Date:      Sat, 17 Nov 2001 13:46:57 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        audit@freebsd.org, security@freebsd.org
Subject:   periodic(8)-ifying Daily Security Check (with attachment)
Message-ID:  <20011117134657.C63067@blossom.cjclark.org>


--HcAYCG3uE/tztfnV
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

[Let's try this again with the attachment this time.]

I've gone through the /etc/security script and converted it into a
bunch of smaller scripts to be run by periodic(8). I think this is one
of those things someone has always meant to do, but never gotten
around to. The approach was pretty straightforward. The actions
actually taken by /etc/security have not been changed or upgraded,
just broken into pieces. Continuing to improve the daily security
checks can take place once the new format is in place.

Attached is a modified shell archive. Save it to a file and,

  # sh <file>

to install the new periodic(8)-ified daily security checks. It will
patch /etc/defaults/periodic.conf and
/etc/periodic/daily/450.status-security. It will then add the new
scripts in /etc/periodic/security. Note that the patch process will
leave a 450.status-security.orig in the daily scripts, and _both_
450.status-security and 450.status-security.orig will be executed by
periodic(8). For now, I consider this a debugging feature. Please make
sure that the output of the two is the same. If you wish to disable
the .orig file, change its permissions so it is not executable. Also
note that /etc/security (and any customizations you may have there) is
not touched at all.

I would really appreciate it if a few people would take the time to
install these and let them run a few days to make sure they actually
work on systems besides mine.

The patches and scripts are meant for -CURRENT, but extrapolation to
-STABLE is straightforward. If anyone wants -STABLE patches and
scripts to test, just say the word.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

--HcAYCG3uE/tztfnV
Content-Type: application/x-shar
Content-Disposition: attachment; filename="periodic_security.shar"

cd /
(sed 's/^X//' | patch) << 'END-periodic_security.patch'
XIndex: etc/defaults/periodic.conf
X===================================================================
XRCS file: /export/ncvs/src/etc/defaults/periodic.conf,v
Xretrieving revision 1.17
Xdiff -u -r1.17 periodic.conf
X--- etc/defaults/periodic.conf	25 Oct 2001 11:27:55 -0000	1.17
X+++ etc/defaults/periodic.conf	17 Nov 2001 20:58:21 -0000
X@@ -105,9 +105,7 @@
X 
X # 450.status-security
X daily_status_security_enable="YES"			# Security check
X-daily_status_security_inline="NO"			# Run inline ?
X-daily_status_security_output="root"			# user or /file
X-daily_status_security_noamd="NO"			# Don't check amd mounts
X+# See "Security options" below for more options
X 
X # 460.status-mail-rejects
X daily_status_mail_rejects_enable="YES"			# Check mail rejects
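Review bot: the three daily_status_security_* variables removed here are documented in periodic.conf(5) under this 450.status-security block, and the new per-script daily_status_security_*_enable knobs added further down are documented nowhere; the man page needs a matching update that is not part of this patch. The replacement comment could also name the section it points to exactly ("Security options" at the end of the daily section) so a reader of the defaults file does not have to search for it.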
X@@ -122,6 +120,51 @@
X 
X # 999.local
X daily_local="/etc/daily.local"				# Local scripts
X+
X+
X+# Security options
X+
X+# These options are used by the security periodic(8) scripts spawned in 
X+# 450.status-security above.
X+daily_status_security_inline="NO"			# Run inline ?
X+daily_status_security_output="root"			# user or /file
X+daily_status_security_noamd="NO"			# Don't check amd mounts
X+daily_status_security_logdir="/var/log"			# Directory for logs
X+
X+# 100.chksetuid
X+daily_status_security_chksetuid_enable="YES"
X+
X+# 200.chkmounts
X+daily_status_security_chkmounts_enable="YES"
X+#daily_status_security_chkmounts_ignore="^amd:"		# Don't check matching
X+							# FS types
X+
X+# 300.chkuid0
X+daily_status_security_chkuid0_enable="YES"
X+
X+# 400.passwdless
X+daily_status_security_passwdless_enable="YES"
X+
X+# 500.ipfwdenied
X+daily_status_security_ipfwdenied_enable="YES"
X+
X+# 550.ipfwlimit
X+daily_status_security_ipfwlimit_enable="YES"
X+
X+# 600.ip6fwdenied
X+daily_status_security_ip6fwdenied_enable="YES"
X+
X+# 650.ip6fwlimit
X+daily_status_security_ip6fwlimit_enable="YES"
X+
X+# 700.kernelmsg
X+daily_status_security_kernelmsg_enable="YES"
X+
X+# 800.loginfail
X+daily_status_security_loginfail_enable="YES"
X+
X+# 900.tcpwrap
X+daily_status_security_tcpwrap_enable="YES"
X 
X 
X # Weekly options
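Review bot: daily_status_security_logdir="/var/log" is doing two jobs in the scripts that follow in this archive. It is the directory the checks write their state into (setuid.today, mount.today, ipfw.today, ip6fw.today, dmesg.today and their .yesterday rotations) and it is also the directory 800.loginfail and 900.tcpwrap search for messages and messages.*; a site that points it elsewhere to keep state out of /var/log silently empties the login-failure and tcp_wrapper checks. Either split it into a state directory and a syslog directory or document that the two must coincide. The commented-out daily_status_security_chkmounts_ignore="^amd:" also overlaps with daily_status_security_noamd, which 200.chkmounts turns into the same "^amd:" pattern; say which knob is the preferred one so the other can be retired.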
XIndex: etc/periodic/daily/450.status-security
X===================================================================
XRCS file: /export/ncvs/src/etc/periodic/daily/450.status-security,v
Xretrieving revision 1.7
Xdiff -u -r1.7 450.status-security
X--- etc/periodic/daily/450.status-security	1 Jun 2001 10:07:16 -0000	1.7
X+++ etc/periodic/daily/450.status-security	17 Nov 2001 20:57:13 -0000
X@@ -16,30 +16,23 @@
X 	echo ""
X 	echo "Security check:"
X 
X-	case "$daily_status_security_noamd" in
X-	    [Yy][Ee][Ss])
X-		args=-a;;
X-	    *)
X-		args=;;
X-	esac
X-
X 	case "$daily_status_security_inline" in
X 	    [Yy][Ee][Ss])
X-		sh /etc/security -s $args
X-		rc=$?;;
X-
X+		export security_output="";;
X 	    *)
X-		case "${daily_status_security_output:=root}" in
X+		export security_output="${daily_status_security_output}"
X+		case "${daily_status_security_output}" in
X+		    "")
X+			;;
X 		    /*)
X-			echo "    (output logged separately)"
X-			sh /etc/security -s $args \
X-			    >$daily_status_security_output 2>&1;;
X+			echo "    (output logged separately)";;
X 		    *)
X-			echo "    (output mailed separately)"
X-			sh /etc/security $args 2>&1 |
X-			    sendmail $daily_status_security_output;;
X+			echo "    (output mailed separately)";;
X 		esac;;
X-	esac;;
X+	esac
X+
X+	periodic /etc/periodic/security
X+	rc=$?;;
X 
X     *)  rc=0;;
X esac
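Review bot: the hunk exports security_output and then runs periodic /etc/periodic/security, relying on periodic(8) to pick its output destination from the <directory>_output variable; nothing in this file consumes security_output, so a one-line comment naming that dependency would save the next reader a trip into /usr/sbin/periodic. Two behaviour changes against the removed code should also be called out in the commit message: the "${daily_status_security_output:=root}" default is gone, so an empty value now produces inline output (the new "" case) instead of mail to root, and rc=$? now carries periodic's own exit status rather than that of /etc/security -s.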
END-periodic_security.patch

mkdir -p etc/periodic/security

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	etc/periodic/security/100.chksetuid
#	etc/periodic/security/200.chkmounts
#	etc/periodic/security/300.chkuid0
#	etc/periodic/security/400.passwdless
#	etc/periodic/security/500.ipfwdenied
#	etc/periodic/security/550.ipfwlimit
#	etc/periodic/security/600.ip6fwdenied
#	etc/periodic/security/650.ip6fwlimit
#	etc/periodic/security/700.kernelmsg
#	etc/periodic/security/800.loginfail
#	etc/periodic/security/900.tcpwrap
#
echo x - etc/periodic/security/100.chksetuid
sed 's/^X//' >etc/periodic/security/100.chksetuid << 'END-of-etc/periodic/security/100.chksetuid'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_chksetuid_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo 'Checking setuid files and devices:'
X	# XXX Note that there is the possibility of overrunning the args to ls
X	MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
X	set ${MP}
X	while [ $# -ge 1 ]; do
X	    mount=$1
X	    shift
X	    find $mount -xdev -type f \
X		    \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
X		    \( -perm -u+s -or -perm -g+s \) -print0
X	done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
X
X	if [ ! -f ${LOG}/setuid.today ]; then
X	    [ $rc -lt 1 ] && rc=1
X	    echo "No ${LOG}/setuid.today"
X	    cp ${TMP} ${LOG}/setuid.today || rc=3
X	fi
X
X	if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
X	then
X	    [ $rc -lt 1 ] && rc=1
X	    echo "${host} setuid diffs:"
X	    diff -w ${LOG}/setuid.today ${TMP}
X	    mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
X	    mv ${TMP} ${LOG}/setuid.today || rc=3
X	fi
X	rm -f ${TMP};;
X    *)	rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/100.chksetuid
echo x - etc/periodic/security/200.chkmounts
sed 's/^X//' >etc/periodic/security/200.chkmounts << 'END-of-etc/periodic/security/200.chkmounts'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show changes in the way filesystems are mounted
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xignore="${daily_status_security_chkmounts_ignore}"
Xrc=0
X
Xcase "$daily_status_security_chkmounts_enable" in
X    [Yy][Ee][Ss])
X	case "$daily_status_security_noamd" in
X	    [Yy][Ee][Ss])
X		ignore="${ignore}|^amd:"
X	esac
X	[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
X	if mount -p | ${cmd} > ${TMP}; then
X	    if [ ! -f ${LOG}/mount.today ]; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "No ${LOG}/mount.today"
X		cp ${TMP} ${LOG}/mount.today || rc=3
X	    fi
X	    if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "${host} changes in mounted filesystems:"
X		diff -b ${LOG}/mount.today ${TMP}
X		mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
X		mv ${TMP} ${LOG}/mount.today || rc=3
X	    fi
X	fi
X	rm -f ${TMP};;
X    *)	rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/200.chkmounts
echo x - etc/periodic/security/300.chkuid0
sed 's/^X//' >etc/periodic/security/300.chkuid0 << 'END-of-etc/periodic/security/300.chkuid0'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xrc=0
X
Xcase "$daily_status_security_chkuid0_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo 'Checking for uids of 0:'
X	n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
X	tee /dev/stderr |
X	sed -e '/^root 0$/d' -e '/^toor 0$/d' |
X	wc -l)
X	[ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)	rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/300.chkuid0
echo x - etc/periodic/security/400.passwdless
sed 's/^X//' >etc/periodic/security/400.passwdless << 'END-of-etc/periodic/security/400.passwdless'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xrc=0
X
Xcase "$daily_status_security_passwdless_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo 'Checking for passwordless accounts:'
X	n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
X	    tee /dev/stderr | wc -l)
X	[ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)	rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/400.passwdless
echo x - etc/periodic/security/500.ipfwdenied
sed 's/^X//' >etc/periodic/security/500.ipfwdenied << 'END-of-etc/periodic/security/500.ipfwdenied'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show denied packets
X#
X
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_ipfwdenied_enable" in
X    [Yy][Ee][Ss])
X	if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
X	    if [ ! -f ${LOG}/ipfw.today ]; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "No ${LOG}/ipfw.today"
X		cp ${TMP} ${LOG}/ipfw.today || rc=3
X	    fi
X
X	    if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "${host} denied packets:"
X		diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
X		mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
X		mv ${TMP} ${LOG}/ipfw.today || rc=3
X	    fi
X	fi
X	rm -f ${TMP};;
X    *)	rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/500.ipfwdenied
echo x - etc/periodic/security/550.ipfwlimit
sed 's/^X//' >etc/periodic/security/550.ipfwlimit << 'END-of-etc/periodic/security/550.ipfwlimit'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show ipfw rules which have reached the log limit
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
Xrc=0
X
Xcase "$daily_status_security_ipfwlimit_enable" in
X    [Yy][Ee][Ss])
X	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
X	# Skip quietly when ipfw is not loaded (sysctl failed and printed nothing)
X	if [ -n "${IPFW_LOG_LIMIT}" ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
X	    ipfw -a l | grep " log " | perl -n -e \
X		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
X	    if [ -s "${TMP}" ]; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo 'ipfw log limit reached:'
X		cat ${TMP}
X	    fi
X	fi
X	rm -f ${TMP};;
X    *)	rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/550.ipfwlimit
echo x - etc/periodic/security/600.ip6fwdenied
sed 's/^X//' >etc/periodic/security/600.ip6fwdenied << 'END-of-etc/periodic/security/600.ip6fwdenied'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show IPv6 denied packets
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_ip6fwdenied_enable" in
X    [Yy][Ee][Ss])
X	if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
X	    if [ ! -f ${LOG}/ip6fw.today ]; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "No ${LOG}/ip6fw.today"
X		cp ${TMP} ${LOG}/ip6fw.today || rc=3
X	    fi
X
X	    if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "${host} IPv6 denied packets:"
X		diff -b ${LOG}/ip6fw.today ${TMP} |
X		    egrep "^>"
X		mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
X		mv ${TMP} ${LOG}/ip6fw.today || rc=3
X	    fi
X	fi
X	rm -f ${TMP};;
X    *)	rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/600.ip6fwdenied
echo x - etc/periodic/security/650.ip6fwlimit
sed 's/^X//' >etc/periodic/security/650.ip6fwlimit << 'END-of-etc/periodic/security/650.ip6fwlimit'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show ip6fw rules which have reached the log limit
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
Xrc=0
X
Xcase "$daily_status_security_ip6fwlimit_enable" in
X    [Yy][Ee][Ss])
X	IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
X	# Skip quietly when ip6fw is not loaded (sysctl failed and printed nothing)
X	if [ -n "${IP6FW_LOG_LIMIT}" ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
X	    ip6fw -a l | grep " log " | perl -n -e \
X		'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
X	    if [ -s "${TMP}" ]; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo 'ip6fw log limit reached:'
X		cat ${TMP}
X	    fi
X	fi
X	rm -f ${TMP};;
X    *)	rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/650.ip6fwlimit
echo x - etc/periodic/security/700.kernelmsg
sed 's/^X//' >etc/periodic/security/700.kernelmsg << 'END-of-etc/periodic/security/700.kernelmsg'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show kernel log messages
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_kernelmsg_enable" in
X    [Yy][Ee][Ss])
X	if dmesg -a 2>/dev/null > ${TMP}; then
X	    if [ ! -f ${LOG}/dmesg.today ]; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "No ${LOG}/dmesg.today"
X		cp ${TMP} ${LOG}/dmesg.today || rc=3
X	    fi
X
X	    if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
X		[ $rc -lt 1 ] && rc=1
X		echo ""
X		echo "${host} kernel log messages:"
X		diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
X		mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
X		mv ${TMP} ${LOG}/dmesg.today || rc=3
X	    fi
X	fi
X	rm -f ${TMP};;
X    *)	rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/700.kernelmsg
echo x - etc/periodic/security/800.loginfail
sed 's/^X//' >etc/periodic/security/800.loginfail << 'END-of-etc/periodic/security/800.loginfail'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show login failures
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XLOG="${daily_status_security_logdir}"
X# Yesterday's date in the syslog prefix form ("%b %e "), as /etc/security uses it
Xyesterday=$(date -v-1d "+%b %e ")
Xrc=0
X
Xcatmsgs() {
X	find ${LOG} -name 'messages.*' -mtime -2 |
X	    sort -t. -r -n +1 -2 |
X	    xargs zcat -f
X	[ -f ${LOG}/messages ] && cat $LOG/messages
X}
X
Xcase "$daily_status_security_loginfail_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo "${host} login failures:"
X	n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
X	    tee /dev/stderr | wc -l)
X	[ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)	rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/800.loginfail
echo x - etc/periodic/security/900.tcpwrap
sed 's/^X//' >etc/periodic/security/900.tcpwrap << 'END-of-etc/periodic/security/900.tcpwrap'
X#!/bin/sh -
X#
X# Copyright (c) 2001  The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show tcp_wrapper warning messages
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XLOG="${daily_status_security_logdir}"
X# Yesterday's date in the syslog prefix form ("%b %e "), as /etc/security uses it
Xyesterday=$(date -v-1d "+%b %e ")
Xrc=0
X
Xcatmsgs() {
X	find ${LOG} -name 'messages.*' -mtime -2 |
X	    sort -t. -r -n +1 -2 |
X	    xargs zcat -f
X	[ -f ${LOG}/messages ] && cat $LOG/messages
X}
X
Xcase "$daily_status_security_tcpwrap_enable" in
X    [Yy][Ee][Ss])
X	echo ""
X	echo "${host} refused connections:"
X	n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
X	    tee /dev/stderr | wc -l)
X	[ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)	rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/900.tcpwrap

for F in	etc/periodic/security/100.chksetuid \
		etc/periodic/security/200.chkmounts \
		etc/periodic/security/300.chkuid0 \
		etc/periodic/security/400.passwdless \
		etc/periodic/security/500.ipfwdenied \
		etc/periodic/security/550.ipfwlimit \
		etc/periodic/security/600.ip6fwdenied \
		etc/periodic/security/650.ip6fwlimit \
		etc/periodic/security/700.kernelmsg \
		etc/periodic/security/800.loginfail \
		etc/periodic/security/900.tcpwrap; do
	chmod 755 $F
done

exit


--HcAYCG3uE/tztfnV--
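The scripts in the archive all run against a live system, so their logic is hard to check before deploying them. The block below is an added example, not part of the shar or of FreeBSD: it reproduces the awk/sed filters of 300.chkuid0 and 400.passwdless and the today/yesterday snapshot idiom shared by 100.chksetuid, 200.chkmounts, 500.ipfwdenied, 600.ip6fwdenied and 700.kernelmsg as shell functions, and runs them over a constructed master.passwd and two constructed setuid listings. The function names (uid0_extras, passwordless, snapshot_diff), the sample accounts, hashes and paths are all made up here; passwordless prints only the account name where the script prints the whole line.

```shell
#!/bin/sh
# Added example, not part of the shar above or of FreeBSD: runs the account
# filters from 300.chkuid0 and 400.passwdless and the today/yesterday
# snapshot idiom shared by 100.chksetuid, 200.chkmounts, 500/600.*fwdenied
# and 700.kernelmsg against constructed data, so the logic can be checked
# without a FreeBSD box. master.passwd(5) field layout:
#   name:passwd:uid:gid:class:change:expire:gecos:home:shell

SAMPLE_PASSWD=$(mktemp) || exit 1
STATE=$(mktemp -d) || exit 1
trap 'rm -rf "$SAMPLE_PASSWD" "$STATE"' EXIT

# Constructed sample; every account and hash below is made up.
cat > "$SAMPLE_PASSWD" <<'EOF'
# comment line: both checks must ignore it
root:$1$madeup$0123456789abcdefghijklm:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
svcacct:*:0:0::0:0:Second uid 0 account (constructed):/nonexistent:/bin/sh
guest::1001:1001::0:0:Empty password field (constructed):/home/guest:/bin/sh
+:::::::::
alice:$1$madeup$0123456789abcdefghijklm:1002:1002::0:0:Alice:/home/alice:/bin/sh
EOF

# Same awk/sed filter as 300.chkuid0: uid 0 accounts other than root and toor.
uid0_extras() {
    awk -F: '/^#/ {next} $3==0 {print $1,$3}' "$1" |
        sed -e '/^root 0$/d' -e '/^toor 0$/d'
}

# Same awk filter as 400.passwdless (printing the name only): entries that
# are neither comments nor NIS +/- references and have an empty password.
passwordless() {
    awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $1}' "$1"
}

# Snapshot idiom: keep <name>.today in a state directory, show a diff when
# the fresh listing differs, rotate today -> yesterday. Exit status follows
# the scripts: 0 nothing to report, 1 something to report (first run or a
# change), 3 the state files could not be updated. The caller removes
# <newfile> if it was not consumed.
snapshot_diff() {   # snapshot_diff <statedir> <name> <newfile>
    dir=$1; name=$2; new=$3; rc=0
    if [ ! -f "$dir/$name.today" ]; then
        rc=1
        echo "No $dir/$name.today"
        cp "$new" "$dir/$name.today" || return 3
    fi
    if ! cmp "$dir/$name.today" "$new" >/dev/null 2>&1; then
        rc=1
        echo "$name diffs:"
        diff -b "$dir/$name.today" "$new" || :   # diff exits 1 when files differ
        mv "$dir/$name.today" "$dir/$name.yesterday" || return 3
        mv "$new" "$dir/$name.today" || return 3
    fi
    return $rc
}

echo "Checking for uids of 0:"
uid0_extras "$SAMPLE_PASSWD"        # prints: svcacct 0
echo "Checking for passwordless accounts:"
passwordless "$SAMPLE_PASSWD"       # prints: guest

# Two constructed setuid listings; the second gains one entry.
printf '%s\n' /usr/bin/passwd /usr/bin/su > "$STATE/run1"
printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/local/bin/newtool > "$STATE/run2"
snapshot_diff "$STATE" setuid "$STATE/run1" || echo "rc=$?"   # first run, rc=1
rm -f "$STATE/run1"
snapshot_diff "$STATE" setuid "$STATE/run2" || echo "rc=$?"   # changed, rc=1
```

The return-code convention matters for the periodic(8) summary: 1 means "there is something in the output worth reading", 3 means the check itself could not maintain its state, and the scripts deliberately never lower an rc that a previous step already raised.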
