diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf index 4dc247812879..5dd7fa974e2a 100644 --- a/etc/defaults/periodic.conf +++ b/etc/defaults/periodic.conf @@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue # 450.status-security daily_status_security_enable="YES" # Security check -# See "Security options" below for more options +# See also "Security options" below for more options +daily_status_security_inline="NO" # Run inline ? +daily_status_security_output="root" # user or /file # 460.status-mail-rejects daily_status_mail_rejects_enable="YES" # Check mail rejects @@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Local scripts # Security options # These options are used by the security periodic(8) scripts spawned in -# 450.status-security above. -daily_status_security_inline="NO" # Run inline ? -daily_status_security_output="root" # user or /file -daily_status_security_logdir="/var/log" # Directory for logs -daily_status_security_diff_flags="-b -u" # flags for diff output +# daily and weekly 450.status-security. +security_status_logdir="/var/log" # Directory for logs +security_status_diff_flags="-b -u" # flags for diff output + +# Each of the security_status_*_enable options below can have one of the +# following values: +# - NO +# - daily: only run during the daily security status +# - weekly: only run during the weekly security status # 100.chksetuid -daily_status_security_chksetuid_enable="YES" +security_status_chksetuid_enable="YES" +security_status_chksetuid_period="daily" # 110.neggrpperm -daily_status_security_neggrpperm_enable="YES" +security_status_neggrpperm_enable="YES" +security_status_neggrpperm_period="daily" # 200.chkmounts -daily_status_security_chkmounts_enable="YES" -#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching +security_status_chkmounts_enable="YES" +security_status_chkmounts_period="daily" +#security_status_chkmounts_ignore="^amd:" # Don't check matching # FS types -daily_status_security_noamd="NO" # Don't check amd mounts +security_status_noamd="NO" # Don't check amd mounts # 300.chkuid0 -daily_status_security_chkuid0_enable="YES" +security_status_chkuid0_enable="YES" +security_status_chkuid0_period="daily" # 400.passwdless -daily_status_security_passwdless_enable="YES" +security_status_passwdless_enable="YES" +security_status_passwdless_period="daily" # 410.logincheck -daily_status_security_logincheck_enable="YES" +security_status_logincheck_enable="YES" +security_status_logincheck_period="daily" # 460.chkportsum -daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum +security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum +security_status_chkportsum_period="daily" # 500.ipfwdenied -daily_status_security_ipfwdenied_enable="YES" +security_status_ipfwdenied_enable="YES" +security_status_ipfwdenied_period="daily" # 510.ipfdenied -daily_status_security_ipfdenied_enable="YES" +security_status_ipfdenied_enable="YES" +security_status_ipfdenied_period="daily" # 520.pfdenied -daily_status_security_pfdenied_enable="YES" +security_status_pfdenied_enable="YES" +security_status_pfdenied_period="daily" # 550.ipfwlimit -daily_status_security_ipfwlimit_enable="YES" +security_status_ipfwlimit_enable="YES" +security_status_ipfwlimit_period="daily" # 610.ipf6denied -daily_status_security_ipf6denied_enable="YES" +security_status_ipf6denied_enable="YES" +security_status_ipf6denied_period="daily" # 700.kernelmsg -daily_status_security_kernelmsg_enable="YES" +security_status_kernelmsg_enable="YES" +security_status_kernelmsg_period="daily" # 800.loginfail -daily_status_security_loginfail_enable="YES" +security_status_loginfail_enable="YES" +security_status_loginfail_period="daily" # 900.tcpwrap -daily_status_security_tcpwrap_enable="YES" +security_status_tcpwrap_enable="YES" +security_status_tcpwrap_period="daily" # Weekly options @@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs pkg_version=pkg_version # Use this program pkg_version_index=/usr/ports/INDEX-10 # Use this index file +# 450.status-security +weekly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +weekly_status_security_inline="NO" # Run inline ? +weekly_status_security_output="root" # user or /file + # 999.local weekly_local="/etc/weekly.local" # Local scripts @@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts returning 2 # 200.accounting monthly_accounting_enable="YES" # Login accounting +# 450.status-security +monthly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +monthly_status_security_inline="NO" # Run inline ? +monthly_status_security_output="root" # user or /file + # 999.local monthly_local="/etc/monthly.local" # Local scripts @@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # Local scripts if [ -z "${source_periodic_confs_defined}" ]; then source_periodic_confs_defined=yes + + # Compatibility with old daily variable names. + # They can be removed in stable/11. + security_daily_compat_var() { + local var=$1 dailyvar value + + dailyvar=daily_status_security${#status_security} + periodvar=${var%enable}period + eval value=\"\$$dailyvar\" + [ -z "$value" ] && return + echo "Warning: Variable \$$dailyvar is deprecated," \ + "use \$$var instead." >&2 + case "$value" in + [Yy][Ee][Ss]) + $var=YES + $periodvar=daily + ;; + *) + $var="$value" + ;; + esac + } + + check_yesno_period() { + local var="$1" periodvar value period + + eval value=\"\$$var\" + case "$value" in + [Yy][Ee][Ss]) ;; + *) return 1 ;; + esac + + periodvar=${var%enable}period + eval period=\"\$$periodvar\" + case "$PERIODIC" in + "security daily") + case "$period" in + [Dd][Aa][Ii][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security weekly") + case "$period" in + [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security monthly") + case "$period" in + [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + security) + # Run directly from crontab(5). + case "$period" in + [Nn][Oo]) return 1 ;; + *) return 0 ;; + esac + ;; + *) + echo "ASSERTION FAILED: Unexpected value for " \ + "\$PERIODIC: '$PERIODIC'" >&2 + exit 127 + ;; + esac + } + source_periodic_confs() { local i sourced_files diff --git a/etc/periodic/monthly/450.status-security b/etc/periodic/monthly/450.status-security new file mode 100755 index 000000000000..027c896d4d2f --- /dev/null +++ b/etc/periodic/monthly/450.status-security @@ -0,0 +1,41 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$monthly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$monthly_status_security_inline" in + [Yy][Ee][Ss]) + monthly_status_security_output="";; + esac + + export security_output="${monthly_status_security_output}" + case "${monthly_status_security_output}" in + "") + rc=3;; + /*) + echo " (output logged separately)" + rc=0;; + *) + echo " (output mailed separately)" + rc=0;; + esac + + periodic security || rc=3;; + + *) rc=0;; +esac + +exit $rc diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid index 5b93b2043dc0..95920a6faf90 100755 --- a/etc/periodic/security/100.chksetuid +++ b/etc/periodic/security/100.chksetuid @@ -37,10 +37,12 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chksetuid_enable + rc=0 -case "$daily_status_security_chksetuid_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_chksetuid_enable +then echo "" echo 'Checking setuid files and devices:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` @@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_enable" in \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | check_diff setuid - "${host} setuid diffs:" rc=$? - ;; - *) - rc=0 - ;; -esac +fi exit $rc diff --git a/etc/periodic/security/110.neggrpperm b/etc/periodic/security/110.neggrpperm index 68d1e7b24d77..1d545ac5f7b6 100755 --- a/etc/periodic/security/110.neggrpperm +++ b/etc/periodic/security/110.neggrpperm @@ -35,10 +35,12 @@ then source_periodic_confs fi +security_daily_compat_var security_status_neggrpperm_enable + rc=0 -case "$daily_status_security_neggrpperm_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_neggrpperm_enable +then echo "" echo 'Checking negative group permissions:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` @@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_enable" in \( ! -perm +040 -and -perm +004 \) \) \ -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 - ;; -esac +fi exit $rc diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts index 17b114ef0a8c..7b14866869bb 100755 --- a/etc/periodic/security/200.chkmounts +++ b/etc/periodic/security/200.chkmounts @@ -40,12 +40,16 @@ fi . /etc/periodic/security/security.functions -ignore="${daily_status_security_chkmounts_ignore}" +security_daily_compat_var security_status_chkmounts_enable +security_daily_compat_var security_status_chkmounts_ignore +security_daily_compat_var security_status_noamd + +ignore="${security_status_chkmounts_ignore}" rc=0 -case "$daily_status_security_chkmounts_enable" in - [Yy][Ee][Ss]) - case "$daily_status_security_noamd" in +if check_yesno_period security_status_chkmounts_enable +then + case "$security_status_noamd" in [Yy][Ee][Ss]) ignore="${ignore}|^amd:" esac @@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_enable" in fi mount -p | sort | ${cmd} | check_diff mount - "${host} changes in mounted filesystems:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit "$rc" diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0 index 32cc16c846c3..73578e241553 100755 --- a/etc/periodic/security/300.chkuid0 +++ b/etc/periodic/security/300.chkuid0 @@ -36,16 +36,19 @@ then source_periodic_confs fi -case "$daily_status_security_chkuid0_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_chkuid0_enable + +rc=0 + +if check_yesno_period security_status_chkuid0_enable +then echo "" echo 'Checking for uids of 0:' n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr | sed -e '/^root 0$/d' -e '/^toor 0$/d' | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless index 42ece0453ccd..5e851ac847c7 100755 --- a/etc/periodic/security/400.passwdless +++ b/etc/periodic/security/400.passwdless @@ -35,14 +35,17 @@ then source_periodic_confs fi -case "$daily_status_security_passwdless_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_passwdless_enable + +rc=0 + +if check_yesno_period security_status_passwdless_enable +then echo "" echo 'Checking for passwordless accounts:' n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/410.logincheck b/etc/periodic/security/410.logincheck index f6cf4052bd7a..41e7f65ebf1b 100755 --- a/etc/periodic/security/410.logincheck +++ b/etc/periodic/security/410.logincheck @@ -35,8 +35,12 @@ then source_periodic_confs fi -case "$daily_status_security_logincheck_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_logincheck_enable + +rc=0 + +if check_yesno_period security_status_logincheck_enable +then echo "" echo 'Checking login.conf permissions:' if [ -G /etc/login.conf -a -O /etc/login.conf ]; then @@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in echo "Bad ownership of /etc/login.conf" n=1 fi - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/460.chkportsum b/etc/periodic/security/460.chkportsum index 3a39c84d0835..18a12ecbadb3 100755 --- a/etc/periodic/security/460.chkportsum +++ b/etc/periodic/security/460.chkportsum @@ -35,13 +35,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chkportsum_enable + rc=0 echo "" echo 'Checking for ports with mismatched checksums:' -case "${daily_status_security_chkportsum_enable}" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_chkportsum_enable +then set -f pkg_info -ga 2>/dev/null | \ while IFS= read -r line; do @@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum_enable}" in ;; esac done - ;; - *) - rc=0 - ;; -esac +fi exit $rc diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied index 6a6fb8b4f6a6..f39ca0ed9531 100755 --- a/etc/periodic/security/500.ipfwdenied +++ b/etc/periodic/security/500.ipfwdenied @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfwdenied_enable + rc=0 -case "$daily_status_security_ipfwdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfwdenied_enable +then TMP=`mktemp -t security` if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/510.ipfdenied b/etc/periodic/security/510.ipfdenied index 2058d2b1cb94..bed75e645c2a 100755 --- a/etc/periodic/security/510.ipfdenied +++ b/etc/periodic/security/510.ipfdenied @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfdenied_enable + rc=0 -case "$daily_status_security_ipfdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfdenied_enable +then TMP=`mktemp -t security` if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf ${TMP} "${host} ipf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied index 5e5139363028..7a32bf2a193b 100755 --- a/etc/periodic/security/520.pfdenied +++ b/etc/periodic/security/520.pfdenied @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_pfdenied_enable + rc=0 -case "$daily_status_security_pfdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_pfdenied_enable +then TMP=`mktemp -t security` if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then check_diff new_only pf ${TMP} "${host} pf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit index daa0f86321f8..86932c676c7a 100755 --- a/etc/periodic/security/550.ipfwlimit +++ b/etc/periodic/security/550.ipfwlimit @@ -38,10 +38,12 @@ then source_periodic_confs fi +security_daily_compat_var security_status_ipfwlimit_enable + rc=0 -case "$daily_status_security_ipfwlimit_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfwlimit_enable +then IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then exit 0 @@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_enable" in echo 'ipfw log limit reached:' cat ${TMP} fi - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/610.ipf6denied b/etc/periodic/security/610.ipf6denied index 6c64d92eee7e..7e02cfc583f3 100755 --- a/etc/periodic/security/610.ipf6denied +++ b/etc/periodic/security/610.ipf6denied @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipf6denied_enable + rc=0 -case "$daily_status_security_ipf6denied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipf6denied_enable +then TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg index fb5ed633f461..8bf6491901ed 