summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--etc/Makefile2
-rw-r--r--etc/defaults/periodic.conf49
-rw-r--r--etc/mtree/BSD.root.dist2
-rw-r--r--etc/periodic/Makefile2
-rwxr-xr-xetc/periodic/daily/450.status-security29
-rwxr-xr-xetc/periodic/security/100.chksetuid75
-rwxr-xr-xetc/periodic/security/200.chkmounts73
-rwxr-xr-xetc/periodic/security/300.chkuid051
-rwxr-xr-xetc/periodic/security/400.passwdless48
-rwxr-xr-xetc/periodic/security/500.ipfwdenied69
-rwxr-xr-xetc/periodic/security/550.ipfwlimit61
-rwxr-xr-xetc/periodic/security/600.ip6fwdenied69
-rwxr-xr-xetc/periodic/security/650.ip6fwlimit61
-rwxr-xr-xetc/periodic/security/700.kernelmsg68
-rwxr-xr-xetc/periodic/security/800.loginfail62
-rwxr-xr-xetc/periodic/security/900.tcpwrap62
-rw-r--r--etc/periodic/security/Makefile15
-rw-r--r--etc/security234
-rw-r--r--share/man/man5/periodic.conf.5101
-rw-r--r--usr.sbin/periodic/periodic.85
20 files changed, 872 insertions, 266 deletions
diff --git a/etc/Makefile b/etc/Makefile
index fea950b..c693a1a 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -14,7 +14,7 @@ BIN1= amd.map apmd.conf auth.conf \
phones printcap profile protocols \
rc rc.atm rc.devfs rc.diskless1 rc.diskless2 rc.firewall rc.firewall6 \
rc.network rc.network6 rc.pccard rc.serial rc.shutdown \
- rc.syscons rc.sysctl remote rpc security services shells sysctl.conf \
+ rc.syscons rc.sysctl remote rpc services shells sysctl.conf \
syslog.conf usbd.conf \
etc.${MACHINE_ARCH}/disktab \
etc.${MACHINE_ARCH}/rc.${MACHINE_ARCH} \
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index c14a4a0..19c25dc 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -105,9 +105,7 @@ daily_status_mailq_shorten="NO" # Shorten output
# 450.status-security
daily_status_security_enable="YES" # Security check
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_noamd="NO" # Don't check amd mounts
+# See "Security options" below for more options
# 460.status-mail-rejects
daily_status_mail_rejects_enable="YES" # Check mail rejects
@@ -124,6 +122,51 @@ daily_queuerun_enable="YES" # Run mail queue
daily_local="/etc/daily.local" # Local scripts
+# Security options
+
+# These options are used by the security periodic(8) scripts spawned in
+# 450.status-security above.
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
+daily_status_security_noamd="NO" # Don't check amd mounts
+daily_status_security_logdir="/var/log" # Directory for logs
+
+# 100.chksetuid
+daily_status_security_chksetuid_enable="YES"
+
+# 200.chkmounts
+daily_status_security_chkmounts_enable="YES"
+#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
+ # FS types
+
+# 300.chkuid0
+daily_status_security_chkuid0_enable="YES"
+
+# 400.passwdless
+daily_status_security_passwdless_enable="YES"
+
+# 500.ipfwdenied
+daily_status_security_ipfwdenied_enable="YES"
+
+# 550.ipfwlimit
+daily_status_security_ipfwlimit_enable="YES"
+
+# 600.ip6fwdenied
+daily_status_security_ip6fwdenied_enable="YES"
+
+# 650.ip6fwlimit
+daily_status_security_ip6fwlimit_enable="YES"
+
+# 700.kernelmsg
+daily_status_security_kernelmsg_enable="YES"
+
+# 800.loginfail
+daily_status_security_loginfail_enable="YES"
+
+# 900.tcpwrap
+daily_status_security_tcpwrap_enable="YES"
+
+
# Weekly options
# These options are used by periodic(8) itself to determine what to do
diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist
index 53a6770..559527c 100644
--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@@ -45,6 +45,8 @@
..
monthly
..
+ security
+ ..
weekly
..
