- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")
PR: conf/126060 [1]
MFC after: 1 month
find | sort. As a bonus, this simplifies the logic considerably. Also
remove the bogus "overruning the args to ls" comment and the corresponding
"-n 20" argument to xargs; the whole point with xargs is precisely that it
knows how large the argument list can safely get.
Note that the first run of the updated script may hypotheticall produce
false positives due to differences between find's and sort's sorting
algorithm. I haven't seen this during testing, but others might.
MFC after: 2 weeks
the rejected mail reports to tally the rejects per blacklist without
providing details about individual sender hosts. The default configuration
keeps the reports in their original form.
MFC after: 1 week
bad or illegal. This prevents matching on systems that
have a name that matches the query.
PR: conf/107560
Submitted by: Christian Laursen <cfsl at pil dot dk>
MFC after: 3 days
Approved by: imp (mentor)
Simplify the shell scripting a bit, and remove a useless grep | sed
The problem was pointed out by the PR, and I used part of the solution
suggested there, but the semantics changed again for 9.2.x -> 9.3.x.
PR: conf/74228
Submitted by: Jeremy Chadwick <freebsd@jdc.parodius.com>
rule itself, not in verbose_limit sysctl. [1]
- Do check rules, even if verbose_limit is set 0. Rules may have
their own log limits.
PR: conf/77929
Submitted by: Andriy Gapon [1]
Reviewed by: matteo
reject. For example:
Checking for rejected mail hosts:
48 getherbalnow.info (451... resolve)
46 absorb.com (451... resolve)
4 tgmart01.codns.com (553... exist)
3 kali.com.cn (451... resolve)
2 genie.com (451... resolve)
1 zv.qy (553... exist)
1 zd.hinet.hr (553... exist)
....
The bit in parenthesis is the reject code and the last word on the line -
enough to give the admin a better chance of seeing real problems (hopefully!).
While I'm here, remove the "<" at the start of rejects coming from "from"
addresses without a name@ part.
I had to rewrite the patch given by the submitter as this script has been
sed'ified (used to be perl) and I think the reject code is useful....
PR: 17377
Idea from: root at ns dot internet dot dk
MFC after: 7 days
packet counts by pf(4).
This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.
The output will look like this (line wrapped):
pf denied packets:
> block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
Bytes: 0 States: 0 ]
> block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
States: 0 ]
Submitted by: clive (thanks a lot!)
MFC after: 2 weeks
and atime only, but also the ctime. Otherwise, files extracted from
tar or zip archives will immediately be declared stale since they've
got their mtime reset to the original mtime.
Reviewed by: brian
MFC after: 1 week
in the script. Eliminates a bug where we create a temp file, but don't
delete it since the rm(1) is only done if the check is enabled.
PR: bin/40960
Submitted by: frf <frf@xocolatl.com>
MFC after: 3 days
MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
sets ${MP} to an empty string so the next line:
set ${MP}
actually just dumps all of the shells variables to stdout (and therefore
the security report). Fixed by surrounding the code which goes through the
mounts with a test for an empty string before using ${MP}.
Reviewed by: brian
MFC after: 3 days
of wtmp.0 is done as mode 600.
This ensures that tight permissions set in /etc/newsyslog.conf for
wtmp logging aren't ``betrayed''.
Suggested by: lumpy <lumpy@the.whole.net>
MFC after: 3 days
The change was introduced in src/etc/security 1.53 almost a year ago
in an attempt to see ipfw deny message logs.
However, ipfw deny/reject logs have been displayed since version 1.13
of the same file as a separate ``job'' and have since moved to
src/etc/periodic/security/500.ipfwdenied.
MFC after: 3 days
Due to the way we run ls(1), through xargs(1), the leading whitespace
can change even when the setuid files haven't. To avoid displaying
these lines, we currently run diff(1) with the '-w' option. However,
this is probably not the ideal way to go; there is a very, very small
possibility for diff(1) to miss things is shouldn't. So, with the
leading space cleaned, we can revert to the '-b' option which is
"safer."
PR: conf/37618
Reviewed by: brian
MFC after: 3 days
clientmqueue (submit mail queue).
The new mailq display is only active if both the old
daily_status_mailq_enable is set to "YES" and the new
daily_status_include_submit_mailq is set to "YES" so people who disabled
440.status-mailq won't have any surprises.
Likewise, the new queue run is only active if both the old
daily_queuerun_enable is set to "YES" and the new daily_submit_queuerun
is set to "YES" so people who disabled 500.queuerun won't have any
surprises.
While I am here, remove the [ ! -d /var/spool/mqueue ] checks from
both scripts as the queue directory isn't always /var/spool/mqueue for
the main daemon -- it can be set to anything in the sendmail.cf file.
MFC after: 1 week
and teach it to look for more general classes of failures, including
SSH login failures. This is similar but not identical to a patch
submitted by aeonflux@synapse.subneural.net.
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.
Reviewed by: ru
Approved by: ru
the idea of not masking passwords on comments in case the
administrator comments out an entry without clearing the
password. Instead completely ignore comments (since they have no
security impact) when doing the diff of the old and new passwd file.
Suggested by: rwatson
