From: Michael Gmelin
Date: Sat, 11 Jun 2016 16:07:08 +0200
To: abi
Cc: freebsd-ports@freebsd.org
Subject: Re: Jail's emails

> On 11 Jun 2016, at 15:02, abi wrote:
>
> Most of the work is done by the host, so the plan is to disable some of the periodic stuff, leaving only serious matters like port security.
>
> This can be done by creating an /etc/periodic.conf.local file with contents like this:
> ## This is JAILED systems periodic configuration ##
>
> # Daily options
>
> daily_status_network_enable="NO"
> daily_clean_hoststat_enable="NO"
> daily_status_mail_rejects_enable="NO"
> daily_status_include_submit_mailq="NO"
> daily_status_mailq_enable="NO"
> daily_submit_queuerun="NO"
> daily_status_disks_enable="NO" # Check disk status
> daily_status_rwho_enable="NO"
> daily_status_security_pkgaudit_enable="YES"
> daily_pgsql_backup_enable="YES"
>
> daily_show_empty_output="NO"
> daily_show_success="NO"
>
> security_status_kernelmsg_enable="NO"
>
> security_show_empty_output="NO"
> security_show_success="NO"
>
> # Weekly options
>
> weekly_whatis_enable="NO" # our jails are read-only /usr
>
> weekly_show_success="NO"
> weekly_show_info="NO"
> weekly_show_empty_output="NO"
>
> With this config file, most of the time the jail has nothing to report.

You can also install ports-mgmt/jailaudit on the host to audit packages in all jails and get the result in the host's security output (afaik this way individual jails won't have to fetch the audit database).

- m