Make the period of each periodic security script configurable.

There are now six additional variables
  weekly_status_security_enable
  weekly_status_security_inline
  weekly_status_security_output
  monthly_status_security_enable
  monthly_status_security_inline
  monthly_status_security_output
alongside their existing daily counterparts.  They all have the same
default values.

All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.

"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows defining the period of
each script.  The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".

Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitly disabled with a
"NO", either in the "_enable" or the "_period" variable.

When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
  myfbsd security run output ->  myfbsd security daily run output
I don't think this is considered a stable API, but feel free to
correct me if I'm wrong.

Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section.  I left them in
place for this commit to make reviewing easier.

Reviewed by:	hackers@
Jeremie Le Hen 2013-08-27 21:20:28 +00:00
parent f729ede69e
commit 69b55c23cb
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=254974
21 changed files with 476 additions and 125 deletions
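Added example, not part of this commit or of FreeBSD's periodic scripts: a dry-run that applies the scheduling rules the commit message describes (a check's "_enable" must be YES; its "_period" must equal the period of the current security run, or merely not be "NO" when "periodic security" is started directly from crontab(5)) to a periodic.conf fragment and reports which runs would execute each check. The fragment is constructed for the example, and the function names security_check_runs and security_schedule are this example's own, not names from the patch.

```shell
#!/bin/sh
# Added example (not part of the FreeBSD commit): dry-run the scheduling
# rules for security_status_<name>_enable / _period and print, for each
# check, which periodic(8) runs would execute it.
# The settings below are a constructed periodic.conf fragment.
security_status_chksetuid_enable="YES"
security_status_chksetuid_period="daily"
security_status_chkportsum_enable="yes"     # case-insensitive, like periodic(8)
security_status_chkportsum_period="Weekly"
security_status_passwdless_enable="YES"
security_status_passwdless_period="monthly"
security_status_kernelmsg_enable="YES"
security_status_kernelmsg_period="NO"       # enabled but never scheduled
security_status_tcpwrap_enable="NO"
security_status_tcpwrap_period="daily"      # period ignored: _enable is NO

# Fold a value to lower case so YES, Yes and yes compare equal.
lc() {
	printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# security_check_runs NAME CONTEXT
# NAME is the check (chksetuid, ...); CONTEXT is what periodic(8) puts in
# $PERIODIC: "security daily", "security weekly", "security monthly", or
# plain "security" when run straight from crontab(5).
# Exit 0 when the check would run, 1 when it would not, 2 on a bad CONTEXT.
security_check_runs() {
	local name="$1" context="$2" enable period
	eval "enable=\$security_status_${name}_enable"
	eval "period=\$security_status_${name}_period"
	[ "$(lc "$enable")" = "yes" ] || return 1
	period=$(lc "$period")
	case "$context" in
	security)
		# Direct crontab run: everything enabled runs unless explicitly NO.
		[ "$period" != "no" ] ;;
	"security daily"|"security weekly"|"security monthly")
		[ "$period" = "${context#security }" ] ;;
	*)
		return 2 ;;
	esac
}

# security_schedule: one line per check found among the shell variables,
# "<name>: <runs>", where <runs> lists daily/weekly/monthly/direct.
security_schedule() {
	set | sed -n 's/^security_status_\([a-z0-9]*\)_enable=.*/\1/p' | sort |
	while read -r name; do
		line="$name:"
		for ctx in "security daily" "security weekly" "security monthly" security; do
			if security_check_runs "$name" "$ctx"; then
				case "$ctx" in
				security) line="$line direct" ;;
				*)        line="$line ${ctx#security }" ;;
				esac
			fi
		done
		echo "$line"
	done
}

security_schedule
```

Run it after sourcing your real /etc/periodic.conf in place of the constructed block to see the effective schedule; a check that is enabled but shows no period at all (like kernelmsg above) is one whose "_period" is "NO", and a check that shows only "direct" is one that would run from a crontab(5) "periodic security" entry but never from the daily, weekly or monthly runs.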

View File

@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue
# 450.status-security # 450.status-security
daily_status_security_enable="YES" # Security check daily_status_security_enable="YES" # Security check
# See "Security options" below for more options # See also "Security options" below for more options
daily_status_security_inline="NO" # Run inline ?
daily_status_security_output="root" # user or /file
# 460.status-mail-rejects # 460.status-mail-rejects
daily_status_mail_rejects_enable="YES" # Check mail rejects daily_status_mail_rejects_enable="YES" # Check mail rejects
@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Local scripts
# Security options # Security options
# These options are used by the security periodic(8) scripts spawned in # These options are used by the security periodic(8) scripts spawned in
# 450.status-security above. # daily and weekly 450.status-security.
daily_status_security_inline="NO" # Run inline ? security_status_logdir="/var/log" # Directory for logs
daily_status_security_output="root" # user or /file security_status_diff_flags="-b -u" # flags for diff output
daily_status_security_logdir="/var/log" # Directory for logs
daily_status_security_diff_flags="-b -u" # flags for diff output # Each of the security_status_*_enable options below can have one of the
# following values:
# - NO
# - daily: only run during the daily security status
# - weekly: only run during the weekly security status
# 100.chksetuid # 100.chksetuid
daily_status_security_chksetuid_enable="YES" security_status_chksetuid_enable="YES"
security_status_chksetuid_period="daily"
# 110.neggrpperm # 110.neggrpperm
daily_status_security_neggrpperm_enable="YES" security_status_neggrpperm_enable="YES"
security_status_neggrpperm_period="daily"
# 200.chkmounts # 200.chkmounts
daily_status_security_chkmounts_enable="YES" security_status_chkmounts_enable="YES"
#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching security_status_chkmounts_period="daily"
#security_status_chkmounts_ignore="^amd:" # Don't check matching
# FS types # FS types
daily_status_security_noamd="NO" # Don't check amd mounts security_status_noamd="NO" # Don't check amd mounts
# 300.chkuid0 # 300.chkuid0
daily_status_security_chkuid0_enable="YES" security_status_chkuid0_enable="YES"
security_status_chkuid0_period="daily"
# 400.passwdless # 400.passwdless
daily_status_security_passwdless_enable="YES" security_status_passwdless_enable="YES"
security_status_passwdless_period="daily"
# 410.logincheck # 410.logincheck
daily_status_security_logincheck_enable="YES" security_status_logincheck_enable="YES"
security_status_logincheck_period="daily"
# 460.chkportsum # 460.chkportsum
daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum
security_status_chkportsum_period="daily"
# 500.ipfwdenied # 500.ipfwdenied
daily_status_security_ipfwdenied_enable="YES" security_status_ipfwdenied_enable="YES"
security_status_ipfwdenied_period="daily"
# 510.ipfdenied # 510.ipfdenied
daily_status_security_ipfdenied_enable="YES" security_status_ipfdenied_enable="YES"
security_status_ipfdenied_period="daily"
# 520.pfdenied # 520.pfdenied
daily_status_security_pfdenied_enable="YES" security_status_pfdenied_enable="YES"
security_status_pfdenied_period="daily"
# 550.ipfwlimit # 550.ipfwlimit
daily_status_security_ipfwlimit_enable="YES" security_status_ipfwlimit_enable="YES"
security_status_ipfwlimit_period="daily"
# 610.ipf6denied # 610.ipf6denied
daily_status_security_ipf6denied_enable="YES" security_status_ipf6denied_enable="YES"
security_status_ipf6denied_period="daily"
# 700.kernelmsg # 700.kernelmsg
daily_status_security_kernelmsg_enable="YES" security_status_kernelmsg_enable="YES"
security_status_kernelmsg_period="daily"
# 800.loginfail # 800.loginfail
daily_status_security_loginfail_enable="YES" security_status_loginfail_enable="YES"
security_status_loginfail_period="daily"
# 900.tcpwrap # 900.tcpwrap
daily_status_security_tcpwrap_enable="YES" security_status_tcpwrap_enable="YES"
security_status_tcpwrap_period="daily"
# Weekly options # Weekly options
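Review bot: the comment block added at the top of the Security options section describes the wrong variables. It says each `security_status_*_enable` option "can have one of the following values: NO, daily, weekly", but `_enable` stays a YES/NO boolean; it is the new `security_status_*_period` options that take a period, and `monthly` is missing from the list even though `check_yesno_period` later in this commit accepts it. Suggest `# Each of the security_status_*_period options below can have one of the` followed by `# - NO`, `# - daily`, `# - weekly`, `# - monthly`, plus one line saying that `_period` is only consulted when the matching `_enable` is YES.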
@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs
pkg_version=pkg_version # Use this program pkg_version=pkg_version # Use this program
pkg_version_index=/usr/ports/INDEX-10 # Use this index file pkg_version_index=/usr/ports/INDEX-10 # Use this index file
# 450.status-security
weekly_status_security_enable="YES" # Security check
# See also "Security options" above for more options
weekly_status_security_inline="NO" # Run inline ?
weekly_status_security_output="root" # user or /file
# 999.local # 999.local
weekly_local="/etc/weekly.local" # Local scripts weekly_local="/etc/weekly.local" # Local scripts
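Review bot: `weekly_status_security_enable` defaults to `YES` here (and `monthly_status_security_enable` to `YES` in the next hunk) while every `security_status_*_period` in this file defaults to `daily`, so a stock install now runs the weekly and monthly `450.status-security` scripts, prints `Security check:` and `(output mailed separately)` into the weekly and monthly reports, and then runs a nested `periodic security` in which no check is scheduled. Either default the weekly and monthly `_enable` knobs to `NO`, or document that these headings are expected to be empty until an admin moves some checks to those periods.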
@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts returning 2
# 200.accounting # 200.accounting
monthly_accounting_enable="YES" # Login accounting monthly_accounting_enable="YES" # Login accounting
# 450.status-security
monthly_status_security_enable="YES" # Security check
# See also "Security options" above for more options
monthly_status_security_inline="NO" # Run inline ?
monthly_status_security_output="root" # user or /file
# 999.local # 999.local
monthly_local="/etc/monthly.local" # Local scripts monthly_local="/etc/monthly.local" # Local scripts
@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # Local scripts
if [ -z "${source_periodic_confs_defined}" ]; then if [ -z "${source_periodic_confs_defined}" ]; then
source_periodic_confs_defined=yes source_periodic_confs_defined=yes
# Compatibility with old daily variable names.
# They can be removed in stable/11.
security_daily_compat_var() {
local var=$1 dailyvar value
dailyvar=daily_status_security${#status_security}
periodvar=${var%enable}period
eval value=\"\$$dailyvar\"
[ -z "$value" ] && return
echo "Warning: Variable \$$dailyvar is deprecated," \
"use \$$var instead." >&2
case "$value" in
[Yy][Ee][Ss])
$var=YES
$periodvar=daily
;;
*)
$var="$value"
;;
esac
}
check_yesno_period() {
local var="$1" periodvar value period
eval value=\"\$$var\"
case "$value" in
[Yy][Ee][Ss]) ;;
*) return 1 ;;
esac
periodvar=${var%enable}period
eval period=\"\$$periodvar\"
case "$PERIODIC" in
"security daily")
case "$period" in
[Dd][Aa][Ii][Ll][Yy]) return 0 ;;
*) return 1 ;;
esac
;;
"security weekly")
case "$period" in
[Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
*) return 1 ;;
esac
;;
"security monthly")
case "$period" in
[Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
*) return 1 ;;
esac
;;
security)
# Run directly from crontab(5).
case "$period" in
[Nn][Oo]) return 1 ;;
*) return 0 ;;
esac
;;
*)
echo "ASSERTION FAILED: Unexpected value for " \
"\$PERIODIC: '$PERIODIC'" >&2
exit 127
;;
esac
}
source_periodic_confs() { source_periodic_confs() {
local i sourced_files local i sourced_files
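Review bot: `security_daily_compat_var` cannot work as written. `dailyvar=daily_status_security${#status_security}` expands `${#status_security}` to the length of the (unset) variable `status_security`, i.e. `0`, so every caller looks up `daily_status_security0`; the intent is to strip the prefix from `$var`, i.e. `dailyvar=daily_status_security${var#security_status}`. The assignments `$var=YES`, `$periodvar=daily` and `$var="$value"` are not assignments either: the shell expands `$var` first and then tries to execute a command named `security_status_chksetuid_enable=YES`; they need `eval "$var=YES"`, `eval "$periodvar=daily"` and `eval "$var=\"\$value\""`. `periodvar` is also missing from the `local` list (it is local in `check_yesno_period` but not here). Finally, when the old name is set it silently overrides any value the admin already gave the new name; worth stating in the warning text or in periodic.conf(5).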

View File

@ -0,0 +1,41 @@
#!/bin/sh
#
# $FreeBSD$
#
# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
. /etc/defaults/periodic.conf
source_periodic_confs
fi
case "$monthly_status_security_enable" in
[Yy][Ee][Ss])
echo ""
echo "Security check:"
case "$monthly_status_security_inline" in
[Yy][Ee][Ss])
monthly_status_security_output="";;
esac
export security_output="${monthly_status_security_output}"
case "${monthly_status_security_output}" in
"")
rc=3;;
/*)
echo " (output logged separately)"
rc=0;;
*)
echo " (output mailed separately)"
rc=0;;
esac
periodic security || rc=3;;
*) rc=0;;
esac
exit $rc
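Review bot: this new monthly `450.status-security` is a line-for-line copy of the weekly one added elsewhere in this commit (and of the daily original), differing only in the `monthly_` prefix of the three variables; one script that derives the prefix from the run it is executing under (e.g. `${PERIODIC%% *}`) would keep three copies from drifting apart. Also, `check_yesno_period` in defaults/periodic.conf matches the exact strings `security daily`, `security weekly` and `security monthly`, so the nested `periodic security` call at the end of this script relies on periodic(8) prepending its argument to the inherited `$PERIODIC`; a comment here saying so would protect the next person who touches periodic.sh.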

View File

@ -37,10 +37,12 @@ fi
. /etc/periodic/security/security.functions . /etc/periodic/security/security.functions
security_daily_compat_var security_status_chksetuid_enable
rc=0 rc=0
case "$daily_status_security_chksetuid_enable" in if check_yesno_period security_status_chksetuid_enable
[Yy][Ee][Ss]) then
echo "" echo ""
echo 'Checking setuid files and devices:' echo 'Checking setuid files and devices:'
MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_enable" in
\( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
check_diff setuid - "${host} setuid diffs:" check_diff setuid - "${host} setuid diffs:"
rc=$? rc=$?
;; fi
*)
rc=0
;;
esac
exit $rc exit $rc

View File

@ -35,10 +35,12 @@ then
source_periodic_confs source_periodic_confs
fi fi
security_daily_compat_var security_status_neggrpperm_enable
rc=0 rc=0
case "$daily_status_security_neggrpperm_enable" in if check_yesno_period security_status_neggrpperm_enable
[Yy][Ee][Ss]) then
echo "" echo ""
echo 'Checking negative group permissions:' echo 'Checking negative group permissions:'
MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_enable" in
\( ! -perm +040 -and -perm +004 \) \) \ \( ! -perm +040 -and -perm +004 \) \) \
-exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
[ $n -gt 0 ] && rc=1 || rc=0 [ $n -gt 0 ] && rc=1 || rc=0
;; fi
esac
exit $rc exit $rc

View File

@ -40,12 +40,16 @@ fi
. /etc/periodic/security/security.functions . /etc/periodic/security/security.functions
ignore="${daily_status_security_chkmounts_ignore}" security_daily_compat_var security_status_chkmounts_enable
security_daily_compat_var security_status_chkmounts_ignore
security_daily_compat_var security_status_noamd
ignore="${security_status_chkmounts_ignore}"
rc=0 rc=0
case "$daily_status_security_chkmounts_enable" in if check_yesno_period security_status_chkmounts_enable
[Yy][Ee][Ss]) then
case "$daily_status_security_noamd" in case "$security_status_noamd" in
[Yy][Ee][Ss]) [Yy][Ee][Ss])
ignore="${ignore}|^amd:" ignore="${ignore}|^amd:"
esac esac
@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_enable" in
fi fi
mount -p | sort | ${cmd} | mount -p | sort | ${cmd} |
check_diff mount - "${host} changes in mounted filesystems:" check_diff mount - "${host} changes in mounted filesystems:"
rc=$?;; rc=$?
*) rc=0;; fi
esac
exit "$rc" exit "$rc"

View File

@ -36,16 +36,19 @@ then
source_periodic_confs source_periodic_confs
fi fi
case "$daily_status_security_chkuid0_enable" in security_daily_compat_var security_status_chkuid0_enable
[Yy][Ee][Ss])
rc=0
if check_yesno_period security_status_chkuid0_enable
then
echo "" echo ""
echo 'Checking for uids of 0:' echo 'Checking for uids of 0:'
n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
tee /dev/stderr | tee /dev/stderr |
sed -e '/^root 0$/d' -e '/^toor 0$/d' | sed -e '/^root 0$/d' -e '/^toor 0$/d' |
wc -l) wc -l)
[ $n -gt 0 ] && rc=1 || rc=0;; [ $n -gt 0 ] && rc=1 || rc=0
*) rc=0;; fi
esac
exit "$rc" exit "$rc"

View File

@ -35,14 +35,17 @@ then
source_periodic_confs source_periodic_confs
fi fi
case "$daily_status_security_passwdless_enable" in security_daily_compat_var security_status_passwdless_enable
[Yy][Ee][Ss])
rc=0
if check_yesno_period security_status_passwdless_enable
then
echo "" echo ""
echo 'Checking for passwordless accounts:' echo 'Checking for passwordless accounts:'
n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
tee /dev/stderr | wc -l) tee /dev/stderr | wc -l)
[ $n -gt 0 ] && rc=1 || rc=0;; [ $n -gt 0 ] && rc=1 || rc=0
*) rc=0;; fi
esac
exit "$rc" exit "$rc"

View File

@ -35,8 +35,12 @@ then
source_periodic_confs source_periodic_confs
fi fi
case "$daily_status_security_logincheck_enable" in security_daily_compat_var security_status_logincheck_enable
[Yy][Ee][Ss])
rc=0
if check_yesno_period security_status_logincheck_enable
then
echo "" echo ""
echo 'Checking login.conf permissions:' echo 'Checking login.conf permissions:'
if [ -G /etc/login.conf -a -O /etc/login.conf ]; then if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in
echo "Bad ownership of /etc/login.conf" echo "Bad ownership of /etc/login.conf"
n=1 n=1
fi fi
[ $n -gt 0 ] && rc=1 || rc=0;; [ $n -gt 0 ] && rc=1 || rc=0
*) rc=0;; fi
esac
exit "$rc" exit "$rc"

View File

@ -35,13 +35,15 @@ fi
. /etc/periodic/security/security.functions . /etc/periodic/security/security.functions
security_daily_compat_var security_status_chkportsum_enable
rc=0 rc=0
echo "" echo ""
echo 'Checking for ports with mismatched checksums:' echo 'Checking for ports with mismatched checksums:'
case "${daily_status_security_chkportsum_enable}" in if check_yesno_period security_status_chkportsum_enable
[Yy][Ee][Ss]) then
set -f set -f
pkg_info -ga 2>/dev/null | \ pkg_info -ga 2>/dev/null | \
while IFS= read -r line; do while IFS= read -r line; do
@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum_enable}" in
;; ;;
esac esac
done done
;; fi
*)
rc=0
;;
esac
exit $rc exit $rc
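Review bot: the `echo ""` and `echo 'Checking for ports with mismatched checksums:'` lines sit above the `if check_yesno_period security_status_chkportsum_enable` gate, so the heading is printed in every security run, including the periods in which the check is not scheduled and when `security_status_chkportsum_enable` is `NO` (the default). That was already true of the old `case` layout, but now that the script is invoked from daily, weekly and monthly runs it can print a misleading heading up to three times; move the two `echo` lines inside the `if`.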

View File

@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions . /etc/periodic/security/security.functions
security_daily_compat_var security_status_ipfwdenied_enable
rc=0 rc=0
case "$daily_status_security_ipfwdenied_enable" in if check_yesno_period security_status_ipfwdenied_enable
[Yy][Ee][Ss]) then
TMP=`mktemp -t security` TMP=`mktemp -t security`
if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
fi fi
rc=$? rc=$?
rm -f ${TMP};; rm -f ${TMP}
*) rc=0;; fi
esac
exit $rc exit $rc

View File

@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions . /etc/periodic/security/security.functions
security_daily_compat_var security_status_ipfdenied_enable
rc=0 rc=0
case "$daily_status_security_ipfdenied_enable" in if check_yesno_period security_status_ipfdenied_enable
[Yy][Ee][Ss]) then
TMP=`mktemp -t security` TMP=`mktemp -t security`
if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then
check_diff new_only ipf ${TMP} "${host} ipf denied packets:" check_diff new_only ipf ${TMP} "${host} ipf denied packets:"
fi fi
rc=$? rc=$?
rm -f ${TMP};; rm -f ${TMP}
*) rc=0;; fi
esac
exit $rc exit $rc

View File

@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions . /etc/periodic/security/security.functions
security_daily_compat_var security_status_pfdenied_enable
rc=0 rc=0
case "$daily_status_security_pfdenied_enable" in if check_yesno_period security_status_pfdenied_enable
[Yy][Ee][Ss]) then
TMP=`mktemp -t security` TMP=`mktemp -t security`
if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
check_diff new_only pf ${TMP} "${host} pf denied packets:" check_diff new_only pf ${TMP} "${host} pf denied packets:"
fi fi
rc=$? rc=$?
rm -f ${TMP};; rm -f ${TMP}
*) rc=0;; fi
esac
exit $rc exit $rc

View File

@ -38,10 +38,12 @@ then
source_periodic_confs source_periodic_confs
fi fi
security_daily_compat_var security_status_ipfwlimit_enable
rc=0 rc=0
case "$daily_status_security_ipfwlimit_enable" in if check_yesno_period security_status_ipfwlimit_enable
[Yy][Ee][Ss]) then
IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
exit 0 exit 0
@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_enable" in
echo 'ipfw log limit reached:' echo 'ipfw log limit reached:'
cat ${TMP} cat ${TMP}
fi fi
rm -f ${TMP};; rm -f ${TMP}
*) rc=0;; fi
esac
exit $rc exit $rc

View File

@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions . /etc/periodic/security/security.functions
security_daily_compat_var security_status_ipf6denied_enable
rc=0 rc=0
case "$daily_status_security_ipf6denied_enable" in if check_yesno_period security_status_ipf6denied_enable
[Yy][Ee][Ss]) then
TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then
check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:"
fi fi
rc=$? rc=$?
rm -f ${TMP};; rm -f ${TMP}
*) rc=0;; fi
esac
exit $rc exit $rc

View File

@ -40,14 +40,15 @@ fi
. /etc/periodic/security/security.functions . /etc/periodic/security/security.functions
security_daily_compat_var security_status_kernelmsg_enable
rc=0 rc=0
case "$daily_status_security_kernelmsg_enable" in if check_yesno_period security_status_kernelmsg_enable
[Yy][Ee][Ss]) then
dmesg 2>/dev/null | dmesg 2>/dev/null |
check_diff new_only dmesg - "${host} kernel log messages:" check_diff new_only dmesg - "${host} kernel log messages:"
rc=$?;; rc=$?
*) rc=0;; fi
esac
exit $rc exit $rc

View File

@ -38,7 +38,10 @@ then
source_periodic_confs source_periodic_confs
fi fi
LOG="${daily_status_security_logdir}" security_daily_compat_var security_status_logdir
security_daily_compat_var security_status_loginfail_enable
LOG="${security_status_logdir}"
yesterday=`date -v-1d "+%b %e "` yesterday=`date -v-1d "+%b %e "`
@ -55,14 +58,15 @@ catmsgs() {
[ -f ${LOG}/auth.log ] && cat $LOG/auth.log [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
} }
case "$daily_status_security_loginfail_enable" in rc=0
[Yy][Ee][Ss])
if check_yesno_period security_status_loginfail_enable
then
echo "" echo ""
echo "${host} login failures:" echo "${host} login failures:"
n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
tee /dev/stderr | wc -l) tee /dev/stderr | wc -l)
[ $n -gt 0 ] && rc=1 || rc=0;; [ $n -gt 0 ] && rc=1 || rc=0
*) rc=0;; fi
esac
exit $rc exit $rc
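Review bot: `yesterday=\`date -v-1d "+%b %e "\`` and the `egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)"` filter only look at the previous day's log lines, so setting `security_status_loginfail_period` to `weekly` or `monthly` does not report a week or a month of login failures; it reports one day's worth and silently drops the rest. Either restrict this check to `daily` (and say so in periodic.conf(5)) or derive the date window from the period the script is running under.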

View File

@ -38,7 +38,10 @@ then
source_periodic_confs source_periodic_confs
fi fi
LOG="${daily_status_security_logdir}" security_daily_compat_var security_status_logdir
security_daily_compat_var security_status_tcpwrap_enable
LOG="${security_status_logdir}"
yesterday=`date -v-1d "+%b %e "` yesterday=`date -v-1d "+%b %e "`
@ -55,14 +58,15 @@ catmsgs() {
[ -f ${LOG}/messages ] && cat $LOG/messages [ -f ${LOG}/messages ] && cat $LOG/messages
} }
case "$daily_status_security_tcpwrap_enable" in rc=0
[Yy][Ee][Ss])
if check_yesno_period security_status_tcpwrap_enable
then
echo "" echo ""
echo "${host} refused connections:" echo "${host} refused connections:"
n=$(catmsgs | grep -i "^$yesterday.*refused connect" | n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
tee /dev/stderr | wc -l) tee /dev/stderr | wc -l)
[ $n -gt 0 ] && rc=1 || rc=0;; [ $n -gt 0 ] && rc=1 || rc=0
*) rc=0;; fi
esac
exit $rc exit $rc
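Review bot: same limitation as 800.loginfail: the `grep -i "^$yesterday.*refused connect"` filter keyed on `date -v-1d` only covers the previous day, so a `weekly` or `monthly` `security_status_tcpwrap_period` reports one day out of the period and drops the rest. Restrict the check to `daily` or compute the window from the period.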

View File

@ -27,11 +27,19 @@
# $FreeBSD$ # $FreeBSD$
# #
# This is a library file, so we only try to do something when sourced.
case "$0" in
*/security.functions) exit 0 ;;
esac
security_daily_compat_var security_status_logdir
security_daily_compat_var security_status_diff_flags
# #
# Show differences in the output of an audit command # Show differences in the output of an audit command
# #
LOG="${daily_status_security_logdir}" LOG="${security_status_logdir}"
rc=0 rc=0
# Usage: COMMAND | check_diff [new_only] LABEL - MSG # Usage: COMMAND | check_diff [new_only] LABEL - MSG
@ -67,7 +75,7 @@ check_diff() {
[ $rc -lt 1 ] && rc=1 [ $rc -lt 1 ] && rc=1
echo "" echo ""
echo "${msg}" echo "${msg}"
diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \ diff ${security_status_diff_flags} ${LOG}/${label}.today \
${tmpf} | eval "${filter}" ${tmpf} | eval "${filter}"
mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
mv ${tmpf} ${LOG}/${label}.today || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3
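Review bot: calling `security_daily_compat_var` for `security_status_logdir` and `security_status_diff_flags` here means every script that sources this file (chksetuid, chkmounts, chkportsum, the four firewall checks, kernelmsg) re-runs the lookup and, when the old names are set, re-prints the deprecation warning once per script; 800.loginfail and 900.tcpwrap additionally call it for `security_status_logdir` themselves. Running the compatibility translation once, from `source_periodic_confs`, would give a single warning per run. This file also now depends on defaults/periodic.conf having been sourced first (the function is defined there); every caller in this commit does that, but a comment next to the new `case "$0"` guard should say so.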

View File

@ -0,0 +1,41 @@
#!/bin/sh
#
# $FreeBSD$
#
# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
. /etc/defaults/periodic.conf
source_periodic_confs
fi
case "$weekly_status_security_enable" in
[Yy][Ee][Ss])
echo ""
echo "Security check:"
case "$weekly_status_security_inline" in
[Yy][Ee][Ss])
weekly_status_security_output="";;
esac
export security_output="${weekly_status_security_output}"
case "${weekly_status_security_output}" in
"")
rc=3;;
/*)
echo " (output logged separately)"
rc=0;;
*)
echo " (output mailed separately)"
rc=0;;
esac
periodic security || rc=3;;
*) rc=0;;
esac
exit $rc

View File

@ -3,6 +3,7 @@
.include <bsd.own.mk> .include <bsd.own.mk>
FILES= 340.noid \ FILES= 340.noid \
450.status-security \
999.local 999.local
# NB: keep these sorted by MK_* knobs # NB: keep these sorted by MK_* knobs
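Review bot: this adds the new weekly `450.status-security` to `FILES`, but the monthly script added in this commit (the one reading `monthly_status_security_enable`) needs the same entry in the monthly Makefile; that hunk is not shown on this page, so please confirm it is part of the change set, otherwise the monthly script is never installed.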

View File

@ -1,4 +1,4 @@
.\"- \"-
.\" Copyright (c) 2000 Brian Somers <brian@Awfulhak.org> .\" Copyright (c) 2000 Brian Somers <brian@Awfulhak.org>
.\" All rights reserved. .\" All rights reserved.
.\" .\"
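Review bot: the first line of periodic.conf.5 changes from `.\"-` to `\"-`, dropping the leading dot. That is unrelated to the variable renaming and looks accidental: `.\"` is the roff comment request, whereas a line that starts with `\"` is an (empty) text line and can produce a blank line in the formatted page. Please revert this line.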
@ -482,26 +482,42 @@ This variable behaves in the same way as the
.Va *_output .Va *_output
variables above, namely it can be set either to one or more email addresses variables above, namely it can be set either to one or more email addresses
or to an absolute file name. or to an absolute file name.
.It Va daily_status_security_diff_flags .It Va security_status_diff_flags
.Pq Vt str .Pq Vt str
Set to the arguments to pass to the Set to the arguments to pass to the
.Xr diff 1 .Xr diff 1
utility when generating differences. utility when generating differences.
The default is The default is
.Fl b u . .Fl b u .
.It Va daily_status_security_chksetuid_enable .It Va security_status_chksetuid_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to compare the modes and modification times of setuid executables with to compare the modes and modification times of setuid executables with
the previous day's values. the previous day's values.
.It Va daily_status_security_chkportsum_enable .It Va security_status_chksetuid_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_chkportsum_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to verify checksums of all installed packages against the known checksums in to verify checksums of all installed packages against the known checksums in
.Pa /var/db/pkg . .Pa /var/db/pkg .
.It Va daily_status_security_neggrpperm_enable .It Va security_status_chkportsum_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_neggrpperm_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
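Review bot: each new `security_status_*_period` entry only lists the four accepted values; none states the default (`daily`, per the commit message and defaults/periodic.conf), that it is only consulted when the matching `_enable` is `YES`, or that `NO` disables the check even when the script is run directly as `periodic security`. Suggest one full description under `security_status_chksetuid_period`, e.g. "Set to daily, weekly or monthly to run the check only during that security run, or to NO to never run it; the default is daily", and a one-line "Same semantics as security_status_chksetuid_period" for the others instead of repeating the bare list for every check.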
@ -509,35 +525,67 @@ to check for files where the group of a file has less permissions than
the world at large. the world at large.
When users are in more than 14 supplemental groups these negative When users are in more than 14 supplemental groups these negative
permissions may not be enforced via NFS shares. permissions may not be enforced via NFS shares.
.It Va daily_status_security_chkmounts_enable .It Va security_status_neggrpperm_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_chkmounts_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to check for changes mounted file systems to the previous day's values. to check for changes mounted file systems to the previous day's values.
.It Va daily_status_security_noamd .It Va security_status_chkmounts_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_noamd
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
if you want to ignore if you want to ignore
.Xr amd 8 .Xr amd 8
mounts when comparing against yesterday's file system mounts in the mounts when comparing against yesterday's file system mounts in the
.Va daily_status_security_chkmounts_enable .Va security_status_chkmounts_enable
check. check.
.It Va daily_status_security_chkuid0_enable .It Va security_status_chkuid0_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to check to check
.Pa /etc/master.passwd .Pa /etc/master.passwd
for accounts with UID 0. for accounts with UID 0.
.It Va daily_status_security_passwdless_enable .It Va security_status_chkuid0_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_passwdless_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to check to check
.Pa /etc/master.passwd .Pa /etc/master.passwd
for accounts with empty passwords. for accounts with empty passwords.
.It Va daily_status_security_logincheck_enable .It Va security_status_passwdless_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_logincheck_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
@ -546,49 +594,105 @@ to check
ownership, see ownership, see
.Xr login.conf 5 .Xr login.conf 5
for more information. for more information.
.It Va daily_status_security_ipfwdenied_enable .It Va security_status_logincheck_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_ipfwdenied_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to show log entries for packets denied by to show log entries for packets denied by
.Xr ipfw 8 .Xr ipfw 8
since yesterday's check. since yesterday's check.
.It Va daily_status_security_ipfdenied_enable .It Va security_status_ipfwdenied_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_ipfdenied_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to show log entries for packets denied by to show log entries for packets denied by
.Xr ipf 8 .Xr ipf 8
since yesterday's check. since yesterday's check.
.It Va daily_status_security_pfdenied_enable .It Va security_status_ipfdenied_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_pfdenied_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to show log entries for packets denied by to show log entries for packets denied by
.Xr pf 4 .Xr pf 4
since yesterday's check. since yesterday's check.
.It Va daily_status_security_ipfwlimit_enable .It Va security_status_pfdenied_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_ipfwlimit_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to display to display
.Xr ipfw 8 .Xr ipfw 8
rules that have reached their verbosity limit. rules that have reached their verbosity limit.
.It Va daily_status_security_kernelmsg_enable .It Va security_status_ipfwlimit_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_kernelmsg_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to show new to show new
.Xr dmesg 8 .Xr dmesg 8
entries since yesterday's check. entries since yesterday's check.
.It Va daily_status_security_loginfail_enable .It Va security_status_kernelmsg_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_loginfail_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
to display failed logins from to display failed logins from
.Pa /var/log/messages .Pa /var/log/messages
in the previous day. in the previous day.
.It Va daily_status_security_tcpwrap_enable .It Va security_status_loginfail_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va security_status_tcpwrap_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
.Dq Li YES .Dq Li YES
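Review bot: the `security_status_loginfail_enable` text still says the check displays failed logins "in the previous day", and the ipfw, ipf, pf and dmesg entries say "since yesterday's check"; with a `_period` of `weekly` or `monthly` those statements no longer hold. The diff-based checks (ipfwdenied, ipfdenied, pfdenied, kernelmsg) compare against whatever the previous run was, so "since the previous run" is accurate for any period, while 800.loginfail really does only scan the previous day (it filters on `date -v-1d`); say that explicitly here or in its `_period` entry.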
@ -597,6 +701,14 @@ to display connections denied by tcpwrappers (see
from from
.Pa /var/log/messages .Pa /var/log/messages
during the previous day. during the previous day.
.It Va security_status_tcpwrap_period
.Pq Vt str
Set to either
.Dq Li daily ,
.Dq Li weekly ,
.Dq Li monthly
or
.Dq Li NO .
.It Va daily_status_mail_rejects_enable .It Va daily_status_mail_rejects_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
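Review bot: "during the previous day" under `security_status_tcpwrap_enable` is only accurate when `security_status_tcpwrap_period` is `daily`, since 900.tcpwrap filters on `date -v-1d`; state the one-day window here or in the `_period` entry so nobody expects a weekly run to cover a week.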
@ -709,6 +821,18 @@ An orphaned file is one with an invalid owner or group.
A list of directories under which orphaned files are searched for. A list of directories under which orphaned files are searched for.
This would usually be set to This would usually be set to
.Pa / . .Pa / .
.It Va weekly_status_security_enable
.Pq Vt bool
Weekly counterpart of
.Va daily_status_securiy_enable .
.It Va weekly_status_security_inline
.Pq Vt bool
Weekly counterpart of
.Va daily_status_securiy_inline .
.It Va weekly_status_security_output
.Pq Vt str
Weekly counterpart of
.Va daily_status_securiy_output .
.It Va weekly_status_pkg_enable .It Va weekly_status_pkg_enable
.Pq Vt bool .Pq Vt bool
Set to Set to
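Review bot: the three new weekly entries cross-reference `.Va daily_status_securiy_enable`, `.Va daily_status_securiy_inline` and `.Va daily_status_securiy_output`; "securiy" is a typo, so the references point at variables that do not exist. Fix to `daily_status_security_enable`, `daily_status_security_inline` and `daily_status_security_output`.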
@ -776,6 +900,18 @@ Set to
if you want to do login accounting using the if you want to do login accounting using the
.Xr ac 8 .Xr ac 8
command. command.
.It Va monthly_status_security_enable
.Pq Vt bool
Monthly counterpart of
.Va daily_status_securiy_enable .
.It Va monthly_status_security_inline
.Pq Vt bool
Monthly counterpart of
.Va daily_status_securiy_inline .
.It Va monthly_status_security_output
.Pq Vt str
Monthly counterpart of
.Va daily_status_securiy_output .
.It Va monthly_local .It Va monthly_local
.Pq Vt str .Pq Vt str
Set to a list of extra scripts that should be run after all other Set to a list of extra scripts that should be run after all other
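Review bot: same typo in the three monthly entries: `.Va daily_status_securiy_enable`, `.Va daily_status_securiy_inline` and `.Va daily_status_securiy_output` should read `daily_status_security_enable`, `daily_status_security_inline` and `daily_status_security_output`.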