summaryrefslogtreecommitdiffstats
path: root/etc/periodic
diff options
context:
space:
mode:
Diffstat (limited to 'etc/periodic')
-rwxr-xr-xetc/periodic/monthly/450.status-security41
-rwxr-xr-xetc/periodic/security/100.chksetuid12
-rwxr-xr-xetc/periodic/security/110.neggrpperm9
-rwxr-xr-xetc/periodic/security/200.chkmounts17
-rwxr-xr-xetc/periodic/security/300.chkuid013
-rwxr-xr-xetc/periodic/security/400.passwdless13
-rwxr-xr-xetc/periodic/security/410.logincheck13
-rwxr-xr-xetc/periodic/security/460.chkportsum12
-rwxr-xr-xetc/periodic/security/500.ipfwdenied11
-rwxr-xr-xetc/periodic/security/510.ipfdenied11
-rwxr-xr-xetc/periodic/security/520.pfdenied11
-rwxr-xr-xetc/periodic/security/550.ipfwlimit11
-rwxr-xr-xetc/periodic/security/610.ipf6denied11
-rwxr-xr-xetc/periodic/security/700.kernelmsg11
-rwxr-xr-xetc/periodic/security/800.loginfail16
-rwxr-xr-xetc/periodic/security/900.tcpwrap16
-rw-r--r--etc/periodic/security/security.functions12
-rwxr-xr-xetc/periodic/weekly/450.status-security41
-rw-r--r--etc/periodic/weekly/Makefile1
19 files changed, 198 insertions, 84 deletions
diff --git a/etc/periodic/monthly/450.status-security b/etc/periodic/monthly/450.status-security
new file mode 100755
index 0000000..027c896
--- /dev/null
+++ b/etc/periodic/monthly/450.status-security
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$monthly_status_security_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Security check:"
+
+ case "$monthly_status_security_inline" in
+ [Yy][Ee][Ss])
+ monthly_status_security_output="";;
+ esac
+
+ export security_output="${monthly_status_security_output}"
+ case "${monthly_status_security_output}" in
+ "")
+ rc=3;;
+ /*)
+ echo " (output logged separately)"
+ rc=0;;
+ *)
+ echo " (output mailed separately)"
+ rc=0;;
+ esac
+
+ periodic security || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid
index 5b93b20..95920a6 100755
--- a/etc/periodic/security/100.chksetuid
+++ b/etc/periodic/security/100.chksetuid
@@ -37,10 +37,12 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_chksetuid_enable
+
rc=0
-case "$daily_status_security_chksetuid_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_chksetuid_enable
+then
echo ""
echo 'Checking setuid files and devices:'
MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_enable" in
\( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
check_diff setuid - "${host} setuid diffs:"
rc=$?
- ;;
- *)
- rc=0
- ;;
-esac
+fi
exit $rc
diff --git a/etc/periodic/security/110.neggrpperm b/etc/periodic/security/110.neggrpperm
index 68d1e7b..1d545ac 100755
--- a/etc/periodic/security/110.neggrpperm
+++ b/etc/periodic/security/110.neggrpperm
@@ -35,10 +35,12 @@ then
source_periodic_confs
fi
+security_daily_compat_var security_status_neggrpperm_enable
+
rc=0
-case "$daily_status_security_neggrpperm_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_neggrpperm_enable
+then
echo ""
echo 'Checking negative group permissions:'
MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_enable" in
\( ! -perm +040 -and -perm +004 \) \) \
-exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
[ $n -gt 0 ] && rc=1 || rc=0
- ;;
-esac
+fi
exit $rc
diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts
index 17b114e..7b14866 100755
--- a/etc/periodic/security/200.chkmounts
+++ b/etc/periodic/security/200.chkmounts
@@ -40,12 +40,16 @@ fi
. /etc/periodic/security/security.functions
-ignore="${daily_status_security_chkmounts_ignore}"
+security_daily_compat_var security_status_chkmounts_enable
+security_daily_compat_var security_status_chkmounts_ignore
+security_daily_compat_var security_status_noamd
+
+ignore="${security_status_chkmounts_ignore}"
rc=0
-case "$daily_status_security_chkmounts_enable" in
- [Yy][Ee][Ss])
- case "$daily_status_security_noamd" in
+if check_yesno_period security_status_chkmounts_enable
+then
+ case "$security_status_noamd" in
[Yy][Ee][Ss])
ignore="${ignore}|^amd:"
esac
@@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_enable" in
fi
mount -p | sort | ${cmd} |
check_diff mount - "${host} changes in mounted filesystems:"
- rc=$?;;
- *) rc=0;;
-esac
+ rc=$?
