Commit Graph

55 Commits

Author SHA1 Message Date
Hajimu UMEMOTO
cefe8a2051 Show IPv6 denied packets.
MFC after:	1 week
2001-07-04 12:49:17 +00:00
Crist J. Clark
ab26031ac2 Fixing a bug reported on freebsd-security. It is possible for
non-printable characters to sneak into /var/log/messages (e.g.
someone aims a Solaris/Linux RCP exploit at your FreeBSD box and
you end up with his shellcode as part of a log entry). You might
get something like,

  host.mydom.org login failures:
  Binary file (standard input) matches

In the daily security script as a result. Allowing attackers to
mess with your security script's ability to accurately report
is a Bad Thing. Tell grep(1) to treat /var/log/messages like a
text file even if it has non-printable characters.

Submitted by:	Tim Zingelman <zingelman@fnal.gov> on freebsd-security
Approved by:	ru
MFC after:	1 week
2001-06-21 19:17:15 +00:00
Dima Dorfman
84d86fba8d Pass -a to dmesg(8).
PR:		26870
Submitted by:	Tomonobu AKIMOTO <akimoto@xephion.ne.jp>
2001-06-14 04:30:46 +00:00
Ruslan Ermilov
0b381bf1fd Remove vestiges of MFS.
2001-06-01 10:07:28 +00:00
Dirk Froemberg
624fe60635 Checking of denied zone transfers is now done in
periodic/daily/470.status-named.
2001-04-21 22:37:54 +00:00
Dirk Froemberg
0f8af26fe3 Log denied IXFR, too.
MFC candidate.
2001-04-14 10:05:01 +00:00
Nate Williams
991bcf5c04 - Newer versions of bind log denied secondary zone transfers with
'denied AXFR', not 'unapproved AXFR'.

This is an MFC candidate.

PR:		misc/26529
Submitted by:	duwde@duwde.com.br
2001-04-13 15:13:15 +00:00
Brian Somers
d552710cfb Ignore comments in /etc/passwd
PR:		25845
Submitted by:	Udo Schweigert <ust@cert.siemens.de>
2001-03-17 21:22:29 +00:00
Brian Somers
5a5bb7591b Show denied secondary bind transfer attempts
Submitted by:		inTEXT Communications <glenn@intextonline.com>
Ok'd by:		imp, kris
Not objected to by:	freebsd-audit
2001-02-08 20:31:21 +00:00
Brian Somers
38fb35db09 Pick up all messages* files less than two days old rather than
just messages{,.0*} when looking for login failures and refused
connections.

PR: 23415
Mostly submitted by: phk

Convert a few "  "s to tabs while I'm here - for consistency.
2001-02-03 01:28:46 +00:00
Doug Barton
e14563a3f3 Apply a more consistent style to the echo statements in /etc/ scripts.
* Put quotes around each line
* Single quotes for lines with no variable interpolation
* Double quotes if there is
* Capitalize each word that begins a line
* Make echo -n 'Doing foo:' ... echo '.' more of a standard

No functionality changes
2000-12-17 08:16:06 +00:00
David E. O'Brien
a1c43e3fbb Add copyright notices. Other systems have been borrowing our /etc files
w/o giving any credit.
2000-10-08 19:20:36 +00:00
Brian Somers
48a7635f95 Sort the output of mount
Requested by: des

Remove a redundant sed
2000-09-18 18:35:07 +00:00
Brian Somers
9ed55d1192 Another overhaul of the periodic stuff.
All periodic sub-scripts <larf> now have their return codes interpreted
by periodic(8).  Output may be masked based on variable values in
periodic.conf.

It's also now possible to email periodic output to arbitrary addresses,
or to send it to a log file, examples of which can be found in
newsyslog.conf.

The upshot of it all should be no discernible changes to the default
behaviour of periodic(8).

PR:	21250
2000-09-14 17:19:15 +00:00
Brian Somers
bc8617937e Use ``diff -w'' for setuid.{to,yester}day comparisons
rather than ``diff -b''.
2000-08-07 09:08:35 +00:00
David Malone
7c76474a64 Get the security script to list the inode numbers of the suid files.
I've seen some script kiddie tools out there that fake the timestamps
but don't preserve the inode number.

