Commit Graph

50 Commits

Author SHA1 Message Date
dougb
5690821f7a Hook the 220.backup-pkgdb script I added to the build unconditionally
Hook up 610.ipf6denied based on MK_IPFILTER as 510.ipfdenied is now

Poked by:	Andrzej Tobola <ato@iem.pw.edu.pl>
2011-03-27 03:06:58 +00:00
dougb
2f5c17bf80 Add svn:executable property on remaining period scripts without it 2011-03-27 03:03:29 +00:00
brooks
479b7f4288 Add an (off by default) check for negative permissions (where the
group on a object has less permissions that everyone).  These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean.

MFC after:	1 week
2010-11-13 00:40:43 +00:00
delphij
c98c4f39f2 Hide 460.chkportsum in MK_PKGTOOLS != no case.
Submitted by:	Alex Kozlov <spam rm-rf kiev ua>
MFC after:	2 weeks
2010-11-09 18:46:44 +00:00
gabor
0caf1f3942 - Fixes to the chkportsum script to handle better some special cases,
like spaces in filename

Submitted by:	Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by:	delphij (mentor)
2010-08-10 11:15:17 +00:00
gabor
6a3f80a589 - Add a periodic script, which can be used to find installed ports' files with
mismatched checksum

PR:		conf/124641
Submitted by:	Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by:	delphij (mentor)
2010-07-19 20:19:14 +00:00
cperciva
d2f83e3acd Silence warning printed by getfsspec(3) when /etc/fstab does not exist
fstab: /etc/fstab:0: No such file or directory
and from dump(8) when setfsent(3) fails due to /etc/fstab not existing:
  DUMP: Can't open /etc/fstab for dump table information: No such...

This makes daily and security periodic runs somewhat cleaner in jails
which lack /etc/fstab files.

MFC after:	1 month
2009-09-28 03:32:35 +00:00
ed
4405dea5ac Sort `mount -p' output by name before checking for any differences.
I noticed on a system at home that restarting named(8) causes the
/var/named/dev mount to be moved to the bottom of the mount list,
because it gets remounted. When I received the daily security email this
morning, I was quite amazed to see that the security report listed the
differences, while it was nothing out of the ordinary.

If we just throw the `mount -p' output through sort(1), we'll only
receive notifications about changes to mounts if something has really
changed.
2008-10-25 18:45:40 +00:00
sam
9c3d2ffcdf add new build knobs and jigger some existing controls to improve
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd

Reviewed by:	various (posted to arch)
MFC after:	1 month
2008-09-21 22:02:26 +00:00
antoine
e5067d55c3 Improve periodic/security/550.ipfwlimit a bit:
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")

PR:		conf/126060 [1]
MFC after:	1 month
2008-08-10 18:11:24 +00:00
mtm
b64893bda7 Rev. 1.8 broke matching on lines where the failure mode is at the head
of the message, such as:
  Jun 30 10:49:21 rogue sshd[17553]: Invalid user iceman from 127.0.0.1

PR: conf/124569
Submitted by:	Taku <taku@tekipaki.jp>
2008-06-30 08:01:47 +00:00
remko
24e4d4b1f4 Add a missing ;.
PR:		misc/122069
Submitted by:	taku@tekipaki.jp
MFC after:	3 days
Approved by:	imp (mentor, implicit trivial change).
2008-03-25 15:16:19 +00:00
des
1c5bd932f1 Eliminate xargs in favor of find -exec {} + 2008-02-03 00:33:05 +00:00
des
ddf9fd25a8 Rewrite to consume significantly less memory, by using find -s instead of
find | sort.  As a bonus, this simplifies the logic considerably.  Also
remove the bogus "overruning the args to ls" comment and the corresponding
"-n 20" argument to xargs; the whole point with xargs is precisely that it
knows how large the argument list can safely get.

Note that the first run of the updated script may hypotheticall produce
false positives due to differences between find's and sort's sorting
algorithm.  I haven't seen this during testing, but others might.

MFC after:	2 weeks
2008-02-02 12:27:37 +00:00
ru
df014ee1ed Also check setuid executables on ZFS. 2007-11-23 13:00:31 +00:00
remko
a713b8f232 Only match on log messages containing fail,invalid,
bad or illegal. This prevents matching on systems that
have a name that matches the query.

