From 679aed2dc9f4c89930e7aae262179714ef30a797 Mon Sep 17 00:00:00 2001 From: Matthias Schmidt Date: Sat, 29 Dec 2007 21:44:44 +0000 Subject: [PATCH] Sync etc/periodic with FreeBSD. Short summary: - Display information about blocked counts from pf(4) - Make df output more human readable - Add login.conf checking to security - Fix several bugs and add some enhancements to various scripts The list of all relevant FreeBSD Revisions is available here: http://leaf.dragonflybsd.org/mailarchive/submit/2007-12/msg00009.html Obtained-From: FreeBSD --- etc/defaults/periodic.conf | 18 ++++++++++-- etc/periodic/daily/110.clean-tmps | 13 +++++---- etc/periodic/daily/440.status-mailq | 20 +++++++------ etc/periodic/daily/460.status-mail-rejects | 8 ++--- etc/periodic/daily/470.status-named | 22 +++++++------- .../security/{800.loginfail => 410.logincheck} | 34 ++++++++-------------- .../security/{800.loginfail => 520.pfdenied} | 33 ++++++++------------- etc/periodic/security/800.loginfail | 16 ++++++---- etc/periodic/security/Makefile | 6 ++-- etc/periodic/security/security.functions | 11 +++---- etc/periodic/weekly/310.locate | 6 ++-- 11 files changed, 95 insertions(+), 92 deletions(-) copy etc/periodic/security/{800.loginfail => 410.logincheck} (70%) copy etc/periodic/security/{800.loginfail => 520.pfdenied} (69%) diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf index 2890b66dd0..115a7d08b4 100644 --- a/etc/defaults/periodic.conf +++ b/etc/defaults/periodic.conf 
@@ -10,8 +10,11 @@ # values set in this file. This eases the upgrade path when defaults # are changed and new features are added. # +# For a more detailed explanation of all the periodic.conf variables, please +# refer to the periodic.conf(5) manual page. +# # $FreeBSD: src/etc/defaults/periodic.conf,v 1.7.2.13 2002/11/07 19:43:16 thomas Exp $ -# $DragonFly: src/etc/defaults/periodic.conf,v 1.6 2007/03/25 11:35:11 swildner Exp $ +# $DragonFly: src/etc/defaults/periodic.conf,v 1.7 2007/12/29 21:44:44 matthias Exp $ # # What files override these defaults ? @@ -43,7 +46,9 @@ daily_clean_disks_verbose="YES" # Mention files deleted daily_clean_tmps_enable="NO" # Delete stuff daily daily_clean_tmps_dirs="/tmp" # Delete under here daily_clean_tmps_days="3" # If not accessed for -daily_clean_tmps_ignore=".X*-lock quota.user quota.group" # Don't delete these +daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix" +daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group" + # Don't delete these daily_clean_tmps_verbose="YES" # Mention files deleted # 120.clean-preserve @@ -89,7 +94,10 @@ daily_news_expire_enable="YES" # Run news.expire # 400.status-disks daily_status_disks_enable="YES" # Check disk status -daily_status_disks_df_flags="-k -t nonfs" # df(1) flags for check +daily_status_disks_df_flags="-k -l -h" # df(1) flags for check + +# 410.logincheck # Check /etc/login.conf +daily_status_security_logincheck_enable="YES" # 420.status-network daily_status_network_enable="YES" # Check network status @@ -132,6 +140,7 @@ daily_status_security_output="root" # user or /file daily_status_security_noamd="NO" # Don't check amd mounts daily_status_security_nomfs="NO" # Don't check mfs mounts daily_status_security_logdir="/var/log" # Directory for logs +daily_status_security_diff_flags="-b" # flags for diff output # 100.chksetuid daily_status_security_chksetuid_enable="YES" 
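Review bot: In the periodic.conf hunk at @@ -89, the new `daily_status_security_logincheck_enable` entry is placed between the 400.status-disks and 420.status-network knobs of the daily section, although it is a `daily_status_security_*` variable for a script installed under security/ (410.logincheck in the Makefile hunk of this patch). The rest of the file keeps the security scripts together after `daily_status_security_logdir`, ordered by number and with the explanatory comment on the variable line, so the entry belongs next to the new `# 520.pfdenied` block as `# 410.logincheck` / `daily_status_security_logincheck_enable="YES" # Check /etc/login.conf`. In the same hunk, `daily_status_disks_df_flags="-k -l -h"` passes two block-size presentations to df(1); which one wins depends on df's option handling, and if human-readable output is the goal, `-l -h` alone states it unambiguously.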
@@ -153,6 +162,9 @@ daily_status_security_ipfwdenied_enable="YES" # 510.ipfdenied daily_status_security_ipfdenied_enable="YES" +# 520.pfdenied +daily_status_security_pfdenied_enable="YES" + # 550.ipfwlimit daily_status_security_ipfwlimit_enable="YES" diff --git a/etc/periodic/daily/110.clean-tmps b/etc/periodic/daily/110.clean-tmps index c9e9955adc..1643afe3a2 100644 --- a/etc/periodic/daily/110.clean-tmps +++ b/etc/periodic/daily/110.clean-tmps @@ -1,7 +1,7 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/110.clean-tmps,v 1.6.2.4 2002/10/13 19:59:01 joerg Exp $ -# $DragonFly: src/etc/periodic/daily/110.clean-tmps,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: src/etc/periodic/daily/110.clean-tmps,v 1.13 2004/02/28 04:58:40 ache Exp $ +# $DragonFly: src/etc/periodic/daily/110.clean-tmps,v 1.3 2007/12/29 21:44:44 matthias Exp $ # # Perform temporary directory cleaning so that long-lived systems # don't end up with excessively old files there. @@ -29,9 +29,13 @@ case "$daily_clean_tmps_enable" in set -f noglob args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days" args="${args} -ctime +$daily_clean_tmps_days" - [ -n "$daily_clean_tmps_ignore" ] && + dargs="-empty -mtime +$daily_clean_tmps_days" + [ -n "$daily_clean_tmps_ignore" ] && { args="$args "`echo " ${daily_clean_tmps_ignore% }" | sed 's/[ ][ ]*/ ! -name /g'` + dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" | + sed 's/[ ][ ]*/ ! -name /g'` + } case "$daily_clean_tmps_verbose" in [Yy][Ee][Ss]) print=-print;; @@ -43,8 +47,7 @@ case "$daily_clean_tmps_enable" in do [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && { find -d . -type f $args -delete $print - find -d . ! -name . -type d -empty -mtime \ - +$daily_clean_tmps_days -delete $print + find -d . ! -name . -type d $dargs -delete $print } | sed "s,^\\., $dir," done | tee /dev/stderr | wc -l) [ -z "$print" ] && rc=0 
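Review bot: In the 110.clean-tmps hunk at @@ -29, the `echo " ${daily_clean_tmps_ignore% }" | sed 's/[ ][ ]*/ ! -name /g'` pipeline is now run twice, once for `args` and once for `dargs`, and the two copies have to stay identical for files and directories to honour the same ignore list. Computing it once, e.g. `ignore=\`echo " ${daily_clean_tmps_ignore% }" | sed 's/[ ][ ]*/ ! -name /g'\`` followed by `args="$args $ignore"` and `dargs="$dargs $ignore"`, removes the duplication. The list is split on blanks only, so an ignore entry containing a space cannot be expressed; that limitation is pre-existing but deserves a comment such as `# entries are whitespace-separated; globs like .X*-lock reach find unexpanded because noglob is set above`. The enclosing case block starts before this hunk.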
diff --git a/etc/periodic/daily/440.status-mailq b/etc/periodic/daily/440.status-mailq index 8daf906a0d..bc6f142740 100644 --- a/etc/periodic/daily/440.status-mailq +++ b/etc/periodic/daily/440.status-mailq @@ -1,7 +1,7 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/440.status-mailq,v 1.9 2002/12/07 23:37:44 keramida Exp $ -# $DragonFly: src/etc/periodic/daily/440.status-mailq,v 1.3 2004/11/15 08:11:59 joerg Exp $ +# $FreeBSD: src/etc/periodic/daily/440.status-mailq,v 1.11 2006/03/08 17:26:53 matteo Exp $ +# $DragonFly: src/etc/periodic/daily/440.status-mailq,v 1.4 2007/12/29 21:44:44 matthias Exp $ # # If there is a global system configuration file, suck it in. @@ -30,11 +30,12 @@ case "$daily_status_mailq_enable" in sort | uniq -c | sort -nr | - awk '$1 > 1 {print $1, $2}';; + awk '$1 >= 1 {print $1, $2}';; *) mailq;; - esac | tee /dev/stderr | fgrep -v 'mqueue is empty' | wc -l) - [ $rc -gt 1 ] && rc=1 + esac | tee /dev/stderr | + egrep -v '(mqueue is empty|Total requests)' | wc -l) + [ $rc -gt 0 ] && rc=1 || rc=0 case "$daily_status_include_submit_mailq" in [Yy][Ee][Ss]) @@ -43,18 +44,19 @@ case "$daily_status_mailq_enable" in echo "" echo "Mail in submit queue:" - rc=$(case "$daily_status_mailq_shorten" in + rc_submit=$(case "$daily_status_mailq_shorten" in [Yy][Ee][Ss]) mailq -Ac | egrep -e '^[[:space:]]+[^[:space:]]+@' | sort | uniq -c | sort -nr | - awk '$1 > 1 {print $1, $2}';; + awk '$1 >= 1 {print $1, $2}';; *) mailq -Ac;; - esac | tee /dev/stderr | fgrep -v 'mqueue is empty' | wc -l) - [ $rc -gt 1 ] && rc=1 + esac | tee /dev/stderr | + egrep -v '(mqueue is empty|Total requests)' | wc -l) + [ $rc_submit -gt 0 ] && rc=1 fi;; esac fi;; diff --git a/etc/periodic/daily/460.status-mail-rejects b/etc/periodic/daily/460.status-mail-rejects index 191426c855..87cc8b3a86 100644 --- a/etc/periodic/daily/460.status-mail-rejects +++ b/etc/periodic/daily/460.status-mail-rejects 
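Review bot: In the 440.status-mailq hunk at @@ -30, `awk '$1 >= 1 {print $1, $2}'` is a tautology: the first field is a `uniq -c` count, which is never below 1, so the condition no longer filters anything and `awk '{print $1, $2}'` expresses the intent directly; the same applies to the @@ -43 hunk. Leaving `$1 >= 1` in place reads as though single-recipient entries were still being dropped, which is exactly the behaviour this change removes. The new `[ $rc -gt 0 ] && rc=1 || rc=0` is safe only because an assignment cannot fail; that is true here, but `if [ $rc -gt 0 ]; then rc=1; else rc=0; fi` avoids the `&& … ||` pitfall for the next editor.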
@@ -1,7 +1,7 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/460.status-mail-rejects,v 1.16 2003/11/07 21:55:35 ru Exp $ -# $DragonFly: src/etc/periodic/daily/460.status-mail-rejects,v 1.3 2004/11/15 08:11:59 joerg Exp $ +# $FreeBSD: src/etc/periodic/daily/460.status-mail-rejects,v 1.20 2005/01/12 01:31:21 brian Exp $ +# $DragonFly: src/etc/periodic/daily/460.status-mail-rejects,v 1.4 2007/12/29 21:44:44 matthias Exp $ # # If there is a global system configuration file, suck it in. @@ -52,9 +52,7 @@ case "$daily_status_mail_rejects_enable" in done cat /var/log/maillog } | - fgrep 'reject=' | - egrep -e "^$start.*ruleset=check_[^[:space:]]+,[[:space:]]+arg1=(<[^@]+@)?([^>,]+).*reject=.*" | - sed -e 's/.*arg1=//' -e 's/.*@//' -e 's/[>[:space:]].*$//' | + sed -n -E "s/^$start"'.*ruleset=check_[^ ]+, +arg1=,]+).*reject=([^ ]+) .* ([^ ]+)$/\2 (\3... \4)/p' | sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l) [ $rc -gt 0 ] && rc=1 fi;; diff --git a/etc/periodic/daily/470.status-named b/etc/periodic/daily/470.status-named index 0afb0c4fa1..c132d8b55b 100644 --- a/etc/periodic/daily/470.status-named +++ b/etc/periodic/daily/470.status-named @@ -1,7 +1,7 @@ #!/bin/sh # -# $FreeBSD: src/etc/periodic/daily/470.status-named,v 1.6 2003/11/07 21:55:35 ru Exp $ -# $DragonFly: src/etc/periodic/daily/470.status-named,v 1.3 2004/11/15 08:11:59 joerg Exp $ +# $FreeBSD: src/etc/periodic/daily/470.status-named,v 1.8 2006/06/11 20:39:12 maxim Exp $ +# $DragonFly: src/etc/periodic/daily/470.status-named,v 1.4 2007/12/29 21:44:44 matthias Exp $ # # If there is a global system configuration file, suck it in. 
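Review bot: In the 460.status-mail-rejects hunk at @@ -52, the replacement `sed -n -E` expression cannot be verified as shown: the pattern `arg1=,]+).*reject=([^ ]+) .* ([^ ]+)$` has an unbalanced `)` and only three visible groups while the replacement references `\4`, which suggests the `<`/`>`-containing part of the bracket expression (the address captures) was lost in the page's rendering rather than in the commit. Whoever applies this should compare the committed line against the FreeBSD revision named in the header (`460.status-mail-rejects,v 1.20`) and run it once against a sample maillog line, because a pattern that never matches makes the report silently empty while `rc` stays 0. `$start` is interpolated into the regex through the double-quoted prefix while the rest is single-quoted; it presumably comes from date(1) as in 470.status-named, so that is fine, but a comment like `# $start is the date prefix; the remainder is single-quoted so sed sees it verbatim` would make the quoting split easier to read.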
@@ -32,24 +32,22 @@ case "$daily_status_named_enable" in start=`date -v-1d '+%b %e'` rc=$(catmsgs | - fgrep '^'"$start"'.*named\[[[:digit:]]\+\]: denied [AI]XFR from \[.*\]\.[[:digit:]]\+ for' | \ - sed -e 's/.*: denied [AI]XFR from \[\(.*\)\]\.[[:digit:]]* for "\(.*\)".*$/\2 from \1/' + fgrep -E "^$start.*named\[[[:digit:]]+\]: transfer of .*failed .*: REFUSED" | + sed -e "s/.*transfer of \'\(.*\)\/IN\' from \(.*\)#[0-9]*: .*/\1 from \2/" | sort -f | uniq -ic | ( usedns=0 - if [ X"${daily_status_named_usedns}" != X"" ]; then - case $daily_status_named_usedns in - [yY][eE][sS]) usedns=1 ;; - esac - fi + case "$daily_status_named_usedns" in + '') ;; + [yY][eE][sS]) usedns=1 ;; + esac while read line ;do ipaddr=`echo "$line" | sed -e 's/^.*from //'` if [ $usedns -eq 1 ]; then name=`host "${ipaddr}" 2>/dev/null | \ - grep 'domain name pointer' | \ - sed -e 's/^.* //'` + sed 's/.*domain name pointer \(.*\)\./\1/'` fi - if [ X"${name}" != X"" ]; then + if [ -n "${name}" ]; then echo "${line} (${name})" else echo "${line}" diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/410.logincheck similarity index 70% copy from etc/periodic/security/800.loginfail copy to etc/periodic/security/410.logincheck index ec72bb51f9..7dae73d236 100644 --- a/etc/periodic/security/800.loginfail +++ b/etc/periodic/security/410.logincheck @@ -1,6 +1,6 @@ #!/bin/sh - # -# Copyright (c) 2001 The FreeBSD Project +# Copyright (c) 2006 Tom Rhodes # All rights reserved. # # Redistribution and use in source and binary forms, with or without 
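Review bot: In the 470.status-named hunk at @@ -32, `fgrep -E "^$start.*named\[[[:digit:]]+\]: transfer of .*failed .*: REFUSED"` combines the fixed-string front end with the extended-regex switch; whether the installed grep honours `-E` there or rejects the conflicting matcher depends on the implementation, and the pattern clearly needs regex semantics (`.*`, `[[:digit:]]+`). `grep -E`, or `egrep` as 800.loginfail uses in this same patch, says the same thing unambiguously. On the following sed line the `\'` sequences inside double quotes reach sed as backslash plus quote, an escape whose meaning varies between sed implementations; since `'` needs no escaping inside double quotes, `sed -e "s/.*transfer of '\(.*\)\/IN' from \(.*\)#[0-9]*: .*/\1 from \2/"` matches the literal quote character without relying on that.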
@@ -24,11 +24,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.1.2.2 2002/04/15 00:44:16 dougb Exp $ -# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.2 2003/06/17 04:24:48 dillon Exp $ -# - -# Show login failures +# $FreeBSD: src/etc/periodic/security/410.logincheck,v 1.1 2006/08/25 07:34:36 trhodes Exp $ +# $DragonFly: src/etc/periodic/security/410.logincheck,v 1.1 2007/12/29 21:44:44 matthias Exp $ # # If there is a global system configuration file, suck it in. @@ -39,25 +36,18 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" - -yesterday=`date -v-1d "+%b %e "` - -catmsgs() { - find ${LOG} -name 'auth.log.*' -mtime -2 | - sort -t. -r -n +1 -2 | - xargs zcat -f - [ -f ${LOG}/auth.log ] && cat $LOG/auth.log -} - -case "$daily_status_security_loginfail_enable" in +case "$daily_status_security_logincheck_enable" in [Yy][Ee][Ss]) echo "" - echo "${host} login failures:" - n=$(catmsgs | grep -ia "^$yesterday.*fail" | - tee /dev/stderr | wc -l) + echo 'Checking login.conf permissions:' + if [ -G /etc/login.conf -a -O /etc/login.conf ] then + n=0 + else + echo "Bad ownership of /etc/login.conf" + n=1 + fi [ $n -gt 0 ] && rc=1 || rc=0;; *) rc=0;; esac -exit $rc +exit "$rc" diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/520.pfdenied similarity index 69% copy from etc/periodic/security/800.loginfail copy to etc/periodic/security/520.pfdenied index ec72bb51f9..1e5b9494ff 100644 --- a/etc/periodic/security/800.loginfail +++ b/etc/periodic/security/520.pfdenied @@ -1,6 +1,6 @@ #!/bin/sh - # -# Copyright (c) 2001 The FreeBSD Project +# Copyright (c) 2004 The FreeBSD Project # All rights reserved. # # Redistribution and use in source and binary forms, with or without 
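Review bot: In the 410.logincheck hunk at @@ -39, the heading announces `Checking login.conf permissions:` but the test `[ -G /etc/login.conf -a -O /etc/login.conf ]` only verifies that the file's owner and group match the effective uid and gid of the periodic run; a correctly owned but group- or world-writable /etc/login.conf passes without comment. Either rename the heading to match the failure message (`Bad ownership of /etc/login.conf`) or add a mode check beside it, e.g. `[ -z "$(find /etc/login.conf -perm -002)" ]` so that world write permission is reported as well. A missing /etc/login.conf also fails both tests and is reported as bad ownership, so a preceding `[ -f /etc/login.conf ]` with its own message would give a clearer diagnosis.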
@@ -24,11 +24,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.1.2.2 2002/04/15 00:44:16 dougb Exp $ -# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.2 2003/06/17 04:24:48 dillon Exp $ -# - -# Show login failures +# $FreeBSD: src/etc/periodic/security/520.pfdenied,v 1.1.2.1 2004/12/08 00:37:50 mlaier Exp $ +# $DragonFly: src/etc/periodic/security/520.pfdenied,v 1.1 2007/12/29 21:44:44 matthias Exp $ # # If there is a global system configuration file, suck it in. @@ -39,24 +36,18 @@ then source_periodic_confs fi -LOG="${daily_status_security_logdir}" - -yesterday=`date -v-1d "+%b %e "` +. /etc/periodic/security/security.functions -catmsgs() { - find ${LOG} -name 'auth.log.*' -mtime -2 | - sort -t. -r -n +1 -2 | - xargs zcat -f - [ -f ${LOG}/auth.log ] && cat $LOG/auth.log -} +rc=0 -case "$daily_status_security_loginfail_enable" in +case "$daily_status_security_pfdenied_enable" in [Yy][Ee][Ss]) - echo "" - echo "${host} login failures:" - n=$(catmsgs | grep -ia "^$yesterday.*fail" | - tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0;; + TMP=`mktemp -t security` + if pfctl -sr -v 2>/dev/null | awk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then + check_diff new_only pf ${TMP} "${host} pf denied packets:" + fi + rc=$? + rm -f ${TMP};; *) rc=0;; esac diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail index ec72bb51f9..c86736a20c 100644 --- a/etc/periodic/security/800.loginfail +++ b/etc/periodic/security/800.loginfail 
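Review bot: In the 520.pfdenied hunk at @@ -39, `TMP=\`mktemp -t security\`` is not checked; if mktemp fails, `${TMP}` is empty, the redirect on the `if` line fails and `rm -f ${TMP}` runs with no operand. The sibling periodic scripts use rc=3 for such failures, so `TMP=\`mktemp -t security\` || exit 3` (the script's `exit` line follows after this hunk) would be consistent. The `if` condition also reflects the status of the last command in the pipeline, i.e. awk, not pfctl, and pfctl's stderr is discarded, so a host without pf produces an empty file that is still handed to check_diff and rotated into `${LOG}/pf.today`; a guard such as `pfctl -sr >/dev/null 2>&1 || exit 0` before the pipeline would skip the rotation in that case. The awk program appears to join each `block` rule with the line that follows it; a comment to that effect, e.g. `# join each block rule with its following line so diff sees one record per rule`, would help the next reader.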
@@ -24,8 +24,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.1.2.2 2002/04/15 00:44:16 dougb Exp $ -# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.8 2007/02/23 21:42:54 remko Exp $ +# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.3 2007/12/29 21:44:44 matthias Exp $ # # Show login failures @@ -45,8 +45,14 @@ yesterday=`date -v-1d "+%b %e "` catmsgs() { find ${LOG} -name 'auth.log.*' -mtime -2 | - sort -t. -r -n +1 -2 | - xargs zcat -f + sort -t. -r -n -k 2,2 | + while read f + do + case $f in + *.gz) zcat -f $f;; + *.bz2) bzcat -f $f;; + esac + done [ -f ${LOG}/auth.log ] && cat $LOG/auth.log } @@ -54,7 +60,7 @@ case "$daily_status_security_loginfail_enable" in [Yy][Ee][Ss]) echo "" echo "${host} login failures:" - n=$(catmsgs | grep -ia "^$yesterday.*fail" | + n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" | tee /dev/stderr | wc -l) [ $n -gt 0 ] && rc=1 || rc=0;; *) rc=0;; diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile index 426d7f4f06..4e16ba51ec 100644 --- a/etc/periodic/security/Makefile +++ b/etc/periodic/security/Makefile @@ -1,12 +1,14 @@ -# $FreeBSD: src/etc/periodic/security/Makefile,v 1.1.2.3 2002/11/07 19:38:46 thomas Exp $ -# $DragonFly: src/etc/periodic/security/Makefile,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: src/etc/periodic/security/Makefile,v 1.6 2006/08/25 07:34:36 trhodes Exp $ +# $DragonFly: src/etc/periodic/security/Makefile,v 1.3 2007/12/29 21:44:44 matthias Exp $ FILES= 100.chksetuid \ 200.chkmounts \ 300.chkuid0 \ 400.passwdless \ + 410.logincheck \ 500.ipfwdenied \ 510.ipfdenied \ + 520.pfdenied \ 550.ipfwlimit \ 600.ip6fwdenied \ 650.ip6fwlimit \ 
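Review bot: In the 800.loginfail hunk at @@ -45, the new `case $f in *.gz) … *.bz2) … esac` loop has no default branch, so a rotated but uncompressed `auth.log.N` that the `find` still returns is now silently skipped, whereas the previous `xargs zcat -f` passed such files through. Adding `*) cat $f;;` restores that behaviour and keeps the failed-login report complete on hosts where newsyslog compresses late or not at all. A one-line comment above the loop, e.g. `# newest rotations first; decompress according to suffix`, would document the intent of the `sort -t. -r -n -k 2,2` ordering.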
diff --git a/etc/periodic/security/security.functions b/etc/periodic/security/security.functions index f48e602e25..deb7ef2c41 100644 --- a/etc/periodic/security/security.functions +++ b/etc/periodic/security/security.functions @@ -24,8 +24,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD: src/etc/periodic/security/security.functions,v 1.1.2.2 2002/11/19 19:00:39 thomas Exp $ -# $DragonFly: src/etc/periodic/security/security.functions,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: src/etc/periodic/security/security.functions,v 1.5 2005/08/22 09:33:36 cperciva Exp $ +# $DragonFly: src/etc/periodic/security/security.functions,v 1.3 2007/12/29 21:44:44 matthias Exp $ # # @@ -44,7 +44,7 @@ check_diff() { rc=0 if [ "$1" = "new_only" ]; then shift - filter="grep '^>'" + filter="grep '^[>+]'" else filter="cat" fi @@ -53,7 +53,7 @@ check_diff() { msg="$1"; shift if [ "${tmpf}" = "-" ]; then - tmpf=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` + tmpf=`mktemp -t security` cat > ${tmpf} fi @@ -68,7 +68,8 @@ check_diff() { [ $rc -lt 1 ] && rc=1 echo "" echo "${msg}" - diff -b ${LOG}/${label}.today ${tmpf} | eval "${filter}" + diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \ + ${tmpf} | eval "${filter}" mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 mv ${tmpf} ${LOG}/${label}.today || rc=3 fi diff --git a/etc/periodic/weekly/310.locate b/etc/periodic/weekly/310.locate index 9774422b90..b4eff9ea32 100644 --- a/etc/periodic/weekly/310.locate +++ b/etc/periodic/weekly/310.locate 
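Review bot: In the security.functions hunk at @@ -44, the `new_only` filter becomes `grep '^[>+]'` so that unified as well as classic diff output can be filtered, but with `-u` the `+++` filename header line also starts with `+` and would be printed as if it were a new entry. If unified output is meant to be supported, `filter="grep -e '^>' -e '^+[^+]'"` (or a `grep -v '^+++ '` after it) keeps the header out of the report. The flags come from `daily_status_security_diff_flags`, whose default in this patch is `-b`, so the issue only appears once an administrator changes that setting; check_diff's body continues outside this hunk.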
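Review bot: In the security.functions hunk at @@ -53, `tmpf=\`mktemp -t security\`` drops the explicit directory but still does not check mktemp's exit status, so a failure leaves `tmpf` empty and the following `cat > ${tmpf}` fails with a confusing error while the caller carries on. Since check_diff already uses rc=3 for the mv failures in the @@ -68 hunk, `tmpf=\`mktemp -t security\` || return 3` keeps the error handling consistent. The `-t` form presumably honours `$TMPDIR`, which would be why the `${TMPDIR:-/tmp}` prefix was dropped; a short comment, e.g. `# -t: create under $TMPDIR (default /tmp) with a unique suffix`, would record that.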
@@ -1,7 +1,7 @@ #!/bin/sh - # -# $FreeBSD: src/etc/periodic/weekly/310.locate,v 1.4.2.2 2000/09/20 02:46:17 jkh Exp $ -# $DragonFly: src/etc/periodic/weekly/310.locate,v 1.2 2003/06/17 04:24:48 dillon Exp $ +# $FreeBSD: src/etc/periodic/weekly/310.locate,v 1.7 2007/02/23 18:44:20 remko Exp $ +# $DragonFly: src/etc/periodic/weekly/310.locate,v 1.3 2007/12/29 21:44:44 matthias Exp $ # # If there is a global system configuration file, suck it in. @@ -24,7 +24,7 @@ case "$weekly_locate_enable" in chmod 644 $locdb || rc=3 cd / - echo /usr/libexec/locate.updatedb | nice -5 su -fm nobody || rc=3 + echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3 chmod 444 $locdb || rc=3;; *) rc=0;; -- 2.11.4.GIT