It relies on output from inetd that is triggered by MK_TCP_WRAPPERS=yes.
We need to check for both knobs being set -- otherwise the script doesn't
have much value.
PR: 217577
Submitted by: Sergey <kpect@protonmail.com> (MK_TCP_WRAPPERS piece)
MFC after: 1 week
Sponsored by: Dell EMC Isilon
This change is needed to make the 520.pfdenied script find the new
blacklistd/* anchor points for reporting blocked traffic.
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
100.chksetuid and 110.neggrpperm try to search through all UFS and ZFS
filesystems. But their logic contains an error. They also search through
remote filesystems that are mounted on top of the root of a local
filesystem. For example, if a user installs a FreeBSD system with the
default ZFS layout, he'll get a zroot/usr/home filesystem. If he then mounts
/usr/home over NFS, these scripts would search through /usr/home.
MFC after: 4 weeks
Sponsored by: Spectra Logic Corp
Differential Revision: https://reviews.freebsd.org/D7482
Zero pf rule counters so that each daily report lists an absolute
number of rejected packets, not the total since the last time the
machine rebooted (or the counters were manually cleared).
PR: 206467
Submitted by: Rick Adams
Approved by: rpaulo (mentor)
Differential Revision: https://reviews.freebsd.org/D5172
diff(1) output between two files in "new_only"-mode. Otherwise,
with the default of using unified format a remnant of the header
in the output is the result. This is especially irritating when
the two files differ but the second one is empty, amounting to the
vestige of the header being the only readout.
Reported by: Stefan Haemmerl
MFC after: 3 days
Before this change, the 520.pfdenied script listed all rules that
matched /^block/ in the rule. Restrict the printed output to only
those rules that result in packets being dropped.
PR: conf/187224
Approved by: rpaulo (mentor)
Differential Revision: https://reviews.freebsd.org/D4068
reduce false positives.
The committed patch was provided by Christian Marg.
PR: 91732
Submitted by: Daniel O'Connor <doconnor at gsoft.com.au>
Skye Poier <spoier at gmail.com>
Alan Amesbury <amesbury at umn.edu>
Christian Marg <marg at rz.tu-clausthal.de>
MFC after: 1 month
There are now six additional variables
weekly_status_security_enable
weekly_status_security_inline
weekly_status_security_output
monthly_status_security_enable
monthly_status_security_inline
monthly_status_security_output
alongside their existing daily counterparts. They all have the same
default values.
All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.
"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows to define the period of
each script. The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".
Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitely disabled with a
"NO", either for in the "_enable" or the "_period" variable.
When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
myfbsd security run output -> myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.
Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section. I left them in
place for this commit to make reviewing easier.
Reviewed by: hackers@
group on a object has less permissions that everyone). These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean.
MFC after: 1 week
fstab: /etc/fstab:0: No such file or directory
and from dump(8) when setfsent(3) fails due to /etc/fstab not existing:
DUMP: Can't open /etc/fstab for dump table information: No such...
This makes daily and security periodic runs somewhat cleaner in jails
which lack /etc/fstab files.
MFC after: 1 month
I noticed on a system at home that restarting named(8) causes the
/var/named/dev mount to be moved to the bottom of the mount list,
because it gets remounted. When I received the daily security email this
morning, I was quite amazed to see that the security report listed the
differences, while it was nothing out of the ordinary.
If we just throw the `mount -p' output through sort(1), we'll only
receive notifications about changes to mounts if something has really
changed.
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd
Reviewed by: various (posted to arch)
MFC after: 1 month
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")
PR: conf/126060 [1]
MFC after: 1 month
find | sort. As a bonus, this simplifies the logic considerably. Also
remove the bogus "overruning the args to ls" comment and the corresponding
"-n 20" argument to xargs; the whole point with xargs is precisely that it
knows how large the argument list can safely get.
Note that the first run of the updated script may hypotheticall produce
false positives due to differences between find's and sort's sorting
algorithm. I haven't seen this during testing, but others might.
MFC after: 2 weeks
bad or illegal. This prevents matching on systems that
have a name that matches the query.
PR: conf/107560
Submitted by: Christian Laursen <cfsl at pil dot dk>
MFC after: 3 days
Approved by: imp (mentor)
rule itself, not in verbose_limit sysctl. [1]
- Do check rules, even if verbose_limit is set 0. Rules may have
their own log limits.
PR: conf/77929
Submitted by: Andriy Gapon [1]
Reviewed by: matteo
packet counts by pf(4).
This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.
The output will look like this (line wrapped):
pf denied packets:
> block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
Bytes: 0 States: 0 ]
> block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
States: 0 ]
Submitted by: clive (thanks a lot!)
MFC after: 2 weeks
