Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/periodic.conf147
-rwxr-xr-xetc/periodic/monthly/450.status-security41
-rwxr-xr-xetc/periodic/security/100.chksetuid12
-rwxr-xr-xetc/periodic/security/110.neggrpperm9
-rwxr-xr-xetc/periodic/security/200.chkmounts17
-rwxr-xr-xetc/periodic/security/300.chkuid013
-rwxr-xr-xetc/periodic/security/400.passwdless13
-rwxr-xr-xetc/periodic/security/410.logincheck13
-rwxr-xr-xetc/periodic/security/460.chkportsum12
-rwxr-xr-xetc/periodic/security/500.ipfwdenied11
-rwxr-xr-xetc/periodic/security/510.ipfdenied11
-rwxr-xr-xetc/periodic/security/520.pfdenied11
-rwxr-xr-xetc/periodic/security/550.ipfwlimit11
-rwxr-xr-xetc/periodic/security/610.ipf6denied11
-rwxr-xr-xetc/periodic/security/700.kernelmsg11
-rwxr-xr-xetc/periodic/security/800.loginfail16
-rwxr-xr-xetc/periodic/security/900.tcpwrap16
-rw-r--r--etc/periodic/security/security.functions12
-rwxr-xr-xetc/periodic/weekly/450.status-security41
-rw-r--r--etc/periodic/weekly/Makefile1
20 files changed, 322 insertions, 107 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index 4dc2478..5dd7fa9 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue
# 450.status-security
daily_status_security_enable="YES" # Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
# 460.status-mail-rejects
daily_status_mail_rejects_enable="YES" # Check mail rejects
@@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Local scripts
# Security options
# These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_logdir="/var/log" # Directory for logs
-daily_status_security_diff_flags="-b -u" # flags for diff output
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log" # Directory for logs
+security_status_diff_flags="-b -u" # flags for diff output
+
+# Each of the security_status_*_enable options below can have one of the
+# following values:
+# - NO
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
# 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
# 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
# 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:" # Don't check matching
# FS types
-daily_status_security_noamd="NO" # Don't check amd mounts
+security_status_noamd="NO" # Don't check amd mounts
# 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
# 400.passwdless
-daily_status_security_passwdless_enable="YES"
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
# 410.logincheck
-daily_status_security_logincheck_enable="YES"
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
# 460.chkportsum
-daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_period="daily"
# 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
# 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
# 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
# 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
# 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
# 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
# 800.loginfail
-daily_status_security_loginfail_enable="YES"
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
# 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
# Weekly options
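Review bot: The comment added at `# Each of the security_status_*_enable options below can have one of the following values:` documents the wrong variable: the listed values (NO, daily, weekly) belong to the new `security_status_*_period` knobs, while the `_enable` knobs set right below still take YES/NO, and check_yesno_period later in this same file also accepts `monthly` for the period and treats `NO` as never-run. As written, a reader will try `security_status_chksetuid_enable="weekly"` and get the check silently disabled. Suggest replacing the five comment lines with: `# Each security_status_*_enable option takes YES or NO; the matching` / `# security_status_*_period option selects when an enabled check runs:` / `# daily, weekly, monthly, or NO.`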
@@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs
pkg_version=pkg_version # Use this program
pkg_version_index=/usr/ports/INDEX-10 # Use this index file
+# 450.status-security
+weekly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO" # Run inline ?
+weekly_status_security_output="root" # user or /file
+
# 999.local
weekly_local="/etc/weekly.local" # Local scripts
@@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts returning 2
# 200.accounting
monthly_accounting_enable="YES" # Login accounting
+# 450.status-security
+monthly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO" # Run inline ?
+monthly_status_security_output="root" # user or /file
+
# 999.local
monthly_local="/etc/monthly.local" # Local scripts
@@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # Local scripts
if [ -z "${source_periodic_confs_defined}" ]; then
source_periodic_confs_defined=yes
+
+ # Compatibility with old daily variable names.
+ # They can be removed in stable/11.
+ security_daily_compat_var() {
+ local var=$1 dailyvar value
+
+ dailyvar=daily_status_security${#status_security}
+ periodvar=${var%enable}period
+ eval value=\"\$$dailyvar\"
+ [ -z "$value" ] && return
+ echo "Warning: Variable \$$dailyvar is deprecated," \
+ "use \$$var instead." >&2
+ case "$value" in
+ [Yy][Ee][Ss])
+ $var=YES
+ $periodvar=daily
+ ;;
+ *)
+ $var="$value"
+ ;;
+ esac
+ }
+
+ check_yesno_period() {
+ local var="$1" periodvar value period
+
+ eval value=\"\$$var\"
+ case "$value" in
+ [Yy][Ee][Ss]) ;;
+ *) return 1 ;;
+ esac
+
+ periodvar=${var%enable}period
+ eval period=\"\$$periodvar\"
+ case "$PERIODIC" in
+ "security daily")
+ case "$period" in
+ [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security weekly")
+ case "$period" in
+ [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security monthly")
+ case "$period" in
+ [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ security)
+ # Run directly from crontab(5).
+ case "$period" in
+ [Nn][Oo]) return 1 ;;
+ *) return 0 ;;
+ esac
+ ;;
+ *)
+ echo "ASSERTION FAILED: Unexpected value for " \
+ "\$PERIODIC: '$PERIODIC'" >&2
+ exit 127
+ ;;
+ esac
+ }
+
source_periodic_confs() {
local i sourced_files
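Review bot: `security_daily_compat_var` cannot work as written: `dailyvar=daily_status_security${#status_security}` expands `${#status_security}` to the length of an unset variable, so dailyvar is always `daily_status_security0` and the old setting is never found, and the three lines `$var=YES`, `$periodvar=daily` and `$var="$value"` are run as commands (expansion results are not re-parsed as assignments), producing `security_status_chksetuid_enable=YES: not found` instead of migrating the value. The fix is `dailyvar=daily_status_security${var#security_status}` plus `eval` on the three assignments, and `periodvar` belongs in the `local` list. Callers also pass names without an `enable` suffix (security_status_noamd in 200.chkmounts, security_status_logdir in security.functions), for which `${var%enable}period` yields a junk name such as security_status_noamdperiod that is assigned when the old value is YES — harmless, but worth a comment. In check_yesno_period an empty `$PERIODIC` (script started by hand rather than through periodic(8)) reaches the assertion branch and exits 127; if manual invocation is meant to keep working, treat the empty value like `security`. source_periodic_confs begins at the end of this hunk and continues outside it.
```shell
	security_daily_compat_var() {
		local var=$1 dailyvar periodvar value

		dailyvar=daily_status_security${var#security_status}
		periodvar=${var%enable}period
		# … unchanged: read the old value, return if empty, print the deprecation warning …
		case "$value" in
		[Yy][Ee][Ss])
			eval $var=YES
			eval $periodvar=daily
			;;
		*)
			eval $var=\"\$value\"
			;;
		esac
	}
```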
diff --git a/etc/periodic/monthly/450.status-security b/etc/periodic/monthly/450.status-security
new file mode 100755
index 0000000..027c896
--- /dev/null
+++ b/etc/periodic/monthly/450.status-security
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$monthly_status_security_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Security check:"
+
+ case "$monthly_status_security_inline" in
+ [Yy][Ee][Ss])
+ monthly_status_security_output="";;
+ esac
+
+ export security_output="${monthly_status_security_output}"
+ case "${monthly_status_security_output}" in
+ "")
+ rc=3;;
+ /*)
+ echo " (output logged separately)"
+ rc=0;;
+ *)
+ echo " (output mailed separately)"
+ rc=0;;
+ esac
+
+ periodic security || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
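Review bot: This script only works if check_yesno_period sees `$PERIODIC` equal to exactly `security monthly` when `periodic security || rc=3` runs, which presumably relies on periodic(8) composing the value from the outer monthly run plus the nested `security` argument; nothing in this file says so, and the same applies to the identical weekly copy of the script. Suggest a comment above the call: `# periodic(8) exports PERIODIC="security monthly" for the nested run; check_yesno_period in periodic.conf keys on it.` The daily, weekly and monthly 450.status-security scripts now differ only in the variable prefix, so a shared helper taking the period name would remove the triplication.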
diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid
index 5b93b20..95920a6 100755
--- a/etc/periodic/security/100.chksetuid
+++ b/etc/periodic/security/100.chksetuid
@@ -37,10 +37,12 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_chksetuid_enable
+
rc=0
-case "$daily_status_security_chksetuid_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_chksetuid_enable
+then
echo ""
echo 'Checking setuid files and devices:'
MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_enable" in
\( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
check_diff setuid - "${host} setuid diffs:"
rc=$?
- ;;
- *)
- rc=0
- ;;
-esac
+fi
exit $rc
diff --git a/etc/periodic/security/110.neggrpperm b/etc/periodic/security/110.neggrpperm
index 68d1e7b..1d545ac 100755
--- a/etc/periodic/security/110.neggrpperm
+++ b/etc/periodic/security/110.neggrpperm
@@ -35,10 +35,12 @@ then
source_periodic_confs
fi
+security_daily_compat_var security_status_neggrpperm_enable
+
rc=0
-case "$daily_status_security_neggrpperm_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_neggrpperm_enable
+then
echo ""
echo 'Checking negative group permissions:'
MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_enable" in
\( ! -perm +040 -and -perm +004 \) \) \
-exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
[ $n -gt 0 ] && rc=1 || rc=0
- ;;
-esac
+fi
exit $rc
diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts
index 17b114e..7b14866 100755
--- a/etc/periodic/security/200.chkmounts
+++ b/etc/periodic/security/200.chkmounts
@@ -40,12 +40,16 @@ fi
. /etc/periodic/security/security.functions
-ignore="${daily_status_security_chkmounts_ignore}"
+security_daily_compat_var security_status_chkmounts_enable
+security_daily_compat_var security_status_chkmounts_ignore
+security_daily_compat_var security_status_noamd
+
+ignore="${security_status_chkmounts_ignore}"
rc=0
-case "$daily_status_security_chkmounts_enable" in
- [Yy][Ee][Ss])
- case "$daily_status_security_noamd" in
+if check_yesno_period security_status_chkmounts_enable
+then
+ case "$security_status_noamd" in
[Yy][Ee][Ss])
ignore="${ignore}|^amd:"
esac
@@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_enable" in
fi
mount -p | sort | ${cmd} |
check_diff mount - "${host} changes in mounted filesystems:"
- rc=$?;;
- *) rc=0;;
-esac
+ rc=$?
+fi
exit "$rc"
diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0
index 32cc16c..73578e2 100755
--- a/etc/periodic/security/300.chkuid0
+++ b/etc/periodic/security/300.chkuid0
@@ -36,16 +36,19 @@ then
source_periodic_confs
fi
-case "$daily_status_security_chkuid0_enable" in
- [Yy][Ee][Ss])
+security_daily_compat_var security_status_chkuid0_enable
+
+rc=0
+
+if check_yesno_period security_status_chkuid0_enable
+then
echo ""
echo 'Checking for uids of 0:'
n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
tee /dev/stderr |
sed -e '/^root 0$/d' -e '/^toor 0$/d' |
wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit "$rc"
diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless
index 42ece04..5e851ac 100755
--- a/etc/periodic/security/400.passwdless
+++ b/etc/periodic/security/400.passwdless
@@ -35,14 +35,17 @@ then
source_periodic_confs
fi
-case "$daily_status_security_passwdless_enable" in
- [Yy][Ee][Ss])
+security_daily_compat_var security_status_passwdless_enable
+
+rc=0
+
+if check_yesno_period security_status_passwdless_enable
+then
echo ""
echo 'Checking for passwordless accounts:'
n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
tee /dev/stderr | wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit "$rc"
diff --git a/etc/periodic/security/410.logincheck b/etc/periodic/security/410.logincheck
index f6cf405..41e7f65 100755
--- a/etc/periodic/security/410.logincheck
+++ b/etc/periodic/security/410.logincheck
@@ -35,8 +35,12 @@ then
source_periodic_confs
fi
-case "$daily_status_security_logincheck_enable" in
- [Yy][Ee][Ss])
+security_daily_compat_var security_status_logincheck_enable
+
+rc=0
+
+if check_yesno_period security_status_logincheck_enable
+then
echo ""
echo 'Checking login.conf permissions:'
if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
@@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in
echo "Bad ownership of /etc/login.conf"
n=1
fi
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit "$rc"
diff --git a/etc/periodic/security/460.chkportsum b/etc/periodic/security/460.chkportsum
index 3a39c84..18a12ec 100755
--- a/etc/periodic/security/460.chkportsum
+++ b/etc/periodic/security/460.chkportsum
@@ -35,13 +35,15 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_chkportsum_enable
+
rc=0
echo ""
echo 'Checking for ports with mismatched checksums:'
-case "${daily_status_security_chkportsum_enable}" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_chkportsum_enable
+then
set -f
pkg_info -ga 2>/dev/null | \
while IFS= read -r line; do
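Review bot: The two lines `echo ""` and `echo 'Checking for ports with mismatched checksums:'` stay above the new `if check_yesno_period security_status_chkportsum_enable` guard, so the header is printed even when the check is disabled (the shipped default) or scheduled for another period; with the period mechanism this now also shows up in the weekly and monthly security output. Those are unchanged context lines, so the behaviour predates the commit, but the rewrite of the guard is the natural place to move both echo lines inside the `then` branch, as every other script in this commit does. The body of the check continues past the end of the hunk.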
@@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum_enable}" in
;;
esac
done
- ;;
- *)
- rc=0
- ;;
-esac
+fi
exit $rc
diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied
index 6a6fb8b4..f39ca0e 100755
--- a/etc/periodic/security/500.ipfwdenied
+++ b/etc/periodic/security/500.ipfwdenied
@@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_ipfwdenied_enable
+
rc=0
-case "$daily_status_security_ipfwdenied_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwdenied_enable
+then
TMP=`mktemp -t security`
if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
fi
rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/510.ipfdenied b/etc/periodic/security/510.ipfdenied
index 2058d2b..bed75e6 100755
--- a/etc/periodic/security/510.ipfdenied
+++ b/etc/periodic/security/510.ipfdenied
@@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_ipfdenied_enable
+
rc=0
-case "$daily_status_security_ipfdenied_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfdenied_enable
+then
TMP=`mktemp -t security`
if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then
check_diff new_only ipf ${TMP} "${host} ipf denied packets:"
fi
rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied
index 5e51393..7a32bf2 100755
--- a/etc/periodic/security/520.pfdenied
+++ b/etc/periodic/security/520.pfdenied
@@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_pfdenied_enable
+
rc=0
-case "$daily_status_security_pfdenied_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_pfdenied_enable
+then
TMP=`mktemp -t security`
if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
check_diff new_only pf ${TMP} "${host} pf denied packets:"
fi
rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit
index daa0f86..86932c6 100755
--- a/etc/periodic/security/550.ipfwlimit
+++ b/etc/periodic/security/550.ipfwlimit
@@ -38,10 +38,12 @@ then
source_periodic_confs
fi
+security_daily_compat_var security_status_ipfwlimit_enable
+
rc=0
-case "$daily_status_security_ipfwlimit_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwlimit_enable
+then
IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
exit 0
@@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_enable" in
echo 'ipfw log limit reached:'
cat ${TMP}
fi
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/610.ipf6denied b/etc/periodic/security/610.ipf6denied
index 6c64d92..7e02cfc 100755
--- a/etc/periodic/security/610.ipf6denied
+++ b/etc/periodic/security/610.ipf6denied
@@ -37,17 +37,18 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_ipf6denied_enable
+
rc=0
-case "$daily_status_security_ipf6denied_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_ipf6denied_enable
+then
TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then
check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:"
fi
rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
+ rm -f ${TMP}
+fi
exit $rc
diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg
index fb5ed63..8bf6491 100755
--- a/etc/periodic/security/700.kernelmsg
+++ b/etc/periodic/security/700.kernelmsg
@@ -40,14 +40,15 @@ fi
. /etc/periodic/security/security.functions
+security_daily_compat_var security_status_kernelmsg_enable
+
rc=0
-case "$daily_status_security_kernelmsg_enable" in
- [Yy][Ee][Ss])
+if check_yesno_period security_status_kernelmsg_enable
+then
dmesg 2>/dev/null |
check_diff new_only dmesg - "${host} kernel log messages:"
- rc=$?;;
- *) rc=0;;
-esac
+ rc=$?
+fi
exit $rc
diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail
index 767b959..a0de96d 100755
--- a/etc/periodic/security/800.loginfail
+++ b/etc/periodic/security/800.loginfail
@@ -38,7 +38,10 @@ then
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_loginfail_enable
+
+LOG="${security_status_logdir}"
yesterday=`date -v-1d "+%b %e "`
@@ -55,14 +58,15 @@ catmsgs() {
[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
}
-case "$daily_status_security_loginfail_enable" in
- [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_loginfail_enable
+then
echo ""
echo "${host} login failures:"
n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
tee /dev/stderr | wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit $rc
diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap
index 55f7709..10b02e9 100755
--- a/etc/periodic/security/900.tcpwrap
+++ b/etc/periodic/security/900.tcpwrap
@@ -38,7 +38,10 @@ then
source_periodic_confs
fi
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_tcpwrap_enable
+
+LOG="${security_status_logdir}"
yesterday=`date -v-1d "+%b %e "`
@@ -55,14 +58,15 @@ catmsgs() {
[ -f ${LOG}/messages ] && cat $LOG/messages
}
-case "$daily_status_security_tcpwrap_enable" in
- [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_tcpwrap_enable
+then
echo ""
echo "${host} refused connections:"
n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
tee /dev/stderr | wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0;;
- *) rc=0;;
-esac
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
exit $rc
diff --git a/etc/periodic/security/security.functions b/etc/periodic/security/security.functions
index f5b8dcd..bc2bcba 100644
--- a/etc/periodic/security/security.functions
+++ b/etc/periodic/security/security.functions
@@ -27,11 +27,19 @@
# $FreeBSD$
#
+# This is a library file, so we only try to do something when sourced.
+case "$0" in
+*/security.functions) exit 0 ;;
+esac
+
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_diff_flags
+
#
# Show differences in the output of an audit command
#
-LOG="${daily_status_security_logdir}"
+LOG="${security_status_logdir}"
rc=0
# Usage: COMMAND | check_diff [new_only] LABEL - MSG
@@ -67,7 +75,7 @@ check_diff() {
[ $rc -lt 1 ] && rc=1
echo ""
echo "${msg}"
- diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \
+ diff ${security_status_diff_flags} ${LOG}/${label}.today \
${tmpf} | eval "${filter}"
mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
mv ${tmpf} ${LOG}/${label}.today || rc=3
diff --git a/etc/periodic/weekly/450.status-security b/etc/periodic/weekly/450.status-security
new file mode 100755
index 0000000..513fbda
--- /dev/null
+++ b/etc/periodic/weekly/450.status-security
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$weekly_status_security_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Security check:"
+
+ case "$weekly_status_security_inline" in
+ [Yy][Ee][Ss])
+ weekly_status_security_output="";;
+ esac
+
+ export security_output="${weekly_status_security_output}"
+ case "${weekly_status_security_output}" in
+ "")
+ rc=3;;
+ /*)
+ echo " (output logged separately)"
+ rc=0;;
+ *)
+ echo " (output mailed separately)"
+ rc=0;;
+ esac
+
+ periodic security || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/weekly/Makefile b/etc/periodic/weekly/Makefile
index 7f2eae2..057653d 100644
--- a/etc/periodic/weekly/Makefile
+++ b/etc/periodic/weekly/Makefile
@@ -3,6 +3,7 @@
.include <bsd.own.mk>
FILES= 340.noid \
+ 450.status-security \
999.local
# NB: keep these sorted by MK_* knobs