100755 --- a/etc/periodic/security/700.kernelmsg +++ b/etc/periodic/security/700.kernelmsg @@ -40,14 +40,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_kernelmsg_enable + rc=0 -case "$daily_status_security_kernelmsg_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_kernelmsg_enable +then dmesg 2>/dev/null | check_diff new_only dmesg - "${host} kernel log messages:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit $rc diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail index 767b9597ad41..a0de96dec10e 100755 --- a/etc/periodic/security/800.loginfail +++ b/etc/periodic/security/800.loginfail @@ -38,7 +38,10 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_loginfail_enable + +LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` @@ -55,14 +58,15 @@ catmsgs() { [ -f ${LOG}/auth.log ] && cat $LOG/auth.log } -case "$daily_status_security_loginfail_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_yesno_period security_status_loginfail_enable +then echo "" echo "${host} login failures:" n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap index 55f77099bb7c..10b02e9e2bb6 100755 --- a/etc/periodic/security/900.tcpwrap +++ b/etc/periodic/security/900.tcpwrap @@ -38,7 +38,10 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_tcpwrap_enable + +LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` @@ -55,14 +58,15 @@ catmsgs() { [ -f ${LOG}/messages ] && cat $LOG/messages } -case "$daily_status_security_tcpwrap_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_yesno_period security_status_tcpwrap_enable +then echo "" echo "${host} refused connections:" n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc diff --git a/etc/periodic/security/security.functions b/etc/periodic/security/security.functions index f5b8dcd203d4..bc2bcba16877 100644 --- a/etc/periodic/security/security.functions +++ b/etc/periodic/security/security.functions @@ -27,11 +27,19 @@ # $FreeBSD$ # +# This is a library file, so we only try to do something when sourced. +case "$0" in +*/security.functions) exit 0 ;; +esac + +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_diff_flags + # # Show differences in the output of an audit command # -LOG="${daily_status_security_logdir}" +LOG="${security_status_logdir}" rc=0 # Usage: COMMAND | check_diff [new_only] LABEL - MSG @@ -67,7 +75,7 @@ check_diff() { [ $rc -lt 1 ] && rc=1 echo "" echo "${msg}" - diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \ + diff ${security_status_diff_flags} ${LOG}/${label}.today \ ${tmpf} | eval "${filter}" mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3 diff --git a/etc/periodic/weekly/450.status-security b/etc/periodic/weekly/450.status-security new file mode 100755 index 000000000000..513fbda7b60d --- /dev/null +++ b/etc/periodic/weekly/450.status-security @@ -0,0 +1,41 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$weekly_status_security_inline" in + [Yy][Ee][Ss]) + weekly_status_security_output="";; + esac + + export security_output="${weekly_status_security_output}" + case "${weekly_status_security_output}" in + "") + rc=3;; + /*) + echo " (output logged separately)" + rc=0;; + *) + echo " (output mailed separately)" + rc=0;; + esac + + periodic security || rc=3;; + + *) rc=0;; +esac + +exit $rc diff --git a/etc/periodic/weekly/Makefile b/etc/periodic/weekly/Makefile index 7f2eae22de3e..057653d590f3 100644 --- a/etc/periodic/weekly/Makefile +++ b/etc/periodic/weekly/Makefile @@ -3,6 +3,7 @@ .include FILES= 340.noid \ + 450.status-security \ 999.local # NB: keep these sorted by MK_* knobs diff --git a/share/man/man5/periodic.conf.5 b/share/man/man5/periodic.conf.5 index 4543532cfdba..e9acec0a0015 100644 --- a/share/man/man5/periodic.conf.5 +++ b/share/man/man5/periodic.conf.5 @@ -1,4 +1,4 @@ -.\"- +\"- .\" Copyright (c) 2000 Brian Somers .\" All rights reserved. .\" @@ -482,26 +482,42 @@ This variable behaves in the same way as the .Va *_output variables above, namely it can be set either to one or more email addresses or to an absolute file name. -.It Va daily_status_security_diff_flags +.It Va security_status_diff_flags .Pq Vt str Set to the arguments to pass to the .Xr diff 1 utility when generating differences. The default is .Fl b u . -.It Va daily_status_security_chksetuid_enable +.It Va security_status_chksetuid_enable .Pq Vt bool Set to .Dq Li YES to compare the modes and modification times of setuid executables with the previous day's values. -.It Va daily_status_security_chkportsum_enable +.It Va security_status_chksetuid_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_chkportsum_enable .Pq Vt bool Set to .Dq Li YES to verify checksums of all installed packages against the known checksums in .Pa /var/db/pkg . -.It Va