Commit Graph

108 Commits

Author SHA1 Message Date
Thomas Quinot
77ee1b9798 Add newly-added sripts to FILES.
Reviewed by:	roberto
2002-10-25 15:23:26 +00:00
Thomas Quinot
7644e396f3 Add a new /etc/periodic/security script to check for packets
rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf
knob (daily_status_security_ipfdenied_enable).

Reviewed by:	roberto
Approved by:	re@
2002-10-25 15:16:54 +00:00
Thomas Quinot
cb9eff8a9e Factor out code across various /etc/periodic/security scripts into a
separate file, /etc/periodic/security/security.functions.

Reviewed by:	roberto (mentor)
Approved by:	re@
2002-10-25 15:14:16 +00:00
Joerg Wunsch
6e84ba78c1 When considering temporary files for deletion, don't examine the mtime
and atime only, but also the ctime.  Otherwise, files extracted from
tar or zip archives will immediately be declared stale since they've
got their mtime reset to the original mtime.

Reviewed by:	brian
MFC after:	1 week
2002-10-06 18:48:20 +00:00
Brian Somers
df93d794dc Add a pkg_version variable so that it's possible to run portsversion instead
of pkg_version in periodic/weekly/400.status-pkg.
2002-09-25 03:01:42 +00:00
Andrey A. Chernov
15897030c6 Make it work with POSIX sort (POS arg).
All old sorts understand -k too.
2002-09-24 18:53:46 +00:00
Crist J. Clark
10f23b4ad0 Only create a temporary file if we are actually going to do something
in the script. Eliminates a bug where we create a temp file, but don't
delete it since the rm(1) is only done if the check is enabled.

PR:		bin/40960
Submitted by:	frf <frf@xocolatl.com>
MFC after:	3 days
2002-08-25 04:09:17 +00:00
Jens Schweikhardt
f017edb1bf o Test and change to the correct directory, /var/spool/.hoststat
o Bring if/then style in sync with /etc/rc scripts

PR:		conf/41570
Submitted by:	Konstantin M Volevatch <cox@rosnet.ru>
MFC after:	1 week
2002-08-12 11:09:01 +00:00
Gregory Neil Shapiro
b31d4126e3 If all file systems are marked nosuid, the line:
MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`

sets ${MP} to an empty string so the next line:

	set ${MP}

actually just dumps all of the shells variables to stdout (and therefore
the security report).  Fixed by surrounding the code which goes through the
mounts with a test for an empty string before using ${MP}.

Reviewed by:	brian
MFC after:	3 days
2002-08-03 22:33:34 +00:00
Ruslan Ermilov
bff0acee63 Install scripts via FILES (purposedly not via SCRIPTS that would
strip the suffixes).
2002-07-18 12:33:01 +00:00
Ruslan Ermilov
0b87f79976 s/${INSTALL} -c/${INSTALL} ${COPY}/ 2002-07-18 12:07:49 +00:00
Brian Somers
103efc95e8 Mention that we're checking kernel log messages, even if there's
no output.

PR:		39618
MFC after:	1 week
2002-06-28 10:32:18 +00:00
Brian Somers
9e280368ad Temporarily change our umask to 066 so that the potential creation
of wtmp.0 is done as mode 600.

This ensures that tight permissions set in /etc/newsyslog.conf for
wtmp logging aren't ``betrayed''.

Suggested by:	lumpy <lumpy@the.whole.net>
MFC after:	3 days
2002-05-17 14:05:08 +00:00
Brian Somers
740b91b560 Change `dmesg -a'' to `dmesg''.
The change was introduced in src/etc/security 1.53 almost a year ago
in an attempt to see ipfw deny message logs.

However, ipfw deny/reject logs have been displayed since version 1.13
of the same file as a separate ``job'' and have since moved to
src/etc/periodic/security/500.ipfwdenied.

MFC after:	3 days
2002-05-17 13:38:36 +00:00
Brian Somers
db1d04d6d9 Tighten up temporary file permissions and move them to ${TMPDIR:-/tmp}
Problem reported by:	lumpy <lumpy@the.whole.net>
MFC after:		3 days
2002-05-17 11:34:12 +00:00
Brian Somers
afa3985979 Return 3 unless $daily_status_security_enable != YES.
Returning $? masks security output when ``periodic security'' is successful !

