| Commit message (Collapse) | Author | Age | Files | Lines |
| |
reduce false positives.
The committed patch was provided by Christian Marg.
PR: 91732
Submitted by: Daniel O'Connor <doconnor at gsoft.com.au>
Skye Poier <spoier at gmail.com>
Alan Amesbury <amesbury at umn.edu>
Christian Marg <marg at rz.tu-clausthal.de>
| |
There are now six additional variables
weekly_status_security_enable
weekly_status_security_inline
weekly_status_security_output
monthly_status_security_enable
monthly_status_security_inline
monthly_status_security_output
alongside their existing daily counterparts. They all have the same
default values.
All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.
"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows to define the period of
each script. The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".
Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitly disabled with a
"NO", either in the "_enable" or the "_period" variable.
When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
myfbsd security run output -> myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.
Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section. I left them in
place for this commit to make reviewing easier.
Reviewed by: hackers@
| |
Hook up 610.ipf6denied based on MK_IPFILTER as 510.ipfdenied is now
Poked by: Andrzej Tobola <ato@iem.pw.edu.pl>
| |
group on an object has less permissions than everyone). These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean.
MFC after: 1 week
| |
Submitted by: Alex Kozlov <spam rm-rf kiev ua>
MFC after: 2 weeks
| |
like spaces in filename
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)
| |
mismatched checksum
PR: conf/124641
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)
| |
fstab: /etc/fstab:0: No such file or directory
and from dump(8) when setfsent(3) fails due to /etc/fstab not existing:
DUMP: Can't open /etc/fstab for dump table information: No such...
This makes daily and security periodic runs somewhat cleaner in jails
which lack /etc/fstab files.
MFC after: 1 month
| |
I noticed on a system at home that restarting named(8) causes the
/var/named/dev mount to be moved to the bottom of the mount list,
because it gets remounted. When I received the daily security email this
morning, I was quite amazed to see that the security report listed the
differences, while it was nothing out of the ordinary.
If we just throw the `mount -p' output through sort(1), we'll only
receive notifications about changes to mounts if something has really
changed.
| |
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd
Reviewed by: various (posted to arch)
MFC after: 1 month
| |
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")
PR: conf/126060 [1]
MFC after: 1 month
| |
of the message, such as:
Jun 30 10:49:21 rogue sshd[17553]: Invalid user iceman from 127.0.0.1
PR: conf/124569
Submitted by: Taku <taku@tekipaki.jp>
| |
PR: misc/122069
Submitted by: taku@tekipaki.jp
MFC after: 3 days
Approved by: imp (mentor, implicit trivial change).
| |
find | sort. As a bonus, this simplifies the logic considerably. Also
remove the bogus "overruning the args to ls" comment and the corresponding
"-n 20" argument to xargs; the whole point with xargs is precisely that it
knows how large the argument list can safely get.
Note that the first run of the updated script may hypothetically produce
false positives due to differences between find's and sort's sorting
algorithm. I haven't seen this during testing, but others might.
MFC after: 2 weeks
| |
bad or illegal. This prevents matching on systems that
have a name that matches the query.
PR: conf/107560
Submitted by: Christian Laursen <cfsl at pil dot dk>
MFC after: 3 days
Approved by: imp (mentor)
| |
by revision 1.6) works again. This fix is already in RELENG_6, but was
never committed to HEAD.
| |
is not UID/GID 0, limits will be ignored and a strange error sent to auth.log.
Head nod: ru, rwatson
| |
Since ipfw2 now does dual-stack, statistics for IPv6 come from the ipfw
scripts as well.
| |
other programs
PR: conf/70973
Submitted by: Ryan Sommers <ryans@gamersimpact.com>
Approved by: philip (mentor)
MFC after: 3 days
| |
until we realize if ipfw(4) ever used.
PR: bin/85970
Submitted by: Andre Albsmeier
MFC after: 3 days
| |
'^>', in order to catch both normal and unified diffs.
Problem reported by: volker at vwsoft dot com via -stable
MFC after: 3 days
| |
rule itself, not in verbose_limit sysctl. [1]
- Do check rules, even if verbose_limit is set 0. Rules may have
their own log limits.
PR: conf/77929
Submitted by: Andriy Gapon [1]
Reviewed by: matteo
| |
Approved by: grehan (mentor)
| |
Reviewed by: brian, ru
MFC after: 1 week
| |
packet counts by pf(4).
This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.
The output will look like this (line wrapped):
pf denied packets:
> block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
Bytes: 0 States: 0 ]
> block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
States: 0 ]
Submitted by: clive (thanks a lot!)
MFC after: 2 weeks
| |
format of the 'diff' output generated during periodic(8) scripts.
Submitted by: keramida (script changes)
Reviewed by: keramida (man page changes)
| |
PR: misc/50154
Submitted by: Kimura Fuyuki <fuyuki@hadaly.org>
| |
of providing a template manually.
Submitted by: Lars Eggert <larse@isi.edu>
| |
base system one step closer to being totally perl-free.
Approved by: re (jhb)
| |
is shorter than the other.
Reviewed by: roberto
MFC after: 3 days
| |
Reviewed by: roberto
Committed from: EuroBSDCon Amsterdam
MFC after: 3 days
| |
Reviewed by: roberto
| |
rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf
knob (daily_status_security_ipfdenied_enable).
Reviewed by: roberto
Approved by: re@
| |
separate file, /etc/periodic/security/security.functions.
Reviewed by: roberto (mentor)
Approved by: re@
| |
All old sorts understand -k too.
| |
in the script. Eliminates a bug where we create a temp file, but don't
delete it since the rm(1) is only done if the check is enabled.
PR: bin/40960
Submitted by: frf <frf@xocolatl.com>
MFC after: 3 days
| |
MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
sets ${MP} to an empty string so the next line:
set ${MP}
actually just dumps all of the shell's variables to stdout (and therefore
the security report). Fixed by surrounding the code which goes through the
mounts with a test for an empty string before using ${MP}.
Reviewed by: brian
MFC after: 3 days
| |
strip the suffixes).
| |
no output.
PR: 39618
MFC after: 1 week
| |
The change was introduced in src/etc/security 1.53 almost a year ago
in an attempt to see ipfw deny message logs.
However, ipfw deny/reject logs have been displayed since version 1.13
of the same file as a separate ``job'' and have since moved to
src/etc/periodic/security/500.ipfwdenied.
MFC after: 3 days
| |
Problem reported by: lumpy <lumpy@the.whole.net>
MFC after: 3 days
| |
Due to the way we run ls(1), through xargs(1), the leading whitespace
can change even when the setuid files haven't. To avoid displaying
these lines, we currently run diff(1) with the '-w' option. However,
this is probably not the ideal way to go; there is a very, very small
possibility for diff(1) to miss things it shouldn't. So, with the
leading space cleaned, we can revert to the '-b' option which is
"safer."
PR: conf/37618
Reviewed by: brian
MFC after: 3 days
| |
and teach it to look for more general classes of failures, including
SSH login failures. This is similar but not identical to a patch
submitted by aeonflux@synapse.subneural.net.