PR:		conf/107560
Submitted by:	Christian Laursen <cfsl at pil dot dk>
MFC after:	3 days
Approved by:	imp (mentor)
2007-02-23 21:42:54 +00:00
jdp
abb828c3b9 Use egrep instead of grep so that reporting of login failures (broken
by revision 1.6) works again.  This fix is already in RELENG_6, but was
never committed to HEAD.
2007-02-05 16:36:25 +00:00
trhodes
f21ca27dec Add login.conf checking to periodic security scripts. If the login.conf file
is not UID/GID 0, limits will be ignored and a strange error sent to auth.log.

Head nod:	ru, rwatson
2006-08-25 07:34:36 +00:00
mlaier
23ea781ace Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw
scripts as well.
2006-05-12 19:17:34 +00:00
matteo
00b7acda29 Enhance loginfail: it will catch sshd, proftpd and su errors, as well as other programs
PR: conf/70973
Submitted by:	Ryan Sommers" <ryans@gamersimpact.com>
Approved by:	philip (mentor)
MFC after:	3 days
2006-03-05 15:45:38 +00:00
maxim
e6775c1a34 A new version of rev. 1.4: postpone a temporary file creation
until we realize if ipfw(4) ever used.

PR:		bin/85970
Submitted by:	Andre Albsmeier
MFC after:	3 days
2005-09-11 14:29:58 +00:00
glebius
5facd9e67a Fix braino in last commit. Print nothing if ipfw(4) is not present. 2005-08-31 08:31:14 +00:00
cperciva
2f763eca1d When looking for new lines in diff output, grep for '^[>+]' instead of
'^>', in order to catch both normal and unified diffs.

Problem reported by:	volker at vwsoft dot com via -stable
MFC after:	3 days
2005-08-22 09:33:36 +00:00
glebius
34a844087d - Correctly parse output, when logging amount is limited in the
rule itself, not in verbose_limit sysctl. [1]
- Do check rules, even if verbose_limit is set 0. Rules may have
  their own log limits.

PR:		conf/77929
Submitted by:	Andriy Gapon [1]
Reviewed by:	matteo
2005-08-20 09:41:49 +00:00
ssouhlal
ec1c427a31 Replace "ipfw l", which is now deprecated, with "ipfw list".
Approved by:	grehan (mentor)
2005-02-23 15:07:36 +00:00
glebius
f044db930e Don't do setuid checks on file systems mounted with noexec option.
Reviewed by:	brian, ru
MFC after:	1 week
2005-01-13 15:07:35 +00:00
mlaier
7e3eabcfe7 Teach periodic(8) security output to display information about blocked
packet counts by pf(4).

This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.

The output will look like this (line wrapped):

  pf denied packets:
  > block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
    Bytes: 0 States: 0 ]
  > block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
    States: 0 ]

Submitted by:	clive (thanks a lot!)
MFC after:	2 weeks
2004-11-24 18:41:53 +00:00
jkoshy
e73862471d Add a knob 'daily_status_security_diff_flags' controlling the
format of the 'diff' output generated during periodic(8) scripts.

Submitted by:	keramida (script changes)
Reviewed by:	keramida (man page changes)
2004-09-23 02:00:52 +00:00
darrenr
77ecc19ba0 Add script for checking ipv6 blocked packets from PR.
PR:		misc/50154
Submitted by:	Kimura Fuyuki <fuyuki@hadaly.org>
2004-04-20 13:44:57 +00:00
mtm
016c135dba Have mktemp(1) construct the temporary file name for us instead
of providing a template manually.

Submitted by:	Lars Eggert <larse@isi.edu>
2003-06-30 22:06:26 +00:00
se
6f580108ee Add support for bzip2ed log files. 2003-01-05 21:32:50 +00:00
keramida
f973c892f0 Avoid using perl in the periodic & security scripts. This brings the
base system one step closer to being totally perl-free.

Approved by:	re (jhb)
2002-12-07 23:37:44 +00:00
thomas
dfc9d731c3 Do not emit a message on stderr when one of the compared files
is shorter than the other.