MFC after:	3 days
2002-05-17 11:31:45 +00:00
Brian Somers
9472aac628 Fix the output when daily_status_mailq_shorten is set to YES
PR:			23766
Mostly submitted by:	lambert@ssabsd.csw.net
MFC after:		3 days
2002-05-07 13:11:05 +00:00
Crist J. Clark
f5a8f1482c Remove leading whitespace from the setuid file lists.
Due to the way we run ls(1), through xargs(1), the leading whitespace
can change even when the setuid files haven't. To avoid displaying
these lines, we currently run diff(1) with the '-w' option. However,
this is probably not the ideal way to go; there is a very, very small
possibility for diff(1) to miss things is shouldn't. So, with the
leading space cleaned, we can revert to the '-b' option which is
"safer."

PR:		conf/37618
Reviewed by:	brian
MFC after:	3 days
2002-05-05 00:59:37 +00:00
Brian Somers
ee9336d9b7 Handle .bz2 files created by newsyslog
PR:			37529
Partially submitted by:	Peter Hollaubek <fifteen@inext.hu>
MFC after:		1 week
2002-04-30 17:07:32 +00:00
Gregory Neil Shapiro
14a349d554 Update mail queue related periodic scripts to account for sendmail 8.12's
clientmqueue (submit mail queue).

The new mailq display is only active if both the old
daily_status_mailq_enable is set to "YES" and the new
daily_status_include_submit_mailq is set to "YES" so people who disabled
440.status-mailq won't have any surprises.

Likewise, the new queue run is only active if both the old
daily_queuerun_enable is set to "YES" and the new daily_submit_queuerun
is set to "YES" so people who disabled 500.queuerun won't have any
surprises.

While I am here, remove the [ ! -d /var/spool/mqueue ] checks from
both scripts as the queue directory isn't always /var/spool/mqueue for
the main daemon -- it can be set to anything in the sendmail.cf file.

MFC after:	1 week
2002-04-10 03:58:40 +00:00
Robert Watson
2e1fc052bc No need to explicitly check for both cases when using grep -i. 2002-03-12 21:44:33 +00:00
Robert Watson
cd9281b380 Update login failure checking to check auth.log instead of messages,
and teach it to look for more general classes of failures, including
SSH login failures.  This is similar but not identical to a patch
submitted by aeonflux@synapse.subneural.net.
2002-03-11 19:39:08 +00:00
Crist J. Clark
90bbf5454c Environmental variable was not being passed to a subshell as intended.
PR:		bin/35558
Submitted by:	Nicolas Rachinsky <list@rachinsky.de>
2002-03-05 19:13:05 +00:00
Brian Somers
55ade43025 Set rc=1 rather than 0 so that setting daily_show_success=YES masks
the output of all goes well.

PR:		34825
Submitted by:	Valentin Nechayev <netch@netch.kiev.ua>
MFC after:	3 weeks
2002-02-13 19:10:07 +00:00
Crist J. Clark
d15413fe2f Fix a stray character that found its way into a filename. 2001-12-14 22:25:04 +00:00
Ruslan Ermilov
ac47c95eea Work around the bugfeature of test(1).
PR:		bin/32822
2001-12-14 08:58:21 +00:00
Crist J. Clark
2204f3ce42 Long ago, there was just /etc/daily. Then /etc/security was split out
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.

Reviewed by:	ru
Approved by:	ru
2001-12-07 23:57:39 +00:00
Mike Silbersack
b5c013b6b9 Make sure the security check output includes a To: line in the
same way the daily run output does.
2001-11-28 04:07:03 +00:00
Brian Somers
6eb9bd2d1f Handle wtmp.0 being compressed
PR:		32113
Submitted by:	Yar Tikhiy <yar@comp.chem.msu.su>
MFC after:	1 week
2001-11-20 15:01:24 +00:00
Crist J. Clark
6d852b5bdb After further discussion on -CURRENT, some people (jhb) do not like
the idea of not masking passwords on comments in case the
administrator comments out an entry without clearing the
password. Instead completely ignore comments (since they have no
security impact) when doing the diff of the old and new passwd file.

