017-08-25 00:28:56Z asomers $ # +# This is a library file, so we only try to do something when sourced. +case "$0" in +*/security.functions) exit 0 ;; +esac + +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_diff_flags + # # Show differences in the output of an audit command # -LOG="${daily_status_security_logdir}" +LOG="${security_status_logdir}" rc=0 # Usage: COMMAND | check_diff [new_only] LABEL - MSG @@ -41,10 +48,11 @@ rc=0 # LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files. check_diff() { + unset IFS rc=0 if [ "$1" = "new_only" ]; then shift - filter="grep '^[>+]'" + filter="grep '^[>+][^+]'" else filter="cat" fi @@ -68,7 +76,7 @@ check_diff() { [ $rc -lt 1 ] && rc=1 echo "" echo "${msg}" - diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \ + diff ${security_status_diff_flags} ${LOG}/${label}.today \ ${tmpf} | eval "${filter}" mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3 diff --git a/etc/periodic/weekly/310.locate b/etc/periodic/weekly/310.locate index b4eff9ea32..82c7ceb635 100644 --- a/etc/periodic/weekly/310.locate +++ b/etc/periodic/weekly/310.locate @@ -1,7 +1,6 @@ #!/bin/sh - # -# $FreeBSD: src/etc/periodic/weekly/310.locate,v 1.7 2007/02/23 18:44:20 remko Exp $ -# $DragonFly: src/etc/periodic/weekly/310.locate,v 1.3 2007/12/29 21:44:44 matthias Exp $ +# $FreeBSD: head/etc/periodic/weekly/310.locate 166912 2007-02-23 18:44:20Z remko $ # # If there is a global system configuration file, suck it in. 
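Review bot: `unset IFS` at the top of check_diff presumably undoes the newline-only IFS that 100.chksetuid sets before piping into it, but under a FreeBSD-derived /bin/sh the last stage of a pipeline runs in a subshell, so the caller's IFS is untouched either way; that is harmless for the callers here, which only `exit $rc` afterwards, but the line should say why it is there, e.g. `# callers may set IFS to newline for find; restore default splitting for the diff/mv below`. The two `security_daily_compat_var` calls now run at source time, so this file requires periodic.conf to have been sourced first; the new library guard comment is the natural place to state that.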
diff --git a/etc/periodic/weekly/320.whatis b/etc/periodic/weekly/320.whatis index e2dfcd7de8..fd6949ff2f 100644 --- a/etc/periodic/weekly/320.whatis +++ b/etc/periodic/weekly/320.whatis @@ -1,7 +1,6 @@ #!/bin/sh - # -# $FreeBSD: src/etc/periodic/weekly/320.whatis,v 1.5.2.3 2001/03/05 13:08:37 ru Exp $ -# $DragonFly: src/etc/periodic/weekly/320.whatis,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/weekly/320.whatis 73349 2001-03-02 16:52:14Z ru $ # # If there is a global system configuration file, suck it in. diff --git a/etc/periodic/weekly/340.noid b/etc/periodic/weekly/340.noid index 305e668f34..2611d444d2 100644 --- a/etc/periodic/weekly/340.noid +++ b/etc/periodic/weekly/340.noid @@ -1,7 +1,6 @@ #!/bin/sh - # -# $FreeBSD: src/etc/periodic/weekly/340.noid,v 1.2.2.4 2002/04/15 00:44:17 dougb Exp $ -# $DragonFly: src/etc/periodic/weekly/340.noid,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: head/etc/periodic/weekly/340.noid 220048 2011-03-27 03:03:29Z dougb $ # # If there is a global system configuration file, suck it in. diff --git a/etc/periodic/weekly/450.status-security b/etc/periodic/weekly/450.status-security new file mode 100644 index 0000000000..72903f7460 --- /dev/null +++ b/etc/periodic/weekly/450.status-security 
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# $FreeBSD: head/etc/periodic/weekly/450.status-security 316548 2017-04-06 01:37:03Z asomers $
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$weekly_status_security_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Security check:"
+
+ case "$weekly_status_security_inline" in
+ [Yy][Ee][Ss])
+ weekly_status_security_output="";;
+ esac
+
+ export security_output="${weekly_status_security_output}"
+ rc=0
+ case "${weekly_status_security_output}" in
+ "")
+ if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
+ then
+ periodic security > $tempfile || rc=3
+ if [ -s "$tempfile" ]; then
+ cat "$tempfile"
+ rc=3
+ fi
+ rm -f "$tempfile"
+ fi;;
+ /*)
+ echo " (output logged separately)"
+ periodic security || rc=3;;
+ *)
+ echo " (output mailed separately)"
+ periodic security || rc=3;;
+ esac;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/weekly/999.local b/etc/periodic/weekly/999.local
index 5ef9340e20..7fd6a9eb1a 100644
--- a/etc/periodic/weekly/999.local
+++ b/etc/periodic/weekly/999.local
@@ -1,7 +1,6 @@
 #!/bin/sh - #
-# $FreeBSD: src/etc/periodic/weekly/999.local,v 1.3.2.3 2001/08/01 20:41:28 obrien Exp $
-# $DragonFly: src/etc/periodic/weekly/999.local,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/weekly/999.local 313069 2017-02-01 23:22:54Z asomers $
 # # If there is a global system configuration file, suck it in.
@@ -18,7 +17,12 @@ do echo '' case "$script" in /*)
- if [ -f "$script" ]
+ if [ -x "$script" ]
+ then
+ echo "Running $script:"
+
+ $script || rc=3
+ elif [ -f "$script" ]
 then echo "Running $script:"
diff --git a/etc/periodic/weekly/Makefile b/etc/periodic/weekly/Makefile
index 3300a6469e..251b202233 100644
--- a/etc/periodic/weekly/Makefile
+++ b/etc/periodic/weekly/Makefile
@@ -4,6 +4,7 @@ FILES= 310.locate \ 320.whatis \ 330.catman \ 340.noid \ + 450.status-security \ 999.local .include diff --git a/share/man/man5/periodic.conf.5 b/share/man/man5/periodic.conf.5 index 1ad0e8564d..dd6fec28c8 100644 --- a/share/man/man5/periodic.conf.5 +++ b/share/man/man5/periodic.conf.5 @@ -23,9 +23,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man5/periodic.conf.5,v 1.8.2.22 2003/02/08 21:42:01 gshapiro Exp $ +.\" $FreeBSD: head/share/man/man5/periodic.conf.5 323550 2017-09-13 16:35:16Z gordon $ .\" -.Dd September 3, 2017 +.Dd March 12, 2018 .Dt PERIODIC.CONF 5 .Os .Sh NAME @@ -44,7 +44,9 @@ which itself may be overridden by the .Pa /etc/periodic.conf.local file. .Pp +The .Nm +file is actually sourced as a shell script from each of the periodic scripts and is intended to simply provide default configuration variables. .Pp @@ -60,9 +62,9 @@ This list is always prefixed with and is only used when an argument to .Xr periodic 8 is not an absolute directory name. -.It Va dir Ns No _output +.It Ao Ar dir Ac Ns Va _output .Pq Vt path No or Vt list -What to do with the output of the scripts envoked from +What to do with the output of the scripts executed from the directory .Ar dir . If this variable is set to an absolute path name, output is logged to 
@@ -76,61 +78,65 @@ For an unattended machine, suitable values for and .Va monthly_output might be -.Pa /var/log/daily.log , -.Pa /var/log/weekly.log , +.Dq Li /var/log/daily.log , +.Dq Li /var/log/weekly.log , and -.Pa /var/log/monthly.log +.Dq Li /var/log/monthly.log respectively, as .Xr newsyslog 8 will rotate these files (if they exists) at the appropriate times. -.It Va dir Ns No _show_success -.It Va dir Ns No _show_info -.It Va dir Ns No _show_badconfig +.It Ao Ar dir Ac Ns Va _show_success +.It Ao Ar dir Ac Ns Va _show_info +.It Ao Ar dir Ac Ns Va _show_badconfig .Pq Vt bool These variables control whether .Xr periodic 8 -will mask the output of the envoked scripts based on their return code +will mask the output of the executed scripts based on their return code (where .Ar dir is the base directory name in which each script resides). If the return code of a script is .Sq 0 and -.Va dir Ns No _show_success +.Ao Ar dir Ac Ns Va _show_success is set to -.Dq NO , +.Dq Li NO , .Xr periodic 8 will mask the script's output. If the return code of a script is .Sq 1 and -.Va dir Ns No _show_info +.Ao Ar dir Ac Ns Va _show_info is set to -.Dq NO , +.Dq Li NO , .Xr periodic 8 will mask the script's output. If the return code of a script is .Sq 2 and -.Va dir Ns No _show_badconfig +.Ao Ar dir Ac Ns Va _show_badconfig is set to -.Dq NO , +.Dq Li NO , .Xr periodic 8 will mask the script's output. If these variables are set to neither -.Dq YES +.Dq Li YES nor -.Dq NO , +.Dq Li NO , they default to -.Dq YES , -.Dq YES +.Dq Li YES , +.Dq Li YES and -.Dq NO +.Dq Li NO respectively. .Pp Refer to the .Xr periodic 8 -man page for how script return codes are interpreted. +manual page for how script return codes are interpreted. +.It Va anticongestion_sleeptime +.Pq Vt int +The maximum number of seconds to randomly sleep in order to smooth bursty loads +on a shared resource, such as a download mirror. .El .Pp The following variables are used by the standard scripts that reside in 
@@ -139,7 +145,7 @@ The following variables are used by the standard scripts that reside in .It Va daily_clean_disks_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to remove all files matching .Va daily_clean_disks_files daily. @@ -152,47 +158,47 @@ Wild cards are permitted. When .Va daily_clean_disks_enable is set to -.Dq YES , +.Dq Li YES , this must also be set to the number of days old that a file's access -and modification times must be before it's deleted. +and modification times must be before it is deleted. .It Va daily_clean_disks_verbose .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want the removed files to be reported in your daily output. .It Va daily_clean_tmps_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to clear temporary directories daily. .It Va daily_clean_tmps_dirs .Pq Vt str Set to the list of directories to clear if .Va daily_clean_tmps_enable is set to -.Dq YES . +.Dq Li YES . .It Va daily_clean_tmps_days .Pq Vt num When .Va daily_clean_tmps_enable is set, this must also be set to the number of days old that a file's access -and modification times must be before it's deleted. +and modification times must be before it is deleted. .It Va daily_clean_tmps_ignore .Pq Vt str Set to the list of files that should not be deleted when .Va daily_clean_tmps_enable is set to -.Dq YES . +.Dq Li YES . Wild card characters are permitted. .It Va daily_clean_tmps_verbose .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want the removed files to be reported in your daily output. .It Va daily_clean_preserve_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you wish to remove old files from .Pa /var/preserve . .It Va daily_clean_preserve_days 
@@ -202,12 +208,12 @@ they are deleted. .It Va daily_clean_preserve_verbose .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want the removed files to be reported in your daily output. .It Va daily_clean_msgs_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you wish old system messages to be purged. .It Va daily_clean_msgs_days .Pq Vt num @@ -219,7 +225,7 @@ default is used. .It Va daily_clean_rwho_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you wish old files in .Pa /var/who to be purged. @@ -230,12 +236,12 @@ they are deleted. .It Va daily_clean_rwho_verbose .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want the removed files to be reported in your daily output. .It Va daily_clean_hoststat_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES to run .Nm sendmail Fl bH to automatically purge stale entries from @@ -249,14 +255,14 @@ as configured in .It Va daily_clean_hammer_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want .Xr HAMMER 5 file systems to be snapshot, pruned and reblocked. .It Va daily_clean_hammer_verbose .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you wish more verbose output. .It Va daily_clean_hammer_pfslist .Pq Vt str @@ -270,7 +276,7 @@ actions occur. .It Va daily_clean_hammer2_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run .Xr hammer2 8 @@ -282,7 +288,7 @@ file systems. .It Va daily_clean_hammer2_verbose .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you wish more verbose output. .It Va daily_clean_hammer2_pfslist .Pq Vt str @@ -296,7 +302,7 @@ actions occur. .It Va daily_backup_passwd_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want the .Pa /etc/master.passwd and 
@@ -310,21 +316,21 @@ file. .It Va daily_backup_aliases_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want the .Pa /etc/mail/aliases file backed up and modifications to be displayed in your daily output. .It Va daily_calendar_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run -.Ic calendar -a +.Nm calendar Fl a daily. .It Va daily_accounting_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to rotate your daily accounting files. No rotations are necessary unless .Va accounting_enable @@ -333,7 +339,7 @@ is enabled in .It Va daily_accounting_compress .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want your daily accounting files to be compressed using .Xr gzip 1 . .It Va daily_accounting_save @@ -343,7 +349,7 @@ When is set, this may also be set to the number of daily accounting files that are to be saved. The default is -.Dq 3 . +.Dq Li 3 . .It Va daily_accounting_flags .Pq Vt str Set to the arguments to pass to the @@ -353,25 +359,25 @@ utility (in addition to when .Va daily_accounting_enable is set to -.Dq YES . +.Dq Li YES . The default is .Fl q . .It Va daily_news_expire_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run .Pa /etc/news.expire . .It Va daily_status_disks_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run .Xr df 1 (with the arguments supplied in .Va daily_status_disks_df_flags ) and -.Ic dump -W . +.Nm dump Fl W . .It Va daily_status_disks_df_flags .Pq Vt str Set to the arguments for the 
@@ -379,26 +385,36 @@ Set to the arguments for the utility when .Va daily_status_disks_enable is set to -.Dq YES . +.Dq Li YES . .It Va daily_status_network_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run -.Ic netstat -i . +.Nm netstat Fl i . +.It Va daily_status_network_netstat_flags +.Pq Vt str +Set to additional arguments for the +.Xr netstat 1 +utility when +.Va daily_status_network_enable +is set to +.Dq Li YES . +The default is +.Fl d . .It Va daily_status_network_usedns .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run .Xr netstat 1 without the .Fl n option (to do DNS lookups). -.It Va daily_status_rwho_enable +.It Va daily_status_uptime_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run .Xr uptime 1 (or @@ -406,41 +422,41 @@ if you want to run if .Va rwhod_enable is set to -.Dq YES +.Dq Li YES in .Pa /etc/rc.conf ) . .It Va daily_status_mailq_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run .Xr mailq 1 . .It Va daily_status_mailq_shorten .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to shorten the -.Nm mailq +.Xr mailq 1 output when .Va daily_status_mailq_enable is set to -.Dq YES . +.Dq Li YES . .It Va daily_status_include_submit_mailq .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you also want to run .Xr mailq 1 on the submit mail queue when .Va daily_status_mailq_enable is set to -.Dq YES . +.Dq Li YES . This may not work with MTAs other than .Xr sendmail 8 . .It Va daily_status_security_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run the security check. The security check is another set of .Xr periodic 8 
@@ -455,140 +471,24 @@ manual page for more information. .It Va daily_status_security_inline .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want the security check output inline. The default is to either mail or log the output according to the value of .Va daily_status_security_output . -.It Va daily_status_security_logdir -.Pq Vt str -The directory where the security scripts expect the system's log files. .It Va daily_status_security_output .Pq Vt str Where to send the output of the security check if .Va daily_status_security_inline is set to -.Dq NO . +.Dq Li NO . This variable behaves in the same way as the .Va *_output variables above, namely it can be set either to one or more email addresses or to an absolute file name. -.It Va daily_status_security_diff_flags -.Pq Vt str -Set to the arguments to pass to the -.Xr diff 1 -utility when generating differences. -The default is -.Fl u . -.It Va daily_status_security_chksetuid_enable -.Pq Vt bool -Set to -.Dq YES -to compare the modes and modification times of setuid executables with -the previous day's values. -.It Va daily_status_security_chkmounts_enable -.Pq Vt bool -Set to -.Dq YES -to check for changes in mounted filesystems to the previous day's values. -.It Va daily_status_security_chkmounts_ignore -Set to the list of filesystem types that should not be checked when -.Va daily_status_security_chkmounts_enable -is set to -.Dq YES . -.It Va daily_status_security_nomfs -.Pq Vt bool -Set to -.Dq YES -if you want to ignore -.Xr mfs 8 -mounts when comparing against yesterdays filesystem mounts in the -.Va daily_status_security_chkmounts_enable -check. -.It Va daily_status_security_chkuid0_enable -.Pq Vt bool -Set to -.Dq YES -to check -.Pa /etc/master.passwd -for accounts with uid 0. -.It Va daily_status_security_passwdless_enable -.Pq Vt bool -Set to -.Dq YES -to check -.Pa /etc/master.passwd -for accounts with empty passwords. 
-.It Va daily_status_security_logincheck_enable -.Pq Vt bool -Set to -.Dq Li YES -to check -.Pa /etc/login.conf -ownership, see -.Xr login.conf 5 -for more information. -.It Va daily_status_security_ipfwdenied_enable -.Pq Vt bool -Set to -.Dq YES -to show log entries for packets denied by -.Xr ipfw 8 -since yesterday's check. -.It Va daily_status_security_pfdenied_enable -.Pq Vt bool -Set to -.Dq YES -to show log entries for packets denied by -.Xr pf 4 -since yesterday's check. -.It Va daily_status_security_ipfwlimit_enable -.Pq Vt bool -Set to -.Dq YES -to display -.Xr ipfw 8 -rules that have reached their verbosity limit. -.It Va daily_status_security_ip6fwdenied_enable -.Pq Vt bool -Set to -.Dq YES -to show log entries for packets denied by -.Xr ip6fw 8 -since yesterday's check. -.It Va daily_status_security_ip6fwlimit_enable -.Pq Vt bool -Set to -.Dq YES -to display -.Xr ip6fw 8 -rules that have reached their verbosity limit. -.It Va daily_status_security_kernelmsg_enable -.Pq Vt bool -Set to -.Dq YES -to show new -.Xr dmesg 8 -entries since yesterday's check. -.It Va daily_status_security_loginfail_enable -.Pq Vt bool -Set to -.Dq YES -to display failed logins from -.Pa /var/log/messages -in the previous day. -.It Va daily_status_security_tcpwrap_enable -.Pq Vt bool -Set to -.Dq YES -to display connections denied by tcpwrappers (see -.Xr hosts_access 5 ) -from -.Pa /var/log/messages -during the previous day. .It Va daily_status_mail_rejects_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to summarise mail rejections logged to .Pa /var/log/maillog for the previous day. 
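Review bot: The daily section drops daily_status_security_logdir, daily_status_security_diff_flags and every per-check daily_status_security_*_enable entry without telling the reader where those settings went, so an administrator carrying an existing periodic.conf cannot tell from this page whether the variables were renamed or removed. A one-line pointer after the daily_status_security_output entry would close that gap, e.g. `The individual checks are configured through the .Va security_status_* variables described below.` The enclosing .Bl list starts and ends outside this hunk.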
@@ -599,17 +499,17 @@ for yesterday's mail rejects. .It Va daily_queuerun_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to manually run the mail queue at least once a day. .It Va daily_submit_queuerun .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you also want to manually run the submit mail queue at least once a day when .Va daily_queuerun_enable is set to -.Dq YES . +.Dq Li YES . .It Va daily_local .Pq Vt str Set to a list of extra scripts that should be run after all other @@ -623,20 +523,20 @@ The following variables are used by the standard scripts that reside in .It Va weekly_locate_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run .Pa /usr/libexec/locate.updatedb . This script is run using -.Ic nice -5 +.Nm nice Fl 5 as user -.An nobody , +.Dq Li nobody , and generates the table used by the .Xr locate 1 command. .It Va weekly_whatis_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to run .Pa /usr/libexec/makewhatis.local . This script regenerates the database used by the @@ -654,7 +554,7 @@ command at the expense of disk space. .It Va weekly_noid_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to locate orphaned files on the system. An orphaned file is one with an invalid owner or group. .It Va weekly_noid_dirs @@ -662,6 +562,18 @@ An orphaned file is one with an invalid owner or group. A list of directories under which orphaned files are searched for. This would usually be set to .Pa / . +.It Va weekly_status_security_enable +.Pq Vt bool +Weekly counterpart of +.Va daily_status_security_enable . +.It Va weekly_status_security_inline +.Pq Vt bool +Weekly counterpart of +.Va daily_status_security_inline . +.It Va weekly_status_security_output +.Pq Vt str +Weekly counterpart of +.Va daily_status_security_output . .It Va weekly_local .Pq Vt str Set to a list of extra scripts that should be run after all other 
@@ -675,30 +587,291 @@ The following variables are used by the standard scripts that reside in .It Va monthly_accounting_enable .Pq Vt bool Set to -.Dq YES +.Dq Li YES if you want to do login accounting using the .Xr ac 8 command. -.It Va monthly_statistics_enable +.It Va monthly_status_security_enable .Pq Vt bool -Set to -.Dq YES -if you want to report non-identifying information about the OS to the -.Pa http://www.bsdstats.org -community site on the internet. -.It Va monthly_statistics_report_devices +Monthly counterpart of +.Va daily_status_security_enable . +.It Va monthly_status_security_inline .Pq Vt bool -When -.Va monthly_statistics_report_devices -is set, this may also be set to report additional device statistics. +Monthly counterpart of +.Va daily_status_security_inline . +.It Va monthly_status_security_output +.Pq Vt str +Monthly counterpart of +.Va daily_status_security_output . .It Va monthly_local .Pq Vt str Set to a list of extra scripts that should be run after all other monthly scripts. All scripts must be absolute path names. .El +.Pp +The following variables are used by the standard scripts that reside in +.Pa /etc/periodic/security . +Those scripts are usually run from daily +.Pq Va daily_status_security_enable , +weekly +.Pq Va weekly_status_security_enable , +and monthly +.Pq Va monthly_status_security_enable +periodic hooks. +The +.Va ..._period +of each script can be configured as +.Dq daily , +.Dq weekly , +.Dq monthly +or +.Dq NO . +Note that when periodic security scripts are run from +.Xr crontab 5 , +they will be always run unless their +.Va ..._enable +or +.Va ..._period +variable is set to +.Dq NO . +.Bl -tag -offset 4n -width 2n +.It Va security_status_logdir +.Pq Vt str +The directory where the security scripts expect the system's log files. +The default is +.Pa /var/log . +.It Va security_status_diff_flags +.Pq Vt str +Set to the arguments to pass to the +.Xr diff 1 +utility when generating differences. +The default is +.Fl b u . 
+.It Va security_status_chksetuid_enable +.Pq Vt bool +Set to +.Dq Li YES +to compare the modes and modification times of setuid executables with +the previous day's values. +.It Va security_status_chksetuid_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_neggrpperm_enable +.Pq Vt bool +Set to +.Dq Li YES +to check for files where the group of a file has less permissions than +the world at large. +When users are in more than 14 supplemental groups these negative +permissions may not be enforced via NFS shares. +.It Va security_status_neggrpperm_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_chkmounts_enable +.Pq Vt bool +Set to +.Dq Li YES +to check for changes mounted file systems to the previous day's values. +.It Va security_status_chkmounts_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_nomfs +.Pq Vt bool +Set to +.Dq Li YES +if you want to ignore +.Xr mfs 8 +mounts when comparing against yesterday's file system mounts in the +.Va security_status_chkmounts_enable +check. +.It Va security_status_chkuid0_enable +.Pq Vt bool +Set to +.Dq Li YES +to check +.Pa /etc/master.passwd +for accounts with UID 0. +.It Va security_status_chkuid0_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_passwdless_enable +.Pq Vt bool +Set to +.Dq Li YES +to check +.Pa /etc/master.passwd +for accounts with empty passwords. +.It Va security_status_passwdless_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_logincheck_enable +.Pq Vt bool +Set to +.Dq Li YES +to check +.Pa /etc/login.conf +ownership, see +.Xr login.conf 5 +for more information. 
+.It Va security_status_logincheck_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ipfwdenied_enable +.Pq Vt bool +Set to +.Dq Li YES +to show log entries for packets denied by +.Xr ipfw 8 +since yesterday's check. +.It Va security_status_ipfwdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_pfdenied_enable +.Pq Vt bool +Set to +.Dq Li YES +to show log entries for packets denied by +.Xr pf 4 +since yesterday's check. +.It Va security_status_pfdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ipfwlimit_enable +.Pq Vt bool +Set to +.Dq Li YES +to display +.Xr ipfw 8 +rules that have reached their verbosity limit. +.It Va security_status_ipfwlimit_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ip6fwdenied_enable +.Pq Vt bool +Set to +.Dq Li YES +to show log entries for packets denied by +.Xr ip6fw 8 +since yesterday's check. +.It Va security_status_ip6fwdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ip6fwlimit_enable +.Pq Vt bool +Set to +.Dq Li YES +to display +.Xr ip6fw 8 +rules that have reached their verbosity limit. +.It Va security_status_ip6fwlimit_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_kernelmsg_enable +.Pq Vt bool +Set to +.Dq Li YES +to show new +.Xr dmesg 8 +entries since yesterday's check. +.It Va security_status_kernelmsg_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_loginfail_enable +.Pq Vt bool +Set to +.Dq Li YES +to display failed logins from +.Pa /var/log/messages +in the previous day. 
+.It Va security_status_loginfail_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_tcpwrap_enable +.Pq Vt bool +Set to +.Dq Li YES +to display connections denied by tcpwrappers (see +.Xr hosts_access 5 ) +from +.Pa /var/log/messages +during the previous day. +.It Va security_status_tcpwrap_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.El .Sh FILES -.Bl -tag -width /etc/defaults/periodic.conf +.Bl -tag -width ".Pa /etc/defaults/periodic.conf" .It Pa /etc/defaults/periodic.conf The default configuration file. This file contains all default variables and values. @@ -721,6 +894,7 @@ is shared or distributed. .Xr netstat 1 , .Xr nice 1 , .Xr HAMMER 5 , +.Xr login.conf 5 , .Xr rc.conf 5 , .Xr ac 8 , .Xr chkgrp 8 , @@ -737,4 +911,4 @@ The file appeared in .Fx 4.1 . .Sh AUTHORS -.An Brian Somers Aq Mt brian@Awfulhak.org . +.An Brian Somers Aq Mt brian@Awfulhak.org -- 2.41.0
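Review bot: The new security_status_chkmounts_enable text, `to check for changes mounted file systems to the previous day's values`, has lost the word the replaced daily entry had; it should read `to check for changes in mounted file systems against the previous day's values`. The replaced daily_status_security_chkmounts_ignore entry (the list of file system types excluded from the mount check) has no security_status_* counterpart in the new section, so either it still exists under a new name and needs an entry, or its removal should be stated, since an exclusion list that is silently dropped or silently honoured changes what the chkmounts report covers. The introductory paragraph says scripts run from crontab(5) `will be always run unless their ..._enable or ..._period variable is set to NO` but does not say how a _period value outside daily/weekly/monthly/NO is treated, which matters for the ipfw/pf denied-packet and login-failure checks where the failure mode is a check that never runs; `will always be run` is also the idiomatic word order. security_status_nomfs is the only check-related variable without a _period entry; if it simply follows security_status_chkmounts_period, a short sentence saying so would help.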