Long ago, there was just /etc/daily. Then /etc/security was split out
of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
parent
f4af1f0785
commit
2204f3ce42
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=87514
@ -14,7 +14,7 @@ BIN1= amd.map apmd.conf auth.conf \
phones printcap profile protocols \
rc rc.atm rc.devfs rc.diskless1 rc.diskless2 rc.firewall rc.firewall6 \
rc.network rc.network6 rc.pccard rc.serial rc.shutdown \
rc.syscons rc.sysctl remote rpc security services shells sysctl.conf \
rc.syscons rc.sysctl remote rpc services shells sysctl.conf \
syslog.conf usbd.conf \
etc.${MACHINE_ARCH}/disktab \
etc.${MACHINE_ARCH}/rc.${MACHINE_ARCH} \
@ -105,9 +105,7 @@ daily_status_mailq_shorten="NO" # Shorten output
# 450.status-security
daily_status_security_enable="YES" # Security check
daily_status_security_inline="NO" # Run inline ?
daily_status_security_output="root" # user or /file
daily_status_security_noamd="NO" # Don't check amd mounts
# See "Security options" below for more options
# 460.status-mail-rejects
daily_status_mail_rejects_enable="YES" # Check mail rejects
@ -124,6 +122,51 @@ daily_queuerun_enable="YES" # Run mail queue
daily_local="/etc/daily.local" # Local scripts
# Security options
# These options are used by the security periodic(8) scripts spawned in
# 450.status-security above.
daily_status_security_inline="NO" # Run inline ?
daily_status_security_output="root" # user or /file
daily_status_security_noamd="NO" # Don't check amd mounts
daily_status_security_logdir="/var/log" # Directory for logs
# 100.chksetuid
daily_status_security_chksetuid_enable="YES"
# 200.chkmounts
daily_status_security_chkmounts_enable="YES"
#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
# FS types
# 300.chkuid0
daily_status_security_chkuid0_enable="YES"
# 400.passwdless
daily_status_security_passwdless_enable="YES"
# 500.ipfwdenied
daily_status_security_ipfwdenied_enable="YES"
# 550.ipfwlimit
daily_status_security_ipfwlimit_enable="YES"
# 600.ip6fwdenied
daily_status_security_ip6fwdenied_enable="YES"
# 650.ip6fwlimit
daily_status_security_ip6fwlimit_enable="YES"
# 700.kernelmsg
daily_status_security_kernelmsg_enable="YES"
# 800.loginfail
daily_status_security_loginfail_enable="YES"
# 900.tcpwrap
daily_status_security_tcpwrap_enable="YES"
# Weekly options
# These options are used by periodic(8) itself to determine what to do
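Review bot: The `#daily_status_security_chkmounts_ignore="^amd:"` example and its `# Don't check matching FS types` comment do not say what kind of value is expected; 200.chkmounts hands the value straight to `egrep -v` over `mount -p` output, so it is an egrep(1) extended regular expression matched against whole mount lines, not a list of filesystem types. Suggest `#daily_status_security_chkmounts_ignore="^amd:" # egrep(1) pattern; matching mount -p lines are ignored`. The comment could also mention that `daily_status_security_noamd="YES"` makes 200.chkmounts append `|^amd:` to this pattern, since the two options overlap.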
@ -45,6 +45,8 @@
..
monthly
..
security
..
weekly
..
..
@ -1,5 +1,5 @@
# $FreeBSD$
SUBDIR= daily weekly monthly
SUBDIR= daily security weekly monthly
.include <bsd.subdir.mk>
@ -16,30 +16,23 @@ case "$daily_status_security_enable" in
echo ""
echo "Security check:"
case "$daily_status_security_noamd" in
[Yy][Ee][Ss])
args=-a;;
*)
args=;;
esac
case "$daily_status_security_inline" in
[Yy][Ee][Ss])
sh /etc/security -s $args
rc=$?;;
export security_output="";;
*)
case "${daily_status_security_output:=root}" in
export security_output="${daily_status_security_output}"
case "${daily_status_security_output}" in
"")
;;
/*)
echo " (output logged separately)"
sh /etc/security -s $args \
>$daily_status_security_output 2>&1;;
echo " (output logged separately)";;
*)
echo " (output mailed separately)"
sh /etc/security $args 2>&1 |
mail -s "`hostname` security check output" $daily_status_security_output;;
esac;;
echo " (output mailed separately)";;
esac;;
esac
periodic security
rc=$?;;
*) rc=0;;
esac
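Review bot: The new side of this hunk reduces the check to `periodic security` followed by `rc=$?;;` and drops the inline/output handling, yet the new "Security options" block in periodic.conf still declares `daily_status_security_inline` and `daily_status_security_output`, and none of the security scripts added in this commit read either variable. If periodic(8) itself now honors them that is not visible here and the periodic.conf comment should say so; otherwise they are dead settings that administrators will keep toggling to no effect. The enclosing `case "$daily_status_security_enable"` starts before this hunk, so its other arms are not visible.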
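--- a/etc/periodic/security/100.chksetuid
+++ b/etc/periodic/security/100.chksetuid
@@ -0,0 +1,75 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_chksetuid_enable" in
+[Yy][Ee][Ss])
+echo ""
+echo 'Checking setuid files and devices:'
+# XXX Note that there is the possibility of overrunning the args to ls
+MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
+set ${MP}
+while [ $# -ge 1 ]; do
+mount=$1
+shift
+find $mount -xdev -type f \
+\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
+\( -perm -u+s -or -perm -g+s \) -print0
+done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
+
+if [ ! -f ${LOG}/setuid.today ]; then
+rc=1
+echo "No ${LOG}/setuid.today"
+cp ${TMP} ${LOG}/setuid.today || rc=3
+fi
+
+if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
+then
+[ $rc -lt 1 ] && rc=1
+echo "${host} setuid diffs:"
+diff -w ${LOG}/setuid.today ${TMP}
+mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
+mv ${TMP} ${LOG}/setuid.today || rc=3
+fi
+rm -f ${TMP};;
+*) rc=0;;
+esac
+
+exit $rc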
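Review bot: `TMP=/var/run/_secure.$$` is a predictable temporary name and the `> ${TMP}` redirection on the xargs line writes through whatever already sits at that path; the same pattern is repeated in 200.chkmounts, 500.ipfwdenied, 550.ipfwlimit, 600.ip6fwdenied, 650.ip6fwlimit and 700.kernelmsg. /var/run being root-owned limits the exposure, but one line removes it: `TMP=$(mktemp /var/run/_secure.XXXXXX) || exit 3`, reusing the status 3 the script already assigns to failed file operations. Separately, `set ${MP}` and `find $mount` word-split the mount list, so a mount point containing whitespace is searched as several paths; if that is an accepted limitation it belongs in the existing `# XXX` comment.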
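--- a/etc/periodic/security/200.chkmounts
+++ b/etc/periodic/security/200.chkmounts
@@ -0,0 +1,73 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show changes in the way filesystems are mounted
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+ignore="${daily_status_security_chkmounts_ignore}"
+rc=0
+
+case "$daily_status_security_chkmounts_enable" in
+[Yy][Ee][Ss])
+case "$daily_status_security_noamd" in
+[Yy][Ee][Ss])
+ignore="${ignore}|^amd:"
+esac
+[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+if mount -p | ${cmd} > ${TMP}; then
+if [ ! -f ${LOG}/mount.today ]; then
+rc=1
+echo ""
+echo "No ${LOG}/mount.today"
+cp ${TMP} ${LOG}/mount.today || rc=3
+fi
+if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
+[ $rc -lt 1 ] && rc=1
+echo ""
+echo "${host} changes in mounted filesystems:"
+diff -b ${LOG}/mount.today ${TMP}
+mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
+mv ${TMP} ${LOG}/mount}.today || rc=3
+fi
+fi
+rm -f ${TMP};;
+*) rc=0;;
+esac
+
+exit "$rc"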
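Review bot: The rotation line `mv ${TMP} ${LOG}/mount}.today || rc=3` has a stray `}` and stores the new snapshot under the literal name `mount}.today`, so after the first detected change `mount.today` no longer exists and every following run fails its `cmp` and `mv`, reporting rc=3 daily. It should read `mv ${TMP} ${LOG}/mount.today || rc=3`. Less urgent, `cmd="egrep -v ${ignore#|}"` is expanded unquoted on the `mount -p | ${cmd}` line, so a `daily_status_security_chkmounts_ignore` value containing whitespace is split into several egrep arguments; the value comes from root-owned configuration, so this is a robustness rather than a trust issue, but a comment stating that the pattern must not contain spaces would save someone a confusing night.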
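--- a/etc/periodic/security/300.chkuid0
+++ b/etc/periodic/security/300.chkuid0
@@ -0,0 +1,51 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+case "$daily_status_security_chkuid0_enable" in
+[Yy][Ee][Ss])
+echo ""
+echo 'Checking for uids of 0:'
+n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
+tee /dev/stderr |
+sed -e '/^root 0$/d' -e '/^toor 0$/d' |
+wc -l)
+[ $n -gt 0 ] && rc=1 || rc=0;;
+*) rc=0;;
+esac
+
+exit "$rc"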
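Review bot: The awk filter on the `n=$(awk -F: ...` line skips only `#` comment lines, whereas 400.passwdless skips `#`, `+` and `-` entries with `$1 !~ /^[#+-]/`; a NIS `+` or `-` line whose uid field is 0 is therefore listed and counted here as a uid-0 account. For consistency use `n=$(awk -F: '$1 !~ /^[#+-]/ && $3==0 {print $1,$3}' /etc/master.passwd |`. It is also worth a one-line comment that root and toor are still printed by the `tee /dev/stderr` stage and only removed from the count, e.g. `# root/toor are expected; only other uid-0 accounts raise rc`.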
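--- a/etc/periodic/security/400.passwdless
+++ b/etc/periodic/security/400.passwdless
@@ -0,0 +1,48 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+case "$daily_status_security_passwdless_enable" in
+[Yy][Ee][Ss])
+echo ""
+echo 'Checking for passwordless accounts:'
+n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
+tee /dev/stderr | wc -l)
+[ $n -gt 0 ] && rc=1 || rc=0;;
+*) rc=0;;
+esac
+
+exit "$rc"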
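Review bot: Unlike the other scripts in this commit, this one carries no purpose comment between the license block and the configuration sourcing (300.chkuid0 lacks one as well); add `# Show accounts whose password field is empty` there. A short comment on the `n=$(awk ...` line would also help: the `tee /dev/stderr` stage is what prints the offending entries, and the count feeds only the exit status.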
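--- a/etc/periodic/security/500.ipfwdenied
+++ b/etc/periodic/security/500.ipfwdenied
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show denied packets
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ipfwdenied_enable" in
+[Yy][Ee][Ss])
+if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+if [ ! -f ${LOG}/ipfw.today ]; then
+rc=1
+echo ""
+echo "No ${LOG}/ipfw.today"
+cp ${TMP} ${LOG}/ipfw.today || rc=3
+fi
+
+if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
+[ $rc -lt 1 ] && rc=1
+echo ""
+echo "${host} denied packets:"
+diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
+mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
+mv ${TMP} ${LOG}/ipfw.today || rc=3
+fi
+fi
+rm -f ${TMP};;
+*) rc=0;;
+esac
+
+exit $rc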
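Review bot: The whole block is gated on the exit status of `egrep "deny|reset|unreach"`, which is non-zero when nothing matches, so a day on which every deny/reset/unreach rule has vanished is silently skipped: `ipfw.today` keeps the previous rule set and no diff is printed, which is exactly the change an administrator would want to see. If that case should be reported too, run the pipeline first and then test for content or a prior snapshot: `ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}` followed by `if [ -s ${TMP} ] || [ -f ${LOG}/ipfw.today ]; then`; if the skip is intentional, a comment saying so on the `if ipfw` line would stop the next reader from re-deriving it. 600.ip6fwdenied has the same structure around `ip6fw`.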
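--- a/etc/periodic/security/550.ipfwlimit
+++ b/etc/periodic/security/550.ipfwlimit
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ipfw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ipfwlimit_enable" in
+[Yy][Ee][Ss])
+IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
+if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
+ipfw -a l | grep " log " | perl -n -e \
+'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
+if [ -s "${TMP}" ]; then
+rc=1
+echo ""
+echo 'ipfw log limit reached:'
+cat ${TMP}
+fi
+fi
+rm -f ${TMP};;
+*) rc=0;;
+esac
+
+exit $rc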
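Review bot: `if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]` evaluates both operands even when sysctl failed, and with an empty `${IPFW_LOG_LIMIT}` the `-ne` comparison is most likely an invalid-number error from test(1) rather than a clean false, so hosts without ipfw would get a diagnostic on stderr every night instead of a quiet skip. `if [ -n "${IPFW_LOG_LIMIT}" ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then` handles the failure and the zero case without the deprecated `-a`. 650.ip6fwlimit has the identical test on its `IP6FW_LOG_LIMIT` line.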
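--- a/etc/periodic/security/600.ip6fwdenied
+++ b/etc/periodic/security/600.ip6fwdenied
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show IPv6 denied packets
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ip6fwdenied_enable" in
+[Yy][Ee][Ss])
+if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+if [ ! -f ${LOG}/ip6fw.today ]; then
+rc=1
+echo ""
+echo "No ${LOG}/ip6fw.today"
+cp ${TMP} ${LOG}/ip6fw.today || rc=3
+fi
+
+if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
+[ $rc -lt 1 ] && rc=1
+echo ""
+echo "${host} IPv6 denied packets:"
+diff -b ${LOG}/ip6fw.today ${TMP} |
+egrep "^>"
+mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
+mv ${TMP} ${LOG}/ip6fw.today || rc=3
+fi
+fi
+rm -f ${TMP};;
+*) rc=0;;
+esac
+
+exit $rc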
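--- a/etc/periodic/security/650.ip6fwlimit
+++ b/etc/periodic/security/650.ip6fwlimit
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ip6fw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ip6fwlimit_enable" in
+[Yy][Ee][Ss])
+IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
+if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
+ip6fw -a l | grep " log " | perl -n -e \
+'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
+if [ -s "${TMP}" ]; then
+rc=1
+echo ""
+echo 'ip6fw log limit reached:'
+cat ${TMP}
+fi
+fi
+rm -f ${TMP};;
+*) rc=0;;
+esac
+
+exit $rc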
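--- a/etc/periodic/security/700.kernelmsg
+++ b/etc/periodic/security/700.kernelmsg
@@ -0,0 +1,68 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show kernel log messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_kernelmsg_enable" in
+[Yy][Ee][Ss])
+if dmesg -a 2>/dev/null > ${TMP}; then
+if [ ! -f ${LOG}/dmesg.today ]; then
+rc=1
+echo ""
+echo "No ${LOG}/dmesg.today"
+cp ${TMP} ${LOG}/dmesg.today || rc=3
+fi
+
+if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
+[ $rc -lt 1 ] && rc=1
+echo ""
+echo "${host} kernel log messages:"
+diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
+mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
+mv ${TMP} ${LOG}/dmesg.today || rc=3
+fi
+fi
+rm -f ${TMP};;
+*) rc=0;;
+esac
+
+exit $rc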
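Review bot: `echo "${host} kernel log messages:"` relies on `${host}`, which is assigned neither in this script nor in the periodic.conf changes of this commit; presumably periodic(8) exports it before running the scripts, but a reader of this file cannot tell and an unset value silently produces a header with no hostname. A comment beside the `LOG=` assignment such as `# ${host}: hostname, expected to be exported by periodic(8) — confirm` would make the dependency explicit; 100.chksetuid, 200.chkmounts, 500.ipfwdenied, 600.ip6fwdenied and 800.loginfail use `${host}` the same way.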
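--- a/etc/periodic/security/800.loginfail
+++ b/etc/periodic/security/800.loginfail
@@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show login failures
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+. /etc/defaults/periodic.conf
+source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+find ${LOG} -name 'messages.*' -mtime -2 |
+sort -t. -r -n +1 -2 |
+xargs zcat -f
+[ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_loginfail_enable" in
+[Yy][Ee][Ss])
+echo ""
+echo "${host} login failures:"
+n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
+tee /dev/stderr | wc -l)
+[ $n -gt 0 ] && rc=1 || rc=0;;
+*) rc=0;;
+esac
+
+exit $rc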
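Review bot: `catmsgs()` and the `yesterday=` computation are duplicated verbatim in 900.tcpwrap (visible from its `catmsgs() {` line onward), so any change to the log selection, such as the `-mtime -2` window or the `sort -t. -r -n +1 -2` ordering, has to be made in two places; a helper sourced by both scripts would be preferable, or at minimum a comment `# keep in sync with 900.tcpwrap` above the function. Also, because `[ -f ${LOG}/messages ] && cat $LOG/messages` is the function's last statement, catmsgs returns 1 whenever no current messages file exists; that is harmless here since only its stdout is consumed, but worth a one-line comment so nobody later treats the status as an error.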
62
etc/periodic/security/900.tcpwrap
Executable file
@ -0,0 +1,62 @@
|
||||
#!/bin/sh -
|
||||
#
|
||||
# Copyright (c) 2001 The FreeBSD Project
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
# Show tcp_wrapper warning messages
|
||||
#
|
||||
|
||||
# If there is a global system configuration file, suck it in.
|
||||
#
|
||||
if [ -r /etc/defaults/periodic.conf ]
|
||||
then
|
||||
. /etc/defaults/periodic.conf
|
||||
source_periodic_confs
|
||||
fi
|
||||
|
||||
LOG="${daily_status_security_logdir}"
|
||||
|
||||
yesterday=`date -v-1d "+%b %e "`
|
||||
|
||||
catmsgs() {
|
||||
find ${LOG} -name 'messages.*' -mtime -2 |
|
||||
sort -t. -r -n +1 -2 |
|
||||
xargs zcat -f
|
||||
[ -f ${LOG}/messages ] && cat $LOG/messages
|
||||
}
|
||||
|
||||
case "$daily_status_security_tcpwrap_enable" in
|
||||
[Yy][Ee][Ss])
|
||||
echo ""
|
||||
echo "${host} refused connections:"
|
||||
n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
|
||||
tee /dev/stderr | wc -l)
|
||||
[ $n -gt 0 ] && rc=1 || rc=0;;
|
||||
*) rc=0;;
|
||||
esac
|
||||
|
||||
exit $rc
|
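Review bot: The `grep -i "^$yesterday.*refused connect"` in the new 900.tcpwrap runs without `-a`, while the sibling 800.loginfail script uses `grep -ia` on the same `catmsgs` stream; if a syslog line carries non-text bytes (log content is partly supplied by remote peers), grep reports `Binary file (standard input) matches` instead of the entries, so the refused-connection lines vanish from the report and `n` counts that one diagnostic line. Use `n=$(catmsgs | grep -ia "^$yesterday.*refused connect" |` so both scripts treat the log identically. Separately, `${host}` is read in the heading but never assigned in this script; it presumably arrives exported from periodic(8), but a fallback such as `: ${host:=$(hostname)}` before the `case`, or a comment `# host is inherited from the periodic(8) environment`, would make that dependency explicit.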
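--- /dev/null
+++ b/etc/periodic/security/Makefile
@@ -0,0 +1,15 @@
+# $FreeBSD$
+
+BIN= 100.chksetuid \
+200.chkmounts \
+300.chkuid0 \
+400.passwdless \
+500.ipfwdenied \
+550.ipfwlimit \
+600.ip6fwdenied \
+650.ip6fwlimit \
+700.kernelmsg \
+800.loginfail \
+900.tcpwrap
+
+.include <bsd.prog.mk>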
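--- a/etc/security
+++ /dev/null
@@ -1,234 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2000 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# @(#)security 5.3 (Berkeley) 5/28/91
-# $FreeBSD$
-#
-
-PATH=/sbin:/bin:/usr/bin
-LC_ALL=C; export LC_ALL
-rc=0
-LOG=/var/log
-TMP=/var/run/_secure.$$
-
-separator () {
-echo ''
-echo ''
-}
-
-catmsgs() {
-find $LOG -name 'messages.*' -mtime -2 |
-sort -t. -r -n +1 -2 |
-xargs zcat -f
-[ -f $LOG/messages ] && cat $LOG/messages
-}
-
-sflag=FALSE ignore=
-while getopts as c
-do
-case "$c" in
-a) ignore="$ignore|^amd:";;
-s) sflag=TRUE;;
-esac
-done
-
-yesterday=`date -v-1d "+%b %e "`
-
-host=`hostname`
-
-umask 027
-
-echo 'Checking setuid files and devices:'
-
-# Don't have ncheck, but this does the equivalent of the commented out block.
-# Note that one of the original problems, the possibility of overrunning
-# the args to ls, is still here...
-#
-MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
-set ${MP}
-while [ $# -ge 1 ]; do
-mount=$1
-shift
-find $mount -xdev -type f \
-\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
-\( -perm -u+s -or -perm -g+s \) -print0
-done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
-
-if [ ! -f ${LOG}/setuid.today ]; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "No ${LOG}/setuid.today"
-cp ${TMP} ${LOG}/setuid.today || rc=3
-fi
-
-if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "${host} setuid diffs:"
-diff -w ${LOG}/setuid.today ${TMP}
-mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
-mv ${TMP} ${LOG}/setuid.today || rc=3
-fi
-
-# Show changes in the way filesystems are mounted
-#
-[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
-if mount -p | $cmd > $TMP; then
-if [ ! -f $LOG/mount.today ]; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "No $LOG/mount.today"
-cp $TMP $LOG/mount.today || rc=3
-fi
-if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "$host changes in mounted filesystems:"
-diff -b $LOG/mount.today $TMP
-mv $LOG/mount.today $LOG/mount.yesterday || rc=3
-mv $TMP $LOG/mount.today || rc=3
-fi
-fi
-
-separator
-echo 'Checking for uids of 0:'
-n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
-tee /dev/stderr |
-sed -e '/^root 0$/d' -e '/^toor 0$/d' |
-wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-separator
-echo 'Checking for passwordless accounts:'
-n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
-tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-# Show denied packets
-#
-if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
-if [ ! -f ${LOG}/ipfw.today ]; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "No ${LOG}/ipfw.today"
-cp ${TMP} ${LOG}/ipfw.today || rc=3
-fi
-
-if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "${host} denied packets:"
-diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
-mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
-mv ${TMP} ${LOG}/ipfw.today || rc=3
-fi
-fi
-
-# Show ipfw rules which have reached the log limit
-#
-IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
-ipfw -a l | grep " log " | perl -n -e \
-'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
-if [ -s "${TMP}" ]; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo 'ipfw log limit reached:'
-cat ${TMP}
-fi
-fi
-
-# Show IPv6 denied packets
-#
-if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
-if [ ! -f ${LOG}/ip6fw.today ]; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "No ${LOG}/ip6fw.today"
-cp ${TMP} ${LOG}/ip6fw.today || rc=3
-fi
-
-if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "${host} IPv6 denied packets:"
-diff -b ${LOG}/ip6fw.today ${TMP} | egrep "^>"
-mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
-mv ${TMP} ${LOG}/ip6fw.today || rc=3
-fi
-fi
-
-# Show ip6fw rules which have reached the log limit
-#
-IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
-ip6fw -a l | grep " log " | perl -n -e \
-'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
-if [ -s "${TMP}" ]; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo 'ip6fw log limit reached:'
-cat ${TMP}
-fi
-fi
-
-# Show kernel log messages
-#
-if dmesg -a 2>/dev/null > ${TMP}; then
-if [ ! -f ${LOG}/dmesg.today ]; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "No ${LOG}/dmesg.today"
-cp ${TMP} ${LOG}/dmesg.today || rc=3
-fi
-
-if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
-[ $rc -lt 1 ] && rc=1
-separator
-echo "${host} kernel log messages:"
-diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
-mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
-mv ${TMP} ${LOG}/dmesg.today || rc=3
-fi
-fi
-
-# Show login failures
-#
-separator
-echo "${host} login failures:"
-n=$(catmsgs | grep -ia "^$yesterday.*login failure" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-# Show tcp_wrapper warning messages
-#
-separator
-echo "${host} refused connections:"
-n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-rm -f ${TMP}
-
-exit $rc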
@ -401,22 +401,27 @@ is set to
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
if you want to run
|
||||
.Pa /etc/security .
|
||||
if you want to run the security check.
|
||||
The security check is another set of
|
||||
.Xr periodic 8
|
||||
scripts.
|
||||
The system defaults are in
|
||||
.Pa /etc/periodic/security .
|
||||
Local scripts should be placed in
|
||||
.Pa /usr/local/etc/periodic/security .
|
||||
See the
|
||||
.Xr periodic 8
|
||||
manual page for more information.
|
||||
.It Va daily_status_security_inline
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
if you want to run
|
||||
.Pa /etc/security
|
||||
inline.
|
||||
if you want the security check output inline.
|
||||
The default is to either mail or log the output according to the value of
|
||||
.Va daily_status_security_output .
|
||||
.It Va daily_status_security_output
|
||||
.Pq Vt str
|
||||
Where to send the output of
|
||||
.Pa /etc/security
|
||||
if
|
||||
Where to send the output of the security check if
|
||||
.Va daily_status_security_inline
|
||||
is set to
|
||||
.Dq NO .
|
||||
@ -424,13 +429,91 @@ This variable behaves in the same way as the
|
||||
.Va *_output
|
||||
variables above, namely it can be set either to one or more email addresses
|
||||
or to an absolute file name.
|
||||
.It Va daily_status_security_chksetuid_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to compare the modes and modification times of setuid executables with
|
||||
the previous day's values.
|
||||
.It Va daily_status_security_chkmounts_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to check for changes mounted filesystems to the previous day's values.
|
||||
.It Va daily_status_security_noamd
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
if you want to ignore
|
||||
.Xr amd 8
|
||||
mounts when comparing against yesterdays filesystem mounts.
|
||||
mounts when comparing against yesterdays filesystem mounts in the
|
||||
.Va daily_status_security_chkmounts_enable
|
||||
check.
|
||||
.It Va daily_status_security_chkuid0_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to check
|
||||
.Pa /etc/master.passwd
|
||||
for accounts with uid 0.
|
||||
.It Va daily_status_security_passwdless_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to check
|
||||
.Pa /etc/master.passwd
|
||||
for accounts with empty passwords.
|
||||
.It Va daily_status_security_ipfwdenied_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to show log entries for packets denied by
|
||||
.Xr ipfw 8
|
||||
since yesterday's check.
|
||||
.It Va daily_status_security_ipfwlimit_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to display
|
||||
.Xr ipfw 8
|
||||
rules that have reached their verbosity limit.
|
||||
.It Va daily_status_security_ip6fwdenied_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to show log entries for packets denied by
|
||||
.Xr ip6fw 8
|
||||
since yesterday's check.
|
||||
.It Va daily_status_security_ip6fwlimit_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to display
|
||||
.Xr ip6fw 8
|
||||
rules that have reached their verbosity limit.
|
||||
.It Va daily_status_security_kernelmsg_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to show new
|
||||
.Xr dmesg 8
|
||||
entries since yesterday's check.
|
||||
.It Va daily_status_security_loginfail_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to display failed logins from
|
||||
.Pa /var/log/messages
|
||||
in the previous day.
|
||||
.It Va daily_status_security_tcpwrap_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
.Dq YES
|
||||
to display connections denied by tcpwrappers (see
|
||||
.Xr hosts_access 5 )
|
||||
from
|
||||
.Pa /var/log/messages
|
||||
during the previous day.
|
||||
.It Va daily_status_mail_rejects_enable
|
||||
.Pq Vt bool
|
||||
Set to
|
||||
|
@ -52,6 +52,11 @@ This usually occurs on Sunday mornings.
|
||||
.It Pa monthly
|
||||
Perform the standard monthly periodic executable run.
|
||||
This usually occurs on the first day of the month.
|
||||
.It Pa security
|
||||
Perform the standard daily security checks.
|
||||
This is usually spawned by the
|
||||
.Pa daily
|
||||
run.
|
||||
.It Ar path
|
||||
An arbitrary directory containing a set of executables to be run.
|
||||
.El
|
||||
|