Suggested by:	rwatson
2001-11-14 09:30:01 +00:00
Crist J. Clark
c2f9738fda No need to hide stuff in the $FreeBSD$ tag or in other comments like,
Backup passwd and group files:
  1c1
  < # $FreeBSD:(password):09:07 peter Exp $
  ---
  > # $FreeBSD:(password):27:16 ache Exp $

MFC after:	1 week
2001-11-11 07:15:19 +00:00
Kris Kennaway
7080a34335 UUCP removal Phase III. 2001-10-01 06:27:44 +00:00
Kris Kennaway
77fb35234d Run the uustat command as the uucp user, not as root. 2001-09-09 05:53:01 +00:00
Brian Somers
c5f947aa7f Remove $daily_status_named_logs and figure out which /var/log/messages*
files to look an (in the same way that /etc/security does).

Don't single-quote $start, reducing it to an empty string.

MFC after:	3 days
2001-07-26 02:37:12 +00:00
Brian Somers
cce7f73d72 Don't try to remove directories unless we've emptied them first
Submitted by:	NIIMI Satoshi <sa2c@and.or.jp>
PR:		28355
MFC after:	1 week
2001-07-19 12:08:24 +00:00
Anton Berezin
33ea028f0f Recognize and support new output which pkg_version(1) might produce.
PR:             27707
Approved by:    bmah, markm
2001-06-11 21:31:50 +00:00
Doug Barton
ebb4c1b9a4 Small adjustment to whitespace in output 2001-06-01 16:40:57 +00:00
Ruslan Ermilov
0b381bf1fd Remove vestiges of MFS. 2001-06-01 10:07:28 +00:00
Doug Barton
311176d1c5 Truly limit the path to local filesystems. 2001-05-31 09:53:53 +00:00
Brian Somers
f8fb1acb36 Default daily_accounting_flags to -q. I thought this was a typo in the
originally submitted patch (oops!).

Also check for an empty $daily_accounting_save.

Submitted by:	Udo Schweigert <Udo.Schweigert@cert.siemens.de>
2001-05-30 20:23:43 +00:00
Brian Somers
c4d5bb5129 Add $daily_accounting_save and $daily_accounting_flags
Submitted by:	Udo Schweigert <Udo.Schweigert@cert.siemens.de>
MFC after:	2 weeks
2001-05-30 16:46:53 +00:00
Dirk Froemberg
2828b33147 Add 470.status-named.
Reminded by:	gshapiro
2001-05-11 09:32:48 +00:00
Josef Karthauser
dc9c693750 Remind the user that they need to check CPAN manually for updates
to perl5 modules installed by hand.
2001-04-28 16:15:50 +00:00
Ruslan Ermilov
2c1f07ae14 Fixed typo.
PR:		bin/26836
Submitted by:	Matthew Seaman <matthew.seaman@tornadogroup.com>
2001-04-25 12:11:54 +00:00
Dirk Froemberg
56f25ab092 Check for denied zone transfers (AXFR and IXFR). 2001-04-21 22:36:30 +00:00
Brian Somers
a1f792ba64 Identify obsolete ports 2001-03-25 11:35:22 +00:00
Ruslan Ermilov
afcf05e46a setlocale(3) has been fixed to match POSIX standard:
LC_ALL takes precedence over other LC_* envariables.
2001-03-02 16:52:14 +00:00
Andrey A. Chernov
fa94f1388d Add 500.queuerun 2001-02-19 07:12:37 +00:00
Peter Wemm
6edba32695 Move the sendmail -q from cron to periodic, as suggested by a few people.
This has the benefit of adding a random start time element as daily
processing takes a different amount of time on different machines.
2001-02-19 02:47:42 +00:00
Brian Somers
afcf65b56b Allow the output of /etc/security to be logged or mailed to different
users in line with ${daily,weekly,monthly}_output using a new
$daily_status_security_output variable.

PR:	24643
2001-01-30 10:24:18 +00:00