Note - this will cause a lot of output the first time it is run!

PR:		18947
Reviewed by:	Sheldon Hearn <sheldonh@uunet.co.za>
2000-07-11 14:24:53 +00:00
Brian Somers
32ee60d7b8 Add -s -a and -m flags for suppressing the subject line, ignoring amd
mounts and ignoring mfs mounts.
Default functionality stays the same.
2000-06-23 01:16:49 +00:00
Sheldon Hearn
39e0dbd5fb Add a step for showing changes in the way filesystems are mounted
today from the way they were mounted yesterday.

PR:		17155
Submitted by:	"Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
2000-04-06 10:46:50 +00:00
Sheldon Hearn
fdc6e9bd38 Do not report blocked out NIS password entries as passwordless.
Submitted by:	"Sean O'Connell" <sean@stat.Duke.EDU>
2000-04-05 13:42:48 +00:00
Alexey Zelkin
b271db7f20 Test rotated logs for dangerous messages as well as current
PR:		misc/12228
Submitted by:	Philippe SCHACK <phschak@inba.fr>
1999-12-20 17:33:56 +00:00
Sheldon Hearn
a0468d95ed Do not misinterpret blank and comment lines as passwordless accounts.
PR:	13909
Submitted by:	Peter Jeremy <peter.jeremy@alcatel.com.au>
1999-10-06 10:29:33 +00:00
Sheldon Hearn
023fff94a5 The previous commit missed two unquoted variable expansions. This had
the unfortunate side-effect of breaking the security script for hosts
without kernel support for IPFW. Fix.

Reported by:	jhay
1999-10-04 14:54:34 +00:00
Sheldon Hearn
321704296f Apply a consistent style to most of the etc scripts. Particularly, use
case instead of test where appropriate, since case is a sh builtin and
(as a side-effect) allows case-insensitivity.

Changes discussed on freebsd-hackers.

Submitted by:	Doug Barton <Doug@gorean.org>
1999-09-13 15:44:20 +00:00
Peter Wemm
9b7a44a60e $Id$ -> $FreeBSD$
1999-08-27 23:37:10 +00:00
Sheldon Hearn
b68adff6b7 Style clean-up:
* All variables are now embraced: ${foo}

* All comparisons against some value now take the form:
  [ "${foo}" ? "value" ]
  where ? is a comparison operator

* All empty string tests now take the form:
  [ -z "${foo}" ]

* All non-empty string tests now take the form:
  [ -n "${foo}" ]

Submitted by:	jkh
1999-08-25 16:01:45 +00:00
Sheldon Hearn
450f806ba3 Ignore NIS accounts when checking for passwordless accounts.
PR:     9639
Reported by:    Bob Willcox <bob@pmr.com>
Submitted by:   des
1999-06-23 14:23:54 +00:00
Daniel O'Callaghan
b7fe2b6dab Fix typo: "login failures" -> "login failure"
PR:	9424
Submitted by:	Lars K*ller <root@cc.fh-lippe.de>
1999-01-10 11:18:59 +00:00
Bill Fumerola
54724311ee Make periodic(8) and the security mailings reflect the full FQDN, as opposed
to a hostname. This will help those who keep a cluster of machines all with
the same hostname but different domain names.

PR:		bin/9091
Submitted By:	Heikki Suonsivu <hsu@clinet.fi>
No Response From: -current mailing list
1999-01-01 17:37:33 +00:00
Dag-Erling Smørgrav
9338e8728b Fix typo in previous commit.
PR:		7621
Submitted by:	Mark Huizer
1998-08-16 10:38:02 +00:00
Dag-Erling Smørgrav
9a29cee2bd Make /etc/security bitch about passwordless accounts.
Use awk -F: rather than 'BEGIN {FS=":"}'
1998-08-11 08:48:54 +00:00
Alexander Langer
e375f2fa06 Detect user id 0 as a number instead of a string. String comparisons
fail to detect 00.

