diff --git a/usr.sbin/periodic/etc/security/100.chksetuid b/usr.sbin/periodic/etc/security/100.chksetuid index 071d296cdaff..6ade53a180be 100755 --- a/usr.sbin/periodic/etc/security/100.chksetuid +++ b/usr.sbin/periodic/etc/security/100.chksetuid @@ -1,61 +1,59 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/periodic/security/security.functions -security_daily_compat_var security_status_chksetuid_enable - rc=0 if check_yesno_period security_status_chksetuid_enable then echo "" echo 'Checking setuid files and devices:' IFS=$'\n' # Don't split mount points with spaces or tabs MP=`mount -t ufs,zfs | awk ' $0 !~ /no(suid|exec)/ { sub(/^.* on \//, "/"); sub(/ \(.*\)/, ""); print $0 }'` find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ \( -perm -u+s -or -perm -g+s \) -exec ls -lid -D "%FT%T" \{\} \+ | check_diff setuid - "${host} setuid diffs:" rc=$? fi exit $rc diff --git a/usr.sbin/periodic/etc/security/110.neggrpperm b/usr.sbin/periodic/etc/security/110.neggrpperm index 6def25fc6a0e..41f2713533b0 100755 --- a/usr.sbin/periodic/etc/security/110.neggrpperm +++ b/usr.sbin/periodic/etc/security/110.neggrpperm @@ -1,60 +1,58 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi -security_daily_compat_var security_status_neggrpperm_enable - rc=0 if check_yesno_period security_status_neggrpperm_enable then echo "" echo 'Checking negative group permissions:' IFS=$'\n' # Don't split mount points with spaces or tabs MP=`mount -t ufs,zfs | awk ' $0 !~ /no(suid|exec)/ { sub(/^.* on \//, "/"); sub(/ \(.*\)/, ""); print $0 }'` n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ \( \( ! -perm +010 -and -perm +001 \) -or \ \( ! -perm +020 -and -perm +002 \) -or \ \( ! -perm +040 -and -perm +004 \) \) \ -exec ls -lid -D "%FT%T" \{\} \+ | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 fi exit $rc diff --git a/usr.sbin/periodic/etc/security/200.chkmounts b/usr.sbin/periodic/etc/security/200.chkmounts index c6405bb86467..055cf256018a 100755 --- a/usr.sbin/periodic/etc/security/200.chkmounts +++ b/usr.sbin/periodic/etc/security/200.chkmounts @@ -1,64 +1,60 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # Show changes in the way filesystems are mounted # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/periodic/security/security.functions -security_daily_compat_var security_status_chkmounts_enable -security_daily_compat_var security_status_chkmounts_ignore -security_daily_compat_var security_status_noamd - ignore="${security_status_chkmounts_ignore}" rc=0 if check_yesno_period security_status_chkmounts_enable then case "$security_status_noamd" in [Yy][Ee][Ss]) ignore="${ignore}|^amd:" esac [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat if ! [ -f /etc/fstab ]; then export PATH_FSTAB=/dev/null fi mount -p | sort | ${cmd} | check_diff mount - "${host} changes in mounted filesystems:" rc=$? fi exit "$rc" diff --git a/usr.sbin/periodic/etc/security/300.chkuid0 b/usr.sbin/periodic/etc/security/300.chkuid0 index 121734357d06..c73980300d70 100755 --- a/usr.sbin/periodic/etc/security/300.chkuid0 +++ b/usr.sbin/periodic/etc/security/300.chkuid0 @@ -1,53 +1,51 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi -security_daily_compat_var security_status_chkuid0_enable - rc=0 if check_yesno_period security_status_chkuid0_enable then echo "" echo 'Checking for uids of 0:' n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr | sed -e '/^root 0$/d' -e '/^toor 0$/d' | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 fi exit "$rc" diff --git a/usr.sbin/periodic/etc/security/400.passwdless b/usr.sbin/periodic/etc/security/400.passwdless index 10a80ce43370..3e30e5e9cf5f 100755 --- a/usr.sbin/periodic/etc/security/400.passwdless +++ b/usr.sbin/periodic/etc/security/400.passwdless @@ -1,50 +1,48 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi -security_daily_compat_var security_status_passwdless_enable - rc=0 if check_yesno_period security_status_passwdless_enable then echo "" echo 'Checking for passwordless accounts:' n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 fi exit "$rc" diff --git a/usr.sbin/periodic/etc/security/410.logincheck b/usr.sbin/periodic/etc/security/410.logincheck index 7e1ac5ec1b67..a3f3f3f1a21a 100755 --- a/usr.sbin/periodic/etc/security/410.logincheck +++ b/usr.sbin/periodic/etc/security/410.logincheck @@ -1,54 +1,52 @@ #!