From owner-freebsd-security Sat Nov 17 13:48:33 2001
Date: Sat, 17 Nov 2001 13:46:57 -0800
From: "Crist J. Clark"
To: audit@freebsd.org, security@freebsd.org
Subject: periodic(8)-ifying Daily Security Check (with attachment)
Message-ID: <20011117134657.C63067@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG

[Let's try this again with the attachment this time.]

I've gone through the /etc/security script and converted it into a bunch
of smaller scripts to be run by periodic(8). I think this is one of those
things someone has always meant to do, but never gotten around to.

The approach was pretty straightforward. The actions actually taken by
/etc/security have not been changed or upgraded, just broken into pieces.
Continuing to improve the daily security checks can take place once the
new format is in place.

Attached is a modified shell archive. Save it to a file and,

    # sh

To install the new periodic(8)-ified daily security checks. It will patch
/etc/defaults/periodic.conf and /etc/periodic/daily/450.status-security.
It will then add the new scripts in /etc/periodic/security.

Note that the patch process will leave a 450.status-security.orig in the
daily scripts, and _both_ 450.status-security and 450.status-security.orig
will be executed by periodic(8). For now, I consider this a debugging
feature. Please make sure that the output of the two is the same. If you
wish to disable the .orig file, change its permissions so it is not
executable. Also note that /etc/security (and any customizations you may
have there) is not touched at all.
I would really appreciate if a few people would take the time to install these and let them run a few days to make sure they actually work on systems besides mine. The patches and scripts are meant for -CURRENT, but extrapolation to -STABLE is straightforward. If anyone wants -STABLE patches and scripts to test, just say the word. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org --HcAYCG3uE/tztfnV Content-Type: application/x-shar Content-Disposition: attachment; filename="periodic_security.shar" cd / (sed 's/^X//' | patch) << 'END-periodic_security.patch' XIndex: etc/defaults/periodic.conf X=================================================================== XRCS file: /export/ncvs/src/etc/defaults/periodic.conf,v Xretrieving revision 1.17 Xdiff -u -r1.17 periodic.conf X--- etc/defaults/periodic.conf 25 Oct 2001 11:27:55 -0000 1.17 X+++ etc/defaults/periodic.conf 17 Nov 2001 20:58:21 -0000 X@@ -105,9 +105,7 @@ X X # 450.status-security X daily_status_security_enable="YES" # Security check X-daily_status_security_inline="NO" # Run inline ? X-daily_status_security_output="root" # user or /file X-daily_status_security_noamd="NO" # Don't check amd mounts X+# See "Security options" below for more options X X # 460.status-mail-rejects X daily_status_mail_rejects_enable="YES" # Check mail rejects X@@ -122,6 +120,51 @@ X X # 999.local X daily_local="/etc/daily.local" # Local scripts X+ X+ X+# Security options X+ X+# These options are used by the security periodic(8) scripts spawned in X+# 450.status-security above. X+daily_status_security_inline="NO" # Run inline ? 
X+daily_status_security_output="root" # user or /file X+daily_status_security_noamd="NO" # Don't check amd mounts X+daily_status_security_logdir="/var/log" # Directory for logs X+ X+# 100.chksetuid X+daily_status_security_chksetuid_enable="YES" X+ X+# 200.chkmounts X+daily_status_security_chkmounts_enable="YES" X+#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching X+ # FS types X+ X+# 300.chkuid0 X+daily_status_security_chkuid0_enable="YES" X+ X+# 400.passwdless X+daily_status_security_passwdless_enable="YES" X+ X+# 500.ipfwdenied X+daily_status_security_ipfwdenied_enable="YES" X+ X+# 550.ipfwlimit X+daily_status_security_ipfwlimit_enable="YES" X+ X+# 600.ip6fwdenied X+daily_status_security_ip6fwdenied_enable="YES" X+ X+# 650.ip6fwlimit X+daily_status_security_ip6fwlimit_enable="YES" X+ X+# 700.kernelmsg X+daily_status_security_kernelmsg_enable="YES" X+ X+# 800.loginfail X+daily_status_security_loginfail_enable="YES" X+ X+# 900.tcpwrap X+daily_status_security_tcpwrap_enable="YES" X X X # Weekly options XIndex: etc/periodic/daily/450.status-security X=================================================================== XRCS file: /export/ncvs/src/etc/periodic/daily/450.status-security,v Xretrieving revision 1.7 Xdiff -u -r1.7 450.status-security X--- etc/periodic/daily/450.status-security 1 Jun 2001 10:07:16 -0000 1.7 X+++ etc/periodic/daily/450.status-security 17 Nov 2001 20:57:13 -0000 X@@ -16,30 +16,23 @@ X echo "" X echo "Security check:" X X- case "$daily_status_security_noamd" in X- [Yy][Ee][Ss]) X- args=-a;; X- *) X- args=;; X- esac X- X case "$daily_status_security_inline" in X [Yy][Ee][Ss]) X- sh /etc/security -s $args X- rc=$?;; X- X+ export security_output="";; X *) X- case "${daily_status_security_output:=root}" in X+ export security_output="${daily_status_security_output}" X+ case "${daily_status_security_output}" in X+ "") X+ ;; X /*) X- echo " (output logged separately)" X- sh /etc/security -s $args \ X- >$daily_status_security_output 
2>&1;; X+ echo " (output logged separately)";; X *) X- echo " (output mailed separately)" X- sh /etc/security $args 2>&1 | X- sendmail $daily_status_security_output;; X+ echo " (output mailed separately)";; X esac;; X- esac;; X+ esac X+ X+ periodic /etc/periodic/security X+ rc=$?;; X X *) rc=0;; X esac END-periodic_security.patch mkdir -p etc/periodic/security # This is a shell archive. Save it in a file, remove anything before # this line, and then unpack it by entering "sh file". Note, it may # create directories; files and directories will be owned by you and # have default permissions. # # This archive contains: # # etc/periodic/security/100.chksetuid # etc/periodic/security/200.chkmounts # etc/periodic/security/300.chkuid0 # etc/periodic/security/400.passwdless # etc/periodic/security/500.ipfwdenied # etc/periodic/security/550.ipfwlimit # etc/periodic/security/600.ip6fwdenied # etc/periodic/security/650.ip6fwlimit # etc/periodic/security/700.kernelmsg # etc/periodic/security/800.loginfail # etc/periodic/security/900.tcpwrap # echo x - etc/periodic/security/100.chksetuid sed 's/^X//' >etc/periodic/security/100.chksetuid << 'END-of-etc/periodic/security/100.chksetuid' X#!/bin/sh - X# X# Copyright (c) 2001 The FreeBSD Project X# All rights reserved. X# X# Redistribution and use in source and binary forms, with or without X# modification, are permitted provided that the following conditions X# are met: X# 1. Redistributions of source code must retain the above copyright X# notice, this list of conditions and the following disclaimer. X# 2. Redistributions in binary form must reproduce the above copyright X# notice, this list of conditions and the following disclaimer in the X# documentation and/or other materials provided with the distribution. 
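Review bot: in the second periodic.conf hunk (@@ -122,6 +120,51 @@), `daily_status_security_noamd="NO"` and the commented-out `daily_status_security_chkmounts_ignore="^amd:"` now express the same exclusion two ways and nothing in the comments says so; since 200.chkmounts in the archive just appends `|^amd:` to the ignore pattern when noamd is YES, either note next to noamd that it is shorthand for the pattern or drop it in favour of the pattern. The new `daily_status_security_logdir="/var/log"` also does double duty: the scripts write their state files (setuid.today, mount.today, ipfw.today, dmesg.today and their .yesterday twins) there, and 800.loginfail/900.tcpwrap read syslog's `messages*` files from the same directory, so anyone who moves it to keep state out of /var/log silently loses the login-failure and tcp_wrapper checks. The comment should say that, or the two uses deserve separate knobs.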
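Review bot: in the 450.status-security hunk, `periodic /etc/periodic/security` hard-codes the base directory, so `local_periodic` is bypassed and a site cannot add its own checks under /usr/local/etc/periodic/security the way it can for daily, weekly and monthly; `periodic security` would search every base directory. Also, `rc=$?` after that call only carries periodic(8)'s own exit status, where the removed `sh /etc/security -s $args` followed by `rc=$?` carried the check's; unless periodic(8) is known to return the highest status of the scripts it ran, the 1 and 3 the new scripts take care to return never reach the daily report, so this is worth verifying before relying on 450's rc. Minor: with inline=NO and output="" the inner case is a no-op and the output ends up inline with no "(output ...)" line, where the removed `${daily_status_security_output:=root}` defaulted to mailing root.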
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_chksetuid_enable" in
X    [Yy][Ee][Ss])
X        echo ""
X        echo 'Checking setuid files and devices:'
X        # XXX Note that there is the possibility of overrunning the args to ls
X        # Only local ufs filesystems not mounted nosuid can carry a usable
X        # setuid binary, so only those are walked.
X        MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
X        set ${MP}
X        while [ $# -ge 1 ]; do
X            mount=$1
X            shift
X            find $mount -xdev -type f \
X                \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
X                \( -perm -u+s -or -perm -g+s \) -print0
X        done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
X
X        if [ ! -f ${LOG}/setuid.today ]; then
X            [ $rc -lt 1 ] && rc=1
X            echo "No ${LOG}/setuid.today"
X            cp ${TMP} ${LOG}/setuid.today || rc=3
X        fi
X
X        if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
X        then
X            [ $rc -lt 1 ] && rc=1
X            echo "${host} setuid diffs:"
X            diff -w ${LOG}/setuid.today ${TMP}
X            mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
X            mv ${TMP} ${LOG}/setuid.today || rc=3
X        fi
X        rm -f ${TMP};;
X    *) rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/100.chksetuid
echo x - etc/periodic/security/200.chkmounts
sed 's/^X//' >etc/periodic/security/200.chkmounts << 'END-of-etc/periodic/security/200.chkmounts'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show changes in the way filesystems are mounted
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xignore="${daily_status_security_chkmounts_ignore}"
Xrc=0
X
Xcase "$daily_status_security_chkmounts_enable" in
X    [Yy][Ee][Ss])
X        # daily_status_security_noamd=YES is shorthand for adding "^amd:"
X        # to the egrep ignore pattern.
X        case "$daily_status_security_noamd" in
X            [Yy][Ee][Ss])
X                ignore="${ignore}|^amd:";;
X        esac
X        [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
X        if mount -p | ${cmd} > ${TMP}; then
X            if [ ! -f ${LOG}/mount.today ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "No ${LOG}/mount.today"
X                cp ${TMP} ${LOG}/mount.today || rc=3
X            fi
X            if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "${host} changes in mounted filesystems:"
X                diff -b ${LOG}/mount.today ${TMP}
X                mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
X                mv ${TMP} ${LOG}/mount.today || rc=3
X            fi
X        fi
X        rm -f ${TMP};;
X    *) rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/200.chkmounts
echo x - etc/periodic/security/300.chkuid0
sed 's/^X//' >etc/periodic/security/300.chkuid0 << 'END-of-etc/periodic/security/300.chkuid0'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xrc=0
X
Xcase "$daily_status_security_chkuid0_enable" in
X    [Yy][Ee][Ss])
X        echo ""
X        echo 'Checking for uids of 0:'
X        # List every non-comment master.passwd entry with uid 0; root and
X        # toor are expected, anything else counts towards rc.
X        n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
X            tee /dev/stderr |
X            sed -e '/^root 0$/d' -e '/^toor 0$/d' |
X            wc -l)
X        [ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *) rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/300.chkuid0
echo x - etc/periodic/security/400.passwdless
sed 's/^X//' >etc/periodic/security/400.passwdless << 'END-of-etc/periodic/security/400.passwdless'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xrc=0
X
Xcase "$daily_status_security_passwdless_enable" in
X    [Yy][Ee][Ss])
X        echo ""
X        echo 'Checking for passwordless accounts:'
X        # Real entries (not comments or NIS +/- lines) whose password
X        # field is empty.
X        n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
X            tee /dev/stderr | wc -l)
X        [ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *) rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/400.passwdless
echo x - etc/periodic/security/500.ipfwdenied
sed 's/^X//' >etc/periodic/security/500.ipfwdenied << 'END-of-etc/periodic/security/500.ipfwdenied'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show denied packets
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_ipfwdenied_enable" in
X    [Yy][Ee][Ss])
X        # egrep exits non-zero when no rule matched, which skips the report.
X        if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
X            if [ ! -f ${LOG}/ipfw.today ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "No ${LOG}/ipfw.today"
X                cp ${TMP} ${LOG}/ipfw.today || rc=3
X            fi
X
X            if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "${host} denied packets:"
X                diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
X                mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
X                mv ${TMP} ${LOG}/ipfw.today || rc=3
X            fi
X        fi
X        rm -f ${TMP};;
X    *) rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/500.ipfwdenied
echo x - etc/periodic/security/550.ipfwlimit
sed 's/^X//' >etc/periodic/security/550.ipfwlimit << 'END-of-etc/periodic/security/550.ipfwlimit'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show ipfw rules which have reached the log limit
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
Xrc=0
X
Xcase "$daily_status_security_ipfwlimit_enable" in
X    [Yy][Ee][Ss])
X        # Only meaningful when ipfw is in the kernel and a non-zero log
X        # limit is set; the empty value a missing sysctl leaves behind must
X        # not reach "-ne" or test(1) complains.
X        IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
X        if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT:-0}" -ne 0 ]; then
X            ipfw -a l | grep " log " | perl -n -e \
X                '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
X            if [ -s "${TMP}" ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo 'ipfw log limit reached:'
X                cat ${TMP}
X            fi
X        fi
X        rm -f ${TMP};;
X    *) rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/550.ipfwlimit
echo x - etc/periodic/security/600.ip6fwdenied
sed 's/^X//' >etc/periodic/security/600.ip6fwdenied << 'END-of-etc/periodic/security/600.ip6fwdenied'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show IPv6 denied packets
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_ip6fwdenied_enable" in
X    [Yy][Ee][Ss])
X        if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
X            if [ ! -f ${LOG}/ip6fw.today ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "No ${LOG}/ip6fw.today"
X                cp ${TMP} ${LOG}/ip6fw.today || rc=3
X            fi
X
X            if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "${host} IPv6 denied packets:"
X                diff -b ${LOG}/ip6fw.today ${TMP} |
X                    egrep "^>"
X                mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
X                mv ${TMP} ${LOG}/ip6fw.today || rc=3
X            fi
X        fi
X        rm -f ${TMP};;
X    *) rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/600.ip6fwdenied
echo x - etc/periodic/security/650.ip6fwlimit
sed 's/^X//' >etc/periodic/security/650.ip6fwlimit << 'END-of-etc/periodic/security/650.ip6fwlimit'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show ip6fw rules which have reached the log limit
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
Xrc=0
X
Xcase "$daily_status_security_ip6fwlimit_enable" in
X    [Yy][Ee][Ss])
X        # As in 550.ipfwlimit: skip when the sysctl is missing or the limit
X        # is 0, without handing an empty value to "-ne".
X        IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
X        if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT:-0}" -ne 0 ]; then
X            ip6fw -a l | grep " log " | perl -n -e \
X                '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
X            if [ -s "${TMP}" ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo 'ip6fw log limit reached:'
X                cat ${TMP}
X            fi
X        fi
X        rm -f ${TMP};;
X    *) rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/650.ip6fwlimit
echo x - etc/periodic/security/700.kernelmsg
sed 's/^X//' >etc/periodic/security/700.kernelmsg << 'END-of-etc/periodic/security/700.kernelmsg'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show kernel log messages
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_kernelmsg_enable" in
X    [Yy][Ee][Ss])
X        if dmesg -a 2>/dev/null > ${TMP}; then
X            if [ ! -f ${LOG}/dmesg.today ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "No ${LOG}/dmesg.today"
X                cp ${TMP} ${LOG}/dmesg.today || rc=3
X            fi
X
X            if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "${host} kernel log messages:"
X                diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
X                mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
X                mv ${TMP} ${LOG}/dmesg.today || rc=3
X            fi
X        fi
X        rm -f ${TMP};;
X    *) rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/700.kernelmsg
echo x - etc/periodic/security/800.loginfail
sed 's/^X//' >etc/periodic/security/800.loginfail << 'END-of-etc/periodic/security/800.loginfail'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show login failures
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XLOG="${daily_status_security_logdir}"
X# Syslog date prefix of yesterday's messages, e.g. "Nov 16 "; the grep
X# below anchors on it so that only yesterday's failures are counted.
Xyesterday=`date -v-1d "+%b %e "`
Xrc=0
X
X# Yesterday's messages may already have been rotated (and compressed) by
X# newsyslog, so read the recent messages.* files oldest first, then the
X# live file.
Xcatmsgs() {
X    find ${LOG} -name 'messages.*' -mtime -2 |
X        sort -t. -r -n +1 -2 |
X        xargs zcat -f
X    [ -f ${LOG}/messages ] && cat $LOG/messages
X}
X
Xcase "$daily_status_security_loginfail_enable" in
X    [Yy][Ee][Ss])
X        echo ""
X        echo "${host} login failures:"
X        n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
X            tee /dev/stderr | wc -l)
X        [ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *) rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/800.loginfail
echo x - etc/periodic/security/900.tcpwrap
sed 's/^X//' >etc/periodic/security/900.tcpwrap << 'END-of-etc/periodic/security/900.tcpwrap'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show tcp_wrapper warning messages
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XLOG="${daily_status_security_logdir}"
X# Syslog date prefix of yesterday's messages, e.g. "Nov 16 "; the grep
X# below anchors on it so that only yesterday's refusals are counted.
Xyesterday=`date -v-1d "+%b %e "`
Xrc=0
X
X# Read the recent rotated messages.* files oldest first, then the live file.
Xcatmsgs() {
X    find ${LOG} -name 'messages.*' -mtime -2 |
X        sort -t. -r -n +1 -2 |
X        xargs zcat -f
X    [ -f ${LOG}/messages ] && cat $LOG/messages
X}
X
Xcase "$daily_status_security_tcpwrap_enable" in
X    [Yy][Ee][Ss])
X        echo ""
X        echo "${host} refused connections:"
X        n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
X            tee /dev/stderr | wc -l)
X        [ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *) rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/900.tcpwrap
for F in etc/periodic/security/100.chksetuid \
    etc/periodic/security/200.chkmounts \
    etc/periodic/security/300.chkuid0 \
    etc/periodic/security/400.passwdless \
    etc/periodic/security/500.ipfwdenied \
    etc/periodic/security/550.ipfwlimit \
    etc/periodic/security/600.ip6fwdenied \
    etc/periodic/security/650.ip6fwlimit \
    etc/periodic/security/700.kernelmsg \
    etc/periodic/security/800.loginfail \
    etc/periodic/security/900.tcpwrap; do
    chmod 755 $F
done
exit
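The one piece of logic the split-up scripts repeat is the "today/yesterday" state diff that 100.chksetuid, 200.chkmounts, 500.ipfwdenied and 700.kernelmsg each carry a copy of, together with 200.chkmounts' ignore-pattern handling and the 0/1/3 exit-code convention. As an added example, not code from the posted archive or from FreeBSD, here is that pattern factored into one POSIX sh function and exercised over two constructed days of `mount -p` output. The function names (`report_changes`, `filter_ignored`, `demo`), the sample listings and the use of mktemp(1) for the scratch file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the posted archive or FreeBSD): the today/yesterday
# state-diff pattern shared by the periodic(8) security scripts, factored into
# one function, plus the chkmounts-style ignore filter, run over constructed
# sample data. Function names, sample data and mktemp(1) use are assumptions.
#
# Exit-code convention, as in the security scripts:
#   0 = nothing to report, 1 = something to report, 3 = error.

# report_changes NAME LOGDIR  < new-snapshot
#   Compare the snapshot on stdin with LOGDIR/NAME.today. On the first run
#   seed the baseline and say so; when the snapshot differs, print the diff,
#   rotate today -> yesterday and install the snapshot as today.
report_changes() {
    name=$1
    logdir=$2
    rc=0
    tmp=$(mktemp "${logdir}/_secure.XXXXXX") || return 3
    cat > "$tmp"

    if [ ! -f "${logdir}/${name}.today" ]; then
        rc=1
        echo "No ${logdir}/${name}.today"
        cp "$tmp" "${logdir}/${name}.today" || rc=3
    fi

    if ! cmp "${logdir}/${name}.today" "$tmp" >/dev/null 2>&1; then
        rc=1
        echo "changes in ${name}:"
        diff -b "${logdir}/${name}.today" "$tmp"
        mv "${logdir}/${name}.today" "${logdir}/${name}.yesterday" || rc=3
        mv "$tmp" "${logdir}/${name}.today" || rc=3
    fi
    rm -f "$tmp"
    return $rc
}

# filter_ignored EGREP_PATTERN  < snapshot
#   200.chkmounts' ignore handling: an empty pattern passes everything
#   through, otherwise lines matching the pattern are dropped.
filter_ignored() {
    if [ -n "$1" ]; then
        grep -E -v "$1"
    else
        cat
    fi
}

# Constructed sample data standing in for `mount -p` output on two
# consecutive days; day 2 gains a USB stick mounted nosuid.
MOUNTS_DAY1='/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1f /usr ufs rw 2 2
amd:123 /host amd rw 0 0'
MOUNTS_DAY2='/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1f /usr ufs rw 2 2
/dev/da0s1 /mnt/usb ufs rw,nosuid 0 0
amd:123 /host amd rw 0 0'

# demo LOGDIR: run the mount check twice, as two daily runs would, ignoring
# amd mounts. Returns the rc of the second run (1: a new mount appeared).
demo() {
    printf '%s\n' "$MOUNTS_DAY1" | filter_ignored '^amd:' | report_changes mount "$1"
    printf '%s\n' "$MOUNTS_DAY2" | filter_ignored '^amd:' | report_changes mount "$1"
}

# Stand-alone run against a scratch directory.
workdir=$(mktemp -d) && { demo "$workdir"; rm -rf "$workdir"; }
```

The first run seeds `mount.today` and returns 1 (the "No .../mount.today" line is itself something to report); the second prints the `/mnt/usb` line as a diff, rotates the files and returns 1; a third run with the same snapshot would return 0. Anything the scripts do that this example does not is on purpose: the real checks keep their state under `daily_status_security_logdir` and let periodic(8) mail or log the output.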