From owner-freebsd-audit Sun Nov 11 4:50:18 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id EFA9437B416 for ; Sun, 11 Nov 2001 04:50:11 -0800 (PST)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 162u4o-0004D0-00; Sun, 11 Nov 2001 14:51:06 +0200
From: Sheldon Hearn
To: "Akinori MUSHA"
Cc: audit@FreeBSD.org
Subject: Re: make test(1) a sh(1) builtin command
In-reply-to: Your message of "Sat, 10 Nov 2001 05:39:18 +0900." <86n11vel1l.wl@archon.local.idaemons.org>
Date: Sun, 11 Nov 2001 14:51:06 +0200
Message-ID: <16181.1005483066@axl.seasidesoftware.co.za>
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Sat, 10 Nov 2001 05:39:18 +0900, "Akinori MUSHA" wrote:

> I think it would be a great trade to pay just 0.6% size increase for a
> test(1) builtin command. What do you guys think?

I think if you drop the builtin printf to make way for the builtin test,
you've got a good deal. :-)

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message

From owner-freebsd-audit Sun Nov 11 4:54: 4 2001
From: Sheldon Hearn
To: "Akinori MUSHA"
Cc: audit@FreeBSD.org
Subject: Re: make test(1) a sh(1) builtin command
In-reply-to: Your message of "Sun, 11 Nov 2001 14:51:06 +0200." <16181.1005483066@axl.seasidesoftware.co.za>
Date: Sun, 11 Nov 2001 14:54:56 +0200
Message-ID: <16218.1005483296@axl.seasidesoftware.co.za>

On Sun, 11 Nov 2001 14:51:06 +0200, Sheldon Hearn wrote:

> I think if you drop the builtin printf to make way for the builtin test,
> you've got a good deal. :-)

Oops, I forgot to mention...

Please patch the test.1 manual page as per rev 1.6 of builtin.1, specifically

|* Add appropriate xrefs for builtin(1) to the csh(1) and sh(1) manpages,
|  as well as to the manpages of standalone utilities which are supported
|  as shell builtin commands in at least one of the shells.  In such
|  manpages, explain that similar functionality may be provided as a
|  shell builtin command.

Ciao,
Sheldon.

From owner-freebsd-audit Wed Nov 14 15: 4:27 2001
Date: Wed, 14 Nov 2001 17:57:12 +0000
From: David Hill
To: freebsd-audit@freebsd.org
Subject: ping.c patch - select() -> kqueue()
Message-Id: <20011114175712.46522c21.david@phobia.ms>
X-Mailer: Sylpheed version 0.6.4 (GTK+ 1.2.10; i386--freebsd5.0)

I am not sure if converting ping from using select() to kqueue() is
worth anything, but here is a patch.

David Hill
david@phobia.ms

Content-Type: application/octet-stream; name="ping.c.diff"
Content-Disposition: attachment; filename="ping.c.diff"

From owner-freebsd-audit Fri Nov 16 8:52:26 2001
From: Sheldon Hearn
To: Poul-Henning Kamp
Cc: ru@FreeBSD.org, audit@FreeBSD.org
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
In-reply-to: Your message of "Wed, 31 Oct 2001 08:08:49 PST." <200110311608.f9VG8nd19655@freefall.freebsd.org>
Date: Fri, 16 Nov 2001 18:53:37 +0200
Message-ID: <71404.1005929617@axl.seasidesoftware.co.za>

On Wed, 31 Oct 2001 08:08:49 PST, Poul-Henning Kamp wrote:

>   Modified files:
>     sbin/natd            natd.8 natd.c
>   Log:
>   Do not uselessly whine in syslog about packets denied by ipfw rules.
>
>   Set 'log_ipfw_denied' option if you want the old behaviour.

Yuk. Wouldn't a better idea simply be to make the whining more useful,
with something like this?

Ciao,
Sheldon.

Index: natd.c
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.36
diff -u -d -r1.36 natd.c
--- natd.c	31 Oct 2001 16:08:49 -0000	1.36
+++ natd.c	16 Nov 2001 16:50:08 -0000
@@ -589,6 +589,8 @@
 {
 	int wrote;
 	char msgBuf[80];
+	char hostBuf[NI_MAXHOST];
+	char servBuf[NI_MAXSERV];
 /*
  * Put packet back for processing.
  */
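Review bot: the two buffers added here, hostBuf[NI_MAXHOST] and servBuf[NI_MAXSERV], are far larger than the existing msgBuf[80] that the second hunk sprintf()s them into via "failed to write packet to %s:%s"; the result fits only because NI_NUMERICHOST | NI_NUMERICSERV bounds the output to a dotted-quad address and a numeric port (or the "unknown" fallback), and that invariant is implicit. Suggest snprintf(msgBuf, sizeof(msgBuf), ...) at the formatting site, or sizing msgBuf from the NI_ constants, so a later change to the format string or flags cannot overrun the stack buffer.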
@@ -618,7 +620,15 @@
 	}
 	else if (errno == EACCES && log_ipfw_denied) {
 
-		sprintf (msgBuf, "failed to write packet back");
+		if (getnameinfo((struct sockaddr *)&packetAddr,
+		    packetAddr.sin_len, hostBuf, sizeof(hostBuf),
+		    servBuf, sizeof(servBuf),
+		    NI_NUMERICHOST | NI_NUMERICSERV) != 0) {
+			sprintf(hostBuf, "unknown");
+			sprintf(servBuf, "unknown");
+		}
+		sprintf (msgBuf, "failed to write packet to %s:%s",
+		    hostBuf, servBuf);
 		Warn (msgBuf);
 	}
 }

From owner-freebsd-audit Fri Nov 16 8:54:43 2001
To: Sheldon Hearn
Cc: ru@FreeBSD.org, audit@FreeBSD.org
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
In-Reply-To: Your message of "Fri, 16 Nov 2001 18:53:37 +0200." <71404.1005929617@axl.seasidesoftware.co.za>
Date: Fri, 16 Nov 2001 17:53:04 +0100
Message-ID: <16863.1005929584@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <71404.1005929617@axl.seasidesoftware.co.za>, Sheldon Hearn writes:
>
>
>On Wed, 31 Oct 2001 08:08:49 PST, Poul-Henning Kamp wrote:
>
>>   Modified files:
>>     sbin/natd            natd.8 natd.c
>>   Log:
>>   Do not uselessly whine in syslog about packets denied by ipfw rules.
>>
>>   Set 'log_ipfw_denied' option if you want the old behaviour.
>
>Yuk. Wouldn't a better idea simply be to make the whining more useful,
>with something like this?

You are not proposing a log message per packet that people cannot
turn off are you ?

Poul-Henning

>
>Ciao,
>Sheldon.
>
>Index: natd.c
>===================================================================
>RCS file: /home/ncvs/src/sbin/natd/natd.c,v
>retrieving revision 1.36
>diff -u -d -r1.36 natd.c
>--- natd.c	31 Oct 2001 16:08:49 -0000	1.36
>+++ natd.c	16 Nov 2001 16:50:08 -0000
>@@ -589,6 +589,8 @@
> {
> 	int wrote;
> 	char msgBuf[80];
>+	char hostBuf[NI_MAXHOST];
>+	char servBuf[NI_MAXSERV];
> /*
>  * Put packet back for processing.
>  */
>@@ -618,7 +620,15 @@
> 	}
> 	else if (errno == EACCES && log_ipfw_denied) {
> 
>-		sprintf (msgBuf, "failed to write packet back");
>+		if (getnameinfo((struct sockaddr *)&packetAddr,
>+		    packetAddr.sin_len, hostBuf, sizeof(hostBuf),
>+		    servBuf, sizeof(servBuf),
>+		    NI_NUMERICHOST | NI_NUMERICSERV) != 0) {
>+			sprintf(hostBuf, "unknown");
>+			sprintf(servBuf, "unknown");
>+		}
>+		sprintf (msgBuf, "failed to write packet to %s:%s",
>+		    hostBuf, servBuf);
> 		Warn (msgBuf);
> 	}
> }
>

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-audit Fri Nov 16 9: 2:10 2001
From: Sheldon Hearn
To: Poul-Henning Kamp
Cc: ru@FreeBSD.org, audit@FreeBSD.org
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
In-reply-to: Your message of "Fri, 16 Nov 2001 17:53:04 +0100." <16863.1005929584@critter.freebsd.dk>
Date: Fri, 16 Nov 2001 19:03:15 +0200
Message-ID: <71658.1005930195@axl.seasidesoftware.co.za>

On Fri, 16 Nov 2001 17:53:04 +0100, Poul-Henning Kamp wrote:

> >Yuk. Wouldn't a better idea simply be to make the whining more useful,
> >with something like this?
>
> You are not proposing a log message per packet that people cannot
> turn off are you ?

I don't think that's what the patch does. I'm pretty sure it simply
enhances the previously ineffective message, leaving the conditions for
printing alone.

Personally, I'd like to see your new option inverted so that the default
is still to log these problems, but allow you to turn them off if you
like. And I'd like the suggested change to the actual content of the
log message.

Ciao,
Sheldon.

From owner-freebsd-audit Fri Nov 16 9:11:58 2001
To: Sheldon Hearn
Cc: ru@FreeBSD.org, audit@FreeBSD.org
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
In-Reply-To: Your message of "Fri, 16 Nov 2001 19:03:15 +0200." <71658.1005930195@axl.seasidesoftware.co.za>
Date: Fri, 16 Nov 2001 18:10:26 +0100
Message-ID: <17182.1005930626@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <71658.1005930195@axl.seasidesoftware.co.za>, Sheldon Hearn writes:
>> >Yuk. Wouldn't a better idea simply be to make the whining more useful,
>> >with something like this?
>>
>> You are not proposing a log message per packet that people cannot
>> turn off are you ?
>
>I don't think that's what the patch does. I'm pretty sure it simply
>enhances the previously ineffective message, leaving the conditions for
>printing alone.

Well, the condition for printing was "once per packet" which is why
people have objected to this in the first place.

>Personally, I'd like to see your new option inverted so that the default
>is still to log these problems, but allow you to turn them off if you
>like. And I'd like the suggested change to the actual content of the
>log message.

The compromise Ruslan and I ended up with when we discussed this in Brighton
was that the print would be disabled unless enabled specifically and that
the verbose option should also enable it, and that yes, adding useful
info to it makes sense.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-audit Fri Nov 16 9:17: 9 2001
From: Sheldon Hearn
To: Poul-Henning Kamp
Cc: ru@FreeBSD.org, audit@FreeBSD.org
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
In-reply-to: Your message of "Fri, 16 Nov 2001 18:10:26 +0100." <17182.1005930626@critter.freebsd.dk>
Date: Fri, 16 Nov 2001 19:18:07 +0200
Message-ID: <71993.1005931087@axl.seasidesoftware.co.za>

On Fri, 16 Nov 2001 18:10:26 +0100, Poul-Henning Kamp wrote:

> The compromise Ruslan and I ended up with when we discussed this in Brighton
> was that the print would be disabled unless enabled specifically and that
> the verbose option should also enable it, and that yes, adding useful
> info to it makes sense.

I guess one argument in favour of this is the default brevity of the
IPFW code itself, where the "log" keyword does nothing until special
action is taken.

Okay, so Ruslan, are you happy with using getnameinfo() to add
additional detail? The only drawback I can think of is that it will
defeat syslog(3) message coalescing (message repeated X times).

However, given the default behaviour that Poul-Henning describes, I
don't think it makes too much sense to worry about that.

Ciao,
Sheldon.

From owner-freebsd-audit Fri Nov 16 9:41:33 2001
Date: Fri, 16 Nov 2001 19:39:56 +0200
From: Ruslan Ermilov
To: Sheldon Hearn
Cc: Poul-Henning Kamp, audit@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
Message-ID: <20011116193956.A46779@sunbay.com>
References: <17182.1005930626@critter.freebsd.dk> <71993.1005931087@axl.seasidesoftware.co.za>
In-Reply-To: <71993.1005931087@axl.seasidesoftware.co.za>
User-Agent: Mutt/1.3.23i

On Fri, Nov 16, 2001 at 07:18:07PM +0200, Sheldon Hearn wrote:
> 
> 
> On Fri, 16 Nov 2001 18:10:26 +0100, Poul-Henning Kamp wrote:
> 
> > The compromise Ruslan and I ended up with when we discussed this in Brighton
> > was that the print would be disabled unless enabled specifically and that
> > the verbose option should also enable it, and that yes, adding useful
> > info to it makes sense.
> 
> I guess one argument in favour of this is the default brevity of the
> IPFW code itself, where the "log" keyword does nothing until special
> action is taken.
> 
> Okay, so Ruslan, are you happy with using getnameinfo() to add
> additional detail? The only drawback I can think of is that it will
> defeat syslog(3) message coalescing (message repeated X times).
> 
> However, given the default behaviour that Poul-Henning describes, I
> don't think it makes too much sense to worry about that.
> 
Funny thing is that I was just working on this.  :-)

The below patch implements what we were discussing with Poul-Henning,
i.e., have the -log_ipfw_denied option enabled by default in -verbose
mode, when it really makes any sense.

Index: natd.8
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.8,v
retrieving revision 1.48
diff -u -p -r1.48 natd.8
--- natd.8	2001/10/31 16:08:49	1.48
+++ natd.8	2001/11/16 17:39:57
@@ -463,7 +463,11 @@ rules starting from the rule number
 will be used for punching firewall holes.
 The range will be cleared for all rules on startup.
 .It Fl log_ipfw_denied
-Log when a packet can't be re-injected because a ipfw rule deny it.
+Log when a packet can not be re-injected because an
+.Xr ipfw 8
+rule blocks it.
+This is the default with
+.Fl verbose .
 .El
 .Sh RUNNING NATD
 The following steps are necessary before attempting to run
Index: natd.c
===================================================================
RCS file: /home/ncvs/src/sbin/natd/natd.c,v
retrieving revision 1.36
diff -u -p -r1.36 natd.c
--- natd.c	2001/10/31 16:08:49	1.36
+++ natd.c	2001/11/16 17:40:02
@@ -126,7 +126,7 @@ static int packetDirection;
 static int dropIgnoredIncoming;
 static int logDropped;
 static int logFacility;
-static int log_ipfw_denied;
+static int logIpfwDenied;
 
 int main (int argc, char** argv)
 {
@@ -161,7 +161,7 @@ int main (int argc, char** argv)
 	dynamicMode		= 0;
 	logDropped		= 0;
 	logFacility		= LOG_DAEMON;
-	log_ipfw_denied		= 0;
+	logIpfwDenied		= -1;
 /*
  * Mark packet buffer empty.
  */
@@ -170,6 +170,11 @@ int main (int argc, char** argv)
 	ParseArgs (argc, argv);
 
 /*
+ * Log ipfw(8) denied packets by default in verbose mode.
+ */
+	if (logIpfwDenied == -1)
+		logIpfwDenied = verbose;
+/*
  * Open syslog channel.
  */
 	openlog ("natd", LOG_CONS | LOG_PID | (verbose ? LOG_PERROR : 0),
@@ -616,7 +621,7 @@ static void FlushPacketBuffer (int fd)
 				      (struct ip*) packetBuf,
 				      ifMTU - aliasOverhead);
 	}
-	else if (errno == EACCES && log_ipfw_denied) {
+	else if (errno == EACCES && logIpfwDenied) {
 
 		sprintf (msgBuf, "failed to write packet back");
 		Warn (msgBuf);
@@ -1257,7 +1262,7 @@ static void ParseOption (const char* opt
 		break;
 
 	case LogDenied:
-		logDropped = 1;
+		logDropped = yesNoValue;
 		break;
 
 	case LogFacility:
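Review bot: the LogDenied case now stores yesNoValue where it used to store the constant 1 (the following LogIpfwDenied case does the same), which is only correct if both options are declared in the option table with a yes/no parameter type so that yesNoValue is actually parsed for them; that table is not part of this diff, so please confirm, since for an option declared without a parameter yesNoValue would not be set on this code path. Two smaller points: the natd.8 hunk documents the new -verbose default but not that -log_ipfw_denied now takes a yes/no value, and the final hunk has a stray second semicolon in `logIpfwDenied = yesNoValue;;`.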
@@ -1283,8 +1288,10 @@ static void ParseOption (const char* opt
 	case PunchFW:
 		SetupPunchFW(strValue);
 		break;
+
 	case LogIpfwDenied:
-		log_ipfw_denied=1;
+		logIpfwDenied = yesNoValue;;
+		break;
 	}
 }
 

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

From owner-freebsd-audit Fri Nov 16 9:46:17 2001
From: Sheldon Hearn
To: Ruslan Ermilov
Cc: Poul-Henning Kamp, audit@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/natd natd.8 natd.c
In-reply-to: Your message of "Fri, 16 Nov 2001 19:39:56 +0200." <20011116193956.A46779@sunbay.com>
Date: Fri, 16 Nov 2001 19:47:27 +0200
Message-ID: <72589.1005932847@axl.seasidesoftware.co.za>

On Fri, 16 Nov 2001 19:39:56 +0200, Ruslan Ermilov wrote:

> The below patch implements what we were discussing with Poul-Henning,
> i.e., have the -log_ipfw_denied option enabled by default in -verbose
> mode, when it really makes any sense.

The patch doesn't include the change I suggested, for providing more
detail in the log message. Don't you like the idea?

Ciao,
Sheldon.

From owner-freebsd-audit Sat Nov 17 13:44:47 2001
Date: Sat, 17 Nov 2001 13:44:14 -0800
From: "Crist J. Clark"
To: audit@freebsd.org, security@freebsd.org
Subject: periodic(8)-ifying Daily Security Check
Message-ID: <20011117134414.A66323@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/

I've gone through the /etc/security script and converted it into a
bunch of smaller scripts to be run by periodic(8). I think this is one
of those things someone has always meant to do, but never gotten
around to.

The approach was pretty straightforward. The actions actually taken
by /etc/security have not been changed or upgraded, just broken into
pieces. Continuing to improve the daily security checks can take place
once the new format is in place.

Attached is a modified shell archive. Save it to a file and,

	# sh

To install the new periodic(8)-ified daily security checks. It will
patch /etc/defaults/periodic.conf and
/etc/periodic/daily/450.status-security. It will then add the new
scripts in /etc/periodic/security.

Note that the patch process will leave a 450.status-security.orig in
the daily scripts, and _both_ 450.status-security and
450.status-security.orig will be executed by periodic(8). For now, I
consider this a debugging feature. Please make sure that the output of
the two is the same. If you wish to disable the .orig file, change its
permissions so it is not executable. Also note that /etc/security (and
any customizations you may have there) is not touched at all.

I would really appreciate it if a few people would take the time to
install these and let them run a few days to make sure they actually
work on systems besides mine. The patches and scripts are meant for
-CURRENT, but extrapolation to -STABLE is straightforward.

If anyone wants -STABLE patches and scripts to test, just say the word.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-audit Sat Nov 17 13:48:31 2001
Date: Sat, 17 Nov 2001 13:46:57 -0800
From: "Crist J. Clark"
To: audit@freebsd.org, security@freebsd.org
Subject: periodic(8)-ifying Daily Security Check (with attachment)
Message-ID: <20011117134657.C63067@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/

[Let's try this again with the attachment this time.]

I've gone through the /etc/security script and converted it into a
bunch of smaller scripts to be run by periodic(8). I think this is one
of those things someone has always meant to do, but never gotten
around to.

The approach was pretty straightforward. The actions actually taken
by /etc/security have not been changed or upgraded, just broken into
pieces. Continuing to improve the daily security checks can take place
once the new format is in place.

Attached is a modified shell archive. Save it to a file and,

	# sh

To install the new periodic(8)-ified daily security checks. It will
patch /etc/defaults/periodic.conf and
/etc/periodic/daily/450.status-security. It will then add the new
scripts in /etc/periodic/security.

Note that the patch process will leave a 450.status-security.orig in
the daily scripts, and _both_ 450.status-security and
450.status-security.orig will be executed by periodic(8). For now, I
consider this a debugging feature. Please make sure that the output of
the two is the same. If you wish to disable the .orig file, change its
permissions so it is not executable. Also note that /etc/security (and
any customizations you may have there) is not touched at all.
I would really appreciate if a few people would take the time to install these and let them run a few days to make sure they actually work on systems besides mine. The patches and scripts are meant for -CURRENT, but extrapolation to -STABLE is straightforward. If anyone wants -STABLE patches and scripts to test, just say the word. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org --HcAYCG3uE/tztfnV Content-Type: application/x-shar Content-Disposition: attachment; filename="periodic_security.shar" cd / (sed 's/^X//' | patch) << 'END-periodic_security.patch' XIndex: etc/defaults/periodic.conf X=================================================================== XRCS file: /export/ncvs/src/etc/defaults/periodic.conf,v Xretrieving revision 1.17 Xdiff -u -r1.17 periodic.conf X--- etc/defaults/periodic.conf 25 Oct 2001 11:27:55 -0000 1.17 X+++ etc/defaults/periodic.conf 17 Nov 2001 20:58:21 -0000 X@@ -105,9 +105,7 @@ X X # 450.status-security X daily_status_security_enable="YES" # Security check X-daily_status_security_inline="NO" # Run inline ? X-daily_status_security_output="root" # user or /file X-daily_status_security_noamd="NO" # Don't check amd mounts X+# See "Security options" below for more options X X # 460.status-mail-rejects X daily_status_mail_rejects_enable="YES" # Check mail rejects X@@ -122,6 +120,51 @@ X X # 999.local X daily_local="/etc/daily.local" # Local scripts X+ X+ X+# Security options X+ X+# These options are used by the security periodic(8) scripts spawned in X+# 450.status-security above. X+daily_status_security_inline="NO" # Run inline ? 
X+daily_status_security_output="root" # user or /file X+daily_status_security_noamd="NO" # Don't check amd mounts X+daily_status_security_logdir="/var/log" # Directory for logs X+ X+# 100.chksetuid X+daily_status_security_chksetuid_enable="YES" X+ X+# 200.chkmounts X+daily_status_security_chkmounts_enable="YES" X+#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching X+ # FS types X+ X+# 300.chkuid0 X+daily_status_security_chkuid0_enable="YES" X+ X+# 400.passwdless X+daily_status_security_passwdless_enable="YES" X+ X+# 500.ipfwdenied X+daily_status_security_ipfwdenied_enable="YES" X+ X+# 550.ipfwlimit X+daily_status_security_ipfwlimit_enable="YES" X+ X+# 600.ip6fwdenied X+daily_status_security_ip6fwdenied_enable="YES" X+ X+# 650.ip6fwlimit X+daily_status_security_ip6fwlimit_enable="YES" X+ X+# 700.kernelmsg X+daily_status_security_kernelmsg_enable="YES" X+ X+# 800.loginfail X+daily_status_security_loginfail_enable="YES" X+ X+# 900.tcpwrap X+daily_status_security_tcpwrap_enable="YES" X X X # Weekly options XIndex: etc/periodic/daily/450.status-security X=================================================================== XRCS file: /export/ncvs/src/etc/periodic/daily/450.status-security,v Xretrieving revision 1.7 Xdiff -u -r1.7 450.status-security X--- etc/periodic/daily/450.status-security 1 Jun 2001 10:07:16 -0000 1.7 X+++ etc/periodic/daily/450.status-security 17 Nov 2001 20:57:13 -0000 X@@ -16,30 +16,23 @@ X echo "" X echo "Security check:" X X- case "$daily_status_security_noamd" in X- [Yy][Ee][Ss]) X- args=-a;; X- *) X- args=;; X- esac X- X case "$daily_status_security_inline" in X [Yy][Ee][Ss]) X- sh /etc/security -s $args X- rc=$?;; X- X+ export security_output="";; X *) X- case "${daily_status_security_output:=root}" in X+ export security_output="${daily_status_security_output}" X+ case "${daily_status_security_output}" in X+ "") X+ ;; X /*) X- echo " (output logged separately)" X- sh /etc/security -s $args \ X- >$daily_status_security_output 
2>&1;; X+ echo " (output logged separately)";; X *) X- echo " (output mailed separately)" X- sh /etc/security $args 2>&1 | X- sendmail $daily_status_security_output;; X+ echo " (output mailed separately)";; X esac;; X- esac;; X+ esac X+ X+ periodic /etc/periodic/security X+ rc=$?;; X X *) rc=0;; X esac END-periodic_security.patch
mkdir -p etc/periodic/security
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	etc/periodic/security/100.chksetuid
#	etc/periodic/security/200.chkmounts
#	etc/periodic/security/300.chkuid0
#	etc/periodic/security/400.passwdless
#	etc/periodic/security/500.ipfwdenied
#	etc/periodic/security/550.ipfwlimit
#	etc/periodic/security/600.ip6fwdenied
#	etc/periodic/security/650.ip6fwlimit
#	etc/periodic/security/700.kernelmsg
#	etc/periodic/security/800.loginfail
#	etc/periodic/security/900.tcpwrap
#
echo x - etc/periodic/security/100.chksetuid
sed 's/^X//' >etc/periodic/security/100.chksetuid << 'END-of-etc/periodic/security/100.chksetuid'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
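Review bot: the periodic.conf hunk offers two ways of excluding amd mounts, `daily_status_security_noamd="NO"` and the commented-out `daily_status_security_chkmounts_ignore="^amd:"`, without saying how they combine; the comment on `noamd` should state that it simply appends `^amd:` to the `chkmounts_ignore` pattern (which is what the new 200.chkmounts does), so administrators do not set both. The `# user or /file` comment on `daily_status_security_output` should also cover the empty value, since the 450.status-security hunk adds a `"")` branch that sends the output inline.

Review bot: in the 450.status-security hunk, `rc=$?` after `periodic /etc/periodic/security` only reports the checks' status back to the daily run if periodic(8) exits with the highest exit code of its scripts; the old code took `rc` straight from `sh /etc/security -s`, so please confirm periodic(8) propagates it, otherwise this branch always reports success. Replacing `${daily_status_security_output:=root}` with `export security_output="${daily_status_security_output}"` also drops the old `2>&1` on the logged path; the new scripts print their findings through `tee /dev/stderr`, so the periodic(8) path must capture stderr for the log and mail variants as well.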
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_chksetuid_enable" in
X    [Yy][Ee][Ss])
X        echo ""
X        echo 'Checking setuid files and devices:'
X        # XXX Note that there is the possibility of overrunning the args to ls
X        MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
X        set ${MP}
X        while [ $# -ge 1 ]; do
X            mount=$1
X            shift
X            find $mount -xdev -type f \
X                \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
X                \( -perm -u+s -or -perm -g+s \) -print0
X        done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
X
X        if [ ! -f ${LOG}/setuid.today ]; then
X            [ $rc -lt 1 ] && rc=1
X            echo "No ${LOG}/setuid.today"
X            cp ${TMP} ${LOG}/setuid.today || rc=3
X        fi
X
X        if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
X        then
X            [ $rc -lt 1 ] && rc=1
X            echo "${host} setuid diffs:"
X            diff -w ${LOG}/setuid.today ${TMP}
X            mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
X            mv ${TMP} ${LOG}/setuid.today || rc=3
X        fi
X        rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/100.chksetuid
echo x - etc/periodic/security/200.chkmounts
sed 's/^X//' >etc/periodic/security/200.chkmounts << 'END-of-etc/periodic/security/200.chkmounts'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show changes in the way filesystems are mounted
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xignore="${daily_status_security_chkmounts_ignore}"
Xrc=0
X
Xcase "$daily_status_security_chkmounts_enable" in
X    [Yy][Ee][Ss])
X        # noamd is a shortcut that appends "^amd:" to the ignore pattern;
X        # the leading "|" is stripped below when no user pattern was given.
X        case "$daily_status_security_noamd" in
X            [Yy][Ee][Ss])
X                ignore="${ignore}|^amd:"
X        esac
X        # NB: ${cmd} is word-split when expanded, so the pattern must not
X        # contain whitespace.
X        [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
X        if mount -p | ${cmd} > ${TMP}; then
X            if [ ! -f ${LOG}/mount.today ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "No ${LOG}/mount.today"
X                cp ${TMP} ${LOG}/mount.today || rc=3
X            fi
X            if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "${host} changes in mounted filesystems:"
X                diff -b ${LOG}/mount.today ${TMP}
X                mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
X                mv ${TMP} ${LOG}/mount.today || rc=3
X            fi
X        fi
X        rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/200.chkmounts
echo x - etc/periodic/security/300.chkuid0
sed 's/^X//' >etc/periodic/security/300.chkuid0 << 'END-of-etc/periodic/security/300.chkuid0'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xrc=0
X
Xcase "$daily_status_security_chkuid0_enable" in
X    [Yy][Ee][Ss])
X        echo ""
X        echo 'Checking for uids of 0:'
X        n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
X            tee /dev/stderr |
X            sed -e '/^root 0$/d' -e '/^toor 0$/d' |
X            wc -l)
X        [ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)  rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/300.chkuid0
echo x - etc/periodic/security/400.passwdless
sed 's/^X//' >etc/periodic/security/400.passwdless << 'END-of-etc/periodic/security/400.passwdless'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
Xrc=0
X
Xcase "$daily_status_security_passwdless_enable" in
X    [Yy][Ee][Ss])
X        echo ""
X        echo 'Checking for passwordless accounts:'
X        n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
X            tee /dev/stderr | wc -l)
X        [ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)  rc=0;;
Xesac
X
Xexit "$rc"
END-of-etc/periodic/security/400.passwdless
echo x - etc/periodic/security/500.ipfwdenied
sed 's/^X//' >etc/periodic/security/500.ipfwdenied << 'END-of-etc/periodic/security/500.ipfwdenied'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show denied packets
X#
X
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_ipfwdenied_enable" in
X    [Yy][Ee][Ss])
X        if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
X            if [ ! -f ${LOG}/ipfw.today ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "No ${LOG}/ipfw.today"
X                cp ${TMP} ${LOG}/ipfw.today || rc=3
X            fi
X
X            if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "${host} denied packets:"
X                diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
X                mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
X                mv ${TMP} ${LOG}/ipfw.today || rc=3
X            fi
X        fi
X        rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/500.ipfwdenied
echo x - etc/periodic/security/550.ipfwlimit
sed 's/^X//' >etc/periodic/security/550.ipfwlimit << 'END-of-etc/periodic/security/550.ipfwlimit'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show ipfw rules which have reached the log limit
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
Xrc=0
X
Xcase "$daily_status_security_ipfwlimit_enable" in
X    [Yy][Ee][Ss])
X        IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
X        if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
X            ipfw -a l | grep " log " | perl -n -e \
X                '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
X            if [ -s "${TMP}" ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo 'ipfw log limit reached:'
X                cat ${TMP}
X            fi
X        fi
X        rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/550.ipfwlimit
echo x - etc/periodic/security/600.ip6fwdenied
sed 's/^X//' >etc/periodic/security/600.ip6fwdenied << 'END-of-etc/periodic/security/600.ip6fwdenied'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show IPv6 denied packets
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_ip6fwdenied_enable" in
X    [Yy][Ee][Ss])
X        if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
X            if [ ! -f ${LOG}/ip6fw.today ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "No ${LOG}/ip6fw.today"
X                cp ${TMP} ${LOG}/ip6fw.today || rc=3
X            fi
X
X            if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "${host} IPv6 denied packets:"
X                diff -b ${LOG}/ip6fw.today ${TMP} |
X                    egrep "^>"
X                mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
X                mv ${TMP} ${LOG}/ip6fw.today || rc=3
X            fi
X        fi
X        rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/600.ip6fwdenied
echo x - etc/periodic/security/650.ip6fwlimit
sed 's/^X//' >etc/periodic/security/650.ip6fwlimit << 'END-of-etc/periodic/security/650.ip6fwlimit'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show ip6fw rules which have reached the log limit
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
Xrc=0
X
Xcase "$daily_status_security_ip6fwlimit_enable" in
X    [Yy][Ee][Ss])
X        IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
X        if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
X            ip6fw -a l | grep " log " | perl -n -e \
X                '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
X            if [ -s "${TMP}" ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo 'ip6fw log limit reached:'
X                cat ${TMP}
X            fi
X        fi
X        rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/650.ip6fwlimit
echo x - etc/periodic/security/700.kernelmsg
sed 's/^X//' >etc/periodic/security/700.kernelmsg << 'END-of-etc/periodic/security/700.kernelmsg'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show kernel log messages
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XTMP=/var/run/_secure.$$
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcase "$daily_status_security_kernelmsg_enable" in
X    [Yy][Ee][Ss])
X        if dmesg -a 2>/dev/null > ${TMP}; then
X            if [ ! -f ${LOG}/dmesg.today ]; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "No ${LOG}/dmesg.today"
X                cp ${TMP} ${LOG}/dmesg.today || rc=3
X            fi
X
X            if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
X                [ $rc -lt 1 ] && rc=1
X                echo ""
X                echo "${host} kernel log messages:"
X                diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
X                mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
X                mv ${TMP} ${LOG}/dmesg.today || rc=3
X            fi
X        fi
X        rm -f ${TMP};;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/700.kernelmsg
echo x - etc/periodic/security/800.loginfail
sed 's/^X//' >etc/periodic/security/800.loginfail << 'END-of-etc/periodic/security/800.loginfail'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show login failures
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcatmsgs() {
X    find ${LOG} -name 'messages.*' -mtime -2 |
X        sort -t. -r -n +1 -2 |
X        xargs zcat -f
X    [ -f ${LOG}/messages ] && cat $LOG/messages
X}
X
Xcase "$daily_status_security_loginfail_enable" in
X    [Yy][Ee][Ss])
X        # periodic(8) does not set $yesterday; compute it here in the syslog
X        # date format (the old /etc/security did the same).
X        yesterday=`date -v-1d "+%b %e"`
X        echo ""
X        echo "${host} login failures:"
X        n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
X            tee /dev/stderr | wc -l)
X        [ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/800.loginfail
echo x - etc/periodic/security/900.tcpwrap
sed 's/^X//' >etc/periodic/security/900.tcpwrap << 'END-of-etc/periodic/security/900.tcpwrap'
X#!/bin/sh -
X#
X# Copyright (c) 2001 The FreeBSD Project
X# All rights reserved.
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions
X# are met:
X# 1. Redistributions of source code must retain the above copyright
X#    notice, this list of conditions and the following disclaimer.
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
X# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
X# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X# SUCH DAMAGE.
X#
X# $FreeBSD:$
X#
X
X# Show tcp_wrapper warning messages
X#
X
X# If there is a global system configuration file, suck it in.
X#
Xif [ -r /etc/defaults/periodic.conf ]
Xthen
X    . /etc/defaults/periodic.conf
X    source_periodic_confs
Xfi
X
XLOG="${daily_status_security_logdir}"
Xrc=0
X
Xcatmsgs() {
X    find ${LOG} -name 'messages.*' -mtime -2 |
X        sort -t. -r -n +1 -2 |
X        xargs zcat -f
X    [ -f ${LOG}/messages ] && cat $LOG/messages
X}
X
Xcase "$daily_status_security_tcpwrap_enable" in
X    [Yy][Ee][Ss])
X        # periodic(8) does not set $yesterday; compute it here in the syslog
X        # date format (the old /etc/security did the same).
X        yesterday=`date -v-1d "+%b %e"`
X        echo ""
X        echo "${host} refused connections:"
X        n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
X            tee /dev/stderr | wc -l)
X        [ $n -gt 0 -a $rc -lt 1 ] && rc=1;;
X    *)  rc=0;;
Xesac
X
Xexit $rc
END-of-etc/periodic/security/900.tcpwrap
for F in etc/periodic/security/100.chksetuid \
         etc/periodic/security/200.chkmounts \
         etc/periodic/security/300.chkuid0 \
         etc/periodic/security/400.passwdless \
         etc/periodic/security/500.ipfwdenied \
         etc/periodic/security/550.ipfwlimit \
         etc/periodic/security/600.ip6fwdenied \
         etc/periodic/security/650.ip6fwlimit \
         etc/periodic/security/700.kernelmsg \
         etc/periodic/security/800.loginfail \
         etc/periodic/security/900.tcpwrap; do
	chmod 755 $F
done
exit
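As an added example (not part of the patch above or of FreeBSD's own scripts), the following exercises the ignore-pattern composition and the baseline comparison that 200.chkmounts performs, over constructed `mount -p` output, so the `noamd` / `chkmounts_ignore` interaction can be checked without root access to /var/log or /var/run. It assumes mktemp(1) for the scratch files, space-separated sample lines, and quotes the pattern rather than word-splitting a `cmd` string; those are choices of this example, not of the patch.

```shell
#!/bin/sh
# Added example: exercises the filtering and baseline-diff logic of the
# proposed 200.chkmounts against constructed data (nothing here touches
# /var/log, /var/run or the real mount table).

# Constructed samples of `mount -p` (fstab format) output: yesterday's
# baseline and today's snapshot.  Today /usr gained nosuid, the amd
# mount was re-mounted under a new identifier, and a USB stick appeared.
MOUNTS_YESTERDAY='/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1f /usr ufs rw 2 2
amd:123 /host nfs rw,nosuid 0 0'
MOUNTS_TODAY='/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1f /usr ufs rw,nosuid 2 2
amd:456 /host nfs rw,nosuid 0 0
/dev/da0s1 /mnt/usb msdosfs rw 0 0'

# Compose the egrep -v pattern the way 200.chkmounts does:
#   $1 = daily_status_security_chkmounts_ignore, $2 = daily_status_security_noamd
# noamd appends "|^amd:", and the leading "|" is stripped when no user
# pattern was given, so "" + YES yields "^amd:", not "|^amd:".
build_ignore() {
    ignore="$1"
    case "$2" in
    [Yy][Ee][Ss]) ignore="${ignore}|^amd:";;
    esac
    printf '%s\n' "${ignore#|}"
}

# Apply the pattern to stdin.  An empty pattern passes everything (cat);
# a pattern that excludes every line is not an error.
filter_mounts() {
    if [ -n "$1" ]; then
        grep -E -v -- "$1" || :
    else
        cat
    fi
}

# Compare a filtered baseline with a filtered snapshot, as 200.chkmounts
# does with cmp/diff -b between mount.today and the fresh table, and print
# the number of changed lines (both "<" removals and ">" additions).
#   $1 = baseline text, $2 = today's text, $3 = composed ignore pattern
mount_changes() {
    old=$(mktemp) || return 2
    new=$(mktemp) || { rm -f "$old"; return 2; }
    printf '%s\n' "$1" | filter_mounts "$3" > "$old"
    printf '%s\n' "$2" | filter_mounts "$3" > "$new"
    # diff -b ignores whitespace-only differences, as in the script.
    diff -b "$old" "$new" | awk '/^[<>]/ { n++ } END { print n + 0 }'
    rm -f "$old" "$new"
}

# Stand-alone run: show how each configuration changes what gets reported.
main() {
    for cfg in "|YES" "^/dev/da|NO" "^/dev/da|YES" "|NO"; do
        user_pat=${cfg%|*}
        noamd=${cfg#*|}
        pat=$(build_ignore "$user_pat" "$noamd")
        echo "ignore='$user_pat' noamd=$noamd -> pattern '$pat':" \
             "$(mount_changes "$MOUNTS_YESTERDAY" "$MOUNTS_TODAY" "$pat") changed line(s)"
    done
}

case "$0" in
*chkmounts_example*) main;;
esac
```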