/bin/sh - # # Copyright (c) 2006 Tom Rhodes # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi -security_daily_compat_var security_status_logincheck_enable - rc=0 if check_yesno_period security_status_logincheck_enable then echo "" echo 'Checking login.conf permissions:' if [ -G /etc/login.conf -a -O /etc/login.conf ]; then n=0 else echo "Bad ownership of /etc/login.conf" n=1 fi [ $n -gt 0 ] && rc=1 || rc=0 fi exit "$rc" diff --git a/usr.sbin/periodic/etc/security/500.ipfwdenied b/usr.sbin/periodic/etc/security/500.ipfwdenied index f2a435711805..3ee7b3aa5cdc 100755 --- a/usr.sbin/periodic/etc/security/500.ipfwdenied +++ b/usr.sbin/periodic/etc/security/500.ipfwdenied @@ -1,53 +1,51 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/periodic/security/security.functions -security_daily_compat_var security_status_ipfwdenied_enable - rc=0 if check_yesno_period security_status_ipfwdenied_enable then TMP=`mktemp -t security` if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" fi rc=$? rm -f ${TMP} fi exit $rc diff --git a/usr.sbin/periodic/etc/security/510.ipfdenied b/usr.sbin/periodic/etc/security/510.ipfdenied index 3350bfd40fcf..b9f468fb96e5 100755 --- a/usr.sbin/periodic/etc/security/510.ipfdenied +++ b/usr.sbin/periodic/etc/security/510.ipfdenied @@ -1,53 +1,51 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/periodic/security/security.functions -security_daily_compat_var security_status_ipfdenied_enable - rc=0 if check_yesno_period security_status_ipfdenied_enable then TMP=`mktemp -t security` if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf ${TMP} "${host} ipf denied packets:" fi rc=$? rm -f ${TMP} fi exit $rc diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied index 6af474712d6f..9852936257bc 100755 --- a/usr.sbin/periodic/etc/security/520.pfdenied +++ b/usr.sbin/periodic/etc/security/520.pfdenied @@ -1,58 +1,56 @@ #!/bin/sh - # # Copyright (c) 2004 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/periodic/security/security.functions -security_daily_compat_var security_status_pfdenied_enable - rc=0 if check_yesno_period security_status_pfdenied_enable then TMP=`mktemp -t security` for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors} do pfctl -a "${_a}" -sr -v -z 2>/dev/null | \ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} done if [ -s ${TMP} ]; then check_diff new_only pf ${TMP} "${host} pf denied packets:" fi rc=$? rm -f ${TMP} fi exit $rc diff --git a/usr.sbin/periodic/etc/security/550.ipfwlimit b/usr.sbin/periodic/etc/security/550.ipfwlimit index 7b6f915a1ac5..8382c12df22f 100755 --- a/usr.sbin/periodic/etc/security/550.ipfwlimit +++ b/usr.sbin/periodic/etc/security/550.ipfwlimit @@ -1,68 +1,66 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # Show ipfw rules which have reached the log limit # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi -security_daily_compat_var security_status_ipfwlimit_enable - rc=0 if check_yesno_period security_status_ipfwlimit_enable then IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then exit 0 fi TMP=`mktemp -t security` ipfw -a list | grep " log " | \ grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ awk \ '{if ($6 == "logamount") { if ($2 > $7) {print $0}} }' > ${TMP} if [ -s "${TMP}" ]; then rc=1 echo "" echo 'ipfw log limit reached:' cat ${TMP} fi rm -f ${TMP} fi exit $rc diff --git a/usr.sbin/periodic/etc/security/610.ipf6denied b/usr.sbin/periodic/etc/security/610.ipf6denied index a7902e504baa..e1db7611557b 100755 --- a/usr.sbin/periodic/etc/security/610.ipf6denied +++ b/usr.sbin/periodic/etc/security/610.ipf6denied @@ -1,53 +1,51 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/periodic/security/security.functions -security_daily_compat_var security_status_ipf6denied_enable - rc=0 if check_yesno_period security_status_ipf6denied_enable then TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" fi rc=$? rm -f ${TMP} fi exit $rc diff --git a/usr.sbin/periodic/etc/security/700.kernelmsg b/usr.sbin/periodic/etc/security/700.kernelmsg index cd4391aad98d..016bfbef36d0 100755 --- a/usr.sbin/periodic/etc/security/700.kernelmsg +++ b/usr.sbin/periodic/etc/security/700.kernelmsg @@ -1,53 +1,51 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # Show kernel log messages # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/periodic/security/security.functions -security_daily_compat_var security_status_kernelmsg_enable - rc=0 if check_yesno_period security_status_kernelmsg_enable then dmesg 2>/dev/null | check_diff new_only dmesg - "${host} kernel log messages:" rc=$? fi exit $rc diff --git a/usr.sbin/periodic/etc/security/800.loginfail b/usr.sbin/periodic/etc/security/800.loginfail index c5a3a972aaa1..19bf9a4b3b91 100755 --- a/usr.sbin/periodic/etc/security/800.loginfail +++ b/usr.sbin/periodic/etc/security/800.loginfail @@ -1,68 +1,65 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # Show login failures # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_loginfail_enable - LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` catmsgs() { find ${LOG} -name 'auth.log.*' -mtime -2 | sort -t. -r -n -k 2,2 | while read f do zcat -f $f done [ -f ${LOG}/auth.log ] && cat $LOG/auth.log } rc=0 if check_yesno_period security_status_loginfail_enable then echo "" echo "${host} login failures:" n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 fi exit $rc diff --git a/usr.sbin/periodic/etc/security/900.tcpwrap b/usr.sbin/periodic/etc/security/900.tcpwrap index 55fa58f4df39..bbbc04a03988 100755 --- a/usr.sbin/periodic/etc/security/900.tcpwrap +++ b/usr.sbin/periodic/etc/security/900.tcpwrap @@ -1,68 +1,65 @@ #!/bin/sh - # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # Show tcp_wrapper warning messages # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ] then . /etc/defaults/periodic.conf source_periodic_confs fi -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_tcpwrap_enable - LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` catmsgs() { find ${LOG} -name 'messages.*' -mtime -2 | sort -t. -r -n -k 2,2 | while read f do zcat -f $f done [ -f ${LOG}/messages ] && cat $LOG/messages } rc=0 if check_yesno_period security_status_tcpwrap_enable then echo "" echo "${host} refused connections:" n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 fi exit $rc diff --git a/usr.sbin/periodic/etc/security/security.functions b/usr.sbin/periodic/etc/security/security.functions index aa19a99ebf87..c3ff6eb69391 100644 --- a/usr.sbin/periodic/etc/security/security.functions +++ b/usr.sbin/periodic/etc/security/security.functions @@ -1,86 +1,83 @@ #!/bin/sh # # Copyright (c) 2001 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # This is a library file, so we only try to do something when sourced. case "$0" in */security.functions) exit 0 ;; esac -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_diff_flags - # # Show differences in the output of an audit command # LOG="${security_status_logdir}" rc=0 # Usage: COMMAND | check_diff [new_only] LABEL - MSG # COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG # if $1 is new_only, show only the 'new' part of the diff. # LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files. check_diff() { unset IFS rc=0 if [ "$1" = "new_only" ]; then shift filter="grep '^[>+][^+]'" else filter="cat" fi label="$1"; shift tmpf="$1"; shift msg="$1"; shift if [ "${tmpf}" = "-" ]; then tmpf=`mktemp -t security` cat > ${tmpf} fi if [ ! -f ${LOG}/${label}.today ]; then rc=1 echo "" echo "No ${LOG}/${label}.today" cp ${tmpf} ${LOG}/${label}.today || rc=3 fi if ! cmp -s ${LOG}/${label}.today ${tmpf} >/dev/null; then [ $rc -lt 1 ] && rc=1 echo "" echo "${msg}" diff ${security_status_diff_flags} ${LOG}/${label}.today \ ${tmpf} | eval "${filter}" mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3 fi rm -f ${tmpf} exit ${rc} } diff --git a/usr.sbin/periodic/periodic.conf b/usr.sbin/periodic/periodic.conf index 608a199b3cc9..3bb34d827564 100644 --- a/usr.sbin/periodic/periodic.conf +++ b/usr.sbin/periodic/periodic.conf @@ -1,433 +1,411 @@ #!