326326 | 28-Nov-2017 | asomers
MFC r322868:
Fix 100.chksetuid and 110.neggrpperm for mountpoints with spaces
Also, fix them for mountpoints with tabs.
PR: 48325
Reported by: pguyot@kallisys.net, aaron@baugher.biz

315348 | 16-Mar-2017 | ngie
MFC r314895:
Only install 900.tcpwrap if MK_INETD != "no" and MK_TCP_WRAPPERS != "no"
It relies on output from inetd that is triggered by MK_TCP_WRAPPERS=yes.
We need to check for both knobs being set -- otherwise the script doesn't have much value.
PR: 217577

315346 | 16-Mar-2017 | ngie
MFC r274130: r274130 (by bapt):
Avoid installing security.functions with executable bits; periodic(8) will try to execute all files with an executable bit in /etc/periodic/*/, while this file is supposed only to be sourced by others.

306644 | 03-Oct-2016 | asomers
MFC r306048
Fix periodic scripts when an NFS mount covers a local mount
100.chksetuid and 110.neggrpperm try to search through all UFS and ZFS filesystems. But their logic contains an error. They also search through remote filesystems that are mounted on top of the root of a local filesystem. For example, if a user installs a FreeBSD system with the default ZFS layout, he'll get a zroot/usr/home filesystem. If he then mounts /usr/home over NFS, these scripts would search through /usr/home.

295130 | 01-Feb-2016 | marius
MFC: r295032
Use '^[>+][^+]' instead of '^[>+]' with grep(1) when filtering the diff(1) output between two files in "new_only"-mode. Otherwise, with the default of using unified format a remnant of the header in the output is the result. This is especially irritating when the two files differ but the second one is empty, amounting to the vestige of the header being the only readout.
Reported by: Stefan Haemmerl
Approved by: re (delphij)

292672 | 23-Dec-2015 | lidl
MFC r290405:
Restrict 520.pfdenied to only list rules that blocked traffic. Before this change, the 520.pfdenied script listed all rules that matched /^block/ in the rule. Restrict the printed output to only those rules that result in packets being dropped.
Approved by: rpaulo (mentor)

263661 | 23-Mar-2014 | brueffer
Further refine the auth fail regex to catch more auth failures and reduce false positives.
The committed patch was provided by Christian Marg.
PR: 91732
Submitted by: Daniel O'Connor <doconnor at gsoft.com.au> Skye Poier <spoier at gmail.com> Alan Amesbury <amesbury at umn.edu> Christian Marg <marg at rz.tu-clausthal.de>

256281 | 10-Oct-2013 | gjb
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

254974 | 27-Aug-2013 | jlh
Make the period of each periodic security script configurable.
There are now six additional variables
    weekly_status_security_enable
    weekly_status_security_inline
    weekly_status_security_output
    monthly_status_security_enable
    monthly_status_security_inline
    monthly_status_security_output
alongside their existing daily counterparts. They all have the same default values.
All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE.
"security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO".
Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitly disabled with a "NO", either in the "_enable" or the "_period" variable.
When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong.
Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier.
Reviewed by: hackers@

220049 | 27-Mar-2011 | dougb
Hook the 220.backup-pkgdb script I added to the build unconditionally
Hook up 610.ipf6denied based on MK_IPFILTER as 510.ipfdenied is now
Poked by: Andrzej Tobola <ato@iem.pw.edu.pl>

220048 | 27-Mar-2011 | dougb
Add svn:executable property on remaining periodic scripts without it

215213 | 13-Nov-2010 | brooks
Add an (off by default) check for negative permissions (where the group on an object has fewer permissions than everyone). These permissions will not work reliably over NFS if you have more than 14 supplemental groups and are usually not what you mean.
MFC after: 1 week

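Added example, not the 110.neggrpperm script itself and not code from the FreeBSD tree: what the "negative permission" above means, decided from an ls(1)-style mode string in POSIX sh. The listing it reports on is constructed here to stand in for a find(1) walk, and the handling of the s/S/t/T special-bit markers is our own assumption about how such a check should treat setuid, setgid and sticky bits.

```sh
#!/bin/sh
# Added example (not FreeBSD's 110.neggrpperm): detect "negative"
# permissions, i.e. a permission granted to everyone but denied to the
# file's group, from an ls(1)-style mode string such as "-rw----r--".

# Return 0 if MODE grants some r/w/x bit to others but not to the group,
# 1 otherwise.  Only the nine rwx characters are inspected; anything
# after them (ACL '+' markers and the like) is ignored, and a string
# shorter than a full mode is never flagged.
is_negative_perm() {
    mode=$1
    perms=${mode#?}                              # drop the file-type char
    perms=${perms%"${perms#?????????}"}          # keep exactly nine chars
    group=${perms#???}; group=${group%???}       # chars 4-6
    other=${perms#??????}                        # chars 7-9
    # Assumption of ours: 's'/'t' mean the execute bit is set, 'S'/'T'
    # mean it is not, so map them onto plain 'x' / '-' before comparing.
    group=$(printf '%s' "$group" | tr 'st' 'xx' | tr 'ST' '--')
    other=$(printf '%s' "$other" | tr 'st' 'xx' | tr 'ST' '--')
    i=1
    while [ "$i" -le 3 ]; do
        g=$(printf '%s' "$group" | cut -c"$i")
        o=$(printf '%s' "$other" | cut -c"$i")
        if [ "$o" != '-' ] && [ "$g" = '-' ]; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Constructed ls -l style listing standing in for the find(1) walk the
# periodic script performs; paths, owners and sizes are made up.
SAMPLE_LISTING='-rw-r--r--  1 root  wheel   1024 Nov 13 10:00 /etc/motd
-rwx---r-x  1 root  wheel   8192 Nov 13 10:00 /usr/local/bin/oddtool
-rw----r--  1 alice staff    512 Nov 13 10:00 /home/alice/notes
drwxr-x---  2 root  wheel    512 Nov 13 10:00 /root/private'

# Print the path of every entry whose mode is negative: this is the list
# such a check would put into the security report.
report_negative() {
    printf '%s\n' "$1" |
    while read -r mode links owner grp size mon day time path; do
        if is_negative_perm "$mode"; then
            printf '%s\n' "$path"
        fi
    done
}
```

Run against the constructed listing, report_negative prints /usr/local/bin/oddtool (others may read and execute, the group may not) and /home/alice/notes (others may read, the group may not); /root/private is not flagged because the group there has more access than everyone, which is the ordinary case.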
215045 | 09-Nov-2010 | delphij
Hide 460.chkportsum in MK_PKGTOOLS != no case.
Submitted by: Alex Kozlov <spam rm-rf kiev ua>
MFC after: 2 weeks

211141 | 10-Aug-2010 | gabor
- Fixes to the chkportsum script to handle better some special cases, like spaces in filename
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)

210254 | 19-Jul-2010 | gabor
- Add a periodic script, which can be used to find installed ports' files with mismatched checksum
PR: conf/124641
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)

197552 | 28-Sep-2009 | cperciva
Silence warning printed by getfsspec(3) when /etc/fstab does not exist
    fstab: /etc/fstab:0: No such file or directory
and from dump(8) when setfsent(3) fails due to /etc/fstab not existing:
    DUMP: Can't open /etc/fstab for dump table information: No such...
This makes daily and security periodic runs somewhat cleaner in jails which lack /etc/fstab files.
MFC after: 1 month

184265 | 25-Oct-2008 | ed
Sort `mount -p' output by name before checking for any differences.
I noticed on a system at home that restarting named(8) causes the /var/named/dev mount to be moved to the bottom of the mount list, because it gets remounted. When I received the daily security email this morning, I was quite amazed to see that the security report listed the differences, while it was nothing out of the ordinary.
If we just throw the `mount -p' output through sort(1), we'll only receive notifications about changes to mounts if something has really changed.

183242 | 21-Sep-2008 | sam
add new build knobs and jigger some existing controls to improve control over the result of buildworld and installworld; this especially helps packaging systems such as nanobsd
Reviewed by: various (posted to arch)
MFC after: 1 month

181531 | 10-Aug-2008 | antoine
Improve periodic/security/550.ipfwlimit a bit:
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1] (those rules show up without logamount in "ipfw -a list")
PR: conf/126060 [1]
MFC after: 1 month

180111 | 30-Jun-2008 | mtm
Rev. 1.8 broke matching on lines where the failure mode is at the head of the message, such as:
    Jun 30 10:49:21 rogue sshd[17553]: Invalid user iceman from 127.0.0.1
PR: conf/124569
Submitted by: Taku <taku@tekipaki.jp>

177606 | 25-Mar-2008 | remko
Add a missing ;.
PR: misc/122069
Submitted by: taku@tekipaki.jp
MFC after: 3 days
Approved by: imp (mentor, implicit trivial change).

175906 | 03-Feb-2008 | des
Eliminate xargs in favor of find -exec {} +

175890 | 02-Feb-2008 | des
Rewrite to consume significantly less memory, by using find -s instead of find | sort. As a bonus, this simplifies the logic considerably. Also remove the bogus "overruning the args to ls" comment and the corresponding "-n 20" argument to xargs; the whole point with xargs is precisely that it knows how large the argument list can safely get.
Note that the first run of the updated script may hypothetically produce false positives due to differences between find's and sort's sorting algorithm. I haven't seen this during testing, but others might.
MFC after: 2 weeks

173873 | 23-Nov-2007 | ru
Also check setuid executables on ZFS.

166928 | 23-Feb-2007 | remko
Only match on log messages containing fail, invalid, bad or illegal. This prevents matching on systems that have a name that matches the query.
PR: conf/107560
Submitted by: Christian Laursen <cfsl at pil dot dk>
MFC after: 3 days
Approved by: imp (mentor)

166519 | 05-Feb-2007 | jdp
Use egrep instead of grep so that reporting of login failures (broken by revision 1.6) works again. This fix is already in RELENG_6, but was never committed to HEAD.

161602 | 25-Aug-2006 | trhodes
Add login.conf checking to periodic security scripts. If the login.conf file is not UID/GID 0, limits will be ignored and a strange error sent to auth.log.
Head nod: ru, rwatson

158497 | 12-May-2006 | mlaier
Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts. Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw scripts as well.

156312 | 05-Mar-2006 | matteo
Enhance loginfail: it will catch sshd, proftpd and su errors, as well as other programs
PR: conf/70973
Submitted by: Ryan Sommers <ryans@gamersimpact.com>
Approved by: philip (mentor)
MFC after: 3 days

149989 | 11-Sep-2005 | maxim
A new version of rev. 1.4: postpone temporary file creation until we realize if ipfw(4) is ever used.
PR: bin/85970
Submitted by: Andre Albsmeier
MFC after: 3 days

149659 | 31-Aug-2005 | glebius
Fix braino in last commit. Print nothing if ipfw(4) is not present.

149366 | 22-Aug-2005 | cperciva
When looking for new lines in diff output, grep for '^[>+]' instead of '^>', in order to catch both normal and unified diffs.
Problem reported by: volker at vwsoft dot com via -stable
MFC after: 3 days

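The filter change in r149366 ('^[>+]' to catch both diff styles) and its later refinement in r295032 ('^[>+][^+]' to drop the unified-diff header), as an added shell example that is not code from either commit: two constructed file pairs show the header remnant the naive pattern lets through when the newer file is empty, and what the refined pattern keeps. The scratch files, their contents and the function names are made up for the example.

```sh
#!/bin/sh
# Added example (not from the FreeBSD tree): filtering "new lines only"
# out of diff(1) output, as the periodic security scripts do, and why
# the pattern needs '^[>+][^+]' rather than '^[>+]' with unified diffs.

# Naive filter (r149366 form): matches classic-diff '>' lines and
# unified-diff '+' lines, but also the "+++ newfile" header line.
new_only_naive() {
    diff -u "$1" "$2" | grep '^[>+]' || :
}

# Refined filter (r295032 form): the marker must be followed by a
# character other than '+', which drops the "+++ file" header while real
# added lines still pass.  Caveat of ours, not from the commit: an added
# line whose own text starts with '+' renders as "++..." and is dropped too.
new_only() {
    diff -u "$1" "$2" | grep '^[>+][^+]' || :
}

# Run a filter function over a constructed pair of files in a scratch
# directory.  SCENARIO is one of:
#   empty  - files differ and the newer one is empty (the r295032 report)
#   added  - the newer file has one extra line
# The filter's output goes to stdout; the directory is removed afterwards.
run_scenario() {
    scenario=$1 filter=$2
    dir=$(mktemp -d) || return 1
    printf 'setuid /usr/bin/su\n' > "$dir/old"
    case $scenario in
        empty) : > "$dir/new" ;;
        added) printf 'setuid /usr/bin/su\nsetuid /usr/local/bin/sudo\n' > "$dir/new" ;;
        *) rm -rf "$dir"; return 2 ;;
    esac
    "$filter" "$dir/old" "$dir/new"
    rm -rf "$dir"
}
```

With the "empty" scenario, new_only_naive prints nothing but the "+++" header line (the vestige the r295032 message describes) while new_only prints nothing at all; with the "added" scenario both report "+setuid /usr/local/bin/sudo", and the naive form still puts the header line in front of it.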
149320 | 20-Aug-2005 | glebius
- Correctly parse output, when logging amount is limited in the rule itself, not in verbose_limit sysctl. [1]
- Do check rules, even if verbose_limit is set 0. Rules may have their own log limits.
PR: conf/77929
Submitted by: Andriy Gapon [1]
Reviewed by: matteo

142303 | 23-Feb-2005 | ssouhlal
Replace "ipfw l", which is now deprecated, with "ipfw list".
Approved by: grehan (mentor)

140186 | 13-Jan-2005 | glebius
Don't do setuid checks on file systems mounted with noexec option.
Reviewed by: brian, ru
MFC after: 1 week

138061 | 24-Nov-2004 | mlaier
Teach periodic(8) security output to display information about blocked packet counts by pf(4).
This adds a ``daily_status_security_pfdenied_enable'' variable to periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.
The output will look like this (line wrapped):
pf denied packets:
> block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0 Bytes: 0 States: 0 ]
> block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578 States: 0 ]
Submitted by: clive (thanks a lot!)
MFC after: 2 weeks

135591 | 23-Sep-2004 | jkoshy
Add a knob 'daily_status_security_diff_flags' controlling the format of the 'diff' output generated during periodic(8) scripts.
Submitted by: keramida (script changes)
Reviewed by: keramida (man page changes)

128473 | 20-Apr-2004 | darrenr
Add script for checking ipv6 blocked packets from PR.
PR: misc/50154
Submitted by: Kimura Fuyuki <fuyuki@hadaly.org>

117088 | 30-Jun-2003 | mtm
Have mktemp(1) construct the temporary file name for us instead of providing a template manually.
Submitted by: Lars Eggert <larse@isi.edu>

108727 | 05-Jan-2003 | se
Add support for bzip2ed log files.

107674 | 07-Dec-2002 | keramida
Avoid using perl in the periodic & security scripts. This brings the base system one step closer to being totally perl-free.
Approved by: re (jhb)

106988 | 16-Nov-2002 | thomas
Do not emit a message on stderr when one of the compared files is shorter than the other.
Reviewed by: roberto
MFC after: 3 days

106987 | 16-Nov-2002 | thomas
Remove incorrect output redirection.
Reviewed by: roberto
Committed from: EuroBSDCon Amsterdam
MFC after: 3 days

105938 | 25-Oct-2002 | thomas
Add newly-added scripts to FILES.
Reviewed by: roberto

105937 | 25-Oct-2002 | thomas
Add a new /etc/periodic/security script to check for packets rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf knob (daily_status_security_ipfdenied_enable).
Reviewed by: roberto
Approved by: re@

105936 | 25-Oct-2002 | thomas
Factor out code across various /etc/periodic/security scripts into a separate file, /etc/periodic/security/security.functions.
Reviewed by: roberto (mentor)
Approved by: re@

103903 | 24-Sep-2002 | ache
Make it work with POSIX sort (POS arg). All old sorts understand -k too.

102398 | 25-Aug-2002 | cjc
Only create a temporary file if we are actually going to do something in the script. Eliminates a bug where we create a temp file, but don't delete it since the rm(1) is only done if the check is enabled.
PR: bin/40960
Submitted by: frf <frf@xocolatl.com>
MFC after: 3 days

101281 | 03-Aug-2002 | gshapiro
If all file systems are marked nosuid, the line:
MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
sets ${MP} to an empty string so the next line:
set ${MP}
actually just dumps all of the shells variables to stdout (and therefore the security report). Fixed by surrounding the code which goes through the mounts with a test for an empty string before using ${MP}.
Reviewed by: brian
MFC after: 3 days

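Added example, not code from the r101281 commit or the FreeBSD tree: the "set ${MP}" failure described above reproduced in POSIX sh, with a constructed mount(8)-style listing fed through the same grep/awk/sort pipeline in place of the real "mount -t ufs". The "set --" in the fixed function is an extra hardening of ours; the commit's own fix was the test for an empty string.

```sh
#!/bin/sh
# Added example (not FreeBSD code): the bare-`set` pitfall from r101281.
# A constructed mount(8)-style listing replaces `mount -t ufs`; the mount
# point is still the third field, so the original pipeline applies as-is.

# Constructed listing in which every filesystem is mounted nosuid.
ALL_NOSUID='/dev/ada0p2 on / (ufs, local, nosuid, soft-updates)
/dev/ada0p3 on /usr (ufs, local, nosuid, soft-updates)'

# Same listing, but /usr still honours setuid bits.
ONE_SUID='/dev/ada0p2 on / (ufs, local, nosuid, soft-updates)
/dev/ada0p3 on /usr (ufs, local, soft-updates)'

# The pipeline quoted in the commit message, fed from a string.
suid_mountpoints() {
    printf '%s\n' "$1" | grep -v " nosuid" | awk '{ print $3 }' | sort
}

# Broken form.  When MP is empty, `set ${MP}` expands to a bare `set`,
# which prints every shell variable to stdout (and so into the report)
# instead of replacing the positional parameters.  Prints the variable
# dump (if any) followed by the argument count.
count_buggy() {
    MP=$(suid_mountpoints "$1")
    set ${MP}
    echo $#
}

# Fixed form, following r101281: test for an empty string before using
# MP.  `set --` is an extra precaution of ours: it keeps a mount point
# that begins with '-' from being taken as an option to set.  Note the
# unquoted expansion still splits on whitespace, the limitation that
# r322868 later addressed for mount points containing spaces and tabs.
count_fixed() {
    MP=$(suid_mountpoints "$1")
    if [ -n "${MP}" ]; then
        set -- ${MP}
        echo $#
    else
        echo 0
    fi
}
```

Feeding ALL_NOSUID to count_buggy reproduces the bug: the output is the shell's whole variable listing, which in the original script landed in the security report. count_fixed on the same input prints 0, and both functions agree on ONE_SUID, where exactly one mount point survives the nosuid filter.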
100316 | 18-Jul-2002 | ru
Install scripts via FILES (purposely not via SCRIPTS, which would strip the suffixes).

98972 | 28-Jun-2002 | brian
Mention that we're checking kernel log messages, even if there's no output.
PR: 39618
MFC after: 1 week

96812 | 17-May-2002 | brian
Change ``dmesg -a'' to ``dmesg''.
The change was introduced in src/etc/security 1.53 almost a year ago in an attempt to see ipfw deny message logs.
However, ipfw deny/reject logs have been displayed since version 1.13 of the same file as a separate ``job'' and have since moved to src/etc/periodic/security/500.ipfwdenied.
MFC after: 3 days

96805 | 17-May-2002 | brian
Tighten up temporary file permissions and move them to ${TMPDIR:-/tmp}
Problem reported by: lumpy <lumpy@the.whole.net>
MFC after: 3 days

96048 | 05-May-2002 | cjc
Remove leading whitespace from the setuid file lists.
Due to the way we run ls(1), through xargs(1), the leading whitespace can change even when the setuid files haven't. To avoid displaying these lines, we currently run diff(1) with the '-w' option. However, this is probably not the ideal way to go; there is a very, very small possibility for diff(1) to miss things it shouldn't. So, with the leading space cleaned, we can revert to the '-b' option which is "safer."
PR: conf/37618
Reviewed by: brian
MFC after: 3 days

92191 | 12-Mar-2002 | rwatson
No need to explicitly check for both cases when using grep -i.

92102 | 11-Mar-2002 | rwatson
Update login failure checking to check auth.log instead of messages, and teach it to look for more general classes of failures, including SSH login failures. This is similar but not identical to a patch submitted by aeonflux@synapse.subneural.net.

87956 | 14-Dec-2001 | cjc
Fix a stray character that found its way into a filename.

87852 | 14-Dec-2001 | ru
Work around the bugfeature of test(1).
PR: bin/32822

87514 | 07-Dec-2001 | cjc
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable.
Reviewed by: ru
Approved by: ru