| Commit message (Collapse) | Author | Age | Files | Lines |
|
reduce false positives.
The committed patch was provided by Christian Marg.
PR: 91732
Submitted by: Daniel O'Connor <doconnor at gsoft.com.au>
Skye Poier <spoier at gmail.com>
Alan Amesbury <amesbury at umn.edu>
Christian Marg <marg at rz.tu-clausthal.de>
|
Remove remnants of BIND from /etc, since there is no BIND in base now.
Sorry, that would break users running head and BIND from ports, since
ports rely on these scripts. The ports will be fixed soon.
Approved by: re (kib)
|
affect 'make universe'.
Approved by: re (gjb)
|
There are now six additional variables
weekly_status_security_enable
weekly_status_security_inline
weekly_status_security_output
monthly_status_security_enable
monthly_status_security_inline
monthly_status_security_output
alongside their existing daily counterparts. They all have the same
default values.
All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.
"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows to define the period of
each script. The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".
Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitly disabled with a
"NO", either in the "_enable" or the "_period" variable.
When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
myfbsd security run output -> myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.
Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section. I left them in
place for this commit to make reviewing easier.
Reviewed by: hackers@
|
forced to 3 so that the output of this script is always displayed.
In fact, setting this flag is identical to setting
daily_status_security_output to an empty string. To make the logic
less confusing, change the behavior of daily_status_security_inline
such that it just forces daily_status_security_output to an empty
string and then applies the normal logic.
PR: conf/178611
Submitted by: Jason Unovitch <jason.unovitch@gmail.com>
MFC after: 3 days
|
sendmail support the use of /etc/aliases.
PR: conf/176098
Submitted by: ak
MFC after: 2 weeks
|
knob
|
/etc/periodic/weekly/400.status-pkg to be friendly with pkgng.
MFC after: 1 week
|
has a non-empty dumpdates file.
Reviewed by: brooks
MFC after: 1 week
|
PR: conf/165956
Submitted by: Jeremy Chadwick
MFC after: 1 week
|
zfs pools on the system.
While here, document daily_status_zfs_enable in periodic.conf(5).
Discussed on: -fs [1]
Reviewed by: netchild [1]
Approved by: jhb
MFC after: 1 week
[1] - http://lists.freebsd.org/pipermail/freebsd-fs/2011-June/011869.html
|
only 1 old file to be saved, so fix this. Problem raised in the PR,
but actually required a different solution.
While I'm here, fix a very old off-by-one error causing 1 more file
than specified in daily_accounting_save to be saved because acct.0
was not taken into account (pun intended). Change that, and use a more
thorough method of finding old files to delete. Partly just because this
is the right thing to do, but also to silently fix the extra log that
would have been left behind forever with the previous method.
PR: conf/160848
Submitted by: Andrey Zonov <andrey@zonov.org>
|
whole weeks makes it easier to predict when the scrub would
happen.
MFC after: 1 week
|
cannot be created ($daily_backup_pkgdb_dbdir -> $daily_backup_pkgdb_dir).
MFC after: 1 week
|
This knob removes the tools that are exclusively used to view and
maintain the databases maintained by utmpx, namely last, users, who,
wtmpcvt, ac, lastlogin and utxrm.
The tool w is not in this list, because it has some other functionality
which is unrelated to utmpx; it is hardlinked to the uptime tool.
|
The WITHOUT_ACCT switch is supposed to omit tools related to process
accounting, namely accton and sa. ac(8) is just a simple tool that
prints statistics based on data in the utx.log database. It has nothing
to do with the former.
|
Approved by: kib (mentor)
MFC after: 3 days
|
to avoid causing errors in the shell script.
Submitted by: William Grzybowski <william88@gmail.com>
Approved by: kib (mentor)
MFC after: 7 days
Sponsored by: iXsystems
|
2. Add the -H flag to tar in case /var/db/pkg itself is a symlink
3. Direct stderr to /dev/null to suppress the leading slash warning [1]
PR: ports/156810 [1]
Submitted by: Jeremy Chadwick <freebsd@jdc.parodius.com> [1]
|
tell that there is a separate email or that the output is logged to a file.
This commit changes the return code for the non-inline case to tell that
this message is not important enough and can be masked if necessary. The
messages from the security checks themselves are not affected by this and
show up as before in the periodic security email/file.
The inline case still requests to not mask the output, as with the current
way of handling this there is no easy way to handle this.
PR: 138692
Analysis/patch by: Chris Cowart <ccowart@timesinks.net>
X-MFC after: on request
|
MFC after: 1 week
|
Hook up 610.ipf6denied based on MK_IPFILTER as 510.ipfdenied is now
Poked by: Andrzej Tobola <ato@iem.pw.edu.pl>
|
The final product contains work from the originator, and
Florent Thoumie <florent.thoumie@gmail.com>. The final
product contains considerable re-working by me, so all
responsibility for bugs rests under my pointy hat.