/bin/sh # # This is defaults/periodic.conf - a file full of useful variables that # you can set to change the default behaviour of periodic jobs on your # system. You should not edit this file! Put any overrides into one of the # $periodic_conf_files instead and you will be able to update these defaults # later without spamming your local configuration information. # # The $periodic_conf_files files should only contain values which override # values set in this file. This eases the upgrade path when defaults # are changed and new features are added. # # For a more detailed explanation of all the periodic.conf variables, please # refer to the periodic.conf(5) manual page. # # # What files override these defaults ? periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local ${_localbase}/etc/periodic.conf" # periodic script dirs. _localbase is being set in /usr/sbin/periodic local_periodic="${_localbase}/etc/periodic" # Max time to sleep to avoid causing congestion on download servers anticongestion_sleeptime=3600 # Daily options # These options are used by periodic(8) itself to determine what to do # with the output of the sub-programs that are run, and where to send # that output. $daily_output might be set to /var/log/daily.log if you # wish to log the daily output and have the files rotated by newsyslog(8) # daily_diff_flags="-b -U 0" # flags for diff output daily_output="root" # user or /file daily_show_success="YES" # scripts returning 0 daily_show_info="YES" # scripts returning 1 daily_show_badconfig="NO" # scripts returning 2 # 100.clean-disks daily_clean_disks_enable="NO" # Delete files daily daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*" daily_clean_disks_days=3 # If older than this daily_clean_disks_verbose="YES" # Mention files deleted # 110.clean-tmps daily_clean_tmps_enable="NO" # Delete stuff daily daily_clean_tmps_dirs="/tmp" # Delete under here daily_clean_tmps_days="3" # If not accessed for daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix" daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap" daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal" # Don't delete these daily_clean_tmps_verbose="YES" # Mention files deleted # 120.clean-preserve daily_clean_preserve_enable="YES" # Delete files daily daily_clean_preserve_days=7 # If not modified for daily_clean_preserve_verbose="YES" # Mention files deleted # 130.clean-msgs daily_clean_msgs_enable="YES" # Delete msgs daily daily_clean_msgs_days= # If not modified for # 140.clean-rwho daily_clean_rwho_enable="YES" # Delete rwho daily daily_clean_rwho_days=7 # If not modified for daily_clean_rwho_verbose="YES" # Mention files deleted # 150.clean-hoststat daily_clean_hoststat_enable="YES" # Purge sendmail host # status cache daily # 200.backup-passwd daily_backup_passwd_enable="YES" # Backup passwd & group # 210.backup-aliases daily_backup_aliases_enable="YES" # Backup mail aliases # 221.backup-gpart if [ $(sysctl -n security.jail.jailed) = 0 ]; then # Backup partition table/boot partition/MBR daily_backup_gpart_enable="YES" else daily_backup_gpart_enable="NO" fi daily_backup_gpart_verbose="NO" # Be verbose if new backup differs from the old one daily_backup_efi_enable="NO" # Backup EFI system partition (ESP) # 222.backup-gmirror daily_backup_gmirror_enable="NO" # Backup of gmirror info (i.e., output of `gmirror list`) daily_backup_gmirror_verbose="NO" # Log diff if new backup differs from the old one # 223.backup-zfs daily_backup_zfs_enable="NO" # Backup output from zpool/zfs list daily_backup_zfs_props_enable="NO" # Backup zpool/zfs filesystem properties daily_backup_zfs_get_flags="all" # flags passed to `zfs get` daily_backup_zfs_list_flags="" # flags passed to `zfs list` daily_backup_zpool_get_flags="all" # flags passed to `zpool get` daily_backup_zpool_list_flags="-v" # flags passed to `zpool list` daily_backup_zfs_verbose="NO" # Report diff between the old and new backups. # 300.calendar daily_calendar_enable="NO" # Run calendar -a # 310.accounting daily_accounting_enable="YES" # Rotate acct files daily_accounting_compress="NO" # Gzip rotated files daily_accounting_flags=-q # Flags to /usr/sbin/sa daily_accounting_save=3 # How many files to save # 400.status-disks daily_status_disks_enable="YES" # Check disk status daily_status_disks_df_flags="-l -h" # df(1) flags for check # 401.status-graid daily_status_graid_enable="NO" # Check graid(8) # 404.status-zfs daily_status_zfs_enable="NO" # Check