Commit Graph

34 Commits

Author SHA1 Message Date
John Polstra
bd4dbd7879 Use egrep instead of grep so that reporting of login failures (broken
by revision 1.6) works again.  This fix is already in RELENG_6, but was
never committed to HEAD.
2007-02-05 16:36:25 +00:00
Tom Rhodes
b5aea37f80 Add login.conf checking to periodic security scripts. If the login.conf file
is not UID/GID 0, limits will be ignored and a strange error sent to auth.log.

Head nod:	ru, rwatson
2006-08-25 07:34:36 +00:00
Max Laier
9277da52e1 Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw
scripts as well.
2006-05-12 19:17:34 +00:00
Matteo Riondato
fe468fe9c0 Enhance loginfail: it will catch sshd, proftpd and su errors, as well as other programs
PR: conf/70973
Submitted by:	Ryan Sommers" <ryans@gamersimpact.com>
Approved by:	philip (mentor)
MFC after:	3 days
2006-03-05 15:45:38 +00:00
Maxim Konovalov
17793b6ae5 A new version of rev. 1.4: postpone a temporary file creation
until we realize if ipfw(4) ever used.

PR:		bin/85970
Submitted by:	Andre Albsmeier
MFC after:	3 days
2005-09-11 14:29:58 +00:00
Gleb Smirnoff
fcb3c1b182 Fix braino in last commit. Print nothing if ipfw(4) is not present. 2005-08-31 08:31:14 +00:00
Colin Percival
d7883da19f When looking for new lines in diff output, grep for '^[>+]' instead of
'^>', in order to catch both normal and unified diffs.

Problem reported by:	volker at vwsoft dot com via -stable
MFC after:	3 days
2005-08-22 09:33:36 +00:00
Gleb Smirnoff
07d6ed30ec - Correctly parse output, when logging amount is limited in the
rule itself, not in verbose_limit sysctl. [1]
- Do check rules, even if verbose_limit is set 0. Rules may have
  their own log limits.

PR:		conf/77929
Submitted by:	Andriy Gapon [1]
Reviewed by:	matteo
2005-08-20 09:41:49 +00:00
Suleiman Souhlal
71b7f1cffb Replace "ipfw l", which is now deprecated, with "ipfw list".
Approved by:	grehan (mentor)
2005-02-23 15:07:36 +00:00
Gleb Smirnoff
aed9792fae Don't do setuid checks on file systems mounted with noexec option.
Reviewed by:	brian, ru
MFC after:	1 week
2005-01-13 15:07:35 +00:00
Max Laier
66754ab3f1 Teach periodic(8) security output to display information about blocked
packet counts by pf(4).

This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.

The output will look like this (line wrapped):

  pf denied packets:
  > block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
    Bytes: 0 States: 0 ]
  > block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
    States: 0 ]

Submitted by:	clive (thanks a lot!)
MFC after:	2 weeks
2004-11-24 18:41:53 +00:00
Joseph Koshy
59583bf53c Add a knob 'daily_status_security_diff_flags' controlling the
format of the 'diff' output generated during periodic(8) scripts.

Submitted by:	keramida (script changes)
Reviewed by:	keramida (man page changes)
2004-09-23 02:00:52 +00:00
Darren Reed
167992ad9a Add script for checking ipv6 blocked packets from PR.
PR:		misc/50154
Submitted by:	Kimura Fuyuki <fuyuki@hadaly.org>
2004-04-20 13:44:57 +00:00
Mike Makonnen
3b5ba84fd2 Have mktemp(1) construct the temporary file name for us instead
of providing a template manually.

Submitted by:	Lars Eggert <larse@isi.edu>
2003-06-30 22:06:26 +00:00
Stefan Eßer
2068678af4 Add support for bzip2ed log files. 2003-01-05 21:32:50 +00:00
Giorgos Keramidas
0333ea509d Avoid using perl in the periodic & security scripts. This brings the
base system one step closer to being totally perl-free.

Approved by:	re (jhb)
2002-12-07 23:37:44 +00:00
Thomas Quinot
da509dd293 Do not emit a message on stderr when one of the compared files
is shorter than the other.

