author | jlh <jlh@FreeBSD.org> | 2013-08-27 21:20:28 +0000 |
---|---|---|
committer | jlh <jlh@FreeBSD.org> | 2013-08-27 21:20:28 +0000 |
commit | 2194a6603d76d977fda661e9938aebfe18cf3375 (patch) | |
tree | aeca29c177cf44d51cbba1cb6a179a3bb74302ef /etc/defaults | |
parent | 73f239a63e71d117bcfaca20d9b5bf28b434d9fd (diff) | |
Make the period of each periodic security script configurable.
There are now six additional variables
weekly_status_security_enable
weekly_status_security_inline
weekly_status_security_output
monthly_status_security_enable
monthly_status_security_inline
monthly_status_security_output
alongside their existing daily counterparts. They all have the same
default values.
All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.
"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows to define the period of
each script. The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".
Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitly disabled with a
"NO", either in the "_enable" or the "_period" variable.
When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
myfbsd security run output -> myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.
Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section. I left them in
place for this commit to make reviewing easier.
Reviewed by: hackers@
Diffstat (limited to 'etc/defaults')
-rw-r--r-- | etc/defaults/periodic.conf | 147 |
1 files changed, 124 insertions, 23 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index 4dc2478..5dd7fa9 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue
 # 450.status-security
 daily_status_security_enable="YES" # Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
 # 460.status-mail-rejects
 daily_status_mail_rejects_enable="YES" # Check mail rejects
@@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Local scripts
 # Security options
 # These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_logdir="/var/log" # Directory for logs
-daily_status_security_diff_flags="-b -u" # flags for diff output
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log" # Directory for logs
+security_status_diff_flags="-b -u" # flags for diff output
+
+# Each of the security_status_*_enable options below can have one of the
+# following values:
+# - NO
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
 # 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
 # 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
 # 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:" # Don't check matching
 # FS types
-daily_status_security_noamd="NO" # Don't check amd mounts
+security_status_noamd="NO" # Don't check amd mounts
 # 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
 # 400.passwdless
-daily_status_security_passwdless_enable="YES"
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
 # 410.logincheck
-daily_status_security_logincheck_enable="YES"
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
 # 460.chkportsum
-daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_period="daily"
 # 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
 # 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
 # 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
 # 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
 # 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
 # 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
 # 800.loginfail
-daily_status_security_loginfail_enable="YES"
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
 # 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
 # Weekly options
@@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs
 pkg_version=pkg_version # Use this program
 pkg_version_index=/usr/ports/INDEX-10 # Use this index file
+# 450.status-security
+weekly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO" # Run inline ?
+weekly_status_security_output="root" # user or /file
+
 # 999.local
 weekly_local="/etc/weekly.local" # Local scripts
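Review bot: The new comment block just before `# 100.chksetuid` describes the values `NO`/`daily`/`weekly` for the `security_status_*_enable` options, but per the commit message `_enable` stays a YES/NO boolean and it is the new `security_status_*_period` variables that take a period, and the `check_yesno_period` handler added in the last hunk also accepts `monthly`, which this list omits. Suggest `# Each of the security_status_*_period options below can have one of the` as the first line and a fourth bullet `# - monthly: only run during the monthly security status`. The header comment two lines above, `# daily and weekly 450.status-security.`, should likewise mention the monthly run, since this hunk's variables are the only documentation a user editing periodic.conf sees.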
@@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts returning 2
 # 200.accounting
 monthly_accounting_enable="YES" # Login accounting
+# 450.status-security
+monthly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO" # Run inline ?
+monthly_status_security_output="root" # user or /file
+
 # 999.local
 monthly_local="/etc/monthly.local" # Local scripts
@@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # Local scripts
 if [ -z "${source_periodic_confs_defined}" ]; then
 source_periodic_confs_defined=yes
+
+ # Compatibility with old daily variable names.
+ # They can be removed in stable/11.
+ security_daily_compat_var() {
+ local var=$1 dailyvar value
+
+ dailyvar=daily_status_security${#status_security}
+ periodvar=${var%enable}period
+ eval value=\"\$$dailyvar\"
+ [ -z "$value" ] && return
+ echo "Warning: Variable \$$dailyvar is deprecated," \
+ "use \$$var instead." >&2
+ case "$value" in
+ [Yy][Ee][Ss])
+ $var=YES
+ $periodvar=daily
+ ;;
+ *)
+ $var="$value"
+ ;;
+ esac
+ }
+
+ check_yesno_period() {
+ local var="$1" periodvar value period
+
+ eval value=\"\$$var\"
+ case "$value" in
+ [Yy][Ee][Ss]) ;;
+ *) return 1 ;;
+ esac
+
+ periodvar=${var%enable}period
+ eval period=\"\$$periodvar\"
+ case "$PERIODIC" in
+ "security daily")
+ case "$period" in
+ [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security weekly")
+ case "$period" in
+ [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security monthly")
+ case "$period" in
+ [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ security)
+ # Run directly from crontab(5).
+ case "$period" in
+ [Nn][Oo]) return 1 ;;
+ *) return 0 ;;
+ esac
+ ;;
+ *)
+ echo "ASSERTION FAILED: Unexpected value for " \
+ "\$PERIODIC: '$PERIODIC'" >&2
+ exit 127
+ ;;
+ esac
+ }
+
 source_periodic_confs() {
 local i sourced_files |
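Review bot: `dailyvar=daily_status_security${#status_security}` in the new `security_daily_compat_var` is a length expansion of the (unset) variable `status_security`, so `dailyvar` becomes the literal `daily_status_security0` and the deprecated variable is never read; the intended expansion is `${var#security_status}`, which strips the new prefix from `$1`. The three assignments `$var=YES`, `$periodvar=daily` and `$var="$value"` are not assignments in sh either — the expanded word `security_status_..._enable=YES` is run as a command name — so they need `eval` in the same style as the `eval value=\"\$$dailyvar\"` line above them, and `periodvar` is missing from the function's `local` list and leaks into the caller's scope. The `exit 127` in `check_yesno_period` terminates the sourcing periodic(8) script rather than returning, which looks deliberate for an assertion but deserves a one-line comment saying so. Both functions' callers are outside this hunk, so I have not verified what `$1` and `$PERIODIC` hold at run time.
```shell
	security_daily_compat_var() {
		local var=$1 dailyvar periodvar value

		# ${var#security_status} strips the new prefix from $1;
		# ${#status_security} was the length of an unset variable.
		dailyvar=daily_status_security${var#security_status}
		periodvar=${var%enable}period
		# … unchanged: read old value, return if unset, print deprecation warning …
		case "$value" in
		[Yy][Ee][Ss])
			eval "$var=YES"
			eval "$periodvar=daily"
			;;
		*)
			eval "$var=\"\$value\""
			;;
		esac
	}
```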