diff options
Diffstat (limited to 'etc/defaults/periodic.conf')
-rw-r--r-- | etc/defaults/periodic.conf | 147 |
1 files changed, 124 insertions, 23 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf index 4dc2478..5dd7fa9 100644 --- a/etc/defaults/periodic.conf +++ b/etc/defaults/periodic.conf @@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue # 450.status-security daily_status_security_enable="YES" # Security check -# See "Security options" below for more options +# See also "Security options" below for more options +daily_status_security_inline="NO" # Run inline ? +daily_status_security_output="root" # user or /file # 460.status-mail-rejects daily_status_mail_rejects_enable="YES" # Check mail rejects @@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Local scripts # Security options # These options are used by the security periodic(8) scripts spawned in -# 450.status-security above. -daily_status_security_inline="NO" # Run inline ? -daily_status_security_output="root" # user or /file -daily_status_security_logdir="/var/log" # Directory for logs -daily_status_security_diff_flags="-b -u" # flags for diff output +# daily and weekly 450.status-security. +security_status_logdir="/var/log" # Directory for logs +security_status_diff_flags="-b -u" # flags for diff output + +# Each of the security_status_*_enable options below can have one of the +# following values: +# - NO +# - daily: only run during the daily security status +# - weekly: only run during the weekly security status # 100.chksetuid -daily_status_security_chksetuid_enable="YES" +security_status_chksetuid_enable="YES" +security_status_chksetuid_period="daily" # 110.neggrpperm -daily_status_security_neggrpperm_enable="YES" +security_status_neggrpperm_enable="YES" +security_status_neggrpperm_period="daily" # 200.chkmounts -daily_status_security_chkmounts_enable="YES" -#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching +security_status_chkmounts_enable="YES" +security_status_chkmounts_period="daily" +#security_status_chkmounts_ignore="^amd:" # Don't check matching # FS types -daily_status_security_noamd="NO" # Don't check amd mounts +security_status_noamd="NO" # Don't check amd mounts # 300.chkuid0 -daily_status_security_chkuid0_enable="YES" +security_status_chkuid0_enable="YES" +security_status_chkuid0_period="daily" # 400.passwdless -daily_status_security_passwdless_enable="YES" +security_status_passwdless_enable="YES" +security_status_passwdless_period="daily" # 410.logincheck -daily_status_security_logincheck_enable="YES" +security_status_logincheck_enable="YES" +security_status_logincheck_period="daily" # 460.chkportsum -daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum +security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum +security_status_chkportsum_period="daily" # 500.ipfwdenied -daily_status_security_ipfwdenied_enable="YES" +security_status_ipfwdenied_enable="YES" +security_status_ipfwdenied_period="daily" # 510.ipfdenied -daily_status_security_ipfdenied_enable="YES" +security_status_ipfdenied_enable="YES" +security_status_ipfdenied_period="daily" # 520.pfdenied -daily_status_security_pfdenied_enable="YES" +security_status_pfdenied_enable="YES" +security_status_pfdenied_period="daily" # 550.ipfwlimit -daily_status_security_ipfwlimit_enable="YES" +security_status_ipfwlimit_enable="YES" +security_status_ipfwlimit_period="daily" # 610.ipf6denied -daily_status_security_ipf6denied_enable="YES" +security_status_ipf6denied_enable="YES" +security_status_ipf6denied_period="daily" # 700.kernelmsg -daily_status_security_kernelmsg_enable="YES" +security_status_kernelmsg_enable="YES" +security_status_kernelmsg_period="daily" # 800.loginfail -daily_status_security_loginfail_enable="YES" +security_status_loginfail_enable="YES" +security_status_loginfail_period="daily" # 900.tcpwrap -daily_status_security_tcpwrap_enable="YES" +security_status_tcpwrap_enable="YES" +security_status_tcpwrap_period="daily" # Weekly options @@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs pkg_version=pkg_version # Use this program pkg_version_index=/usr/ports/INDEX-10 # Use this index file +# 450.status-security +weekly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +weekly_status_security_inline="NO" # Run inline ? +weekly_status_security_output="root" # user or /file + # 999.local weekly_local="/etc/weekly.local" # Local scripts @@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts returning 2 # 200.accounting monthly_accounting_enable="YES" # Login accounting +# 450.status-security +monthly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +monthly_status_security_inline="NO" # Run inline ? +monthly_status_security_output="root" # user or /file + # 999.local monthly_local="/etc/monthly.local" # Local scripts @@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # Local scripts if [ -z "${source_periodic_confs_defined}" ]; then source_periodic_confs_defined=yes + + # Compatibility with old daily variable names. + # They can be removed in stable/11. + security_daily_compat_var() { + local var=$1 dailyvar value + + dailyvar=daily_status_security${#status_security} + periodvar=${var%enable}period + eval value=\"\$$dailyvar\" + [ -z "$value" ] && return + echo "Warning: Variable \$$dailyvar is deprecated," \ + "use \$$var instead." >&2 + case "$value" in + [Yy][Ee][Ss]) + $var=YES + $periodvar=daily + ;; + *) + $var="$value" + ;; + esac + } + + check_yesno_period() { + local var="$1" periodvar value period + + eval value=\"\$$var\" + case "$value" in + [Yy][Ee][Ss]) ;; + *) return 1 ;; + esac + + periodvar=${var%enable}period + eval period=\"\$$periodvar\" + case "$PERIODIC" in + "security daily") + case "$period" in + [Dd][Aa][Ii][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security weekly") + case "$period" in + [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security monthly") + case "$period" in + [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + security) + # Run directly from crontab(5). + case "$period" in + [Nn][Oo]) return 1 ;; + *) return 0 ;; + esac + ;; + *) + echo "ASSERTION FAILED: Unexpected value for " \ + "\$PERIODIC: '$PERIODIC'" >&2 + exit 127 + ;; + esac + } + source_periodic_confs() { local i sourced_files |