daily_status_security_neggrpperm_enable +.It Va security_status_chkportsum_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_neggrpperm_enable .Pq Vt bool Set to .Dq Li YES @@ -509,35 +525,67 @@ to check for files where the group of a file has less permissions than the world at large. When users are in more than 14 supplemental groups these negative permissions may not be enforced via NFS shares. -.It Va daily_status_security_chkmounts_enable +.It Va security_status_neggrpperm_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_chkmounts_enable .Pq Vt bool Set to .Dq Li YES to check for changes mounted file systems to the previous day's values. -.It Va daily_status_security_noamd +.It Va security_status_chkmounts_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_noamd .Pq Vt bool Set to .Dq Li YES if you want to ignore .Xr amd 8 mounts when comparing against yesterday's file system mounts in the -.Va daily_status_security_chkmounts_enable +.Va security_status_chkmounts_enable check. -.It Va daily_status_security_chkuid0_enable +.It Va security_status_chkuid0_enable .Pq Vt bool Set to .Dq Li YES to check .Pa /etc/master.passwd for accounts with UID 0. -.It Va daily_status_security_passwdless_enable +.It Va security_status_chkuid0_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_passwdless_enable .Pq Vt bool Set to .Dq Li YES to check .Pa /etc/master.passwd for accounts with empty passwords. -.It Va daily_status_security_logincheck_enable +.It Va security_status_passwdless_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_logincheck_enable .Pq Vt bool Set to .Dq Li YES @@ -546,49 +594,105 @@ to check ownership, see .Xr login.conf 5 for more information. -.It Va daily_status_security_ipfwdenied_enable +.It Va security_status_logincheck_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ipfwdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr ipfw 8 since yesterday's check. -.It Va daily_status_security_ipfdenied_enable +.It Va security_status_ipfwdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ipfdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr ipf 8 since yesterday's check. -.It Va daily_status_security_pfdenied_enable +.It Va security_status_ipfdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_pfdenied_enable .Pq Vt bool Set to .Dq Li YES to show log entries for packets denied by .Xr pf 4 since yesterday's check. -.It Va daily_status_security_ipfwlimit_enable +.It Va security_status_pfdenied_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_ipfwlimit_enable .Pq Vt bool Set to .Dq Li YES to display .Xr ipfw 8 rules that have reached their verbosity limit. -.It Va daily_status_security_kernelmsg_enable +.It Va security_status_ipfwlimit_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_kernelmsg_enable .Pq Vt bool Set to .Dq Li YES to show new .Xr dmesg 8 entries since yesterday's check. -.It Va daily_status_security_loginfail_enable +.It Va security_status_kernelmsg_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_loginfail_enable .Pq Vt bool Set to .Dq Li YES to display failed logins from .Pa /var/log/messages in the previous day. -.It Va daily_status_security_tcpwrap_enable +.It Va security_status_loginfail_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . +.It Va security_status_tcpwrap_enable .Pq Vt bool Set to .Dq Li YES @@ -597,6 +701,14 @@ to display connections denied by tcpwrappers (see from .Pa /var/log/messages during the previous day. +.It Va security_status_tcpwrap_period +.Pq Vt str +Set to either +.Dq Li daily , +.Dq Li weekly , +.Dq Li monthly +or +.Dq Li NO . .It Va daily_status_mail_rejects_enable .Pq Vt bool Set to @@ -709,6 +821,18 @@ An orphaned file is one with an invalid owner or group. A list of directories under which orphaned files are searched for. This would usually be set to .Pa / . +.It Va weekly_status_security_enable +.Pq Vt bool +Weekly counterpart of +.Va daily_status_securiy_enable . +.It Va weekly_status_security_inline +.Pq Vt bool +Weekly counterpart of +.Va daily_status_securiy_inline . +.It Va weekly_status_security_output +.Pq Vt str +Weekly counterpart of +.Va daily_status_securiy_output . .It Va weekly_status_pkg_enable .Pq Vt bool Set to @@ -776,6 +900,18 @@ Set to if you want to do login accounting using the .Xr ac 8 command. +.It Va monthly_status_security_enable +.Pq Vt bool +Monthly counterpart of +.Va daily_status_securiy_enable . +.It Va monthly_status_security_inline +.Pq Vt bool +Monthly counterpart of +.Va daily_status_securiy_inline . +.It Va monthly_status_security_output +.Pq Vt str +Monthly counterpart of +.Va daily_status_securiy_output . .It Va monthly_local .Pq Vt str Set to a list of extra scripts that should be run after all other