+fi
exit "$rc"
diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0
index 32cc16c..73578e2 100755
--- a/etc/periodic/security/300.chkuid0
+++ b/etc/periodic/security/300.chkuid0
@@ -36,16 +36,19 @@ then
source_periodic_confs
fi
-case "$daily_status_security_chkuid0_enable" in
- [Yy][Ee][Ss])
+security_daily_compat_var security_status_chkuid0_enable
+
+rc=0
+
+if check_yesno_period security_status_chkuid0_enable
+then
echo ""
echo 'Checking for uids of 0:'
n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
tee /dev/stderr |
sed -e '/^root 0$/d' -e '/^toor 0$/d' |
wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit "$rc"
diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless
index 42ece04..5e851ac 100755
--- a/etc/periodic/security/400.passwdless
+++ b/etc/periodic/security/400.passwdless
@@ -35,14 +35,17 @@ then
source_periodic_confs
fi
-case "$daily_status_security_passwdless_enable" in
- [Yy][Ee][Ss])
+security_daily_compat_var security_status_passwdless_enable
+
+rc=0
+
+if check_yesno_period security_status_passwdless_enable
+then
echo ""
echo 'Checking for passwordless accounts:'
n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
tee /dev/stderr | wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit "$rc"
diff --git a/etc/periodic/security/410.logincheck b/etc/periodic/security/410.logincheck
index f6cf405..41e7f65 100755
--- a/etc/periodic/security/410.logincheck
+++ b/etc/periodic/security/410.logincheck
@@ -35,8 +35,12 @@ then
source_periodic_confs
fi
-case "$daily_status_security_logincheck_enable" in
- [Yy][Ee][Ss])
+security_daily_compat_var security_status_logincheck_enable
+
+rc=0
+
+if check_yesno_period security_status_logincheck_enable
+then
echo ""
echo 'Checking login.conf permissions:'
if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
@@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in
echo "Bad ownership of /etc/login.conf"
n=1
fi
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit "$rc"
diff --git a/etc/periodic/security/460.chkportsum b/etc/periodic/security/460.chkportsum
index 3a39c84..18a12ec 100755
--- a/etc/periodic/security/460.chkportsum
+++ b/etc/periodic/security/460.chkportsum
@@ -35,13 +35,15 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_chkportsum_enable
+
rc=0
echo ""
echo 'Checking for ports with mismatched checksums:'
-case "${daily_status_security_chkportsum_enable}" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_chkportsum_enable
+then
set -f
pkg_info -ga 2>/dev/null | \
while IFS= read -r line; do
@@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum_enable}" in
;;
esac
done
- ;;
- *)
- rc=0
- ;;
-esac
+fi
exit $rc
diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied
index 6a6fb8b4..f39ca0e 100755
--- a/etc/periodic/security/500.ipfwdenied
+++ b/etc/periodic/security/500.ipfwdenied
@@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_ipfwdenied_enable
+
rc=0
-case "$daily_status_security_ipfwdenied_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwdenied_enable
+then
TMP=`mktemp -t security`
if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
fi
rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/510.ipfdenied b/etc/periodic/security/510.ipfdenied
index 2058d2b..bed75e6 100755
--- a/etc/periodic/security/510.ipfdenied
+++ b/etc/periodic/security/510.ipfdenied
@@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_ipfdenied_enable
+
rc=0
-case "$daily_status_security_ipfdenied_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfdenied_enable
+then
TMP=`mktemp -t security`
if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then
check_diff new_only ipf ${TMP} "${host} ipf denied packets:"
fi
rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied
index 5e51393..7a32bf2 100755
--- a/etc/periodic/security/520.pfdenied
+++ b/etc/periodic/security/520.pfdenied
@@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_pfdenied_enable
+
rc=0
-case "$daily_status_security_pfdenied_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_pfdenied_enable
+then
TMP=`mktemp -t security`
if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
check_diff new_only pf ${TMP} "${host} pf denied packets:"
fi
rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit
index daa0f86..86932c6 100755
--- a/etc/periodic/security/550.ipfwlimit
+++ b/etc/periodic/security/550.ipfwlimit
@@ -38,10 +38,12 @@ then
source_periodic_confs
fi
+security_daily_compat_var security_status_ipfwlimit_enable
+
rc=0
-case "$daily_status_security_ipfwlimit_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwlimit_enable
+then
IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
exit 0
@@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_enable" in
echo 'ipfw log limit reached:'
cat ${TMP}
fi
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/610.ipf6denied b/etc/periodic/security/610.ipf6denied
index 6c64d92..7e02cfc 100755
--- a/etc/periodic/security/610.ipf6denied
+++ b/etc/periodic/security/610.ipf6denied
@@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_ipf6denied_enable
+
rc=0
-case "$daily_status_security_ipf6denied_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_ipf6denied_enable
+then
TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then
check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:"
fi
rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg
index fb5ed63..8bf6491 100755
--- a/etc/periodic/security/700.kernelmsg
+++ b/etc/periodic/security/700.kernelmsg
@@ -40,14 +40,15 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_kernelmsg_enable
+
rc=0
-case "$daily_status_security_kernelmsg_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_kernelmsg_enable
+then
dmesg 2>/dev/null |
check_diff new_only dmesg - "${host} kernel log messages:"
- rc=$?;;
- *) rc=0;;
-esac
+ rc=$?