ZFS daily_status_zfs_zpool_list_enable="YES" # List ZFS pools # 406.status-gmirror daily_status_gmirror_enable="NO" # Check gmirror(8) # 407.status-graid3 daily_status_graid3_enable="NO" # Check graid3(8) # 408.status-gstripe daily_status_gstripe_enable="NO" # Check gstripe(8) # 409.status-gconcat daily_status_gconcat_enable="NO" # Check gconcat(8) # 410.status-mfi daily_status_mfi_enable="NO" # Check mfiutil(8) # 420.status-network daily_status_network_enable="YES" # Check network status daily_status_network_usedns="YES" # DNS lookups are ok daily_status_network_netstat_flags="-d -W" # netstat(1) flags # 430.status-uptime daily_status_uptime_enable="YES" # Check system uptime # 440.status-mailq daily_status_mailq_enable="YES" # Check mail status daily_status_mailq_shorten="NO" # Shorten output daily_status_include_submit_mailq="YES" # Also submit queue # 450.status-security daily_status_security_enable="YES" # Security check # See also "Security options" below for more options daily_status_security_inline="NO" # Run inline ? daily_status_security_output="root" # user or /file # 460.status-mail-rejects daily_status_mail_rejects_enable="YES" # Check mail rejects daily_status_mail_rejects_logs=3 # How many logs to check daily_status_mail_rejects_shorten="NO" # Shorten output # 480.leapfile-ntpd daily_ntpd_leapfile_enable="YES" # Fetch NTP leapfile # 480.status-ntpd daily_status_ntpd_enable="NO" # Check NTP status # 500.queuerun daily_queuerun_enable="YES" # Run mail queue daily_submit_queuerun="YES" # Also submit queue # 510.status-world-kernel daily_status_world_kernel="YES" # Check the running # userland/kernel version # 800.scrub-zfs daily_scrub_zfs_enable="NO" daily_scrub_zfs_pools="" # empty string selects all pools daily_scrub_zfs_default_threshold="35" # days between scrubs #daily_scrub_zfs_${poolname}_threshold="35" # pool specific threshold # 801.trim-zfs daily_trim_zfs_enable="NO" daily_trim_zfs_pools="" # empty string selects all pools daily_trim_zfs_flags="" # zpool-trim(8) flags # 999.local daily_local="/etc/daily.local" # Local scripts # Weekly options # These options are used by periodic(8) itself to determine what to do # with the output of the sub-programs that are run, and where to send # that output. $weekly_output might be set to /var/log/weekly.log if you # wish to log the weekly output and have the files rotated by newsyslog(8) # weekly_output="root" # user or /file weekly_show_success="YES" # scripts returning 0 weekly_show_info="YES" # scripts returning 1 weekly_show_badconfig="NO" # scripts returning 2 # 310.locate weekly_locate_enable="YES" # Update locate weekly # 320.whatis weekly_whatis_enable="YES" # Update whatis weekly # 340.noid weekly_noid_enable="NO" # Find unowned files weekly_noid_dirs="/" # Look here # 450.status-security weekly_status_security_enable="YES" # Security check # See also "Security options" above for more options weekly_status_security_inline="NO" # Run inline ? weekly_status_security_output="root" # user or /file # 999.local weekly_local="/etc/weekly.local" # Local scripts # Monthly options # These options are used by periodic(8) itself to determine what to do # with the output of the sub-programs that are run, and where to send # that output. $monthly_output might be set to /var/log/monthly.log if you # wish to log the monthly output and have the files rotated by newsyslog(8) # monthly_output="root" # user or /file monthly_show_success="YES" # scripts returning 0 monthly_show_info="YES" # scripts returning 1 monthly_show_badconfig="NO" # scripts returning 2 # 200.accounting monthly_accounting_enable="YES" # Login accounting # 450.status-security monthly_status_security_enable="YES" # Security check # See also "Security options" above for more options monthly_status_security_inline="NO" # Run inline ? monthly_status_security_output="root" # user or /file # 999.local monthly_local="/etc/monthly.local" # Local scripts # Security options security_show_success="YES" # scripts returning 0 security_show_info="YES" # scripts returning 1 security_show_badconfig="NO" # scripts returning 2 # These options are used by the security periodic(8) scripts spawned in # daily and weekly 