summaryrefslogtreecommitdiffstats
path: root/etc/defaults/periodic.conf
diff options
context:
space:
mode:
Diffstat (limited to 'etc/defaults/periodic.conf')
-rw-r--r--etc/defaults/periodic.conf223
1 files changed, 164 insertions, 59 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index e630e1d..9fb6859 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue
# 450.status-security
daily_status_security_enable="YES" # Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
# 460.status-mail-rejects
daily_status_mail_rejects_enable="YES" # Check mail rejects
@@ -160,64 +162,6 @@ daily_scrub_zfs_default_threshold="35" # days between scrubs
daily_local="/etc/daily.local" # Local scripts
-# Security options
-
-# These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_noamd="NO" # Don't check amd mounts
-daily_status_security_logdir="/var/log" # Directory for logs
-daily_status_security_diff_flags="-b -u" # flags for diff output
-
-# 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
-
-# 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
-
-# 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
- # FS types
-
-# 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
-
-# 400.passwdless
-daily_status_security_passwdless_enable="YES"
-
-# 410.logincheck
-daily_status_security_logincheck_enable="YES"
-
-# 460.chkportsum
-daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum
-
-# 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
-
-# 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
-
-# 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
-
-# 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
-
-# 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
-
-# 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
-
-# 800.loginfail
-daily_status_security_loginfail_enable="YES"
-
-# 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
-
-
# Weekly options
# These options are used by periodic(8) itself to determine what to do
@@ -248,6 +192,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs
pkg_version=pkg_version # Use this program
pkg_version_index=/usr/ports/INDEX-10 # Use this index file
+# 450.status-security
+weekly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO" # Run inline ?
+weekly_status_security_output="root" # user or /file
+
# 999.local
weekly_local="/etc/weekly.local" # Local scripts
@@ -267,15 +217,170 @@ monthly_show_badconfig="NO" # scripts returning 2
# 200.accounting
monthly_accounting_enable="YES" # Login accounting
+# 450.status-security
+monthly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO" # Run inline ?
+monthly_status_security_output="root" # user or /file
+
# 999.local
monthly_local="/etc/monthly.local" # Local scripts
+# Security options
+
+# These options are used by the security periodic(8) scripts spawned in
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log" # Directory for logs
+security_status_diff_flags="-b -u" # flags for diff output
+
+# Each of the security_status_*_period options below can have one of the
+# following values:
+# - NO: do not run at all
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
+# - monthly: only run during the monthly security status
+# Note that if periodic security scripts are run from crontab(5) directly,
+# they will be run unless _enable or _period is set to "NO".
+
+# 100.chksetuid
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
+
+# 110.neggrpperm
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
+
+# 200.chkmounts
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:" # Don't check matching
+ # FS types
+security_status_noamd="NO" # Don't check amd mounts
+
+# 300.chkuid0
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
+
+# 400.passwdless
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
+
+# 410.logincheck
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
+
+# 460.chkportsum
+security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_period="daily"
+
+# 500.ipfwdenied
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
+
+# 510.ipfdenied
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
+
+# 520.pfdenied
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
+
+# 550.ipfwlimit
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
+
+# 610.ipf6denied
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
+
+# 700.kernelmsg
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
+
+# 800.loginfail
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
+
+# 900.tcpwrap
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
+
+
+
# Define source_periodic_confs, the mechanism used by /etc/periodic/*/*
# scripts to source defaults/periodic.conf overrides safely.
if [ -z "${source_periodic_confs_defined}" ]; then
source_periodic_confs_defined=yes
+
+ # Compatibility with old daily variable names.
+ # They can be removed in stable/11.
+ security_daily_compat_var() {
+ local var=$1 dailyvar value
+
+ dailyvar=daily_status_security${#status_security}
+ periodvar=${var%enable}period
+ eval value=\"\$$dailyvar\"
+ [ -z "$value" ] && return
+ echo "Warning: Variable \$$dailyvar is deprecated," \
+ "use \$$var instead." >&2
+ case "$value" in
+ [Yy][Ee][Ss])
+ $var=YES
+ $periodvar=daily
+ ;;
+ *)
+ $var="$value"
+ ;;
+ esac
+ }
+
+ check_yesno_period() {
+ local var="$1" periodvar value period
+
+ eval value=\"\$$var\"
+ case "$value" in
+ [Yy][Ee][Ss]) ;;
+ *) return 1 ;;
+ esac
+
+ periodvar=${var%enable}period
+ eval period=\"\$$periodvar\"
+ case "$PERIODIC" in
+ "security daily")
+ case "$period" in
+ [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security weekly")
+ case "$period" in
+ [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security monthly")
+ case "$period" in
+ [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ security)
+ # Run directly from crontab(5).
+ case "$period" in
+ [Nn][Oo]) return 1 ;;
+ *) return 0 ;;
+ esac
+ ;;
+ *)
+ echo "ASSERTION FAILED: Unexpected value for " \
+ "\$PERIODIC: '$PERIODIC'" >&2
+ exit 127
+ ;;
+ esac
+ }
+
source_periodic_confs() {
local i sourced_files
OpenPOWER on IntegriCloud