diff options
| author | Jeremie Le Hen <jlh@FreeBSD.org> | 2013-08-27 21:20:28 +0000 |
|---|---|---|
| committer | Jeremie Le Hen <jlh@FreeBSD.org> | 2013-08-27 21:20:28 +0000 |
| commit | 69b55c23cb93350a21cd39c317881cda0b9187ca (patch) | |
| tree | aeca29c177cf44d51cbba1cb6a179a3bb74302ef /etc/periodic | |
| parent | f729ede69e0e05c8b11660bb2bc6b87b800b7dbb (diff) | |
| download | src-69b55c23cb93350a21cd39c317881cda0b9187ca.tar.gz src-69b55c23cb93350a21cd39c317881cda0b9187ca.zip | |
Make the period of each periodic security script configurable.
There are now six additional variables
weekly_status_security_enable
weekly_status_security_inline
weekly_status_security_output
monthly_status_security_enable
monthly_status_security_inline
monthly_status_security_output
alongside their existing daily counterparts. They all have the same
default values.
All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.
"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows to define the period of
each script. The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".
Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitely disabled with a
"NO", either for in the "_enable" or the "_period" variable.
When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
myfbsd security run output -> myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.
Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section. I left them in
place for this commit to make reviewing easier.
Reviewed by: hackers@
Notes
Notes:
svn path=/head/; revision=254974
Diffstat (limited to 'etc/periodic')
| -rwxr-xr-x | etc/periodic/monthly/450.status-security | 41 | ||||
| -rwxr-xr-x | etc/periodic/security/100.chksetuid | 12 | ||||
| -rwxr-xr-x | etc/periodic/security/110.neggrpperm | 9 | ||||
| -rwxr-xr-x | etc/periodic/security/200.chkmounts | 17 | ||||
| -rwxr-xr-x | etc/periodic/security/300.chkuid0 | 13 | ||||
| -rwxr-xr-x | etc/periodic/security/400.passwdless | 13 | ||||
| -rwxr-xr-x | etc/periodic/security/410.logincheck | 13 | ||||
| -rwxr-xr-x | etc/periodic/security/460.chkportsum | 12 | ||||
| -rwxr-xr-x | etc/periodic/security/500.ipfwdenied | 11 | ||||
| -rwxr-xr-x | etc/periodic/security/510.ipfdenied | 11 | ||||
| -rwxr-xr-x | etc/periodic/security/520.pfdenied | 11 | ||||
| -rwxr-xr-x | etc/periodic/security/550.ipfwlimit | 11 | ||||
| -rwxr-xr-x | etc/periodic/security/610.ipf6denied | 11 | ||||
| -rwxr-xr-x | etc/periodic/security/700.kernelmsg | 11 | ||||
| -rwxr-xr-x | etc/periodic/security/800.loginfail | 16 | ||||
| -rwxr-xr-x | etc/periodic/security/900.tcpwrap | 16 | ||||
| -rw-r--r-- | etc/periodic/security/security.functions | 12 | ||||
| -rwxr-xr-x | etc/periodic/weekly/450.status-security | 41 | ||||
| -rw-r--r-- | etc/periodic/weekly/Makefile | 1 |
19 files changed, 198 insertions, 84 deletions
diff --git a/etc/periodic/monthly/450.status-security b/etc/periodic/monthly/450.status-security new file mode 100755 index 000000000000..027c896d4d2f --- /dev/null +++ b/etc/periodic/monthly/450.status-security @@ -0,0 +1,41 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$monthly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$monthly_status_security_inline" in + [Yy][Ee][Ss]) + monthly_status_security_output="";; + esac + + export security_output="${monthly_status_security_output}" + case "${monthly_status_security_output}" in + "") + rc=3;; + /*) + echo " (output logged separately)" + rc=0;; + *) + echo " (output mailed separately)" + rc=0;; + esac + + periodic security || rc=3;; + + *) rc=0;; +esac + +exit $rc diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid index 5b93b2043dc0..95920a6faf90 100755 --- a/etc/periodic/security/100.chksetuid +++ b/etc/periodic/security/100.chksetuid @@ -37,10 +37,12 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chksetuid_enable + rc=0 -case "$daily_status_security_chksetuid_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_chksetuid_enable +then echo "" echo 'Checking setuid files and devices:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` @@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_enable" in \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | check_diff setuid - "${host} setuid diffs:" rc=$? - ;; - *) - rc=0 - ;; -esac +fi exit $rc diff --git a/etc/periodic/security/110.neggrpperm b/etc/periodic/security/110.neggrpperm index 68d1e7b24d77..1d545ac5f7b6 100755 --- a/etc/periodic/security/110.neggrpperm +++ b/etc/periodic/security/110.neggrpperm @@ -35,10 +35,12 @@ then source_periodic_confs fi +security_daily_compat_var security_status_neggrpperm_enable + rc=0 -case "$daily_status_security_neggrpperm_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_neggrpperm_enable +then echo "" echo 'Checking negative group permissions:' MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'` @@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_enable" in \( ! -perm +040 -and -perm +004 \) \) \ -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0 - ;; -esac +fi exit $rc diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts index 17b114ef0a8c..7b14866869bb 100755 --- a/etc/periodic/security/200.chkmounts +++ b/etc/periodic/security/200.chkmounts @@ -40,12 +40,16 @@ fi . /etc/periodic/security/security.functions -ignore="${daily_status_security_chkmounts_ignore}" +security_daily_compat_var security_status_chkmounts_enable +security_daily_compat_var security_status_chkmounts_ignore +security_daily_compat_var security_status_noamd + +ignore="${security_status_chkmounts_ignore}" rc=0 -case "$daily_status_security_chkmounts_enable" in - [Yy][Ee][Ss]) - case "$daily_status_security_noamd" in +if check_yesno_period security_status_chkmounts_enable +then + case "$security_status_noamd" in [Yy][Ee][Ss]) ignore="${ignore}|^amd:" esac @@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_enable" in fi mount -p | sort | ${cmd} | check_diff mount - "${host} changes in mounted filesystems:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit "$rc" diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0 index 32cc16c846c3..73578e241553 100755 --- a/etc/periodic/security/300.chkuid0 +++ b/etc/periodic/security/300.chkuid0 @@ -36,16 +36,19 @@ then source_periodic_confs fi -case "$daily_status_security_chkuid0_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_chkuid0_enable + +rc=0 + +if check_yesno_period security_status_chkuid0_enable +then echo "" echo 'Checking for uids of 0:' n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | tee /dev/stderr | sed -e '/^root 0$/d' -e '/^toor 0$/d' | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless index 42ece0453ccd..5e851ac847c7 100755 --- a/etc/periodic/security/400.passwdless +++ b/etc/periodic/security/400.passwdless @@ -35,14 +35,17 @@ then source_periodic_confs fi -case "$daily_status_security_passwdless_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_passwdless_enable + +rc=0 + +if check_yesno_period security_status_passwdless_enable +then echo "" echo 'Checking for passwordless accounts:' n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/410.logincheck b/etc/periodic/security/410.logincheck index f6cf4052bd7a..41e7f65ebf1b 100755 --- a/etc/periodic/security/410.logincheck +++ b/etc/periodic/security/410.logincheck @@ -35,8 +35,12 @@ then source_periodic_confs fi -case "$daily_status_security_logincheck_enable" in - [Yy][Ee][Ss]) +security_daily_compat_var security_status_logincheck_enable + +rc=0 + +if check_yesno_period security_status_logincheck_enable +then echo "" echo 'Checking login.conf permissions:' if [ -G /etc/login.conf -a -O /etc/login.conf ]; then @@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in echo "Bad ownership of /etc/login.conf" n=1 fi - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit "$rc" diff --git a/etc/periodic/security/460.chkportsum b/etc/periodic/security/460.chkportsum index 3a39c84d0835..18a12ecbadb3 100755 --- a/etc/periodic/security/460.chkportsum +++ b/etc/periodic/security/460.chkportsum @@ -35,13 +35,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_chkportsum_enable + rc=0 echo "" echo 'Checking for ports with mismatched checksums:' -case "${daily_status_security_chkportsum_enable}" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_chkportsum_enable +then set -f pkg_info -ga 2>/dev/null | \ while IFS= read -r line; do @@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum_enable}" in ;; esac done - ;; - *) - rc=0 - ;; -esac +fi exit $rc diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied index 6a6fb8b4f6a6..f39ca0ed9531 100755 --- a/etc/periodic/security/500.ipfwdenied +++ b/etc/periodic/security/500.ipfwdenied @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfwdenied_enable + rc=0 -case "$daily_status_security_ipfwdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfwdenied_enable +then TMP=`mktemp -t security` if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/510.ipfdenied b/etc/periodic/security/510.ipfdenied index 2058d2b1cb94..bed75e645c2a 100755 --- a/etc/periodic/security/510.ipfdenied +++ b/etc/periodic/security/510.ipfdenied @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipfdenied_enable + rc=0 -case "$daily_status_security_ipfdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfdenied_enable +then TMP=`mktemp -t security` if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf ${TMP} "${host} ipf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied index 5e5139363028..7a32bf2a193b 100755 --- a/etc/periodic/security/520.pfdenied +++ b/etc/periodic/security/520.pfdenied @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_pfdenied_enable + rc=0 -case "$daily_status_security_pfdenied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_pfdenied_enable +then TMP=`mktemp -t security` if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then check_diff new_only pf ${TMP} "${host} pf denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit index daa0f86321f8..86932c676c7a 100755 --- a/etc/periodic/security/550.ipfwlimit +++ b/etc/periodic/security/550.ipfwlimit @@ -38,10 +38,12 @@ then source_periodic_confs fi +security_daily_compat_var security_status_ipfwlimit_enable + rc=0 -case "$daily_status_security_ipfwlimit_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipfwlimit_enable +then IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then exit 0 @@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_enable" in echo 'ipfw log limit reached:' cat ${TMP} fi - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/610.ipf6denied b/etc/periodic/security/610.ipf6denied index 6c64d92eee7e..7e02cfc583f3 100755 --- a/etc/periodic/security/610.ipf6denied +++ b/etc/periodic/security/610.ipf6denied @@ -37,17 +37,18 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_ipf6denied_enable + rc=0 -case "$daily_status_security_ipf6denied_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_ipf6denied_enable +then TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" fi rc=$? - rm -f ${TMP};; - *) rc=0;; -esac + rm -f ${TMP} +fi exit $rc diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg index fb5ed633f461..8bf6491901ed 100755 --- a/etc/periodic/security/700.kernelmsg +++ b/etc/periodic/security/700.kernelmsg @@ -40,14 +40,15 @@ fi . /etc/periodic/security/security.functions +security_daily_compat_var security_status_kernelmsg_enable + rc=0 -case "$daily_status_security_kernelmsg_enable" in - [Yy][Ee][Ss]) +if check_yesno_period security_status_kernelmsg_enable +then dmesg 2>/dev/null | check_diff new_only dmesg - "${host} kernel log messages:" - rc=$?;; - *) rc=0;; -esac + rc=$? +fi exit $rc diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail index 767b9597ad41..a0de96dec10e 100755 --- a/etc/periodic/security/800.loginfail +++ b/etc/periodic/security/800.loginfail @@ -38,7 +38,10 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_loginfail_enable + +LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` @@ -55,14 +58,15 @@ catmsgs() { [ -f ${LOG}/auth.log ] && cat $LOG/auth.log } -case "$daily_status_security_loginfail_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_yesno_period security_status_loginfail_enable +then echo "" echo "${host} login failures:" n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap index 55f77099bb7c..10b02e9e2bb6 100755 --- a/etc/periodic/security/900.tcpwrap +++ b/etc/periodic/security/900.tcpwrap @@ -38,7 +38,10 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_tcpwrap_enable + +LOG="${security_status_logdir}" yesterday=`date -v-1d "+%b %e "` @@ -55,14 +58,15 @@ catmsgs() { [ -f ${LOG}/messages ] && cat $LOG/messages } -case "$daily_status_security_tcpwrap_enable" in - [Yy][Ee][Ss]) +rc=0 + +if check_yesno_period security_status_tcpwrap_enable +then echo "" echo "${host} refused connections:" n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; - *) rc=0;; -esac + [ $n -gt 0 ] && rc=1 || rc=0 +fi exit $rc diff --git a/etc/periodic/security/security.functions b/etc/periodic/security/security.functions index f5b8dcd203d4..bc2bcba16877 100644 --- a/etc/periodic/security/security.functions +++ b/etc/periodic/security/security.functions @@ -27,11 +27,19 @@ # $FreeBSD$ # +# This is a library file, so we only try to do something when sourced. +case "$0" in +*/security.functions) exit 0 ;; +esac + +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_diff_flags + # # Show differences in the output of an audit command # -LOG="${daily_status_security_logdir}" +LOG="${security_status_logdir}" rc=0 # Usage: COMMAND | check_diff [new_only] LABEL - MSG @@ -67,7 +75,7 @@ check_diff() { [ $rc -lt 1 ] && rc=1 echo "" echo "${msg}" - diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \ + diff ${security_status_diff_flags} ${LOG}/${label}.today \ ${tmpf} | eval "${filter}" mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3 diff --git a/etc/periodic/weekly/450.status-security b/etc/periodic/weekly/450.status-security new file mode 100755 index 000000000000..513fbda7b60d --- /dev/null +++ b/etc/periodic/weekly/450.status-security @@ -0,0 +1,41 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$weekly_status_security_inline" in + [Yy][Ee][Ss]) + weekly_status_security_output="";; + esac + + export security_output="${weekly_status_security_output}" + case "${weekly_status_security_output}" in + "") + rc=3;; + /*) + echo " (output logged separately)" + rc=0;; + *) + echo " (output mailed separately)" + rc=0;; + esac + + periodic security || rc=3;; + + *) rc=0;; +esac + +exit $rc diff --git a/etc/periodic/weekly/Makefile b/etc/periodic/weekly/Makefile index 7f2eae22de3e..057653d590f3 100644 --- a/etc/periodic/weekly/Makefile +++ b/etc/periodic/weekly/Makefile @@ -3,6 +3,7 @@ .include <bsd.own.mk> FILES= 340.noid \ + 450.status-security \ 999.local # NB: keep these sorted by MK_* knobs |