450.status-security. security_status_logdir="/var/log" # Directory for logs security_status_diff_flags="-b -U 0" # flags for diff output # Each of the security_status_*_period options below can have one of the # following values: # - NO: do not run at all # - daily: only run during the daily security status # - weekly: only run during the weekly security status # - monthly: only run during the monthly security status # Note that if periodic security scripts are run from crontab(5) directly, # they will be run unless _enable or _period is set to "NO". # 100.chksetuid security_status_chksetuid_enable="YES" security_status_chksetuid_period="daily" # 110.neggrpperm security_status_neggrpperm_enable="YES" security_status_neggrpperm_period="daily" # 200.chkmounts security_status_chkmounts_enable="YES" security_status_chkmounts_period="daily" #security_status_chkmounts_ignore="^amd:" # Don't check matching # FS types security_status_noamd="NO" # Don't check amd mounts # 300.chkuid0 security_status_chkuid0_enable="YES" security_status_chkuid0_period="daily" # 400.passwdless security_status_passwdless_enable="YES" security_status_passwdless_period="daily" # 410.logincheck security_status_logincheck_enable="YES" security_status_logincheck_period="daily" # 500.ipfwdenied security_status_ipfwdenied_enable="YES" security_status_ipfwdenied_period="daily" # 510.ipfdenied security_status_ipfdenied_enable="YES" security_status_ipfdenied_period="daily" # 520.pfdenied security_status_pfdenied_enable="YES" security_status_pfdenied_period="daily" security_status_pfdenied_additionalanchors="" # 550.ipfwlimit security_status_ipfwlimit_enable="YES" security_status_ipfwlimit_period="daily" # 610.ipf6denied security_status_ipf6denied_enable="YES" security_status_ipf6denied_period="daily" # 700.kernelmsg security_status_kernelmsg_enable="YES" security_status_kernelmsg_period="daily" # 800.loginfail security_status_loginfail_enable="YES" security_status_loginfail_period="daily" # 900.tcpwrap security_status_tcpwrap_enable="YES" security_status_tcpwrap_period="daily" # Define source_periodic_confs, the mechanism used by /etc/periodic/*/* # scripts to source defaults/periodic.conf overrides safely. if [ -z "${source_periodic_confs_defined}" ]; then source_periodic_confs_defined=yes # Sleep for a random amount of time in order to mitigate the thundering # herd problem of multiple hosts running periodic simultaneously. # Will not sleep when used interactively. # Will sleep at most once per invocation of periodic anticongestion() { [ -n "$PERIODIC_IS_INTERACTIVE" ] && return if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then rm -f $PERIODIC_ANTICONGESTION_FILE sleep `jot -r 1 0 ${anticongestion_sleeptime}` fi } - # Compatibility with old daily variable names. - # They can be removed in stable/11. - security_daily_compat_var() { - local var=$1 dailyvar value - - dailyvar=daily_status_security${var#security_status} - periodvar=${var%enable}period - eval value=\"\$$dailyvar\" - [ -z "$value" ] && return - echo "Warning: Variable \$$dailyvar is deprecated," \ - "use \$$var instead." >&2 - case "$value" in - [Yy][Ee][Ss]) - eval $var=YES - eval $periodvar=daily - ;; - *) - eval $var=\"$value\" - ;; - esac - } - check_yesno_period() { local var="$1" periodvar value period eval value=\"\$$var\" case "$value" in [Yy][Ee][Ss]) ;; *) return 1 ;; esac periodvar=${var%enable}period eval period=\"\$$periodvar\" case "$PERIODIC" in "security daily") case "$period" in [Dd][Aa][Ii][Ll][Yy]) return 0 ;; *) return 1 ;; esac ;; "security weekly") case "$period" in [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;; *) return 1 ;; esac ;; "security monthly") case "$period" in [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;; *) return 1 ;; esac ;; security) # Run directly from crontab(5). case "$period" in [Nn][Oo]) return 1 ;; *) return 0 ;; esac ;; '') # Script run manually. return 0 ;; *) echo "ASSERTION FAILED: Unexpected value for" \ "\$PERIODIC: '$PERIODIC'" >&2 exit 127 ;; esac } source_periodic_confs() { local i sourced_files for i in ${periodic_conf_files}; do case ${sourced_files} in *:$i:*) ;; *) sourced_files="${sourced_files}:$i:" [ -r $i ] && . $i ;; esac done } fi