PR: ports/145957
Submitted by: Eitan Adler <EitanAdlerList@gmail.com>
|
The old version had a race between the time that the old file was
cp'ed to acct.0 and the time that 'sa -s' was run that prevented
the commands that occurred in the meantime from being backed up.
It's also arguable that the old version was inefficient in using
cp which can be a problem on a space-constrained system.
This version avoids both problems, albeit it's considerably more
complicated. The advantage of putting the log rotation in the rc.d
script is that it can handle the _enable and _file questions without
having to do gymnastics to discover either value in the periodic script.
As a side effect of reviewing the rc.d script I cleaned it up a bit.
|
Along the way make some efficiency improvements.
Submitted by: jilles
Approved by: kib (mentor)
MFC after: 3 days
|
zpool the output causes the script to bail out with syntax errors.
Since a scrub of a faulted zpool is pointless, just skip over any pools
marked as such.
PR: conf/150228
Submitted by: jpaetzel
Approved by: kib (mentor)
MFC after: 3 days
MFC note: only for RELENG_8
|
group on an object has fewer permissions than everyone). These
permissions will not work reliably over NFS if you have more than
14 supplemental groups and are usually not what you mean.
MFC after: 1 week
|
Submitted by: Alex Kozlov <spam rm-rf kiev ua>
MFC after: 2 weeks
|
last one' to 'running next scrub the <value>th day after the last one'.
- Improve wording.
Requested by: jhell <jhell@DataIX.net>
MFC after: 1 week
|
to the build, so it gets actually installed.
Approved by: des (mentor)
MFC after: 17 days
|
like spaces in filename
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)
|
changes to the package database, i.e. any packages that
have been added, updated or deleted in the past 24 hours.
The format is intentionally simple and concise.
That information is particularly useful on servers that
are maintained by multiple administrators. When someone
adds, updates or deletes a package, the others will see
it in the daily periodic output.
This script is disabled by default.
PR: conf/113913
Submitted by: olli
Approved by: des (mentor)
MFC after: 3 weeks
|
mismatched checksum
PR: conf/124641
Submitted by: Alex Kozlov <spam@rm-rf.kiev.ua>
Approved by: delphij (mentor)
|
- move the zfs status script into the MK_ZFS conditional to respect
WITHOUT_ZFS
Noticed by: Andrzej Tobola <ato@iem.pw.edu.pl>
|
Features:
- configurable amount of days between scrubs (default value or per pool)
- do not scrub directly after pool creation (respects the configured
number of days between scrubs)
- do not scrub if a scrub is in progress
- tells how to see the status of the scrub
- tells how many days since the last scrub if it skips the scrubbing
- warns if a non-existent pool is specified explicitly
(default: no pools specified -> all currently imported pools are
handled)
- runs late in the periodic run to not slow down the other periodic daily
scripts
Discussed on: fs@
|
utilities and related support files for manual pages, which were previously
controlled by MAN. For POLA, the default depends on MAN, i.e., WITHOUT_MAN
implies WITHOUT_MAN_UTILS and WITH_MAN implies WITH_MAN_UTILS. This patch
is slightly improved by me from:
PR: misc/145212
|
fstab: /etc/fstab:0: No such file or directory
and from dump(8) when setfsent(3) fails due to /etc/fstab not existing:
DUMP: Can't open /etc/fstab for dump table information: No such...
This makes daily and security periodic runs somewhat cleaner in jails
which lack /etc/fstab files.
MFC after: 1 month
|
and -delete (which implies depth-first traversal), avoid using -delete in
favour of -execdir.
This has a side-effect of not removing directories that contain files,
even if we delete all of those files, but IMHO that's a better option
than specifying all possible local filesystem types in this script.
PR: 122811
MFC after: 3 weeks
|
differently. The output now shows the ruleset and shortens to
slightly different text (using $daily_status_mail_rejects_shorten),
but it should be more descriptive.
PR: 35018
Inspired by: Mikhail Teterin - mi at aldan dot algebra dot com
MFC after: 3 weeks
|
I noticed on a system at home that restarting named(8) causes the
/var/named/dev mount to be moved to the bottom of the mount list,
because it gets remounted. When I received the daily security email this
morning, I was quite amazed to see that the security report listed the
differences, while it was nothing out of the ordinary.
If we just throw the `mount -p' output through sort(1), we'll only
receive notifications about changes to mounts if something has really
changed.
|
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd
Reviewed by: various (posted to arch)
MFC after: 1 month
|
- don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
- handle rules without logging limit correctly [1]
(those rules show up without logamount in "ipfw -a list")
PR: conf/126060 [1]
MFC after: 1 month
|