summaryrefslogtreecommitdiffstats
path: root/etc/defaults/periodic.conf
diff options
context:
space:
mode:
Diffstat (limited to 'etc/defaults/periodic.conf')
-rw-r--r--etc/defaults/periodic.conf147
1 files changed, 124 insertions, 23 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index 4dc2478..5dd7fa9 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue
# 450.status-security
daily_status_security_enable="YES" # Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
# 460.status-mail-rejects
daily_status_mail_rejects_enable="YES" # Check mail rejects
@@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Local scripts
# Security options
# These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_logdir="/var/log" # Directory for logs
-daily_status_security_diff_flags="-b -u" # flags for diff output
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log" # Directory for logs
+security_status_diff_flags="-b -u" # flags for diff output
+
+# Each of the security_status_*_enable options below can have one of the
+# following values:
+# - NO
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
# 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
# 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
# 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:" # Don't check matching
# FS types
-daily_status_security_noamd="NO" # Don't check amd mounts
+security_status_noamd="NO" # Don't check amd mounts
# 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
# 400.passwdless
-daily_status_security_passwdless_enable="YES"
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
# 410.logincheck
-daily_status_security_logincheck_enable="YES"
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
# 460.chkportsum
-daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_period="daily"
# 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
# 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
# 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
# 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
# 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
# 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
# 800.loginfail
-daily_status_security_loginfail_enable="YES"
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
# 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
# Weekly options
@@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs
pkg_version=pkg_version # Use this program
pkg_version_index=/usr/ports/INDEX-10 # Use this index file
+# 450.status-security
+weekly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO" # Run inline ?
+weekly_status_security_output="root" # user or /file
+
# 999.local
weekly_local="/etc/weekly.local" # Local scripts
@@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts returning 2
# 200.accounting
monthly_accounting_enable="YES" # Login accounting
+# 450.status-security
+monthly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO" # Run inline ?
+monthly_status_security_output="root" # user or /file
+
# 999.local
monthly_local="/etc/monthly.local" # Local scripts
@@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # Local scripts
if [ -z "${source_periodic_confs_defined}" ]; then
source_periodic_confs_defined=yes
+
+ # Compatibility with old daily variable names.
+ # They can be removed in stable/11.
+ security_daily_compat_var() {
+ local var=$1 dailyvar value
+
+ dailyvar=daily_status_security${#status_security}
+ periodvar=${var%enable}period
+ eval value=\"\$$dailyvar\"
+ [ -z "$value" ] && return
+ echo "Warning: Variable \$$dailyvar is deprecated," \
+ "use \$$var instead." >&2
+ case "$value" in
+ [Yy][Ee][Ss])
+ $var=YES
+ $periodvar=daily
+ ;;
+ *)
+ $var="$value"
+ ;;
+ esac
+ }
+
+ check_yesno_period() {
+ local var="$1" periodvar value period
+
+ eval value=\"\$$var\"
+ case "$value" in
+ [Yy][Ee][Ss]) ;;
+ *) return 1 ;;
+ esac
+
+ periodvar=${var%enable}period
+ eval period=\"\$$periodvar\"
+ case "$PERIODIC" in
+ "security daily")
+ case "$period" in
+ [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security weekly")
+ case "$period" in
+ [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security monthly")
+ case "$period" in
+ [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ security)
+ # Run directly from crontab(5).
+ case "$period" in
+ [Nn][Oo]) return 1 ;;
+ *) return 0 ;;
+ esac
+ ;;
+ *)
+ echo "ASSERTION FAILED: Unexpected value for " \
+ "\$PERIODIC: '$PERIODIC'" >&2
+ exit 127
+ ;;
+ esac
+ }
+
source_periodic_confs() {
local i sourced_files
OpenPOWER on IntegriCloud