authorjlh <jlh@FreeBSD.org>2013-08-27 21:20:28 +0000
committerjlh <jlh@FreeBSD.org>2013-08-27 21:20:28 +0000
commit2194a6603d76d977fda661e9938aebfe18cf3375 (patch)
treeaeca29c177cf44d51cbba1cb6a179a3bb74302ef /etc/defaults
parent73f239a63e71d117bcfaca20d9b5bf28b434d9fd (diff)
Make the period of each periodic security script configurable.
There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitly disabled with a "NO", either in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
Diffstat (limited to 'etc/defaults')
-rw-r--r--etc/defaults/periodic.conf147
1 files changed, 124 insertions, 23 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index 4dc2478..5dd7fa9 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue
# 450.status-security
daily_status_security_enable="YES" # Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
# 460.status-mail-rejects
daily_status_mail_rejects_enable="YES" # Check mail rejects
@@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Local scripts
# Security options
# These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_logdir="/var/log" # Directory for logs
-daily_status_security_diff_flags="-b -u" # flags for diff output
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log" # Directory for logs
+security_status_diff_flags="-b -u" # flags for diff output
+
+# Each of the security_status_*_enable options below can have one of the
+# following values:
+# - NO
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
# 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
# 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
# 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:" # Don't check matching
# FS types
-daily_status_security_noamd="NO" # Don't check amd mounts
+security_status_noamd="NO" # Don't check amd mounts
# 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
# 400.passwdless
-daily_status_security_passwdless_enable="YES"
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
# 410.logincheck
-daily_status_security_logincheck_enable="YES"
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
# 460.chkportsum
-daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_period="daily"
# 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
# 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
# 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
# 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
# 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
# 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
# 800.loginfail
-daily_status_security_loginfail_enable="YES"
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
# 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
# Weekly options
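Review bot: The comment block added just above `# 100.chksetuid` says each `security_status_*_enable` option can be `NO`, `daily` or `weekly`, but every line that follows sets `_enable="YES"` and puts the period in a separate `security_status_*_period` variable, and this same commit adds a monthly 450.status-security run; the comment documents the wrong variable and omits `monthly`. Suggest replacing it with `# Each of the security_status_*_period options below can have one of the` / `# following values: daily, weekly, monthly, or NO (the script is skipped).` and keeping `_enable` described as a YES/NO switch. The section header line `# daily and weekly 450.status-security.` has the same omission and should read `daily, weekly and monthly`.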
@@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs
pkg_version=pkg_version # Use this program
pkg_version_index=/usr/ports/INDEX-10 # Use this index file
+# 450.status-security
+weekly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO" # Run inline ?
+weekly_status_security_output="root" # user or /file
+
# 999.local
weekly_local="/etc/weekly.local" # Local scripts
@@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts returning 2
# 200.accounting
monthly_accounting_enable="YES" # Login accounting
+# 450.status-security
+monthly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO" # Run inline ?
+monthly_status_security_output="root" # user or /file
+
# 999.local
monthly_local="/etc/monthly.local" # Local scripts
@@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # Local scripts
if [ -z "${source_periodic_confs_defined}" ]; then
source_periodic_confs_defined=yes
+
+ # Compatibility with old daily variable names.
+ # They can be removed in stable/11.
+ security_daily_compat_var() {
+ local var=$1 dailyvar value
+
+ dailyvar=daily_status_security${#status_security}
+ periodvar=${var%enable}period
+ eval value=\"\$$dailyvar\"
+ [ -z "$value" ] && return
+ echo "Warning: Variable \$$dailyvar is deprecated," \
+ "use \$$var instead." >&2
+ case "$value" in
+ [Yy][Ee][Ss])
+ $var=YES
+ $periodvar=daily
+ ;;
+ *)
+ $var="$value"
+ ;;
+ esac
+ }
+
+ check_yesno_period() {
+ local var="$1" periodvar value period
+
+ eval value=\"\$$var\"
+ case "$value" in
+ [Yy][Ee][Ss]) ;;
+ *) return 1 ;;
+ esac
+
+ periodvar=${var%enable}period
+ eval period=\"\$$periodvar\"
+ case "$PERIODIC" in
+ "security daily")
+ case "$period" in
+ [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security weekly")
+ case "$period" in
+ [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security monthly")
+ case "$period" in
+ [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ security)
+ # Run directly from crontab(5).
+ case "$period" in
+ [Nn][Oo]) return 1 ;;
+ *) return 0 ;;
+ esac
+ ;;
+ *)
+ echo "ASSERTION FAILED: Unexpected value for " \
+ "\$PERIODIC: '$PERIODIC'" >&2
+ exit 127
+ ;;
+ esac
+ }
+
source_periodic_confs() {
local i sourced_files
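Review bot: In `security_daily_compat_var`, `dailyvar=daily_status_security${#status_security}` expands `${#status_security}` to the length of the (unset) variable `status_security`, i.e. `0`, so the shim looks up `daily_status_security0` for every caller and never sees a deprecated value; the intended expansion is `${var#security_status}`, which strips the new prefix from `$1`. The three assignments in the `case` arms, `$var=YES`, `$periodvar=daily` and `$var="$value"`, are not assignments either: after expansion the word `security_status_..._enable=YES` is executed as a command name, so a user who still has an old variable set gets a "not found" error instead of the new variable being set; they need `eval`, as the read on `eval value=\"\$$dailyvar\"` already does. `periodvar` is also written without appearing in the function's `local` list, so it leaks into the sourcing shell. The rewritten lines are below; the warning and the empty-value check are unchanged.
```shell
security_daily_compat_var() {
	local var=$1 dailyvar periodvar value

	dailyvar=daily_status_security${var#security_status}
	periodvar=${var%enable}period
	# … unchanged: eval of $dailyvar, empty check, deprecation warning …
	case "$value" in
	[Yy][Ee][Ss])
		eval "$var=YES"
		eval "$periodvar=daily"
		;;
	*)
		eval "$var=\$value"
		;;
	esac
}
```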