PR:		7218
Submitted by:	Michal Listos <mcl@Amnesiac.123.org>
		Niall Smart <rotel@indigo.ie>
1998-07-08 22:42:08 +00:00
Andreas Klemm
abbfb2cedc additionally warnings
- login failures
- tcp_wrapper messages about refused connections
1998-06-27 11:13:59 +00:00
Alexander Langer
31ea9a843a Display ipfw rules which have reached the log limit.
1998-02-04 01:53:19 +00:00
Alexander Langer
ba6f0e79c2 Changed ipfw grep string: reject rules are now listed as deny, reset,
or unreach.
1997-09-26 01:38:30 +00:00
Brian Somers
1d554918e8 Remove the annoying "cmp: EOF" message when
dmesg changes.
1997-08-01 01:25:21 +00:00
Mike Pritchard
27117f574e Remove the -g option from the "find ... | xargs -ls ..." line.
The -g option to ls has been deprecated.
1997-03-03 07:03:50 +00:00
Mike Pritchard
ba565fa6ce When looking for setuid files, call find with -print0 and xargs with -0.
This allows find to pass files with "illegal" characters to xargs in a
safe manner.

Note: due to the manner in which the file names are now passed between
find and xargs, the files are now sorted differently than before.
The first /etc/security run after installing this change may result
in a lot of output when nothing did in fact change.

Closes PR# 1910.

2.2 candidate.
1997-02-23 21:34:34 +00:00
Peter Wemm
79403fe300 Revert $FreeBSD$ to $Id$
1997-02-23 09:21:14 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00
Nate Williams
c79a9ab9e5 Whoops, update the comment field while we're at it. (I *hate* the link
to freefall!)
1996-10-12 04:56:28 +00:00
Nate Williams
7387fdc643 In the same manner that we log the ipfw entries, log the kernel log
messages using the output of dmesg.
1996-10-12 04:51:09 +00:00
Paul Traina
c733dcc306 Move intermediary file generation to /var partition
1996-07-31 06:47:05 +00:00
Alexander Langer
ef1b941ad5 If ipfw is enabled, display packet/byte counters for reject/deny rules
that have changed since the last security check.

Make the spacing between sections more consistent.
1996-06-30 19:35:20 +00:00
Peter Wemm
80ed784ffa If a local ufs filesystem is mounted "nosuid", don't scan it as part of
the /etc/security setuid checks.  This is useful for things like large
news spool partitions that don't have executables.

Reviewed by: pst
1996-06-30 13:16:21 +00:00
Andrey A. Chernov
32d67daa2b Exclude devices. Character ones' modes change often and proper name
guessing involves too much AI.
1996-04-19 22:28:01 +00:00
Andrey A. Chernov
86d34adf67 Use -X to be xargs-friendly
Check devices too, follow original BSD intention
Find only executable files with s-bits, close PR bin/1022
Reset locale to C to have equal results in any case
1996-04-18 10:34:07 +00:00
Andrey A. Chernov
44436d27fe If no $LOG/setuid.today exists (e.g. the first time it is run), put a
warning and make it; all following commands fail in the old case.
1995-09-15 00:22:31 +00:00
Andrey A. Chernov
ec25d6d6aa Use -b for diff, ls produces a different number of spaces.
1995-05-27 01:37:44 +00:00
Andreas Schulz
ccca965b89 Fix a bug that someone has introduced into /etc/security. It no longer
found SUID files, only SGID files. The find was missing some parentheses.
1995-01-14 13:23:50 +00:00
Rodney W. Grimes
e15e6084f6 From: rich@lamprey.UTMB.EDU (Rich Murphey)
Subject: Re: daily insecurity output (fwd)
|From: rgrimes@agora.rain.com (Rodney Grimes)
|
|This is from the new /etc/security script.  I no longer get the segmentation
|violation, but now the arg list is too long, some /bin/sh program want to
|fix the current /etc/security ls command so that it is a pipe instead of
|a back quoted arg?
|
|> checking setuid files and devices:
|> /etc/security: ls: argument list too long

This uses xargs instead.  My slip line's down so I can't check it in
at the moment. Rich
1994-01-22 10:54:13 +00:00