Reviewed by:	roberto
MFC after:	3 days
2002-11-16 14:58:39 +00:00
thomas
e4fc2471bb Remove incorrect output redirection.
Reviewed by:	roberto
Committed from:	EuroBSDCon Amsterdam
MFC after:	3 days
2002-11-16 14:57:12 +00:00
thomas
08d4d01809 Add newly-added sripts to FILES.
Reviewed by:	roberto
2002-10-25 15:23:26 +00:00
thomas
0eb26ce875 Add a new /etc/periodic/security script to check for packets
rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf
knob (daily_status_security_ipfdenied_enable).

Reviewed by:	roberto
Approved by:	re@
2002-10-25 15:16:54 +00:00
thomas
24742dd0fd Factor out code across various /etc/periodic/security scripts into a
separate file, /etc/periodic/security/security.functions.

Reviewed by:	roberto (mentor)
Approved by:	re@
2002-10-25 15:14:16 +00:00
ache
ac09299ab9 Make it work with POSIX sort (POS arg).
All old sorts understand -k too.
2002-09-24 18:53:46 +00:00
cjc
1bdbc52de7 Only create a temporary file if we are actually going to do something
in the script. Eliminates a bug where we create a temp file, but don't
delete it since the rm(1) is only done if the check is enabled.

PR:		bin/40960
Submitted by:	frf <frf@xocolatl.com>
MFC after:	3 days
2002-08-25 04:09:17 +00:00
gshapiro
8cc0839b13 If all file systems are marked nosuid, the line:
MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`

sets ${MP} to an empty string so the next line:

	set ${MP}

actually just dumps all of the shells variables to stdout (and therefore
the security report).  Fixed by surrounding the code which goes through the
mounts with a test for an empty string before using ${MP}.

Reviewed by:	brian
MFC after:	3 days
2002-08-03 22:33:34 +00:00
ru
ed13465e59 Install scripts via FILES (purposedly not via SCRIPTS that would
strip the suffixes).
2002-07-18 12:33:01 +00:00
brian
c4dd2bd45f Mention that we're checking kernel log messages, even if there's
no output.

PR:		39618
MFC after:	1 week
2002-06-28 10:32:18 +00:00
brian
e0be427440 Change `dmesg -a'' to `dmesg''.
The change was introduced in src/etc/security 1.53 almost a year ago
in an attempt to see ipfw deny message logs.

However, ipfw deny/reject logs have been displayed since version 1.13
of the same file as a separate ``job'' and have since moved to
src/etc/periodic/security/500.ipfwdenied.

MFC after:	3 days
2002-05-17 13:38:36 +00:00
brian
e0e62927af Tighten up temporary file permissions and move them to ${TMPDIR:-/tmp}
Problem reported by:	lumpy <lumpy@the.whole.net>
MFC after:		3 days
2002-05-17 11:34:12 +00:00
cjc
560bc9d245 Remove leading whitespace from the setuid file lists.
Due to the way we run ls(1), through xargs(1), the leading whitespace
can change even when the setuid files haven't. To avoid displaying
these lines, we currently run diff(1) with the '-w' option. However,
this is probably not the ideal way to go; there is a very, very small
possibility for diff(1) to miss things is shouldn't. So, with the
leading space cleaned, we can revert to the '-b' option which is
"safer."

PR:		conf/37618
Reviewed by:	brian
MFC after:	3 days
2002-05-05 00:59:37 +00:00
rwatson
5ccd83be46 No need to explicitly check for both cases when using grep -i. 2002-03-12 21:44:33 +00:00
rwatson
dcb54d0614 Update login failure checking to check auth.log instead of messages,
and teach it to look for more general classes of failures, including
SSH login failures.  This is similar but not identical to a patch
submitted by aeonflux@synapse.subneural.net.
2002-03-11 19:39:08 +00:00
cjc
1a95751be8 Fix a stray character that found its way into a filename. 2001-12-14 22:25:04 +00:00
ru
1255b8caf5 Work around the bugfeature of test(1).
PR:		bin/32822
2001-12-14 08:58:21 +00:00
cjc
ba1e7b8577 Long ago, there was just /etc/daily. Then /etc/security was split out
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.

Reviewed by:	ru
Approved by:	ru
2001-12-07 23:57:39 +00:00