+fi
exit $rc
diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail
index 767b959..a0de96d 100755
--- a/etc/periodic/security/800.loginfail
+++ b/etc/periodic/security/800.loginfail
@@ -38,7 +38,10 @@ then
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_loginfail_enable
+
+LOG="${security_status_logdir}"
yesterday=`date -v-1d "+%b %e "`
@@ -55,14 +58,15 @@ catmsgs() {
[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
}
-case "$daily_status_security_loginfail_enable" in
- [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_loginfail_enable
+then
echo ""
echo "${host} login failures:"
n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
tee /dev/stderr | wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit $rc
diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap
index 55f7709..10b02e9 100755
--- a/etc/periodic/security/900.tcpwrap
+++ b/etc/periodic/security/900.tcpwrap
@@ -38,7 +38,10 @@ then
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_tcpwrap_enable
+
+LOG="${security_status_logdir}"
yesterday=`date -v-1d "+%b %e "`
@@ -55,14 +58,15 @@ catmsgs() {
[ -f ${LOG}/messages ] && cat $LOG/messages
}
-case "$daily_status_security_tcpwrap_enable" in
- [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_tcpwrap_enable
+then
echo ""
echo "${host} refused connections:"
n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
tee /dev/stderr | wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit $rc
diff --git a/etc/periodic/security/security.functions b/etc/periodic/security/security.functions
index f5b8dcd..bc2bcba 100644
--- a/etc/periodic/security/security.functions
+++ b/etc/periodic/security/security.functions
@@ -27,11 +27,19 @@
# $FreeBSD$
#
+# This is a library file, so we only try to do something when sourced.
+case "$0" in
+*/security.functions) exit 0 ;;
+esac
+
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_diff_flags
+
#
# Show differences in the output of an audit command
#
-LOG="${daily_status_security_logdir}"
+LOG="${security_status_logdir}"
rc=0
# Usage: COMMAND | check_diff [new_only] LABEL - MSG
@@ -67,7 +75,7 @@ check_diff() {
[ $rc -lt 1 ] && rc=1
echo ""
echo "${msg}"
- diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \
+ diff ${security_status_diff_flags} ${LOG}/${label}.today \
${tmpf} | eval "${filter}"
mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
mv ${tmpf} ${LOG}/${label}.today || rc=3
diff --git a/etc/periodic/weekly/450.status-security b/etc/periodic/weekly/450.status-security
new file mode 100755
index 0000000..513fbda
--- /dev/null
+++ b/etc/periodic/weekly/450.status-security
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$weekly_status_security_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Security check:"
+
+ case "$weekly_status_security_inline" in
+ [Yy][Ee][Ss])
+ weekly_status_security_output="";;
+ esac
+
+ export security_output="${weekly_status_security_output}"
+ case "${weekly_status_security_output}" in
+ "")
+ rc=3;;
+ /*)
+ echo " (output logged separately)"
+ rc=0;;
+ *)
+ echo " (output mailed separately)"
+ rc=0;;
+ esac
+
+ periodic security || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/weekly/Makefile b/etc/periodic/weekly/Makefile
index 7f2eae2..057653d 100644
--- a/etc/periodic/weekly/Makefile
+++ b/etc/periodic/weekly/Makefile
@@ -3,6 +3,7 @@
.include <bsd.own.mk>
FILES= 340.noid \
+ 450.status-security \
999.local
# NB: keep these sorted by MK_* knobs
OpenPOWER on IntegriCloud