History log of /freebsd-10-stable/etc/periodic/security/
Revision Date Author Comments
326326 28-Nov-2017 asomers

MFC r322868:

Fix 100.chksetuid and 110.neggrpperm for mountpoints with spaces

Also, fix them for mountpoints with tabs.

PR: 48325
Reported by: pguyot@kallisys.net, aaron@baugher.biz

315348 16-Mar-2017 ngie

MFC r314895:

Only install 900.tcpwrap if MK_INETD != "no" and MK_TCP_WRAPPERS != "no"

It relies on output from inetd that is triggered by MK_TCP_WRAPPERS=yes.

We need to check for both knobs being set -- otherwise the script doesn't
have much value.

PR: 217577

315346 16-Mar-2017 ngie

MFC r274130:
r274130 (by bapt):

Avoid installing security.functions with executable bits; periodic(8) will
try to execute all files with an executable bit in /etc/periodic/*/, while
this file is only supposed to be sourced by others.

306644 03-Oct-2016 asomers

MFC r306048

Fix periodic scripts when an NFS mount covers a local mount

100.chksetuid and 110.neggrpperm try to search through all UFS and ZFS
filesystems. But their logic contains an error. They also search through
remote filesystems that are mounted on top of the root of a local
filesystem. For example, if a user installs a FreeBSD system with the
default ZFS layout, he'll get a zroot/usr/home filesystem. If he then mounts
/usr/home over NFS, these scripts would search through /usr/home.

295130 01-Feb-2016 marius

MFC: r295032

Use '^[>+][^+]' instead of '^[>+]' with grep(1) when filtering the
diff(1) output between two files in "new_only"-mode. Otherwise,
with the default of using unified format a remnant of the header
in the output is the result. This is especially irritating when
the two files differ but the second one is empty, amounting to the
vestige of the header being the only readout.

Reported by: Stefan Haemmerl

Approved by: re (delphij)

292672 23-Dec-2015 lidl

MFC r290405:

Restrict 520.pfdenied to only list rules that blocked traffic.
Before this change, the 520.pfdenied script listed all rules that
matched /^block/ in the rule. Restrict the printed output to only
those rules that result in packets being dropped.

Approved by: rpaulo (mentor)

263661 23-Mar-2014 brueffer

Further refine the auth fail regex to catch more auth failures and
reduce false positives.

The committed patch was provided by Christian Marg.

PR: 91732
Submitted by: Daniel O'Connor <doconnor at gsoft.com.au>
Skye Poier <spoier at gmail.com>
Alan Amesbury <amesbury at umn.edu>
Christian Marg <marg at rz.tu-clausthal.de>

256281 10-Oct-2013 gjb

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


254974 27-Aug-2013 jlh

Make the period of each periodic security script configurable.

There are now six additional variables
weekly_status_security_enable
weekly_status_security_inline
weekly_status_security_output
monthly_status_security_enable
monthly_status_security_inline
monthly_status_security_output
alongside their existing daily counterparts. They all have the same
default values.

All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.

"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows defining the period of
each script. The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".

Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitly disabled with a
"NO", either in the "_enable" or the "_period" variable.

When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
myfbsd security run output -> myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.

Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section. I left them in
place for this commit to make reviewing easier.

Reviewed by: hackers@


220049 27-Mar-2011 dougb

Hook the 220.backup-pkgdb script I added to the build unconditionally

Hook up 610.ipf6denied based on MK_IPFILTER as 510.ipfdenied is now

Poked by: Andrzej Tobola <ato@iem.pw.edu.pl>


220048 27-Mar-2011 dougb

Add svn:executable property on remaining period scripts without it


215213 13-Nov-2010 brooks

Add an (off by default) check for negative permissions (where the
group on an object has fewer permissions than everyone). These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean.

MFC after: 1 week


215045 09-Nov-2010 delphij

Hide 460.chkportsum in the MK_PKGTOOLS != no case.

Submitted by: Alex Kozlov <spam rm-rf kiev ua>
MFC after: 2 weeks


211141 10-Aug-2010 gabor

- Fixes to the chkportsum script to better handle some special cases,
like spaces in filenames

Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)


210254 19-Jul-2010 gabor

- Add a periodic script, which can be used to find installed ports' files with
mismatched checksums

PR: conf/124641
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)


197552 28-Sep-2009 cperciva

Silence warning printed by getfsspec(3) when /etc/fstab does not exist
fstab: /etc/fstab:0: No such file or directory
and from dump(8) when setfsent(3) fails due to /etc/fstab not existing:
DUMP: Can't open /etc/fstab for dump table information: No such...

This makes daily and security periodic runs somewhat cleaner in jails
which lack /etc/fstab files.

MFC after: 1 month


184265 25-Oct-2008 ed

Sort `mount -p' output by name before checking for any differences.

I noticed on a system at home that restarting named(8) causes the
/var/named/dev mount to be moved to the bottom of the mount list,
because it gets remounted. When I received the daily security email this
morning, I was quite amazed to see that the security report listed the
differences, while it was nothing out of the ordinary.

If we just throw the `mount -p' output through sort(1), we'll only
receive notifications about changes to mounts if something has really
changed.


183242 21-Sep-2008 sam

add new build knobs and jigger some existing controls to improve
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd

Reviewed by: various (posted to arch)
MFC after: 1 month


181531 10-Aug-2008 antoine

Improve periodic/security/550.ipfwlimit a bit:
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")

PR: conf/126060 [1]
MFC after: 1 month


180111 30-Jun-2008 mtm

Rev. 1.8 broke matching on lines where the failure mode is at the head
of the message, such as:
Jun 30 10:49:21 rogue sshd[17553]: Invalid user iceman from 127.0.0.1

PR: conf/124569
Submitted by: Taku <taku@tekipaki.jp>


177606 25-Mar-2008 remko

Add a missing ;.

PR: misc/122069
Submitted by: taku@tekipaki.jp
MFC after: 3 days
Approved by: imp (mentor, implicit trivial change).


175906 03-Feb-2008 des

Eliminate xargs in favor of find -exec {} +


175890 02-Feb-2008 des

Rewrite to consume significantly less memory, by using find -s instead of
find | sort. As a bonus, this simplifies the logic considerably. Also
remove the bogus "overruning the args to ls" comment and the corresponding
"-n 20" argument to xargs; the whole point with xargs is precisely that it
knows how large the argument list can safely get.

Note that the first run of the updated script may hypothetically produce
false positives due to differences between find's and sort's sorting
algorithms. I haven't seen this during testing, but others might.

MFC after: 2 weeks


173873 23-Nov-2007 ru

Also check setuid executables on ZFS.


166928 23-Feb-2007 remko

Only match on log messages containing fail,invalid,
bad or illegal. This prevents matching on systems that
have a name that matches the query.

PR: conf/107560
Submitted by: Christian Laursen <cfsl at pil dot dk>
MFC after: 3 days
Approved by: imp (mentor)


166519 05-Feb-2007 jdp

Use egrep instead of grep so that reporting of login failures (broken
by revision 1.6) works again. This fix is already in RELENG_6, but was
never committed to HEAD.


161602 25-Aug-2006 trhodes

Add login.conf checking to periodic security scripts. If the login.conf file
is not UID/GID 0, limits will be ignored and a strange error sent to auth.log.

Head nod: ru, rwatson


158497 12-May-2006 mlaier

Move etc/rc.firewall6 to ipfw2+v6, update related rc.d and periodic scripts.
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw
scripts as well.


156312 05-Mar-2006 matteo

Enhance loginfail: it will catch sshd, proftpd and su errors, as well as other programs

PR: conf/70973
Submitted by: Ryan Sommers <ryans@gamersimpact.com>
Approved by: philip (mentor)
MFC after: 3 days


149989 11-Sep-2005 maxim

A new version of rev. 1.4: postpone temporary file creation
until we know whether ipfw(4) is used at all.

PR: bin/85970
Submitted by: Andre Albsmeier
MFC after: 3 days


149659 31-Aug-2005 glebius

Fix braino in last commit. Print nothing if ipfw(4) is not present.


149366 22-Aug-2005 cperciva

When looking for new lines in diff output, grep for '^[>+]' instead of
'^>', in order to catch both normal and unified diffs.

Problem reported by: volker at vwsoft dot com via -stable
MFC after: 3 days


149320 20-Aug-2005 glebius

- Correctly parse output, when logging amount is limited in the
rule itself, not in verbose_limit sysctl. [1]
- Do check rules, even if verbose_limit is set 0. Rules may have
their own log limits.

PR: conf/77929
Submitted by: Andriy Gapon [1]
Reviewed by: matteo


142303 23-Feb-2005 ssouhlal

Replace "ipfw l", which is now deprecated, with "ipfw list".

Approved by: grehan (mentor)


140186 13-Jan-2005 glebius

Don't do setuid checks on file systems mounted with noexec option.

Reviewed by: brian, ru
MFC after: 1 week


138061 24-Nov-2004 mlaier

Teach periodic(8) security output to display information about blocked
packet counts by pf(4).

This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as do the matching IPF(W) versions.

The output will look like this (line wrapped):

pf denied packets:
> block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
Bytes: 0 States: 0 ]
> block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
States: 0 ]

Submitted by: clive (thanks a lot!)
MFC after: 2 weeks


135591 23-Sep-2004 jkoshy

Add a knob 'daily_status_security_diff_flags' controlling the
format of the 'diff' output generated during periodic(8) scripts.

Submitted by: keramida (script changes)
Reviewed by: keramida (man page changes)


128473 20-Apr-2004 darrenr

Add script for checking ipv6 blocked packets from PR.

PR: misc/50154
Submitted by: Kimura Fuyuki <fuyuki@hadaly.org>


117088 30-Jun-2003 mtm

Have mktemp(1) construct the temporary file name for us instead
of providing a template manually.

Submitted by: Lars Eggert <larse@isi.edu>


108727 05-Jan-2003 se

Add support for bzip2ed log files.


107674 07-Dec-2002 keramida

Avoid using perl in the periodic & security scripts. This brings the
base system one step closer to being totally perl-free.

Approved by: re (jhb)


106988 16-Nov-2002 thomas

Do not emit a message on stderr when one of the compared files
is shorter than the other.

Reviewed by: roberto
MFC after: 3 days


106987 16-Nov-2002 thomas

Remove incorrect output redirection.

Reviewed by: roberto
Committed from: EuroBSDCon Amsterdam
MFC after: 3 days


105938 25-Oct-2002 thomas

Add newly-added scripts to FILES.

Reviewed by: roberto


105937 25-Oct-2002 thomas

Add a new /etc/periodic/security script to check for packets
rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf
knob (daily_status_security_ipfdenied_enable).

Reviewed by: roberto
Approved by: re@


105936 25-Oct-2002 thomas

Factor out code across various /etc/periodic/security scripts into a
separate file, /etc/periodic/security/security.functions.

Reviewed by: roberto (mentor)
Approved by: re@


103903 24-Sep-2002 ache

Make it work with POSIX sort (POS arg).
All old sorts understand -k too.


102398 25-Aug-2002 cjc

Only create a temporary file if we are actually going to do something
in the script. Eliminates a bug where we create a temp file, but don't
delete it since the rm(1) is only done if the check is enabled.

PR: bin/40960
Submitted by: frf <frf@xocolatl.com>
MFC after: 3 days


101281 03-Aug-2002 gshapiro

If all file systems are marked nosuid, the line:

MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`

sets ${MP} to an empty string so the next line:

set ${MP}

actually just dumps all of the shells variables to stdout (and therefore
the security report). Fixed by surrounding the code which goes through the
mounts with a test for an empty string before using ${MP}.

Reviewed by: brian
MFC after: 3 days

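The `set ${MP}` pitfall described in r101281 above, reconstructed as an added example that is not code from the FreeBSD scripts or from this log: the mount listing is constructed, and the helper names are assumptions. It shows that with every file system marked nosuid the unguarded form dumps the shell's variables into the report, while the guarded form prints nothing.

```sh
#!/bin/sh
# Constructed samples of `mount -t ufs` output (not captured from a real host).
ALL_NOSUID='/dev/ada0p2 on / (ufs, local, nosuid)
/dev/ada0p3 on /usr (ufs, local, nosuid)'
MIXED='/dev/ada0p2 on / (ufs, local, soft-updates)
/dev/ada0p3 on /usr (ufs, local, nosuid)'

# Same pipeline as the original script: drop nosuid mounts, keep column 3
# (the mount point), sort the result.
suid_mountpoints() {
    printf '%s\n' "$1" | grep -v " nosuid" | awk '{ print $3 }' | sort
}

# Buggy form (pre-r101281): when ${MP} is empty the line degenerates to a
# bare `set`, which prints every shell variable to stdout, i.e. into the
# security report, instead of setting the positional parameters.
buggy_listing() {
    MP=$(suid_mountpoints "$1")
    set ${MP}
    printf '%s\n' "$@"
}

# Fixed form (the r101281 approach): only walk the mount points when ${MP}
# is non-empty. `set --` additionally keeps options from being parsed if a
# mount point ever started with a dash.
guarded_listing() {
    MP=$(suid_mountpoints "$1")
    if [ -n "${MP}" ]; then
        set -- ${MP}
        printf '%s\n' "$@"
    fi
}

# Number of output lines produced by a listing function; the bug shows up as
# a large count even though no file system is eligible.
count_lines() { "$@" | grep -c .; }

printf 'guarded, all nosuid: %s line(s)\n' "$(count_lines guarded_listing "$ALL_NOSUID")"
printf 'buggy,   all nosuid: %s line(s)\n' "$(count_lines buggy_listing "$ALL_NOSUID")"
printf 'guarded, mixed:      %s\n' "$(guarded_listing "$MIXED")"
```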

100316 18-Jul-2002 ru

Install scripts via FILES (purposely not via SCRIPTS, which would
strip the suffixes).


98972 28-Jun-2002 brian

Mention that we're checking kernel log messages, even if there's
no output.

PR: 39618
MFC after: 1 week


96812 17-May-2002 brian

Change ``dmesg -a'' to ``dmesg''.

The change was introduced in src/etc/security 1.53 almost a year ago
in an attempt to see ipfw deny message logs.

However, ipfw deny/reject logs have been displayed since version 1.13
of the same file as a separate ``job'' and have since moved to
src/etc/periodic/security/500.ipfwdenied.

MFC after: 3 days


96805 17-May-2002 brian

Tighten up temporary file permissions and move them to ${TMPDIR:-/tmp}

Problem reported by: lumpy <lumpy@the.whole.net>
MFC after: 3 days


96048 05-May-2002 cjc

Remove leading whitespace from the setuid file lists.

Due to the way we run ls(1), through xargs(1), the leading whitespace
can change even when the setuid files haven't. To avoid displaying
these lines, we currently run diff(1) with the '-w' option. However,
this is probably not the ideal way to go; there is a very, very small
possibility for diff(1) to miss things it shouldn't. So, with the
leading space cleaned, we can revert to the '-b' option which is
"safer."

PR: conf/37618
Reviewed by: brian
MFC after: 3 days


92191 12-Mar-2002 rwatson

No need to explicitly check for both cases when using grep -i.


92102 11-Mar-2002 rwatson

Update login failure checking to check auth.log instead of messages,
and teach it to look for more general classes of failures, including
SSH login failures. This is similar but not identical to a patch
submitted by aeonflux@synapse.subneural.net.


87956 14-Dec-2001 cjc

Fix a stray character that found its way into a filename.


87852 14-Dec-2001 ru

Work around the bugfeature of test(1).

PR: bin/32822


87514 07-Dec-2001 cjc

Long ago, there was just /etc/daily. Then /etc/security was split out
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.

Reviewed by: ru
Approved by: ru