author | thomas <thomas@FreeBSD.org> | 2002-10-25 15:14:16 +0000 |
---|---|---|
committer | thomas <thomas@FreeBSD.org> | 2002-10-25 15:14:16 +0000 |
commit | 24742dd0fd33004778bd0b2c4133fd1661a4555f (patch) | |
tree | ea961fde0d7da413299e07f333ffcee6e64a6df9 /etc/periodic | |
parent | 2a9dc2eebd63aaab9b6559932800d69f354e199c (diff) | |
Factor out code shared across various /etc/periodic/security scripts into a
separate file, /etc/periodic/security/security.functions.
Reviewed by: roberto (mentor)
Approved by: re@
Diffstat (limited to 'etc/periodic')
-rwxr-xr-x | etc/periodic/security/100.chksetuid | 26 | ||||
-rwxr-xr-x | etc/periodic/security/200.chkmounts | 24 | ||||
-rwxr-xr-x | etc/periodic/security/500.ipfwdenied | 24 | ||||
-rwxr-xr-x | etc/periodic/security/600.ip6fwdenied | 24 | ||||
-rwxr-xr-x | etc/periodic/security/700.kernelmsg | 25 | ||||
-rw-r--r-- | etc/periodic/security/security.functions | 77 |
6 files changed, 101 insertions, 99 deletions
diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid
index e3f4df5..f5b5f82 100755
--- a/etc/periodic/security/100.chksetuid
+++ b/etc/periodic/security/100.chksetuid
@@ -35,12 +35,12 @@ then
 source_periodic_confs
 fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
 rc=0
 case "$daily_status_security_chksetuid_enable" in
 [Yy][Ee][Ss])
- TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
 echo ""
 echo 'Checking setuid files and devices:'
 # XXX Note that there is the possibility of overrunning the args to ls
@@ -54,24 +54,10 @@ case "$daily_status_security_chksetuid_enable" in
 find $mount -xdev -type f \
 \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
 \( -perm -u+s -or -perm -g+s \) -print0
- done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 > ${TMP}
- fi
-
- if [ ! -f ${LOG}/setuid.today ]; then
- rc=1
- echo "No ${LOG}/setuid.today"
- cp ${TMP} ${LOG}/setuid.today || rc=3
- fi
-
- if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
- then
- [ $rc -lt 1 ] && rc=1
- echo "${host} setuid diffs:"
- diff -b ${LOG}/setuid.today ${TMP}
- mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
- mv ${TMP} ${LOG}/setuid.today || rc=3
- fi
- rm -f ${TMP};;
+ done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 |
+ check_diff setuid - "${host} setuid diffs:"
+ rc=$?
+ fi;;
 *) rc=0;;
 esac
diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts
index dbd2907..3b72c52 100755
--- a/etc/periodic/security/200.chkmounts
+++ b/etc/periodic/security/200.chkmounts
@@ -38,35 +38,21 @@ then
 source_periodic_confs
 fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
 ignore="${daily_status_security_chkmounts_ignore}"
 rc=0
 case "$daily_status_security_chkmounts_enable" in
 [Yy][Ee][Ss])
- TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
 case "$daily_status_security_noamd" in
 [Yy][Ee][Ss]) ignore="${ignore}|^amd:"
 esac
 [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
- if mount -p | ${cmd} > ${TMP}; then
- if [ ! -f ${LOG}/mount.today ]; then
- rc=1
- echo ""
- echo "No ${LOG}/mount.today"
- cp ${TMP} ${LOG}/mount.today || rc=3
- fi
- if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
- [ $rc -lt 1 ] && rc=1
- echo ""
- echo "${host} changes in mounted filesystems:"
- diff -b ${LOG}/mount.today ${TMP}
- mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
- mv ${TMP} ${LOG}/mount.today || rc=3
- fi
- fi
- rm -f ${TMP};;
+ mount -p | ${cmd} |
+ check_diff mount - "${host} changes in mounted filesystems:"
+ rc=$?;;
 *) rc=0;;
 esac
diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied
index d65d72b..7735302 100755
--- a/etc/periodic/security/500.ipfwdenied
+++ b/etc/periodic/security/500.ipfwdenied
@@ -27,10 +27,6 @@
 # $FreeBSD$
 #
-# Show denied packets
-#
-
-
 # If there is a global system configuration file, suck it in.
 #
 if [ -r /etc/defaults/periodic.conf ]
@@ -39,29 +35,17 @@ then
 source_periodic_confs
 fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
 rc=0
 case "$daily_status_security_ipfwdenied_enable" in
 [Yy][Ee][Ss])
 TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
 if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- if [ ! -f ${LOG}/ipfw.today ]; then
- rc=1
- echo ""
- echo "No ${LOG}/ipfw.today"
- cp ${TMP} ${LOG}/ipfw.today || rc=3
- fi
-
- if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
- [ $rc -lt 1 ] && rc=1
- echo ""
- echo "${host} denied packets:"
- diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
- mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
- mv ${TMP} ${LOG}/ipfw.today || rc=3
- fi
+ check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
 fi
+ rc=$?
 rm -f ${TMP};;
 *) rc=0;;
 esac
diff --git a/etc/periodic/security/600.ip6fwdenied b/etc/periodic/security/600.ip6fwdenied
index 8205876..407aa9f 100755
--- a/etc/periodic/security/600.ip6fwdenied
+++ b/etc/periodic/security/600.ip6fwdenied
@@ -27,9 +27,6 @@
 # $FreeBSD$
 #
-# Show IPv6 denied packets
-#
-
 # If there is a global system configuration file, suck it in.
 #
 if [ -r /etc/defaults/periodic.conf ]
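Review bot: The added `rc=$?` after `fi` is unreachable: check_diff, as added in security.functions by this commit, ends with `exit ${rc}`, and this hunk calls it directly rather than as a pipeline stage, so the script terminates inside the function and neither `rc=$?` nor the following `rm -f ${TMP}` runs. The status the periodic framework sees is the same value, and check_diff renames or removes the temp file itself, so the visible effect today is only dead code — but anything placed after `rc=$?` later would be skipped silently, and the `if` guard on egrep's status means the pipeline form used in 100.chksetuid is not a drop-in replacement here. The second hunk of 600.ip6fwdenied has the identical structure. The smallest fix is in the function: `return ${rc}` instead of `exit ${rc}`, after which `rc=$?` here reports the value the usage comment promises.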
@@ -38,30 +35,17 @@ then
 source_periodic_confs
 fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
 rc=0
 case "$daily_status_security_ip6fwdenied_enable" in
 [Yy][Ee][Ss])
 TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
 if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- if [ ! -f ${LOG}/ip6fw.today ]; then
- rc=1
- echo ""
- echo "No ${LOG}/ip6fw.today"
- cp ${TMP} ${LOG}/ip6fw.today || rc=3
- fi
-
- if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
- [ $rc -lt 1 ] && rc=1
- echo ""
- echo "${host} IPv6 denied packets:"
- diff -b ${LOG}/ip6fw.today ${TMP} |
- egrep "^>"
- mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
- mv ${TMP} ${LOG}/ip6fw.today || rc=3
- fi
+ check_diff new_only ip6fw ${TMP} "${host} ip6fw denied packets:"
 fi
+ rc=$?
 rm -f ${TMP};;
 *) rc=0;;
 esac
diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg
index 5ac15c2..40bee4a 100755
--- a/etc/periodic/security/700.kernelmsg
+++ b/etc/periodic/security/700.kernelmsg
@@ -38,30 +38,15 @@ then
 source_periodic_confs
 fi
-LOG="${daily_status_security_logdir}"
+. /etc/periodic/security/security.functions
+
 rc=0
 case "$daily_status_security_kernelmsg_enable" in
 [Yy][Ee][Ss])
- TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
- if dmesg 2>/dev/null > ${TMP}; then
- if [ ! -f ${LOG}/dmesg.today ]; then
- rc=1
- echo ""
- echo "No ${LOG}/dmesg.today"
- cp ${TMP} ${LOG}/dmesg.today || rc=3
- fi
-
- echo ""
- echo "${host} kernel log messages:"
- if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
- [ $rc -lt 1 ] && rc=1
- diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
- mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
- mv ${TMP} ${LOG}/dmesg.today || rc=3
- fi
- fi
- rm -f ${TMP};;
+ dmesg 2>/dev/null > ${TMP} |
+ check_diff new_only dmesg - "${host} kernel log messages:"
+ rc=$?;;
 *) rc=0;;
 esac
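Review bot: In the 700.kernelmsg hunk, `dmesg 2>/dev/null > ${TMP} |` still redirects dmesg's output to `${TMP}`, but the `TMP=\`mktemp ...\`` line is deleted in the same hunk, so `${TMP}` expands to nothing: the redirection fails (the exact diagnostic depends on the shell), nothing reaches the pipe, and check_diff reads an empty stream through `-`. That empty file is then compared with and moved over `${LOG}/dmesg.today`, which blanks the baseline and makes the kernel-message check a no-op from the next run on; because of the `new_only` filter the first run prints only the header, so the failure is not visible in the report. The line should be `dmesg 2>/dev/null | check_diff new_only dmesg - "${host} kernel log messages:"`. This hunk's `case` arm is complete within the hunk.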
diff --git a/etc/periodic/security/security.functions b/etc/periodic/security/security.functions
new file mode 100644
index 0000000..8dba6dc
--- /dev/null
+++ b/etc/periodic/security/security.functions
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+#
+# Show differences in the output of an audit command
+#
+
+LOG="${daily_status_security_logdir}"
+rc=0
+
+# Usage: COMMAND | check_diff [new_only] LABEL - MSG
+# COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG
+# if $1 is new_only, show only the 'new' part of the diff.
+# LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files.
+
+check_diff() {
+ rc=0
+ if [ "$1" = "new_only" ]; then
+ shift
+ filter="grep '^>'"
+ else
+ filter="cat"
+ fi
+ label="$1"; shift
+ tmpf="$1"; shift
+ msg="$1"; shift
+
+ if [ "${tmpf}" = "-" ]; then
+ tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
+ cat > ${tmpf}
+ fi
+
+ if [ ! -f ${LOG}/${label}.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/${label}.today"
+ cp ${tmpf} ${LOG}/${label}.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/${label}.today ${tmpf} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${msg}"
+ diff -b ${LOG}/${label}.today ${tmpf} | eval "${filter}"
+ mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
+ mv ${tmpf} ${LOG}/${label}.today || rc=3
+ fi
+
+ rm -f ${tmpf}
+ exit ${rc}
+}
|
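Review bot: `exit ${rc}` at the end of check_diff terminates whichever shell runs the function, and the function is sourced into the caller with `.`, so the callers' `rc=$?` only sees that status when check_diff is the last stage of a pipeline and therefore runs in a subshell; 500.ipfwdenied and 600.ip6fwdenied in this commit call it directly and never reach their own `rc=$?` and `rm -f ${TMP}` lines. `return ${rc}` gives the status the usage comment promises in both call forms. The usage comment should also state that TMPFILE is consumed — the function ends with `rm -f ${tmpf}` and may have `mv`ed it over the `.today` file — since the callers' trailing `rm -f ${TMP}` suggests they assume otherwise. As a point of style, `filter` is only ever one of two fixed strings, so a plain `if` around the `diff` pipeline would avoid `eval "${filter}"` altogether; with the strings fixed here that is not a defect. The `mktemp` result in the `-` branch is also used unchecked; `|| return 3` on that line would stop an empty `tmpf` from reaching the `cp`/`mv` calls.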
+ +check_diff() { + rc=0 + if [ "$1" = "new_only" ]; then + shift + filter="grep '^>'" + else + filter="cat" + fi + label="$1"; shift + tmpf="$1"; shift + msg="$1"; shift + + if [ "${tmpf}" = "-" ]; then + tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` + cat > ${tmpf} + fi + + if [ ! -f ${LOG}/${label}.today ]; then + rc=1 + echo "" + echo "No ${LOG}/${label}.today" + cp ${tmpf} ${LOG}/${label}.today || rc=3 + fi + + if ! cmp ${LOG}/${label}.today ${tmpf} >/dev/null; then + [ $rc -lt 1 ] && rc=1 + echo "" + echo "${msg}" + diff -b ${LOG}/${label}.today ${tmpf} | eval "${filter}" + mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 + mv ${tmpf} ${LOG}/${label}.today || rc=3 + fi + + rm -f ${tmpf} + exit ${rc} +} |