Reviewed by:	roberto
MFC after:	3 days
2002-11-16 14:58:39 +00:00
Thomas Quinot
68c2bacd8d Remove incorrect output redirection.
Reviewed by:	roberto
Committed from:	EuroBSDCon Amsterdam
MFC after:	3 days
2002-11-16 14:57:12 +00:00
Thomas Quinot
77ee1b9798 Add newly-added sripts to FILES.
Reviewed by:	roberto
2002-10-25 15:23:26 +00:00
Thomas Quinot
7644e396f3 Add a new /etc/periodic/security script to check for packets
rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf
knob (daily_status_security_ipfdenied_enable).

Reviewed by:	roberto
Approved by:	re@
2002-10-25 15:16:54 +00:00
Thomas Quinot
cb9eff8a9e Factor out code across various /etc/periodic/security scripts into a
separate file, /etc/periodic/security/security.functions.

Reviewed by:	roberto (mentor)
Approved by:	re@
2002-10-25 15:14:16 +00:00
Andrey A. Chernov
15897030c6 Make it work with POSIX sort (POS arg).
All old sorts understand -k too.
2002-09-24 18:53:46 +00:00
Crist J. Clark
10f23b4ad0 Only create a temporary file if we are actually going to do something
in the script. Eliminates a bug where we create a temp file, but don't
delete it since the rm(1) is only done if the check is enabled.

PR:		bin/40960
Submitted by:	frf <frf@xocolatl.com>
MFC after:	3 days
2002-08-25 04:09:17 +00:00
Gregory Neil Shapiro
b31d4126e3 If all file systems are marked nosuid, the line:
MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`

sets ${MP} to an empty string so the next line:

	set ${MP}

actually just dumps all of the shells variables to stdout (and therefore
the security report).  Fixed by surrounding the code which goes through the
mounts with a test for an empty string before using ${MP}.

Reviewed by:	brian
MFC after:	3 days
2002-08-03 22:33:34 +00:00
Ruslan Ermilov
bff0acee63 Install scripts via FILES (purposedly not via SCRIPTS that would
strip the suffixes).
2002-07-18 12:33:01 +00:00
Brian Somers
103efc95e8 Mention that we're checking kernel log messages, even if there's
no output.

PR:		39618
MFC after:	1 week
2002-06-28 10:32:18 +00:00
Brian Somers
740b91b560 Change `dmesg -a'' to `dmesg''.
The change was introduced in src/etc/security 1.53 almost a year ago
in an attempt to see ipfw deny message logs.

However, ipfw deny/reject logs have been displayed since version 1.13
of the same file as a separate ``job'' and have since moved to
src/etc/periodic/security/500.ipfwdenied.

MFC after:	3 days
2002-05-17 13:38:36 +00:00
Brian Somers
db1d04d6d9 Tighten up temporary file permissions and move them to ${TMPDIR:-/tmp}
Problem reported by:	lumpy <lumpy@the.whole.net>
MFC after:		3 days
2002-05-17 11:34:12 +00:00
Crist J. Clark
f5a8f1482c Remove leading whitespace from the setuid file lists.
Due to the way we run ls(1), through xargs(1), the leading whitespace
can change even when the setuid files haven't. To avoid displaying
these lines, we currently run diff(1) with the '-w' option. However,
this is probably not the ideal way to go; there is a very, very small
possibility for diff(1) to miss things is shouldn't. So, with the
leading space cleaned, we can revert to the '-b' option which is
"safer."

PR:		conf/37618
Reviewed by:	brian
MFC after:	3 days
2002-05-05 00:59:37 +00:00
Robert Watson
2e1fc052bc No need to explicitly check for both cases when using grep -i. 2002-03-12 21:44:33 +00:00
Robert Watson
cd9281b380 Update login failure checking to check auth.log instead of messages,
and teach it to look for more general classes of failures, including
SSH login failures.  This is similar but not identical to a patch
submitted by aeonflux@synapse.subneural.net.
2002-03-11 19:39:08 +00:00
Crist J. Clark
d15413fe2f Fix a stray character that found its way into a filename. 2001-12-14 22:25:04 +00:00
Ruslan Ermilov
ac47c95eea Work around the bugfeature of test(1).
PR:		bin/32822
2001-12-14 08:58:21 +00:00
Crist J. Clark
2204f3ce42 Long ago, there was just /etc/daily. Then /etc/security was split out
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.

Reviewed by:	ru
Approved by:	ru
2001-12-07 23:57:39 +00:00