..
diff --git a/etc/periodic/Makefile b/etc/periodic/Makefile
index 4c1fda4..8fb56df 100644
--- a/etc/periodic/Makefile
+++ b/etc/periodic/Makefile
@@ -1,5 +1,5 @@
# $FreeBSD$
-SUBDIR= daily weekly monthly
+SUBDIR= daily security weekly monthly
.include <bsd.subdir.mk>
diff --git a/etc/periodic/daily/450.status-security b/etc/periodic/daily/450.status-security
index ce3288a..00889aa 100755
--- a/etc/periodic/daily/450.status-security
+++ b/etc/periodic/daily/450.status-security
@@ -16,30 +16,23 @@ case "$daily_status_security_enable" in
echo ""
echo "Security check:"
- case "$daily_status_security_noamd" in
- [Yy][Ee][Ss])
- args=-a;;
- *)
- args=;;
- esac
-
case "$daily_status_security_inline" in
[Yy][Ee][Ss])
- sh /etc/security -s $args
- rc=$?;;
-
+ export security_output="";;
*)
- case "${daily_status_security_output:=root}" in
+ export security_output="${daily_status_security_output}"
+ case "${daily_status_security_output}" in
+ "")
+ ;;
/*)
- echo " (output logged separately)"
- sh /etc/security -s $args \
- >$daily_status_security_output 2>&1;;
+ echo " (output logged separately)";;
*)
- echo " (output mailed separately)"
- sh /etc/security $args 2>&1 |
- mail -s "`hostname` security check output" $daily_status_security_output;;
+ echo " (output mailed separately)";;
esac;;
- esac;;
+ esac
+
+ periodic security
+ rc=$?;;
*) rc=0;;
esac
diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid
new file mode 100755
index 0000000..df0ce8c
--- /dev/null
+++ b/etc/periodic/security/100.chksetuid
@@ -0,0 +1,75 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_chksetuid_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking setuid files and devices:'
+ # XXX Note that there is the possibility of overrunning the args to ls
+ MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
+ set ${MP}
+ while [ $# -ge 1 ]; do
+ mount=$1
+ shift
+ find $mount -xdev -type f \
+ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
+ \( -perm -u+s -or -perm -g+s \) -print0
+ done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
+
+ if [ ! -f ${LOG}/setuid.today ]; then
+ rc=1
+ echo "No ${LOG}/setuid.today"
+ cp ${TMP} ${LOG}/setuid.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
+ then
+ [ $rc -lt 1 ] && rc=1
+ echo "${host} setuid diffs:"
+ diff -w ${LOG}/setuid.today ${TMP}
+ mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
+ mv ${TMP} ${LOG}/setuid.today || rc=3
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts
new file mode 100755
index 0000000..9b19675
--- /dev/null
+++ b/etc/periodic/security/200.chkmounts
@@ -0,0 +1,73 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show changes in the way filesystems are mounted
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+ignore="${daily_status_security_chkmounts_ignore}"
+rc=0
+
+case "$daily_status_security_chkmounts_enable" in
+ [Yy][Ee][Ss])
+ case "$daily_status_security_noamd" in
+ [Yy][Ee][Ss])
+ ignore="${ignore}|^amd:"
+ esac
+ [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+ if mount -p | ${cmd} > ${TMP}; then
+ if [ ! -f ${LOG}/mount.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/mount.today"
+ cp ${TMP} ${LOG}/mount.today || rc=3
+ fi
+ if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} changes in mounted filesystems:"
+ diff -b ${LOG}/mount.today ${TMP}
+ mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
+ mv ${TMP} ${LOG}/mount}.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit "$rc"
diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0
new file mode 100755
index 0000000..32cc16c
--- /dev/null
+++ b/etc/periodic/security/300.chkuid0
@@ -0,0 +1,51 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_security_chkuid0_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking for uids of 0:'
+ n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
+ tee /dev/stderr |
+ sed -e '/^root 0$/d' -e '/^toor 0$/d' |
+ wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit "$rc"
diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless
new file mode 100755
index 0000000..42ece04
--- /dev/null
+++ b/etc/periodic/security/400.passwdless
@@ -0,0 +1,48 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_security_passwdless_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking for passwordless accounts:'
+ n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit "$rc"
diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied
new file mode 100755
index 0000000..ac08b4b
--- /dev/null
+++ b/etc/periodic/security/500.ipfwdenied
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show denied packets
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ipfwdenied_enable" in
+ [Yy][Ee][Ss])
+ if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+ if [ ! -f ${LOG}/ipfw.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/ipfw.today"
+ cp ${TMP} ${LOG}/ipfw.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} denied packets:"
+ diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
+ mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
+ mv ${TMP} ${LOG}/ipfw.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit
new file mode 100755
index 0000000..3bc13b8
--- /dev/null
+++ b/etc/periodic/security/550.ipfwlimit
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ipfw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ipfwlimit_enable" in
+ [Yy][Ee][Ss])
+ IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
+ if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
+ ipfw -a l | grep " log " | perl -n -e \
+ '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
+ if [ -s "${TMP}" ]; then
+ rc=1
+ echo ""
+ echo 'ipfw log limit reached:'
+ cat ${TMP}
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/600.ip6fwdenied b/etc/periodic/security/600.ip6fwdenied
new file mode 100755
index 0000000..36315c2
--- /dev/null
+++ b/etc/periodic/security/600.ip6fwdenied
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show IPv6 denied packets
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ip6fwdenied_enable" in
+ [Yy][Ee][Ss])
+ if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+ if [ ! -f ${LOG}/ip6fw.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/ip6fw.today"
+ cp ${TMP} ${LOG}/ip6fw.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} IPv6 denied packets:"
+ diff -b ${LOG}/ip6fw.today ${TMP} |
+ egrep "^>"
+ mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
+ mv ${TMP} ${LOG}/ip6fw.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/650.ip6fwlimit b/etc/periodic/security/650.ip6fwlimit
new file mode 100755
index 0000000..96af389
--- /dev/null
+++ b/etc/periodic/security/650.ip6fwlimit
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ip6fw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ip6fwlimit_enable" in
+ [Yy][Ee][Ss])
+ IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
+ if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
+ ip6fw -a l | grep " log " | perl -n -e \
+ '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
+ if [ -s "${TMP}" ]; then
+ rc=1
+ echo ""
+ echo 'ip6fw log limit reached:'
+ cat ${TMP}
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg
new file mode 100755
index 0000000..a0b6a00
--- /dev/null
+++ b/etc/periodic/security/700.kernelmsg
@@ -0,0 +1,68 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show kernel log messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_kernelmsg_enable" in
+ [Yy][Ee][Ss])
+ if dmesg -a 2>/dev/null > ${TMP}; then
+ if [ ! -f ${LOG}/dmesg.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/dmesg.today"
+ cp ${TMP} ${LOG}/dmesg.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} kernel log messages:"
+ diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
+ mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
+ mv ${TMP} ${LOG}/dmesg.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail
new file mode 100755
index 0000000..c4446f5
--- /dev/null
+++ b/etc/periodic/security/800.loginfail
@@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show login failures
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+ find ${LOG} -name 'messages.*' -mtime -2 |
+ sort -t. -r -n +1 -2 |
+ xargs zcat -f
+ [ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_loginfail_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "${host} login failures:"
+ n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap
new file mode 100755
index 0000000..0dc61dc
--- /dev/null
+++ b/etc/periodic/security/900.tcpwrap
@@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show tcp_wrapper warning messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+ find ${LOG} -name 'messages.*' -mtime -2 |
+ sort -t. -r -n +1 -2 |
+ xargs zcat -f
+ [ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_tcpwrap_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "${host} refused connections:"
+ n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile
new file mode 100644
index 0000000..da4152f
--- /dev/null
+++ b/etc/periodic/security/Makefile
@@ -0,0 +1,15 @@
+# $FreeBSD$
+
+BIN= 100.chksetuid \
+ 200.chkmounts \
+ 300.chkuid0 \
+ 400.passwdless \
+ 500.ipfwdenied \
+ 550.ipfwlimit \
+ 600.ip6fwdenied \
+ 650.ip6fwlimit \
+ 700.kernelmsg \
+ 800.loginfail \
+ 900.tcpwrap
+
+.include <bsd.prog.mk>
diff --git a/etc/security b/etc/security
deleted file mode 100644
index 32d948b..0000000
--- a/etc/security
+++ /dev/null
@@ -1,234 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2000 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# @(#)security 5.3 (Berkeley) 5/28/91
-# $FreeBSD$
-#
-
-PATH=/sbin:/bin:/usr/bin
-LC_ALL=C; export LC_ALL
-rc=0
-LOG=/var/log
-TMP=/var/run/_secure.$$
-
-separator () {
- echo ''
- echo ''
-}
-
-catmsgs() {
- find $LOG -name 'messages.*' -mtime -2 |
- sort -t. -r -n +1 -2 |
- xargs zcat -f
- [ -f $LOG/messages ] && cat $LOG/messages
-}
-
-sflag=FALSE ignore=
-while getopts as c
-do
- case "$c" in
- a) ignore="$ignore|^amd:";;
- s) sflag=TRUE;;
- esac
-done
-
-yesterday=`date -v-1d "+%b %e "`
-
-host=`hostname`
-
-umask 027
-
-echo 'Checking setuid files and devices:'
-
-# Don't have ncheck, but this does the equivalent of the commented out block.
