Date: Thu, 29 Jun 2000 21:10:28 +0100
From: Ben Smithurst <ben@scientia.demon.co.uk>
To: Brian Somers <brian@Awfulhak.org>
Cc: James Howard <howardjp@wam.umd.edu>, freebsd-hackers@FreeBSD.ORG
Subject: Re: /etc/security -> /etc/periodic/security ?
Message-ID: <20000629211028.B48373@strontium.scientia.demon.co.uk>
In-Reply-To: <200006291727.SAA00460@hak.lan.Awfulhak.org>
References: <howardjp@wam.umd.edu> <200006291727.SAA00460@hak.lan.Awfulhak.org>
Brian Somers wrote:

>> Will we be seeing a move in this direction towards a more configurable
>> security script? Is anyone planning it?
>>
>> I am porting the scripts to Linux and will hold off on security if
>> nothing is being planned or make the changes myself. I just do not want
>> to duplicate efforts.
>>
>> Also, I found a bug with a patch in conf/19567. Please apply :)
>
> I've changed /etc/security in -current by adding switches to the
> scripts command line and making those switches configurable in
> /etc/periodic.conf.
>
> If you want to take this further, I would think it best to keep it
> controllable from periodic.conf - but feel free to argue about
> specifics :-)
>
> I wouldn't mind if you wanted to pass any patches by me.

Try the attached. They haven't been thoroughly tested, but that's what
-CURRENT is for, right? :-) I even remembered to update the manual page
this time...

-- 
Ben Smithurst / ben@scientia.demon.co.uk / PGP: 0x99392F7D

[Attachment: security.diff]

Index: ../man5/periodic.conf.5
===================================================================
RCS file: /usr/cvs/src/share/man/man5/periodic.conf.5,v
retrieving revision 1.4
diff -u -r1.4 periodic.conf.5
--- periodic.conf.5 2000/06/27 12:04:43 1.4
+++ periodic.conf.5 2000/06/29 20:09:19
@@ -34,7 +34,7 @@ .Sh DESCRIPTION The file .Nm periodic.conf -contains a description of how daily, weekly and montly system maintenance +contains a description of how daily, weekly and monthly system maintenance jobs should run. It resides in the .Pa /etc/defaults @@ -216,7 +216,7 @@ .Dq YES if you want to run .Pa /etc/uuclean.daily . -.it Ar daily_status_disks_enable +.It Ar daily_status_disks_enable (bool) Set to .Dq YES if you want to run @@ -271,28 +271,17 @@ .It Ar daily_status_security_enable (bool) Set to .Dq YES -if you want to run -.Pa /etc/security . +if you want to run the scripts in +.Pa /etc/periodic/security . .It Ar daily_status_security_inline (bool) Set to .Dq YES -if you want to run -.Pa /etc/security -inline. +if you want to include the output of the scripts in +.Pa /etc/periodic/security +inline in the daily report. The alternative is to run it as a background job, mailing the output to -.An root . -.It Ar daily_status_security_noamd -(bool) Set to -.Dq YES -if you want to ignore -.Xr amd 8 -mounts when comparing against yesterdays filesystem mounts. -.It Ar daily_status_security_nomfs -(bool) Set to -.Dq YES -if you want to ignore -.Xr mfs 8 -mounts when comparing against yesterdays filesystem mounts. +.An root +separately. .It Ar daily_status_mail_rejects_enable (bool) Set to .Dq YES 
@@ -303,6 +292,23 @@ (str) Set to a list of extra scripts that should be run after all other daily scripts. All scripts must be absolute path names. +.El +.Pp +The following variables are used by the standard scripts that reside in +.Pa /etc/periodic/security : +.Bl -tag -offset 4n -width 2n +.It Ar security_mount_ignore_amd +(bool) Set to +.Dq YES +if you want to ignore +.Xr amd 8 +mounts when comparing against yesterdays filesystem mounts. +.It Ar security_mount_ignore_mfs +(bool) Set to +.Dq YES +if you want to ignore +.Xr mfs 8 +mounts when comparing against yesterdays filesystem mounts. .El .Pp The following variables are used by the standard scripts that reside in Index: defaults/periodic.conf =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/cvs/src/etc/defaults/periodic.conf,v retrieving revision 1.4 diff -u -r1.4 periodic.conf --- periodic.conf 2000/06/28 06:51:37 1.4 +++ periodic.conf 2000/06/29 17:23:33 
@@ -99,14 +99,19 @@ # 450.status-security daily_status_security_enable=3D"YES" # Security check daily_status_security_inline=3D"NO" # Run inline ? -daily_status_security_noamd=3D"NO" # Don't check amd mounts -daily_status_security_nomfs=3D"NO" # Don't check mfs mounts =20 # 460.status-mail-rejects daily_status_mail_rejects_enable=3D"YES" # Check mail rejects =20 # 999.local daily_local=3D"/etc/daily.local" # Local scripts + + +# Security options + +# 110.mount-changes +security_mount_ignore_amd=3D"NO" # Don't check amd mounts +security_mount_ignore_mfs=3D"NO" # Don't check mfs mounts =20 =20 # Weekly options Index: periodic/daily/450.status-security =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/cvs/src/etc/periodic/daily/450.status-security,v retrieving revision 1.4 diff -u -r1.4 450.status-security --- 450.status-security 2000/06/23 01:18:23 1.4 +++ 450.status-security 2000/06/29 17:31:30 
@@ -13,30 +13,28 @@ =20 case "$daily_status_security_enable" in [Yy][Ee][Ss]) - if [ -f /etc/security -a -x /usr/sbin/sendmail ] + if [ -d /etc/periodic/security -a -x /usr/sbin/sendmail ] then echo "" echo "Security check:" =20 - case "$daily_status_security_noamd" in - [Yy][Ee][Ss]) - args=3D-a;; - *) - args=3D;; - esac + ou=3D$(umask) + umask 027 =20 - case "$daily_status_security_nomfs" in - [Yy][Ee][Ss]) - args=3D"$args -m";; - esac - case "$daily_status_security_inline" in [Yy][Ee][Ss]) - sh /etc/security -s $args;; + # XXX duplication of /usr/sbin/periodic + for file in /etc/periodic/security/*; do + if [ -x $file -a ! -d $file ]; then + $file + fi + done ;; =20 *) echo " (output mailed separately)" - sh /etc/security $args 2>&1 | sendmail root;; + periodic security 2>&1 | sendmail root ;; esac + + umask $ou fi;; esac

[Attachment: security.tar.gz]
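Review bot: in the periodic.conf.5 hunk @@ -303,6 +292,23 @@, the new security_mount_ignore_amd and security_mount_ignore_mfs entries carry over the missing apostrophe in "yesterdays filesystem mounts" from the text they replace; since both entries are being rewritten, make it "yesterday's filesystem mounts" in each. It would also help to say which script consumes the two variables: the defaults file groups them under "# 110.mount-changes", but the manual page only says they are used by "the standard scripts that reside in /etc/periodic/security".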
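Review bot: in the defaults/periodic.conf hunk @@ -99,14 +99,19 @@, daily_status_security_noamd and daily_status_security_nomfs are removed and replaced by security_mount_ignore_amd and security_mount_ignore_mfs with no transition, so an administrator who set the old names in /etc/periodic.conf silently falls back to the new default of "NO" and amd/mfs mounts start being compared again. Either have the 110.mount-changes script honour the old names for a while, or call out the rename where administrators will see it.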
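Review bot: in the 450.status-security hunk @@ -13,30 +13,28 @@, the inline and background branches no longer do the same thing: the inline case walks /etc/periodic/security/* by hand (the "XXX duplication of /usr/sbin/periodic" comment admits this), while the background case runs `periodic security`, which decides for itself which scripts to run. If `periodic security` can be invoked inline (its output goes to stdout, which is what the inline case wants), using it in both branches removes the duplication and keeps the two modes consistent; otherwise at least quote the loop variable, `[ -x "$file" -a ! -d "$file" ]` and `"$file"`, so an odd filename cannot break the test. Wrapping both branches in `umask 027` and restoring with `umask $ou` is a good addition, since whatever the security scripts save for tomorrow's comparison should not be created world-readable; `ou` is set and restored inside the same `if`, so the restore always runs when the save did.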