Add login.conf checking to periodic security scripts. If the login.conf file
is not UID/GID 0, limits will be ignored and a strange error sent to auth.log. Head nod: ru, rwatson
This commit is contained in:
Tom Rhodes
parent
568b77a439
commit
b5aea37f80
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=161602
@ -159,6 +159,9 @@ daily_status_security_chkuid0_enable="YES"
|
||||
# 400.passwdless
|
||||
daily_status_security_passwdless_enable="YES"
|
||||
|
||||
# 410.logincheck
|
||||
daily_status_security_logincheck_enable="YES"
|
||||
|
||||
# 500.ipfwdenied
|
||||
daily_status_security_ipfwdenied_enable="YES"
|
||||
|
||||
|
||||
52
etc/periodic/security/410.logincheck
Normal file
52
etc/periodic/security/410.logincheck
Normal file
@ -0,0 +1,52 @@
|
||||
#!/bin/sh -
|
||||
#
|
||||
# Copyright (c) 2006 Tom Rhodes
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
#
|
||||
|
||||
# If there is a global system configuration file, suck it in.
|
||||
#
|
||||
if [ -r /etc/defaults/periodic.conf ]
|
||||
then
|
||||
. /etc/defaults/periodic.conf
|
||||
source_periodic_confs
|
||||
fi
|
||||
|
||||
case "$daily_status_security_logincheck_enable" in
|
||||
[Yy][Ee][Ss])
|
||||
echo ""
|
||||
echo 'Checking login.conf permissions:'
|
||||
if [ -G /etc/login.conf -a -O /etc/login.conf ] then
|
||||
n=0
|
||||
else
|
||||
echo "Bad ownership of /etc/login.conf"
|
||||
n=1
|
||||
fi
|
||||
[ $n -gt 0 ] && rc=1 || rc=0;;
|
||||
*) rc=0;;
|
||||
esac
|
||||
|
||||
exit "$rc"
|
||||
@ -4,6 +4,7 @@ FILES= 100.chksetuid \
|
||||
200.chkmounts \
|
||||
300.chkuid0 \
|
||||
400.passwdless \
|
||||
410.logincheck \
|
||||
500.ipfwdenied \
|
||||
510.ipfdenied \
|
||||
520.pfdenied \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user