From 2204f3ce427f561a4b12919c511b4c9cfcf36fdf Mon Sep 17 00:00:00 2001 
From: "Crist J. Clark" Date: Fri, 7 Dec 2001 23:57:39 +0000 Subject: [PATCH] Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru --- etc/Makefile | 2 +- etc/defaults/periodic.conf | 49 +++++- etc/mtree/BSD.root.dist | 2 + etc/periodic/Makefile | 2 +- etc/periodic/daily/450.status-security | 29 ++- etc/periodic/security/100.chksetuid | 75 ++++++++ etc/periodic/security/200.chkmounts | 73 ++++++++ etc/periodic/security/300.chkuid0 | 51 ++++++ etc/periodic/security/400.passwdless | 48 +++++ etc/periodic/security/500.ipfwdenied | 69 ++++++++ etc/periodic/security/550.ipfwlimit | 61 +++++++ etc/periodic/security/600.ip6fwdenied | 69 ++++++++ etc/periodic/security/650.ip6fwlimit | 61 +++++++ etc/periodic/security/700.kernelmsg | 68 +++++++ etc/periodic/security/800.loginfail | 62 +++++++ etc/periodic/security/900.tcpwrap | 62 +++++++ etc/periodic/security/Makefile | 15 ++ etc/security | 234 ------------------------- share/man/man5/periodic.conf.5 | 101 ++++++++++- usr.sbin/periodic/periodic.8 | 5 + 20 files changed, 872 insertions(+), 266 deletions(-) create mode 100755 etc/periodic/security/100.chksetuid create mode 100755 etc/periodic/security/200.chkmounts create mode 100755 etc/periodic/security/300.chkuid0 create mode 100755 etc/periodic/security/400.passwdless create mode 100755 etc/periodic/security/500.ipfwdenied create mode 100755 etc/periodic/security/550.ipfwlimit create mode 100755 etc/periodic/security/600.ip6fwdenied create mode 100755 etc/periodic/security/650.ip6fwlimit create mode 100755 etc/periodic/security/700.kernelmsg create mode 100755 etc/periodic/security/800.loginfail create mode 100755 etc/periodic/security/900.tcpwrap create mode 100644 etc/periodic/security/Makefile 
delete mode 100644 etc/security
diff --git a/etc/Makefile b/etc/Makefile
index fea950b3aedb..c693a1a0cb46 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -14,7 +14,7 @@ BIN1= amd.map apmd.conf auth.conf \
 phones printcap profile protocols \
 rc rc.atm rc.devfs rc.diskless1 rc.diskless2 rc.firewall rc.firewall6 \
 rc.network rc.network6 rc.pccard rc.serial rc.shutdown \
- rc.syscons rc.sysctl remote rpc security services shells sysctl.conf \
+ rc.syscons rc.sysctl remote rpc services shells sysctl.conf \
 syslog.conf usbd.conf \
 etc.${MACHINE_ARCH}/disktab \
 etc.${MACHINE_ARCH}/rc.${MACHINE_ARCH} \
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index c14a4a007d68..19c25dc2e1cd 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -105,9 +105,7 @@ daily_status_mailq_shorten="NO" # Shorten output

 # 450.status-security
 daily_status_security_enable="YES" # Security check
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_noamd="NO" # Don't check amd mounts
+# See "Security options" below for more options

 # 460.status-mail-rejects
 daily_status_mail_rejects_enable="YES" # Check mail rejects
@@ -124,6 +122,51 @@ daily_queuerun_enable="YES" # Run mail queue

 daily_local="/etc/daily.local" # Local scripts

+# Security options
+
+# These options are used by the security periodic(8) scripts spawned in
+# 450.status-security above.
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
+daily_status_security_noamd="NO" # Don't check amd mounts
+daily_status_security_logdir="/var/log" # Directory for logs
+
+# 100.chksetuid
+daily_status_security_chksetuid_enable="YES"
+
+# 200.chkmounts
+daily_status_security_chkmounts_enable="YES"
+#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
+ # FS types
+
+# 300.chkuid0
+daily_status_security_chkuid0_enable="YES"
+
+# 400.passwdless
+daily_status_security_passwdless_enable="YES"
+
+# 500.ipfwdenied
+daily_status_security_ipfwdenied_enable="YES"
+
+# 550.ipfwlimit
+daily_status_security_ipfwlimit_enable="YES"
+
+# 600.ip6fwdenied
+daily_status_security_ip6fwdenied_enable="YES"
+
+# 650.ip6fwlimit
+daily_status_security_ip6fwlimit_enable="YES"
+
+# 700.kernelmsg
+daily_status_security_kernelmsg_enable="YES"
+
+# 800.loginfail
+daily_status_security_loginfail_enable="YES"
+
+# 900.tcpwrap
+daily_status_security_tcpwrap_enable="YES"
+
+
 # Weekly options

 # These options are used by periodic(8) itself to determine what to do
diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist
index 53a6770300bd..559527cf7bcd 100644
--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@@ -45,6 +45,8 @@
 ..
 monthly
 ..
+ security
+ ..
 weekly
 ..
 ..
diff --git a/etc/periodic/Makefile b/etc/periodic/Makefile
index 4c1fda48ae91..8fb56dff051a 100644
--- a/etc/periodic/Makefile
+++ b/etc/periodic/Makefile
@@ -1,5 +1,5 @@
 # $FreeBSD$

-SUBDIR= daily weekly monthly
+SUBDIR= daily security weekly monthly

 .include
diff --git a/etc/periodic/daily/450.status-security b/etc/periodic/daily/450.status-security
index ce3288a45c7d..00889aa5eadb 100755
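Review bot: The comment on `daily_status_security_logdir="/var/log" # Directory for logs` understates what the variable controls: the new scripts use it both as the place where the `setuid`, `mount`, `ipfw`, `ip6fw` and `dmesg` `.today`/`.yesterday` state files are written and as the directory in which 800.loginfail and 900.tcpwrap look for syslog's `messages` and `messages.*`. An administrator who moves the state files by changing this one knob also redirects the two log-reading checks, so the comment should say so, e.g. `# Where the *.today/*.yesterday state files live; 800/900 also read messages* here`. The `#daily_status_security_chkmounts_ignore="^amd:"` example is an egrep(1) pattern, which is worth stating in its comment since the value is passed straight to `egrep -v` by 200.chkmounts.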
--- a/etc/periodic/daily/450.status-security
+++ b/etc/periodic/daily/450.status-security
@@ -16,30 +16,23 @@ case "$daily_status_security_enable" in
 echo ""
 echo "Security check:"

- case "$daily_status_security_noamd" in
- [Yy][Ee][Ss])
- args=-a;;
- *)
- args=;;
- esac
-
 case "$daily_status_security_inline" in
 [Yy][Ee][Ss])
- sh /etc/security -s $args
- rc=$?;;
-
+ export security_output="";;
 *)
- case "${daily_status_security_output:=root}" in
+ export security_output="${daily_status_security_output}"
+ case "${daily_status_security_output}" in
+ "")
+ ;;
 /*)
- echo " (output logged separately)"
- sh /etc/security -s $args \ >$daily_status_security_output 2>&1;;
+ echo " (output logged separately)";;
 *)
- echo " (output mailed separately)"
- sh /etc/security $args 2>&1 |
- mail -s "`hostname` security check output" $daily_status_security_output;;
+ echo " (output mailed separately)";;
 esac;;
- esac;;
+ esac
+
+ periodic security
+ rc=$?;;

 *) rc=0;;
 esac
diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid
new file mode 100755
index 000000000000..df0ce8c59529
--- /dev/null
+++ b/etc/periodic/security/100.chksetuid
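Review bot: The new `"") ;;` arm silently turns an empty `daily_status_security_output` into a third mode: the old code defaulted it with `${daily_status_security_output:=root}` and mailed root, while now an empty value exports `security_output=""` exactly as the `daily_status_security_inline=YES` branch does, with no "(output ...)" announcement. If that is intended, say so on the arm, e.g. `"") ;; # empty: same as daily_status_security_inline=YES, periodic(8) prints inline`; if not, restore the `:=root` default. What periodic(8) does with the exported `security_output`, and whether `rc=$?` after `periodic security` reflects the highest script status, is in usr.sbin/periodic outside this hunk, so the comment should not promise more than that. The enclosing `case "$daily_status_security_enable"` begins above the hunk.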
@@ -0,0 +1,75 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_chksetuid_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking setuid files and devices:'
+ # XXX Note that there is the possibility of overrunning the args to ls
+ MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
+ set ${MP}
+ while [ $# -ge 1 ]; do
+ mount=$1
+ shift
+ find $mount -xdev -type f \
+ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
+ \( -perm -u+s -or -perm -g+s \) -print0
+ done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
+
+ if [ ! -f ${LOG}/setuid.today ]; then
+ rc=1
+ echo "No ${LOG}/setuid.today"
+ cp ${TMP} ${LOG}/setuid.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
+ then
+ [ $rc -lt 1 ] && rc=1
+ echo "${host} setuid diffs:"
+ diff -w ${LOG}/setuid.today ${TMP}
+ mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
+ mv ${TMP} ${LOG}/setuid.today || rc=3
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts
new file mode 100755
index 000000000000..9b19675f726e
--- /dev/null
+++ b/etc/periodic/security/200.chkmounts
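Review bot: The scratch file `/var/run/_secure.$$` is removed only by the `rm -f ${TMP}` at the end of the enabled branch, so a run interrupted during the long `find` pipeline leaves it behind, and the same predictable name pattern is shared by every sibling script in this directory. A `trap 'rm -f ${TMP}' 0` right after the assignment (or `TMP=\`mktemp /var/run/_secure.XXXXXX\` || exit 3` together with the trap) covers every exit path. The `# XXX Note that there is the possibility of overrunning the args to ls` comment looks stale now that `xargs -0 -n 20` hands `ls` at most 20 paths per call; either drop it or say what it still refers to. `${host}` is never set in this file; presumably periodic(8) exports it, but a standalone run prints an empty hostname in the `setuid diffs:` heading.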
@@ -0,0 +1,73 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show changes in the way filesystems are mounted
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+ignore="${daily_status_security_chkmounts_ignore}"
+rc=0
+
+case "$daily_status_security_chkmounts_enable" in
+ [Yy][Ee][Ss])
+ case "$daily_status_security_noamd" in
+ [Yy][Ee][Ss])
+ ignore="${ignore}|^amd:"
+ esac
+ [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+ if mount -p | ${cmd} > ${TMP}; then
+ if [ ! -f ${LOG}/mount.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/mount.today"
+ cp ${TMP} ${LOG}/mount.today || rc=3
+ fi
+ if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} changes in mounted filesystems:"
+ diff -b ${LOG}/mount.today ${TMP}
+ mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
+ mv ${TMP} ${LOG}/mount}.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit "$rc"
diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0
new file mode 100755
index 000000000000..32cc16c846c3
--- /dev/null
+++ b/etc/periodic/security/300.chkuid0
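Review bot: `mv ${TMP} ${LOG}/mount}.today || rc=3` has a stray `}` and writes the new state to `/var/log/mount}.today`, so whenever a change is detected `mount.today` is moved to `mount.yesterday` and never recreated; the following run then reports `No /var/log/mount.today`, returns rc=1 and starts over, and the mis-named file lingers in /var/log. It should read `mv ${TMP} ${LOG}/mount.today || rc=3`. Separately, `cmd="egrep -v ${ignore#|}"` is later expanded unquoted as `${cmd}`, so a `daily_status_security_chkmounts_ignore` value containing whitespace is split into several arguments and egrep treats the remainder as filenames; running `egrep -v "${ignore#|}"` directly in the `if` (with `cat` in an `else` branch) avoids that.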
@@ -0,0 +1,51 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_security_chkuid0_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking for uids of 0:'
+ n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
+ tee /dev/stderr |
+ sed -e '/^root 0$/d' -e '/^toor 0$/d' |
+ wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit "$rc"
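Review bot: The data path of the `n=$(...)` pipeline is not obvious and deserves a comment: every uid-0 entry reaches the report only through `tee /dev/stderr`, while stdout continues into `sed`/`wc -l`, which drops `root` and `toor` before counting, so those two accounts are always listed but never raise rc. Something like `# List every uid-0 account (via stderr, which the periodic run folds into the report) but only count the ones other than root and toor` above that line would save the next reader from tracing it. Whether stderr actually ends up in the report depends on how periodic(8) invokes the script, which this hunk does not show.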
diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless
new file mode 100755
index 000000000000..42ece0453ccd
--- /dev/null
+++ b/etc/periodic/security/400.passwdless
@@ -0,0 +1,48 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_security_passwdless_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking for passwordless accounts:'
+ n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit "$rc"
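Review bot: The awk filter's three conditions are doing distinct jobs and should be spelled out in a comment: `NF > 1` skips blank lines, `$1 !~ /^[#+-]/` skips comment lines and the `+`/`-` entries (NIS compat references, presumably), and `$2==""` is the empty password field. For example `# An account with an empty second field needs no password; skip comments and +/- map entries`. The hits are printed whole (`print $0`) into a report that 450.status-security may mail; since the password field is empty by construction no hash can leak, but the comment might say that too so nobody has to re-check it.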
diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied
new file mode 100755
index 000000000000..ac08b4b44940
--- /dev/null
+++ b/etc/periodic/security/500.ipfwdenied
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show denied packets
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ipfwdenied_enable" in
+ [Yy][Ee][Ss])
+ if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+ if [ ! -f ${LOG}/ipfw.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/ipfw.today"
+ cp ${TMP} ${LOG}/ipfw.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} denied packets:"
+ diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
+ mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
+ mv ${TMP} ${LOG}/ipfw.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit
new file mode 100755
index 000000000000..3bc13b8376db
--- /dev/null
+++ b/etc/periodic/security/550.ipfwlimit
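Review bot: Because the `if` tests the status of the pipeline's last stage, egrep, the whole check is skipped without a word — rc stays 0 and `ipfw.today` is not refreshed — both when `ipfw -a l` fails (its stderr is sent to /dev/null) and when the ruleset simply contains no `deny`/`reset`/`unreach` rule. That is presumably deliberate for kernels without ipfw, but it should be stated on that line, e.g. `# egrep exits non-zero when ipfw is unavailable or no deny-type rule exists; skip quietly`. The `cmp ${LOG}/ipfw.today ${TMP} >/dev/null` lacks the `2>&1` that 200.chkmounts and 700.kernelmsg use, so a failed `cp` a few lines earlier leaks a cmp error message into the report before the `mv` lines fail as well.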
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ipfw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ipfwlimit_enable" in
+ [Yy][Ee][Ss])
+ IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
+ if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
+ ipfw -a l | grep " log " | perl -n -e \
+ '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
+ if [ -s "${TMP}" ]; then
+ rc=1
+ echo ""
+ echo 'ipfw log limit reached:'
+ cat ${TMP}
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/600.ip6fwdenied b/etc/periodic/security/600.ip6fwdenied
new file mode 100755
index 000000000000..36315c2ade1e
--- /dev/null
+++ b/etc/periodic/security/600.ip6fwdenied
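Review bot: `[ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]` evaluates both operands even when the first is false, so on a kernel where the `net.inet.ip.fw.verbose_limit` sysctl does not exist `IPFW_LOG_LIMIT` is empty and test(1) complains on stderr about the empty `-ne` operand — in the daily security report, on every host without ipfw. Splitting it into `if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then` short-circuits as intended. The perl one-liner also keeps `$1` from the previous line when `/^\d+\s+(\d+)/` does not match, so a non-matching line can be printed on the strength of a stale count; `awk -v limit="${IPFW_LOG_LIMIT}" '$1 ~ /^[0-9]+$/ && $2 >= limit'` on the `grep " log "` output compares the same second numeric column without that quirk and without depending on perl.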
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show IPv6 denied packets
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ip6fwdenied_enable" in
+ [Yy][Ee][Ss])
+ if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+ if [ ! -f ${LOG}/ip6fw.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/ip6fw.today"
+ cp ${TMP} ${LOG}/ip6fw.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} IPv6 denied packets:"
+ diff -b ${LOG}/ip6fw.today ${TMP} |
+ egrep "^>"
+ mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
+ mv ${TMP} ${LOG}/ip6fw.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/650.ip6fwlimit b/etc/periodic/security/650.ip6fwlimit
new file mode 100755
index 000000000000..96af389e7c71
--- /dev/null
+++ b/etc/periodic/security/650.ip6fwlimit
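Review bot: What the report shows is not obvious from `diff -b ${LOG}/ip6fw.today ${TMP} | egrep "^>"`: the `>` lines are the current cumulative counters of rules whose counts moved since the previous run, not the number of packets denied in between, and a rule that disappeared from the ruleset shows up as a `<` line and is dropped by the egrep. A comment on that line such as `# Report rules whose counters changed since the last run (cumulative values, not deltas); removed rules are not shown` would set expectations for whoever reads the mail. `egrep "deny|reset|unreach"` also matches those words anywhere on the rule line, which is fine for the stock `ip6fw -a l` format but worth a note so nobody tightens it without checking. Apart from the command and file names this is a verbatim copy of 500.ipfwdenied.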
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ip6fw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ip6fwlimit_enable" in
+ [Yy][Ee][Ss])
+ IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
+ if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
+ ip6fw -a l | grep " log " | perl -n -e \
+ '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
+ if [ -s "${TMP}" ]; then
+ rc=1
+ echo ""
+ echo 'ip6fw log limit reached:'
+ cat ${TMP}
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg
new file mode 100755
index 000000000000..a0b6a0045619
--- /dev/null
+++ b/etc/periodic/security/700.kernelmsg
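Review bot: `[ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]` does not short-circuit: when the `net.inet6.ip6.fw.verbose_limit` sysctl is absent the variable is empty and test(1) still evaluates the `-ne`, printing a complaint about the empty operand that lands in the daily report of every machine without ip6fw (the common case). Use `if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then`; 550.ipfwlimit has the identical construct. Note also that `ip6fw -a l` here runs without the `2>/dev/null` that 600.ip6fwdenied applies, which is acceptable only because the sysctl has already proven the firewall is present — a one-line comment saying so would stop someone "fixing" the inconsistency.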
@@ -0,0 +1,68 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show kernel log messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_kernelmsg_enable" in
+ [Yy][Ee][Ss])
+ if dmesg -a 2>/dev/null > ${TMP}; then
+ if [ ! -f ${LOG}/dmesg.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/dmesg.today"
+ cp ${TMP} ${LOG}/dmesg.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} kernel log messages:"
+ diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
+ mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
+ mv ${TMP} ${LOG}/dmesg.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail
new file mode 100755
index 000000000000..c4446f5f858b
--- /dev/null
+++ b/etc/periodic/security/800.loginfail
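Review bot: `if dmesg -a 2>/dev/null > ${TMP}; then` discards the reason whenever dmesg fails, and since the `if` keys off its status the check then does nothing and exits with rc=0, so a host whose kernel messages cannot be read never says so in the report. If that silence is intentional (presumably for hosts where the caller cannot read the message buffer) put it in a comment on that line; otherwise let stderr through. The comparison is against a snapshot of the kernel message buffer, which is a ring, so after it wraps or the host reboots `diff -b ... | egrep "^>"` will emit a large block of `>` lines that are not new events; a note next to that line would stop readers from treating every reported line as fresh.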
@@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show login failures
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+ find ${LOG} -name 'messages.*' -mtime -2 |
+ sort -t. -r -n +1 -2 |
+ xargs zcat -f
+ [ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_loginfail_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "${host} login failures:"
+ n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap
new file mode 100755
index 000000000000..0dc61dc0923f
--- /dev/null
+++ b/etc/periodic/security/900.tcpwrap
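Review bot: `catmsgs` looks for `messages` and `messages.*` under `${LOG}`, i.e. `daily_status_security_logdir`, the same knob 100.chksetuid, 200.chkmounts, 500/600 and 700 use for their `*.today` state files. An administrator who points that variable at a separate state directory silently loses this check: `find` matches nothing, the `[ -f ${LOG}/messages ]` guard skips the live log, and the script reports zero login failures with rc=0. Either read syslog from a fixed location in `catmsgs` (`find /var/log -name 'messages.*' -mtime -2 |` and `[ -f /var/log/messages ] && cat /var/log/messages`), or document on the `LOG=` line that the variable must remain the syslog directory. `$LOG/messages` is also the one unbraced use in a file that writes `${LOG}` everywhere else.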
@@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show tcp_wrapper warning messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+ find ${LOG} -name 'messages.*' -mtime -2 |
+ sort -t. -r -n +1 -2 |
+ xargs zcat -f
+ [ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_tcpwrap_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "${host} refused connections:"
+ n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile
new file mode 100644
index 000000000000..da4152fd326a
--- /dev/null
+++ b/etc/periodic/security/Makefile
@@ -0,0 +1,15 @@
+# $FreeBSD$
+
+BIN= 100.chksetuid \
+ 200.chkmounts \
+ 300.chkuid0 \
+ 400.passwdless \
+ 500.ipfwdenied \
+ 550.ipfwlimit \
+ 600.ip6fwdenied \
+ 650.ip6fwlimit \
+ 700.kernelmsg \
+ 800.loginfail \
+ 900.tcpwrap
+
+.include
diff --git a/etc/security b/etc/security
deleted file mode 100644
index 32d948b364d0..000000000000
--- a/etc/security
+++ /dev/null
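Review bot: The `grep -i "^$yesterday.*refused connect"` filter lacks the `-a` that the otherwise identical 800.loginfail uses, so a single NUL byte anywhere in the day's messages files (a corrupted file, or a line carrying untrusted input that a daemon logged, is enough) makes grep report a binary-file match instead of printing the entries, and the report then ends with a non-zero count but none of the refused-connection lines a reader needs. Change it to `grep -ia "^$yesterday.*refused connect" |` to match the sibling script. `catmsgs` and the `yesterday` prefix are copied verbatim from 800.loginfail, so a small helper sourced by both scripts would keep the two filters from drifting apart like this. The hunk is the whole file, so nothing continues outside it.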
@@ -1,234 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2000 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# @(#)security 5.3 (Berkeley) 5/28/91 -# $FreeBSD$ -# - -PATH=/sbin:/bin:/usr/bin -LC_ALL=C; export LC_ALL -rc=0 -LOG=/var/log -TMP=/var/run/_secure.$$ - -separator () { - echo '' - echo '' -} - -catmsgs() { - find $LOG -name 'messages.*' -mtime -2 | - sort -t. 
-r -n +1 -2 | - xargs zcat -f - [ -f $LOG/messages ] && cat $LOG/messages -} - -sflag=FALSE ignore= -while getopts as c -do - case "$c" in - a) ignore="$ignore|^amd:";; - s) sflag=TRUE;; - esac -done - -yesterday=`date -v-1d "+%b %e "` - -host=`hostname` - -umask 027 - -echo 'Checking setuid files and devices:' - -# Don't have ncheck, but this does the equivalent of the commented out block. -# Note that one of the original problems, the possibility of overrunning -# the args to ls, is still here... -# -MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort` -set ${MP} -while [ $# -ge 1 ]; do - mount=$1 - shift - find $mount -xdev -type f \ - \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ - \( -perm -u+s -or -perm -g+s \) -print0 -done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP} - -if [ ! -f ${LOG}/setuid.today ]; then - [ $rc -lt 1 ] && rc=1 - separator - echo "No ${LOG}/setuid.today" - cp ${TMP} ${LOG}/setuid.today || rc=3 -fi - -if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then - [ $rc -lt 1 ] && rc=1 - separator - echo "${host} setuid diffs:" - diff -w ${LOG}/setuid.today ${TMP} - mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3 - mv ${TMP} ${LOG}/setuid.today || rc=3 -fi - -# Show changes in the way filesystems are mounted -# -[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat -if mount -p | $cmd > $TMP; then - if [ ! -f $LOG/mount.today ]; then - [ $rc -lt 1 ] && rc=1 - separator - echo "No $LOG/mount.today" - cp $TMP $LOG/mount.today || rc=3 - fi - if ! 
cmp $LOG/mount.today $TMP >/dev/null 2>&1; then - [ $rc -lt 1 ] && rc=1 - separator - echo "$host changes in mounted filesystems:" - diff -b $LOG/mount.today $TMP - mv $LOG/mount.today $LOG/mount.yesterday || rc=3 - mv $TMP $LOG/mount.today || rc=3 - fi -fi - -separator -echo 'Checking for uids of 0:' -n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | - tee /dev/stderr | - sed -e '/^root 0$/d' -e '/^toor 0$/d' | - wc -l) -[ $n -gt 0 -a $rc -lt 1 ] && rc=1 - -separator -echo 'Checking for passwordless accounts:' -n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | - tee /dev/stderr | wc -l) -[ $n -gt 0 -a $rc -lt 1 ] && rc=1 - -# Show denied packets -# -if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then - if [ ! -f ${LOG}/ipfw.today ]; then - [ $rc -lt 1 ] && rc=1 - separator - echo "No ${LOG}/ipfw.today" - cp ${TMP} ${LOG}/ipfw.today || rc=3 - fi - - if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then - [ $rc -lt 1 ] && rc=1 - separator - echo "${host} denied packets:" - diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>" - mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3 - mv ${TMP} ${LOG}/ipfw.today || rc=3 - fi -fi - -# Show ipfw rules which have reached the log limit -# -IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` -if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then - ipfw -a l | grep " log " | perl -n -e \ - '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP} - if [ -s "${TMP}" ]; then - [ $rc -lt 1 ] && rc=1 - separator - echo 'ipfw log limit reached:' - cat ${TMP} - fi -fi - -# Show IPv6 denied packets -# -if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then - if [ ! -f ${LOG}/ip6fw.today ]; then - [ $rc -lt 1 ] && rc=1 - separator - echo "No ${LOG}/ip6fw.today" - cp ${TMP} ${LOG}/ip6fw.today || rc=3 - fi - - if ! 
cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then - [ $rc -lt 1 ] && rc=1 - separator - echo "${host} IPv6 denied packets:" - diff -b ${LOG}/ip6fw.today ${TMP} | egrep "^>" - mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3 - mv ${TMP} ${LOG}/ip6fw.today || rc=3 - fi -fi - -# Show ip6fw rules which have reached the log limit -# -IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null` -if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then - ip6fw -a l | grep " log " | perl -n -e \ - '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP} - if [ -s "${TMP}" ]; then - [ $rc -lt 1 ] && rc=1 - separator - echo 'ip6fw log limit reached:' - cat ${TMP} - fi -fi - -# Show kernel log messages -# -if dmesg -a 2>/dev/null > ${TMP}; then - if [ ! -f ${LOG}/dmesg.today ]; then - [ $rc -lt 1 ] && rc=1 - separator - echo "No ${LOG}/dmesg.today" - cp ${TMP} ${LOG}/dmesg.today || rc=3 - fi - - if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then - [ $rc -lt 1 ] && rc=1 - separator - echo "${host} kernel log messages:" - diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>" - mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3 - mv ${TMP} ${LOG}/dmesg.today || rc=3 - fi -fi - -# Show login failures -# -separator -echo "${host} login failures:" -n=$(catmsgs | grep -ia "^$yesterday.*login failure" | tee /dev/stderr | wc -l) -[ $n -gt 0 -a $rc -lt 1 ] && rc=1 - -# Show tcp_wrapper warning messages -# -separator -echo "${host} refused connections:" -n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l) -[ $n -gt 0 -a $rc -lt 1 ] && rc=1 - -rm -f ${TMP} - -exit $rc diff --git a/share/man/man5/periodic.conf.5 b/share/man/man5/periodic.conf.5 index a49aa2b83ec3..7755dab86447 100644 --- a/share/man/man5/periodic.conf.5 +++ b/share/man/man5/periodic.conf.5 
@@ -401,22 +401,27 @@ is set to
 .Pq Vt bool
 Set to
 .Dq YES
-if you want to run
-.Pa /etc/security .
+if you want to run the security check.
+The security check is another set of
+.Xr periodic 8
+scripts.
+The system defaults are in
+.Pa /etc/periodic/security .
+Local scripts should be placed in
+.Pa /usr/local/etc/periodic/security .
+See the
+.Xr periodic 8
+manual page for more information.
 .It Va daily_status_security_inline
 .Pq Vt bool
 Set to
 .Dq YES
-if you want to run
-.Pa /etc/security
-inline.
+if you want the security check output inline.
 The default is to either mail or log the output according to the value of
 .Va daily_status_security_output .
 .It Va daily_status_security_output
 .Pq Vt str
-Where to send the output of
-.Pa /etc/security
-if
+Where to send the output of the security check if
 .Va daily_status_security_inline
 is set to
 .Dq NO .
@@ -424,13 +429,91 @@ This variable behaves in the same way as the .Va *_output variables above, namely it can be set either to one or more email addresses or to an absolute file name. +.It Va daily_status_security_chksetuid_enable +.Pq Vt bool +Set to +.Dq YES +to compare the modes and modification times of setuid executables with +the previous day's values. +.It Va daily_status_security_chkmounts_enable +.Pq Vt bool +Set to +.Dq YES +to check for changes mounted filesystems to the previous day's values. .It Va daily_status_security_noamd .Pq Vt bool Set to .Dq YES if you want to ignore .Xr amd 8 -mounts when comparing against yesterdays filesystem mounts. +mounts when comparing against yesterdays filesystem mounts in the +.Va daily_status_security_chkmounts_enable +check. +.It Va daily_status_security_chkuid0_enable +.Pq Vt bool +Set to +.Dq YES +to check +.Pa /etc/master.passwd +for accounts with uid 0. +.It Va daily_status_security_passwdless_enable +.Pq Vt bool +Set to +.Dq YES +to check +.Pa /etc/master.passwd +for accounts with empty passwords. +.It Va daily_status_security_ipfwdenied_enable +.Pq Vt bool +Set to +.Dq YES +to show log entries for packets denied by +.Xr ipfw 8 +since yesterday's check. +.It Va daily_status_security_ipfwlimit_enable +.Pq Vt bool +Set to +.Dq YES +to display +.Xr ipfw 8 +rules that have reached their verbosity limit. +.It Va daily_status_security_ip6fwdenied_enable +.Pq Vt bool +Set to +.Dq YES +to show log entries for packets denied by +.Xr ip6fw 8 +since yesterday's check. +.It Va daily_status_security_ip6fwlimit_enable +.Pq Vt bool +Set to +.Dq YES +to display +.Xr ip6fw 8 +rules that have reached their verbosity limit. +.It Va daily_status_security_kernelmsg_enable +.Pq Vt bool +Set to +.Dq YES +to show new +.Xr dmesg 8 +entries since yesterday's check. +.It Va daily_status_security_loginfail_enable +.Pq Vt bool +Set to +.Dq YES +to display failed logins from +.Pa /var/log/messages +in the previous day. 
+.It Va daily_status_security_tcpwrap_enable +.Pq Vt bool +Set to +.Dq YES +to display connections denied by tcpwrappers (see +.Xr hosts_access 5 ) +from +.Pa /var/log/messages +during the previous day. .It Va daily_status_mail_rejects_enable .Pq Vt bool Set to diff --git a/usr.sbin/periodic/periodic.8 b/usr.sbin/periodic/periodic.8 index f0c1376310db..4b9b17e33fdd 100644 --- a/usr.sbin/periodic/periodic.8 +++ b/usr.sbin/periodic/periodic.8 @@ -52,6 +52,11 @@ This usually occurs on Sunday mornings. .It Pa monthly Perform the standard monthly periodic executable run. This usually occurs on the first day of the month. +.It Pa security +Perform the standard daily security checks. +This is usually spawned by the +.Pa daily +run. .It Ar path An arbitrary directory containing a set of executables to be run. .El