-# Note that one of the original problems, the possibility of overrunning
-# the args to ls, is still here...
-#
-MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
-set ${MP}
-while [ $# -ge 1 ]; do
- mount=$1
- shift
- find $mount -xdev -type f \
- \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
- \( -perm -u+s -or -perm -g+s \) -print0
-done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
-
-if [ ! -f ${LOG}/setuid.today ]; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "No ${LOG}/setuid.today"
- cp ${TMP} ${LOG}/setuid.today || rc=3
-fi
-
-if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "${host} setuid diffs:"
- diff -w ${LOG}/setuid.today ${TMP}
- mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
- mv ${TMP} ${LOG}/setuid.today || rc=3
-fi
-
-# Show changes in the way filesystems are mounted
-#
-[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
-if mount -p | $cmd > $TMP; then
- if [ ! -f $LOG/mount.today ]; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "No $LOG/mount.today"
- cp $TMP $LOG/mount.today || rc=3
- fi
- if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "$host changes in mounted filesystems:"
- diff -b $LOG/mount.today $TMP
- mv $LOG/mount.today $LOG/mount.yesterday || rc=3
- mv $TMP $LOG/mount.today || rc=3
- fi
-fi
-
-separator
-echo 'Checking for uids of 0:'
-n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
- tee /dev/stderr |
- sed -e '/^root 0$/d' -e '/^toor 0$/d' |
- wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-separator
-echo 'Checking for passwordless accounts:'
-n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
- tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-# Show denied packets
-#
-if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- if [ ! -f ${LOG}/ipfw.today ]; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "No ${LOG}/ipfw.today"
- cp ${TMP} ${LOG}/ipfw.today || rc=3
- fi
-
- if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "${host} denied packets:"
- diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
- mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
- mv ${TMP} ${LOG}/ipfw.today || rc=3
- fi
-fi
-
-# Show ipfw rules which have reached the log limit
-#
-IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
- ipfw -a l | grep " log " | perl -n -e \
- '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
- if [ -s "${TMP}" ]; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo 'ipfw log limit reached:'
- cat ${TMP}
- fi
-fi
-
-# Show IPv6 denied packets
-#
-if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- if [ ! -f ${LOG}/ip6fw.today ]; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "No ${LOG}/ip6fw.today"
- cp ${TMP} ${LOG}/ip6fw.today || rc=3
- fi
-
- if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "${host} IPv6 denied packets:"
- diff -b ${LOG}/ip6fw.today ${TMP} | egrep "^>"
- mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
- mv ${TMP} ${LOG}/ip6fw.today || rc=3
- fi
-fi
-
-# Show ip6fw rules which have reached the log limit
-#
-IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
- ip6fw -a l | grep " log " | perl -n -e \
- '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
- if [ -s "${TMP}" ]; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo 'ip6fw log limit reached:'
- cat ${TMP}
- fi
-fi
-
-# Show kernel log messages
-#
-if dmesg -a 2>/dev/null > ${TMP}; then
- if [ ! -f ${LOG}/dmesg.today ]; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "No ${LOG}/dmesg.today"
- cp ${TMP} ${LOG}/dmesg.today || rc=3
- fi
-
- if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
- [ $rc -lt 1 ] && rc=1
- separator
- echo "${host} kernel log messages:"
- diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
- mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
- mv ${TMP} ${LOG}/dmesg.today || rc=3
- fi
-fi
-
-# Show login failures
-#
-separator
-echo "${host} login failures:"
-n=$(catmsgs | grep -ia "^$yesterday.*login failure" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-# Show tcp_wrapper warning messages
-#
-separator
-echo "${host} refused connections:"
-n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-rm -f ${TMP}
-
-exit $rc
diff --git a/share/man/man5/periodic.conf.5 b/share/man/man5/periodic.conf.5
index a49aa2b..7755dab 100644
--- a/share/man/man5/periodic.conf.5
+++ b/share/man/man5/periodic.conf.5
@@ -401,22 +401,27 @@ is set to
.Pq Vt bool
Set to
.Dq YES
-if you want to run
-.Pa /etc/security .
