| Commit message (Collapse) | Author | Age | Files | Lines |
| |
until we realize if ipfw(4) ever used.
PR: bin/85970
Submitted by: Andre Albsmeier
MFC after: 3 days
| |
'^>', in order to catch both normal and unified diffs.
Problem reported by: volker at vwsoft dot com via -stable
MFC after: 3 days
| |
rule itself, not in verbose_limit sysctl. [1]
- Do check rules, even if verbose_limit is set 0. Rules may have
their own log limits.
PR: conf/77929
Submitted by: Andriy Gapon [1]
Reviewed by: matteo
| |
PR: conf/35242
Submitted by: Annihilator <annihilator.c@usa.net>
| |
Approved by: grehan (mentor)
| |
Reviewed by: brian, ru
MFC after: 1 week
| |
As there are no tabs in maillog, reduce the expression so that only spaces
are used.
Problem raised by: Leif Neland root at internet dot dk
| |
reject. For example:
Checking for rejected mail hosts:
48 getherbalnow.info (451... resolve)
46 absorb.com (451... resolve)
4 tgmart01.codns.com (553... exist)
3 kali.com.cn (451... resolve)
2 genie.com (451... resolve)
1 zv.qy (553... exist)
1 zd.hinet.hr (553... exist)
....
The bit in parentheses is the reject code and the last word on the line -
enough to give the admin a better chance of seeing real problems (hopefully!).
While I'm here, remove the "<" at the start of rejects coming from "from"
addresses without a name@ part.
I had to rewrite the patch given by the submitter as this script has been
sed'ified (used to be perl) and I think the reject code is useful....
PR: 17377
Idea from: root at ns dot internet dot dk
MFC after: 7 days
| |
This also trims extraneous commas from domain names.
MFC after: 7 days
| |
OK'ed by: core
| |
packet counts by pf(4).
This adds a ``daily_status_security_pfdenied_enable'' variable to
periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions.
The output will look like this (line wrapped):
pf denied packets:
> block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0
Bytes: 0 States: 0 ]
> block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578
States: 0 ]
Submitted by: clive (thanks a lot!)
MFC after: 2 weeks
| |
format of the 'diff' output generated during periodic(8) scripts.
Submitted by: keramida (script changes)
Reviewed by: keramida (man page changes)
| |
This is particularly convenient on a cluster of machines to prevent
having to rebuild the INDEX file on each.
Reviewed by: portmgr
| |
PR: misc/50154
Submitted by: Kimura Fuyuki <fuyuki@hadaly.org>
| |
be properly mailwrapper'ed.
PR: conf/60676
Submitted by: Colin Percival <cperciva@daemonology.net>, maxim
MFC after: 4 days
| |
of providing a template manually.
Submitted by: Lars Eggert <larse@isi.edu>
| |
Reported by: mdodd
Pointy hat to: jhb
| |
removing the related 220.backup-distfile script and associated periodic.conf
entry.
Discussed with: obrien
| |
Tell sendmail to clean up its own host status cache.
The error condition handling could probably be done better.
| |
base system one step closer to being totally perl-free.
Approved by: re (jhb)
| |
is shorter than the other.
Reviewed by: roberto
MFC after: 3 days
| |
Reviewed by: roberto
Committed from: EuroBSDCon Amsterdam
MFC after: 3 days
| |
Reviewed by: roberto
| |
rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf
knob (daily_status_security_ipfdenied_enable).
Reviewed by: roberto
Approved by: re@
| |
separate file, /etc/periodic/security/security.functions.
Reviewed by: roberto (mentor)
Approved by: re@
| |
and atime only, but also the ctime. Otherwise, files extracted from
tar or zip archives will immediately be declared stale since they've
got their mtime reset to the original mtime.
Reviewed by: brian
MFC after: 1 week
| |
of pkg_version in periodic/weekly/400.status-pkg.
| |
All old sorts understand -k too.
| |
in the script. Eliminates a bug where we create a temp file, but don't
delete it since the rm(1) is only done if the check is enabled.
PR: bin/40960
Submitted by: frf <frf@xocolatl.com>
MFC after: 3 days
| |
o Bring if/then style in sync with /etc/rc scripts
PR: conf/41570
Submitted by: Konstantin M Volevatch <cox@rosnet.ru>
MFC after: 1 week
| |
MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
sets ${MP} to an empty string so the next line:
set ${MP}
actually just dumps all of the shell's variables to stdout (and therefore
the security report). Fixed by surrounding the code which goes through the
mounts with a test for an empty string before using ${MP}.
Reviewed by: brian
MFC after: 3 days
| |
strip the suffixes).
| |
no output.
PR: 39618
MFC after: 1 week
| |
of wtmp.0 is done as mode 600.
This ensures that tight permissions set in /etc/newsyslog.conf for
wtmp logging aren't ``betrayed''.
Suggested by: lumpy <lumpy@the.whole.net>
MFC after: 3 days
| |
The change was introduced in src/etc/security 1.53 almost a year ago
in an attempt to see ipfw deny message logs.
However, ipfw deny/reject logs have been displayed since version 1.13
of the same file as a separate ``job'' and have since moved to
src/etc/periodic/security/500.ipfwdenied.
MFC after: 3 days
| |
Problem reported by: lumpy <lumpy@the.whole.net>
MFC after: 3 days
| |
Returning $? masks security output when ``periodic security'' is successful!
MFC after: 3 days
| |
PR: 23766
Mostly submitted by: lambert@ssabsd.csw.net
MFC after: 3 days
| |
Due to the way we run ls(1), through xargs(1), the leading whitespace
can change even when the setuid files haven't. To avoid displaying
these lines, we currently run diff(1) with the '-w' option. However,
this is probably not the ideal way to go; there is a very, very small
possibility for diff(1) to miss things it shouldn't. So, with the
leading space cleaned, we can revert to the '-b' option which is
"safer."
PR: conf/37618
Reviewed by: brian
MFC after: 3 days
| |
PR: 37529
Partially submitted by: Peter Hollaubek <fifteen@inext.hu>
MFC after: 1 week
| |
clientmqueue (submit mail queue).
The new mailq display is only active if both the old
daily_status_mailq_enable is set to "YES" and the new
daily_status_include_submit_mailq is set to "YES" so people who disabled
440.status-mailq won't have any surprises.
Likewise, the new queue run is only active if both the old
daily_queuerun_enable is set to "YES" and the new daily_submit_queuerun
is set to "YES" so people who disabled 500.queuerun won't have any
surprises.
While I am here, remove the [ ! -d /var/spool/mqueue ] checks from
both scripts as the queue directory isn't always /var/spool/mqueue for
the main daemon -- it can be set to anything in the sendmail.cf file.
MFC after: 1 week