Commit Graph

253 Commits

Author SHA1 Message Date
emaste
f96852d023 filter all passwords (not only changed) from periodic passwd backup
The periodic 200.backup-passwd script outputs any differences it finds
in master.passwd, relative to the previous backup.  It intends to elide
the encrypted password field, but previously did so only for changed
lines (i.e., those beginning with - or + in the diff).

Apply the sed expression also to unchanged lines to also elide their
passwords.

PR:		223461
Reported by:	Andre Albsmeier
MFC after:	2 weeks
Sponsored by:	The FreeBSD Foundation
2017-11-21 20:31:54 +00:00
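The elision described in the commit, as an added example written for this page (my own code, not the 200.backup-passwd script itself). The "(password)" placeholder and the sample master.passwd entries are constructed; the sed substitution is applied to removed, added and unchanged context lines alike, and the two file-header lines are skipped because their timestamps contain colons.

```sh
#!/bin/sh
# Added example (my own code, not FreeBSD's 200.backup-passwd): diff two
# master.passwd files in unified format and blank the hash field on every
# diff line, whether removed (-), added (+) or unchanged context (space).
# The "(password)" placeholder and the sample entries are constructed.

elide_passwd_diff() {
    # $1 = previous backup, $2 = current master.passwd
    # The first two sed commands skip the ---/+++ file headers, whose
    # timestamps contain colons and would otherwise be mangled.
    diff -u "$1" "$2" | sed \
        -e '/^--- /b' \
        -e '/^+++ /b' \
        -e 's/^\([-+ ][^:]*\):[^:]*:/\1:(password):/'
}

# Self-contained demonstration on constructed data: alice's hash changed,
# root and bob are unchanged context lines and must still be elided.
demo_passwd_diff() {
    tmp=$(mktemp -d) || return 1
    cat >"$tmp/master.passwd.bak" <<'EOF'
root:$6$rootsalt$roothash:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$alicesalt$alicehash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$bobsalt$bobhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    cat >"$tmp/master.passwd" <<'EOF'
root:$6$rootsalt$roothash:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$alicesalt$newalicehash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$bobsalt$bobhash:1002:1002::0:0:Bob:/home/bob:/bin/sh
EOF
    elide_passwd_diff "$tmp/master.passwd.bak" "$tmp/master.passwd"
    rm -rf "$tmp"
}

demo_passwd_diff
```

A quick way to verify a real report is to grep its output for the hash prefixes your system uses ($6$, $2b$ and so on); nothing should match on any diff line, not only on the changed ones.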
cy
ff53993433 Anticongestion refinements for ntpd rc script. This reverts r324681
and checks if ntp leapfile needs fetching before entering into the
anticongestion sleep.

Unfortunately some ports still use their own sleeps, so this commit
doesn't address the complete problem, which is compounded by every
port that uses its own anticongestion mechanism.

Discussed with:		asomers
2017-10-19 03:17:50 +00:00
cy
f90d196ea4 Style. Replace 8 spaces with a tab.
MFC after:	2 weeks (with prior commit to this file)
2017-10-17 01:15:55 +00:00
cy
b8e4f0a414 Provide an option to run the anticongestion ntpd leapfile fetch in
the background.

Original patch submitted by feld@. I added the "optional" bit.

Submitted by:	feld (original patch)
MFC after:	2 weeks
2017-10-17 01:15:13 +00:00
gordon
daef3d23e9 Deorbit catman. The tradeoff of disk for performance has long since tipped
in favor of just rendering the manpage instead of relying on pre-formatted
catpages. Note, this does not impede the ability to use existing catpages,
it just removes the utility to generate them.

Reviewed by:	imp, allanjude
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D12317
2017-09-13 16:35:16 +00:00
asomers
b31ace7ce9 Fix 100.chksetuid and 110.neggrpperm for mountpoints with spaces
Also, fix them for mountpoints with tabs.

PR:		48325
Reported by:	pguyot@kallisys.net, aaron@baugher.biz
MFC after:	3 weeks
2017-08-25 00:28:56 +00:00
marius
c09174d995 Bring back the much more readable unified format for differences in
/etc/{group,master.passwd}. This was originally turned on for all of
/etc/{aliases,group,master.passwd} in r55196, but then backed out
only for the latter two in r56697, as the adaption of the sed(1)ing
done in r56308 was incorrect. This left us with inconsistent diff(1)
formats in the daily output of periodic(8) ever since, despite in
r56697 having been promised to be revisited. So properly adapt the
password hash filtering to the unified format and turn the latter on
again for /etc/{group,master.passwd}, too.
2017-08-20 20:38:15 +00:00
jhb
5bec095fcb Unconditionally install rwhod support scripts.
r322277 moved rwho* and ruptime out of the MK_RCMDS conditional including
updating the obsolete files entries to not remove these scripts due to
WITHOUT_RCMDS=yes.  However, the initial installation was still conditional
on MK_RCMDS, so new installs did not include these scripts and upgrades via
mergemaster or etcupdate removed them.

PR:		220953
MFC after:	1 month
2017-08-15 22:16:15 +00:00
mr
e565cfb40d Improve time-since-last-scrub calculation.
This can be needed to compensate anticongestion delays in 410.pkg-audit or 480.leapfile-ntpd.

PR:		217622
Submitted by:	wbe@psr.com
MFC after:	2 weeks
2017-05-20 16:47:00 +00:00
asomers
7d63aee8c1 Reorder Makefile entries from r316945
PR:		176049
Reported by:	Oliver Pinter
MFC after:	3 weeks
X-MFC-With:	316945
2017-04-15 00:39:45 +00:00
asomers
ff99005585 Add 410.status-mfi, a periodic script for mfi(4) arrays
PR:		176049
Submitted by:	doconnor@gsoft.com.au
Reviewed by:	scottl, Larry Rosenman <ler@lerctr.org>
MFC after:	3 weeks
Relnotes:	yes
2017-04-14 22:59:14 +00:00
asomers
c6472fc568 Quiet 450.status-security when *_inline="YES"
Previously, 450.status-security would always set rc=3 in inline mode,
because it doesn't know whether "periodic security" is going to find
anything interesting. But this annoyingly results in daily reports that
simply say "Security check: \n\n-- End of daily output --".

This change fixes that by testing whether "periodic security" printed
anything, and setting 450.status-security's exit status to 3 if it did. An
alternative would be to change the exit status of periodic(8) to be the
worst of its scripts' exit statuses, but that would be a more intrusive
change.

Reviewed by:	brian
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D10267
2017-04-06 01:37:03 +00:00
asomers
36721468a4 Consolidate random sleeps in periodic scripts
Multiple periodic scripts sleep for a random amount of time in order to
mitigate the thundering herd problem. This is bad, because the sum of
multiple uniformly distributed random variables approaches a normal
distribution, so the problem isn't mitigated as effectively as it would be
with a single sleep.

This change creates a single configurable anticongestion sleep. periodic
will only sleep if at least one script requires it, and it will never sleep
more than once per invocation. It also won't sleep if periodic was run
interactively, fixing an unrelated longstanding bug.

PR:		217055
PR:		210188
Reviewed by:	cy
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D10211
2017-04-01 04:42:35 +00:00
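The single once-per-run sleep the commit describes, as an added example written for this page and not periodic(8)'s own implementation. The flag-file protocol, the variable names PERIODIC_ANTICONGESTION_FILE, PERIODIC_IS_INTERACTIVE and anticongestion_sleeptime, and the awk-based random delay are assumptions made here. The last function illustrates the statistical point in the message: the total of several uniform random sleeps bunches up around its mean, so start times spread out less than with one sleep.

```sh
#!/bin/sh
# Added example, not periodic(8)'s own implementation: a single, optional
# anticongestion delay that fires at most once per periodic run and never
# when the run is interactive. The flag-file protocol, the variable names
# PERIODIC_ANTICONGESTION_FILE / PERIODIC_IS_INTERACTIVE /
# anticongestion_sleeptime and the awk-based random number are assumptions.

# Random integer in [0, $1]. awk's srand() seeds from the clock, which is
# fine for spreading load but is not a cryptographic source.
random_delay() {
    awk -v max="$1" 'BEGIN { srand(); print int(rand() * (max + 1)) }'
}

# periodic(8) would call this once before running any script: arm the one-shot.
anticongestion_arm() {
    PERIODIC_ANTICONGESTION_FILE=$(mktemp) || return 1
    export PERIODIC_ANTICONGESTION_FILE
}

# Each script that contacts a shared remote service calls this. It sleeps
# only for the first caller in a run (the flag file is consumed), never in
# an interactive run, and returns 0 if it slept, 1 if it did not.
anticongestion() {
    max=${anticongestion_sleeptime:-3600}
    [ -z "$PERIODIC_IS_INTERACTIVE" ] || return 1
    [ -n "$PERIODIC_ANTICONGESTION_FILE" ] || return 1
    [ -f "$PERIODIC_ANTICONGESTION_FILE" ] || return 1
    rm -f "$PERIODIC_ANTICONGESTION_FILE"
    sleep "$(random_delay "$max")"
    return 0
}

# Why one sleep beats several: for k independent uniform sleeps, the
# fraction of runs whose total delay lands in the middle third of the
# possible range. One sleep gives about 1/3; three sleeps give about 2/3,
# i.e. start times cluster around the mean instead of spreading out.
middle_third_fraction() {
    awk -v k="$1" -v n="${2:-20000}" 'BEGIN {
        srand(1)
        for (i = 0; i < n; i++) {
            s = 0
            for (j = 0; j < k; j++) s += rand()
            if (s > k / 3 && s < 2 * k / 3) hit++
        }
        printf "%.3f\n", hit / n
    }'
}

# Demonstration: two "scripts" in one run, with the delay set to zero.
anticongestion_sleeptime=0
anticongestion_arm
anticongestion && echo "first script: slept"
anticongestion || echo "second script: did not sleep again"
echo "middle-third fraction, 1 sleep:  $(middle_third_fraction 1)"
echo "middle-third fraction, 3 sleeps: $(middle_third_fraction 3)"
```

Because the flag file is consumed by the first caller, scripts that run later in the same invocation pay nothing, and periodic's total runtime is bounded by one sleep rather than the sum of several.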
ngie
ad8f855bc7 Only install 900.tcpwrap if MK_INETD != "no" and MK_TCP_WRAPPERS != "no"
It relies on output from inetd that is triggered by MK_TCP_WRAPPERS=yes.

We need to check for both knobs being set -- otherwise the script doesn't
have much value.

PR:		217577
Submitted by:	Sergey <kpect@protonmail.com> (MK_TCP_WRAPPERS piece)
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2017-03-08 06:12:16 +00:00
asomers
ae78cc536e Allow 999.local to run scripts in any language
If one of the scripts listed in (daily|weekly|monthly)_local is executable,
999.local should simply execute it. Only if the script isn't executable
should 999.local assume it needs /bin/sh.

Reviewed by:	brian
MFC after:	3 weeks
Sponsored by:	Spectra Logic Corp
2017-02-01 23:22:54 +00:00
lidl
ea77d8ff2c Make 520.pfdenied find blacklistd/* filter names dynamically
This change is needed to make the 520.pfdenied script find the new
blacklistd/* anchor points for reporting blocked traffic.

Reviewed by:	kp
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
2016-10-04 23:12:35 +00:00
asomers
d1f46e5712 Fix periodic scripts when an NFS mount covers a local mount
100.chksetuid and 110.neggrpperm try to search through all UFS and ZFS
filesystems. But their logic contains an error. They also search through
remote filesystems that are mounted on top of the root of a local
filesystem. For example, if a user installs a FreeBSD system with the
default ZFS layout, he'll get a zroot/usr/home filesystem. If he then mounts
/usr/home over NFS, these scripts would search through /usr/home.

MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D7482
2016-09-20 18:47:33 +00:00
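The root-selection logic behind this commit and the earlier one about mountpoints with spaces and tabs, as an added example written for this page (my own code, not 100.chksetuid or 110.neggrpperm). It keeps only local filesystems, drops nosuid mounts, drops a local mountpoint that a later non-local mount covers, and hands the surviving paths to find(1) one per line so that spaces and tabs survive. The mount(8) line format "DEVICE on MOUNTPOINT (opt, opt, ...)" is assumed and the sample listing is constructed; -xdev is used because both BSD and GNU find accept it.

```sh
#!/bin/sh
# Added example (my own code, not FreeBSD's 100.chksetuid or 110.neggrpperm):
# choose which mounted filesystems a setuid scan should walk. Only "local"
# filesystems count, nosuid mounts are skipped, and a local mountpoint that a
# later non-local mount (such as NFS) sits on top of is skipped too, since
# find(1) would otherwise walk the remote filesystem. Mountpoints may contain
# spaces or tabs, so they are passed around one per line and always quoted.
# The mount(8) line format "DEVICE on MOUNTPOINT (opt, opt, ...)" is assumed,
# and the sample listing is constructed.

setuid_scan_roots() {
    awk '
        {
            # The option list is the parenthesised group at the end of the line.
            if (!match($0, / \([^()]*\)$/)) next
            opts = substr($0, RSTART + 2, RLENGTH - 3)
            rest = substr($0, 1, RSTART - 1)
            i = index(rest, " on ")
            if (i == 0) next
            mp = substr(rest, i + 4)
            # A later mount on the same path hides the earlier one, so the
            # last line seen for each mountpoint decides.
            order[mp] = NR
            islocal[mp] = (opts ~ /(^|, )local(,|$)/)
            nosuid[mp]  = (opts ~ /(^|, )nosuid(,|$)/)
        }
        END {
            for (mp in islocal)
                if (islocal[mp] && !nosuid[mp]) print order[mp] "\t" mp
        }' | sort -n | cut -f 2-
}

# Walk each root without crossing into other filesystems; quoting keeps
# spaces and tabs in the path intact. (A path containing a newline is the
# one case this line-based interface cannot carry.)
scan_setuid() {
    while IFS= read -r mp; do
        [ -d "$mp" ] || continue
        find "$mp" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
    done
}

# Constructed mount(8) output: zroot/usr/home is covered by an NFS mount,
# /tmp is nosuid, and one mountpoint contains a space.
sample_mounts() {
    cat <<'EOF'
zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
devfs on /dev (devfs)
zroot/usr/home on /usr/home (zfs, local, noatime, nfsv4acls)
nfsserver:/export/home on /usr/home (nfs)
/dev/ada0p2 on /mnt/with space (ufs, local, journaled soft-updates)
tmpfs on /tmp (tmpfs, local, nosuid)
EOF
}

# Prints "/" and "/mnt/with space"; on a real host you would pipe
# `mount | setuid_scan_roots | scan_setuid` instead.
sample_mounts | setuid_scan_roots
```

The word-boundary matching on the option list matters: a bare substring test for "local" would also accept options that merely contain it, and a plain `$3` field split would truncate any mountpoint with whitespace in it.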
asomers
2805aa3105 Decrease the anti-congestion sleep in 480.leapfile-ntpd to 1 hour
24 hours is too long. Periodic scripts are executed serially, so when
combined with the sleep in 410.pkg-audit periodic could actually take more
than 24 hours and block the next invocation.

Reviewed by:	cy
MFC after:	4 weeks
Sponsored by:	Spectra Logic Corp
Differential Revision:	https://reviews.freebsd.org/D7481
2016-08-15 14:58:25 +00:00
lidl
6f31a383cc Add basic blacklist build support
Reviewed by:	rpaulo
Approved by:	rpaulo
Relnotes:	YES
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D5913
2016-06-02 19:06:04 +00:00
cy
a47611b5e6 Don't rely on $ntpd_enable to periodically fetch the latest
leapfile.

Suggested by:	cperciva
MFC after:	1 week
2016-06-01 04:37:43 +00:00
gjb
e4997c6184 MFH
Sponsored by:	The FreeBSD Foundation
2016-02-10 04:20:39 +00:00
lidl
654d94fdaa Zero pf rule counters so daily reports make sense
Zero pf rule counters so that each daily report lists an absolute
number of rejected packets, not the total since the last time the
machine rebooted (or the counters were manually cleared).

PR:		206467
Submitted by:	Rick Adams
Approved by:	rpaulo (mentor)
Differential Revision:	https://reviews.freebsd.org/D5172
2016-02-09 21:00:38 +00:00
gjb
a44dc347a7 MFH
Sponsored by:	The FreeBSD Foundation
2016-02-08 12:16:01 +00:00
mav
d6ed13470a Update script for modern zpool status output.
2016-02-05 18:17:37 +00:00
mav
c212e48d5b Add error check to not leak logs with syntax errors in case of failed
`zpool history`.

MFC after:	1 month
2016-02-05 17:28:11 +00:00
gjb
b2c44719b4 Fix periodic(8) and rc(8) script inclusion to rcmds package.
Sponsored by:	The FreeBSD Foundation
2016-01-30 01:52:18 +00:00
gjb
f0d70cb387 MFH
Sponsored by:	The FreeBSD Foundation
2016-01-29 14:52:54 +00:00
marius
46cf14d7bf Use '^[>+][^+]' instead of '^[>+]' with grep(1) when filtering the
diff(1) output between two files in "new_only"-mode. Otherwise,
with the default of using unified format a remnant of the header
in the output is the result. This is especially irritating when
the two files differ but the second one is empty, amounting to the
vestige of the header being the only readout.
Reported by: Stefan Haemmerl

MFC after:	3 days
2016-01-29 01:54:32 +00:00
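The "new_only" filter before and after the change, as an added example written for this page (my own code, not FreeBSD's security.functions). The broken pattern lets the "+++" file header through, and after one "+" is stripped it appears as a stray "++ file" line; this is most visible when today's file is empty and that remnant is the whole report. The sample log lines are constructed.

```sh
#!/bin/sh
# Added example (my own code, not FreeBSD's security.functions): report only
# the lines present in today's file and absent from yesterday's, taken from
# a unified diff. The broken form keeps the "+++" header; the fixed pattern
# requires a non-"+" second character. Sample log lines are constructed.

new_only_broken() {
    diff -u "$1" "$2" | grep '^[>+]' | sed 's/^[>+]//'
}

new_only_fixed() {
    diff -u "$1" "$2" | grep '^[>+][^+]' | sed 's/^[>+]//'
}

# Demonstration: yesterday had one failed login, today has none.
demo_new_only() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'Jan 28 03:01:02 host sshd[811]: Failed password for root from 192.0.2.10 port 4022 ssh2' \
        >"$tmp/yesterday"
    : >"$tmp/today"
    echo "broken:"; new_only_broken "$tmp/yesterday" "$tmp/today"
    echo "fixed:";  new_only_fixed  "$tmp/yesterday" "$tmp/today"
    rm -rf "$tmp"
}
demo_new_only
```

One side effect of requiring a second character is that an added line that is completely empty (a diff line consisting of a bare "+") is also dropped; for log-style reports that is harmless, but it is worth knowing if the filter is reused on other files.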
gjb
319532475b Fix accounting package rc.d/accounting conflict.
Add periodic(8) accounting scripts to acct package.

Sponsored by:	The FreeBSD Foundation
2016-01-28 18:44:31 +00:00
cy
39f2b6289d Add support for automatic leap-second file updates.
The working copy of leapfile resides in /var/dbntpd.leap-seconds.list.
/etc/ntp/leap-seconds (periodically updated from ftp://time.nist.gov/pub/
or ftp://tycho.usno.navy.mil/pub/ntp/) contains the master copy should
automatic leapfile updates be disabled (default).

Automatic leapfile updates are fetched from $ntp_leapfile_sources,
defaulting to https://www.ietf.org/timezones/data/leap-seconds.list,
within $ntp_leapfile_expiry_days (default 30 days) from leap-seconds
file expiry. Automatic updates can be enabled by setting
$daily_ntpd_leapfile_enable="YES" in periodic.conf. To avoid congesting
the ntp leapfile source the automatic update is randomized by default but
can be disabled through daily_ntpd_avoid_congestion="NO" in
periodic.conf.

Suggested by:	des
Reviewed by:	des, roberto, dwmalone, ian, cperciva, glebius, gjb
MFC after:	1 week
X-MFC with:	r289421, r293037
2016-01-26 07:06:44 +00:00
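The expiry check that drives the fetch decision, as an added example written for this page (my own code, not the 480.leapfile-ntpd script). The leap-seconds.list format really does carry its expiry on a "#@" line as seconds since 1900-01-01, the NTP epoch; the sample file, the function names and the 30-day default are choices made for this example.

```sh
#!/bin/sh
# Added example (my own code, not FreeBSD's 480.leapfile-ntpd): decide whether
# a leap-seconds.list file is close enough to expiry to be refetched. The
# file's "#@" line carries the expiry as seconds since 1900-01-01 (the NTP
# epoch); that part of the format is real, while the sample file, the
# function names and the 30-day default are choices made for this example.

NTP_UNIX_OFFSET=2208988800   # seconds from 1900-01-01 to 1970-01-01

# Print the expiry of leap file $1 as a Unix timestamp; fail if it has none.
leapfile_expiry() {
    ntp=$(sed -n 's/^#@[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$ntp" ] || return 1
    echo $((ntp - NTP_UNIX_OFFSET))
}

# Return 0 when $1 should be fetched: it is missing, has no expiry line, or
# expires within $3 days (default 30) of the Unix time $2 (default: now).
# Return 1 when it is still fresh.
leapfile_needs_fetch() {
    file=$1
    now=${2:-$(date +%s)}
    days=${3:-30}
    [ -f "$file" ] || return 0
    exp=$(leapfile_expiry "$file") || return 0
    [ $((exp - now)) -le $((days * 86400)) ]
}

# Constructed sample in the real layout: an update stamp, the expiry stamp,
# and leap entries of the form "<NTP seconds> <TAI-UTC>".
demo_leapfile() {
    tmp=$(mktemp -d) || return 1
    cat >"$tmp/leap-seconds.list" <<'EOF'
#	Constructed sample, not a real leap-seconds.list
#$	3912710400
#@	3928521600
2272060800	10	# 1 Jan 1972
2287785600	11	# 1 Jul 1972
3692217600	37	# 1 Jan 2017
EOF
    printf 'expires at Unix time %s\n' "$(leapfile_expiry "$tmp/leap-seconds.list")"
    if leapfile_needs_fetch "$tmp/leap-seconds.list"; then
        echo "fetch needed"
    else
        echo "still fresh"
    fi
    rm -rf "$tmp"
}
demo_leapfile
```

Treating a missing or unparsable file as "needs fetching" is the safe direction: a leap file that cannot be read is useless to ntpd, so the script should try to replace it rather than silently keep it.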
lidl
337b6fc6c1 Skip unavailable pools when running zfs pool scrubs
Approved by:	rpaulo (mentor)
Differential Revision:	https://reviews.freebsd.org/D4588
2015-12-16 04:32:33 +00:00
des
ad846c8f47 Allow admins to specify a regex which is applied (in the negative) to the
output from df, similar to what security/200.chkmounts does.  This can be
useful to avoid listing automounted ZFS snapshots, for instance.

MFC after:	1 week
2015-11-13 06:20:27 +00:00
lidl
47674eb3ca Restrict 520.pfdenied to only list rules that blocked traffic.
Before this change, the 520.pfdenied script listed all rules that
matched /^block/ in the rule. Restrict the printed output to only
those rules that result in packets being dropped.

PR:		conf/187224
Approved by:	rpaulo (mentor)
Differential Revision:	https://reviews.freebsd.org/D4068
2015-11-05 17:37:14 +00:00
ngie
329f3219e7 Rename etc/periodic/daily/430.status-rwho to periodic/daily/430.status-uptime
The command was checking local/remote system uptime, so rename the script to
match its function and to avoid confusion

The controlling variable in /etc/periodic.conf has been renamed from
daily_status_rwho_enable to daily_status_uptime_enable.

MFC after: 3 days
Reported by: Peter Jeremy <peter@rulingia.com>
Relnotes: yes
Sponsored by: EMC / Isilon Storage Division
2015-11-02 01:05:34 +00:00
bdrewery
153205e33f Add more SUBDIR_PARALLEL.
MFC after:	3 weeks
Sponsored by:	EMC / Isilon Storage Division
2015-10-15 22:55:08 +00:00
des
3bf524186e Add -n to the ntpq command line so it will show IP addresses instead of
host names, which rarely fit in the available space.

MFC after:	1 week
2015-10-08 08:55:08 +00:00
jhb
86fa361d59 Allow additional flags to be passed to netstat -i in the daily status check.
In particular, this allows an administrator to specify "-h" for human
readable output if that is preferred.

The default setting passes "-d", so that can be excluded by using a custom
setting.

Differential Revision:	https://reviews.freebsd.org/D2034
Submitted by:	Lystopad Aleksandr <laa@laa.zp.ua>
		(patch to add option for -h)
Reviewed by:	bz
MFC after:	1 week
2015-03-27 00:37:41 +00:00
gjb
6449dfa4f9 Evaluate running userland/kernel version in daily
periodic(8) run, taken from uname(1) '-U' and '-K'
flags.

Reviewed by:		allanjude, dvl
Differential Revision:	https://reviews.freebsd.org/D1541
MFC after:		1 week
Sponsored by:		The FreeBSD Foundation
2015-01-15 19:52:19 +00:00
bapt
bfc0f852ba Avoid installing security.functions with executable bits, periodic(8) will
try to execute all files with an executable bit in /etc/periodic/*/ while
this file is supposed only to be sourced by others

MFC after:	1 week
2014-11-05 06:42:07 +00:00
bdrewery
ec56ad408f Don't cross mount boundaries when cleaning tmp files.
Mounting something in /tmp such as a build jail with nullfs mounts for
some directories can result in very surprising results the next day.

MFC after:	2 weeks
Relnotes:	yes
2014-09-09 17:03:58 +00:00
imp
2118f42afd Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
brueffer
8e2617b93f Further refine the auth fail regex to catch more auth failures and
reduce false positives.

The committed patch was provided by Christian Marg.

PR:		91732
Submitted by:	Daniel O'Connor <doconnor at gsoft.com.au>
		Skye Poier <spoier at gmail.com>
		Alan Amesbury <amesbury at umn.edu>
		Christian Marg <marg at rz.tu-clausthal.de>
MFC after:	1 month
2014-02-20 23:43:49 +00:00
glebius
e62e567acf Remove remnants of BIND from /etc, since there is no BIND in base now.
Sorry, that would break users running head and BIND from ports, since
ports rely on these scripts. The ports will be fixed soon.

Reviewed by:	erwin
2013-11-05 09:30:06 +00:00
bapt
4d11df94bd After around 20 years of duty it is time for pkg_install to retire
2013-10-31 13:00:35 +00:00
des
122944f492 Odds and ends left over from BIND and unnoticed because they didn't
affect 'make universe'.

Approved by:	re (gjb)
2013-10-01 07:19:23 +00:00
jkim
d0a699d53c Fix a typo introduced in r254975.
2013-08-27 22:37:29 +00:00
jlh
976074d43e Install 450.status-security.
2013-08-27 21:28:12 +00:00
jlh
2194a6603d Make the period of each periodic security script configurable.
There are now six additional variables
  weekly_status_security_enable
  weekly_status_security_inline
  weekly_status_security_output
  monthly_status_security_enable
  monthly_status_security_inline
  monthly_status_security_output
alongside their existing daily counterparts.  They all have the same
default values.

All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.

"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows defining the period of
each script.  The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".

Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitly disabled with a
"NO", either in the "_enable" or the "_period" variable.

When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
  myfbsd security run output ->  myfbsd security daily run output
I don't think this is considered a stable API, but feel free to
correct me if I'm wrong.

Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section.  I left them in
place for this commit to make reviewing easier.

Reviewed by:	hackers@
2013-08-27 21:20:28 +00:00
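The decision logic the message lays out, as an added example written for this page (my own code, not FreeBSD's periodic.conf or its helper functions): given a script name and the period it is being invoked for, consult security_status_${name}_enable and _period, fall back to the legacy daily_status_security_${name}_enable, and treat a direct crontab invocation (empty period) as "run unless explicitly NO". The function name, the YES default for the _enable knob and the exact shape of the legacy fallback are assumptions; the script name is validated before it is spliced into an eval so that a hostile name in a configuration file cannot inject shell syntax.

```sh
#!/bin/sh
# Added example (my own code, not FreeBSD's periodic.conf or its helper
# functions): decide whether security script NAME should run when invoked
# for period $2 ("daily", "weekly", "monthly", or an empty string when the
# security scripts are run directly from crontab). The variable names come
# from the commit message; the function name, the YES default for the
# _enable knob and the exact legacy fallback are assumptions.

# Indirect lookup of a shell variable. The caller validates NAME first, so
# nothing but [A-Za-z0-9_] ever reaches eval.
_var() { eval "printf '%s' \"\${$1-}\""; }

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Returns 0 = run, 1 = skip, 2 = bad script name.
security_should_run() {
    name=$1 period=$(lower "$2")
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "refusing unsafe script name: $name" >&2; return 2 ;;
    esac

    enable=$(_var "security_status_${name}_enable")
    # Compatibility shim: use the pre-rename variable if the new one is unset.
    [ -n "$enable" ] || enable=$(_var "daily_status_security_${name}_enable")
    enable=$(lower "${enable:-yes}")          # assumed default: enabled

    want=$(lower "$(_var "security_status_${name}_period")")
    want=${want:-daily}                       # default period per the commit message

    case $enable in no) return 1 ;; esac
    case $want in no) return 1 ;; esac
    case $want in
        daily|weekly|monthly) ;;
        *) echo "unknown period '$want' for $name" >&2; return 1 ;;
    esac
    # Direct invocation: run unless explicitly disabled above.
    [ -z "$period" ] && return 0
    [ "$want" = "$period" ]
}

# Demonstration: chksetuid moved to a weekly period.
security_status_chksetuid_period=weekly
for p in daily weekly ""; do
    if security_should_run chksetuid "$p"; then
        echo "chksetuid runs for period '${p:-direct}'"
    else
        echo "chksetuid skipped for period '${p:-direct}'"
    fi
done
```

The validation step is the security-relevant part: periodic.conf is sourced by root, and any helper that builds a variable name from a script's basename and hands it to eval should refuse names outside the [A-Za-z0-9_] set rather than trust the directory listing.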
jhb
b29359892a If daily_status_security_inline is set, the rc value needs to be
forced to 3 so that the output of this script is always displayed.
In fact, setting this flag is identical to setting
daily_status_security_output to an empty string.  To make the logic
less confusing, change the behavior of daily_status_security_inline
such that it just forces daily_status_security_output to an empty
string and then applies the normal logic.

PR:		conf/178611
Submitted by:	Jason Unovitch <jason.unovitch@gmail.com>
MFC after:	3 days
2013-06-25 15:45:31 +00:00
eadler
e48cd1a04f Unconditionally install 210.backup-aliases as many MTAs other than
sendmail support the use of /etc/aliases.

PR:		conf/176098
Submitted by:	ak
MFC after:	2 weeks
2013-05-11 23:55:43 +00:00