Date: Sun, 10 Mar 2013 08:41:45 -0700
From: Steve Rikli
To: freebsd-questions@freebsd.org
Subject: Re: periodic security always sends output mail

On Sun, Mar 10, 2013 at 12:43:54PM +0000, Arthur Chance wrote:
> On 03/10/13 03:26, Steve Rikli wrote:
> >I would like to configure periodic on my FreeBSD servers to only send
> >daily/weekly/monthly/security mails (or logs) when there is something
> >"important" to report.
> >
> >I'm close, but periodic security seems to _always_ send mail, even
> >when there is nothing to report.
>
> I suspect the logic is that by always sending a mail, even if it
> contains nothing important, it means that when you don't get mail
> you should check to see what happened. Otherwise an attacker could
> simply prevent periodic security checks to cover up any changes made
> and you'd just think there was nothing important to report.

You may be correct. It may also be nothing more complicated than
"security is important", which is hard to argue with. :-)

However it appears the logic has changed somewhat in FreeBSD-9 (my 1st
example was from an 8.3 server), where the 450.status-security script
now sets and resets rc= conditionally, and it seems to behave more
closely to my desired behavior, though I need to test a bit.

One undesirable thing in the FreeBSD-9 scripts is it appears that if
you have daily_status_security_inline enabled, and mask away the daily
success & info results, the security results are also masked away
regardless of security success, info settings.

E.g. this config on a FreeBSD 9.1 system:

    daily_show_success="NO"
    security_show_success="NO"
    daily_show_info="NO"
    security_show_info="YES"
    daily_status_security_inline="YES"

apparently won't include security info events either, though I'm not
sure why not.

I'm still tuning and testing to get it set the way I want.

Cheers,
sr.