+if you want to run the security check.
+The security check is another set of
+.Xr periodic 8
+scripts.
+The system defaults are in
+.Pa /etc/periodic/security .
+Local scripts should be placed in
+.Pa /usr/local/etc/periodic/security .
+See the
+.Xr periodic 8
+manual page for more information.
.It Va daily_status_security_inline
.Pq Vt bool
Set to
.Dq YES
-if you want to run
-.Pa /etc/security
-inline.
+if you want the security check output inline.
The default is to either mail or log the output according to the value of
.Va daily_status_security_output .
.It Va daily_status_security_output
.Pq Vt str
-Where to send the output of
-.Pa /etc/security
-if
+Where to send the output of the security check if
.Va daily_status_security_inline
is set to
.Dq NO .
@@ -424,13 +429,91 @@ This variable behaves in the same way as the
.Va *_output
variables above, namely it can be set either to one or more email addresses
or to an absolute file name.
+.It Va daily_status_security_chksetuid_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to compare the modes and modification times of setuid executables with
+the previous day's values.
+.It Va daily_status_security_chkmounts_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to check for changes mounted filesystems to the previous day's values.
.It Va daily_status_security_noamd
.Pq Vt bool
Set to
.Dq YES
if you want to ignore
.Xr amd 8
-mounts when comparing against yesterdays filesystem mounts.
+mounts when comparing against yesterdays filesystem mounts in the
+.Va daily_status_security_chkmounts_enable
+check.
+.It Va daily_status_security_chkuid0_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to check
+.Pa /etc/master.passwd
+for accounts with uid 0.
+.It Va daily_status_security_passwdless_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to check
+.Pa /etc/master.passwd
+for accounts with empty passwords.
+.It Va daily_status_security_ipfwdenied_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to show log entries for packets denied by
+.Xr ipfw 8
+since yesterday's check.
+.It Va daily_status_security_ipfwlimit_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to display
+.Xr ipfw 8
+rules that have reached their verbosity limit.
+.It Va daily_status_security_ip6fwdenied_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to show log entries for packets denied by
+.Xr ip6fw 8
+since yesterday's check.
+.It Va daily_status_security_ip6fwlimit_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to display
+.Xr ip6fw 8
+rules that have reached their verbosity limit.
+.It Va daily_status_security_kernelmsg_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to show new
+.Xr dmesg 8
+entries since yesterday's check.
+.It Va daily_status_security_loginfail_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to display failed logins from
+.Pa /var/log/messages
+in the previous day.
+.It Va daily_status_security_tcpwrap_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to display connections denied by tcpwrappers (see
+.Xr hosts_access 5 )
+from
+.Pa /var/log/messages
+during the previous day.
.It Va daily_status_mail_rejects_enable
.Pq Vt bool
Set to
diff --git a/usr.sbin/periodic/periodic.8 b/usr.sbin/periodic/periodic.8
index f0c1376..4b9b17e 100644
--- a/usr.sbin/periodic/periodic.8
+++ b/usr.sbin/periodic/periodic.8
@@ -52,6 +52,11 @@ This usually occurs on Sunday mornings.
.It Pa monthly
Perform the standard monthly periodic executable run.
This usually occurs on the first day of the month.
+.It Pa security
+Perform the standard daily security checks.
+This is usually spawned by the
+.Pa daily
+run.
.It Ar path
An arbitrary directory containing a set of executables to be run.
.El
OpenPOWER on IntegriCloud