[Midnightbsd-cvs] src: periodic/security: Update security periodic to go with changes in
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Thu Mar 19 23:10:41 EDT 2009
Log Message:
-----------
Update security periodic to go with changes in various system utilities including ipfw
Modified Files:
--------------
src/etc/periodic/security:
100.chksetuid (r1.2 -> r1.3)
200.chkmounts (r1.2 -> r1.3)
300.chkuid0 (r1.2 -> r1.3)
400.passwdless (r1.2 -> r1.3)
500.ipfwdenied (r1.2 -> r1.3)
510.ipfdenied (r1.2 -> r1.3)
520.pfdenied (r1.2 -> r1.3)
550.ipfwlimit (r1.2 -> r1.3)
610.ipf6denied (r1.2 -> r1.3)
700.kernelmsg (r1.2 -> r1.3)
800.loginfail (r1.3 -> r1.4)
900.tcpwrap (r1.2 -> r1.3)
Makefile (r1.2 -> r1.3)
security.functions (r1.2 -> r1.3)
Added Files:
-----------
src/etc/periodic/security:
410.logincheck (r1.1)
Removed Files:
-------------
src/etc/periodic/security:
600.ip6fwdenied
650.ip6fwlimit
-------------- next part --------------
Index: 500.ipfwdenied
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/500.ipfwdenied,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/500.ipfwdenied -L etc/periodic/security/500.ipfwdenied -u -r1.2 -r1.3
--- etc/periodic/security/500.ipfwdenied
+++ etc/periodic/security/500.ipfwdenied
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/500.ipfwdenied,v 1.6 2005/02/23 15:07:36 ssouhlal Exp $
-#
+# $MidnightBSD$
# If there is a global system configuration file, suck it in.
#
Index: security.functions
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/security.functions,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/security.functions -L etc/periodic/security/security.functions -u -r1.2 -r1.3
--- etc/periodic/security/security.functions
+++ etc/periodic/security/security.functions
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
+# $FreeBSD: src/etc/periodic/security/security.functions,v 1.5 2005/08/22 09:33:36 cperciva Exp $
# $MidnightBSD$
-# $FreeBSD: src/etc/periodic/security/security.functions,v 1.4.2.1 2005/08/25 19:07:28 cperciva Exp $
-#
#
# Show differences in the output of an audit command
--- etc/periodic/security/600.ip6fwdenied
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $MidnightBSD: src/etc/periodic/security/600.ip6fwdenied,v 1.2 2006/08/28 02:13:43 laffer1 Exp $
-# $FreeBSD: src/etc/periodic/security/600.ip6fwdenied,v 1.5 2003/06/30 22:06:26 mtm Exp $
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-. /etc/periodic/security/security.functions
-
-rc=0
-
-case "$daily_status_security_ip6fwdenied_enable" in
- [Yy][Ee][Ss])
- TMP=`mktemp -t security`
- if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
- check_diff new_only ip6fw ${TMP} "${host} ip6fw denied packets:"
- fi
- rc=$?
- rm -f ${TMP};;
- *) rc=0;;
-esac
-
-exit $rc
Index: 550.ipfwlimit
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/550.ipfwlimit,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/550.ipfwlimit -L etc/periodic/security/550.ipfwlimit -u -r1.2 -r1.3
--- etc/periodic/security/550.ipfwlimit
+++ etc/periodic/security/550.ipfwlimit
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
+# $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.10 2005/09/11 14:29:58 maxim Exp $
# $MidnightBSD$
-# $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.7.2.2 2005/09/13 14:31:34 maxim Exp $
-#
# Show ipfw rules which have reached the log limit
#
Index: 900.tcpwrap
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/900.tcpwrap,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/900.tcpwrap -L etc/periodic/security/900.tcpwrap -u -r1.2 -r1.3
--- etc/periodic/security/900.tcpwrap
+++ etc/periodic/security/900.tcpwrap
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/900.tcpwrap,v 1.3 2003/01/05 21:32:50 se Exp $
-#
+# $MidnightBSD$
# Show tcp_wrapper warning messages
#
--- etc/periodic/security/650.ip6fwlimit
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $MidnightBSD: src/etc/periodic/security/650.ip6fwlimit,v 1.2 2006/08/28 02:13:43 laffer1 Exp $
-# $FreeBSD: src/etc/periodic/security/650.ip6fwlimit,v 1.6 2003/06/30 22:06:26 mtm Exp $
-#
-
-# Show ip6fw rules which have reached the log limit
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-rc=0
-
-case "$daily_status_security_ip6fwlimit_enable" in
- [Yy][Ee][Ss])
- TMP=`mktemp -t security`
- IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
- if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
- ip6fw -a l | grep " log " | \
- grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
- awk -v limit="$IPFW_LOG_LIMIT" \
- '{if ($2 > limit) {print $0}}' > ${TMP}
- if [ -s "${TMP}" ]; then
- rc=1
- echo ""
- echo 'ip6fw log limit reached:'
- cat ${TMP}
- fi
- fi
- rm -f ${TMP};;
- *) rc=0;;
-esac
-
-exit $rc
Index: 300.chkuid0
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/300.chkuid0,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/300.chkuid0 -L etc/periodic/security/300.chkuid0 -u -r1.2 -r1.3
--- etc/periodic/security/300.chkuid0
+++ etc/periodic/security/300.chkuid0
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/300.chkuid0,v 1.1 2001/12/07 23:57:38 cjc Exp $
-#
+# $MidnightBSD$
# If there is a global system configuration file, suck it in.
Index: 520.pfdenied
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/520.pfdenied,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/520.pfdenied -L etc/periodic/security/520.pfdenied -u -r1.2 -r1.3
--- etc/periodic/security/520.pfdenied
+++ etc/periodic/security/520.pfdenied
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/520.pfdenied,v 1.1 2004/11/24 18:41:53 mlaier Exp $
-#
+# $MidnightBSD$
# If there is a global system configuration file, suck it in.
#
Index: 800.loginfail
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/800.loginfail,v
retrieving revision 1.3
retrieving revision 1.4
diff -L etc/periodic/security/800.loginfail -L etc/periodic/security/800.loginfail -u -r1.3 -r1.4
--- etc/periodic/security/800.loginfail
+++ etc/periodic/security/800.loginfail
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
+# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.8 2007/02/23 21:42:54 remko Exp $
# $MidnightBSD$
-# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.5 2003/01/05 21:32:50 se Exp $
-#
# Show login failures
#
@@ -60,7 +59,7 @@
[Yy][Ee][Ss])
echo ""
echo "${host} login failures:"
- n=$(catmsgs | egrep -ia "^$yesterday.*(fail|invalid|bad|illegal)" |
+ n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" |
tee /dev/stderr | wc -l)
[ $n -gt 0 ] && rc=1 || rc=0;;
*) rc=0;;
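Review bot: The tightened pattern on the `n=$(catmsgs | egrep -ia ...` line requires a space immediately before the keyword in addition to the `: ` separator, so as written a log line whose message text begins with the keyword directly after the tag (a constructed example: `prog[123]: Failed ...` with no later keyword) no longer matches and silently drops out of the login-failure report. If the intent was only to stop matching keywords inside the hostname or program tag, `"^$yesterday.*: .*(fail|invalid|bad|illegal)"` keeps that restriction while still matching a keyword at the start of the message. The enclosing `case` statement starts and ends outside the hunk, so how `$yesterday` is built is not visible here.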
Index: 200.chkmounts
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/200.chkmounts,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/200.chkmounts -L etc/periodic/security/200.chkmounts -u -r1.2 -r1.3
--- etc/periodic/security/200.chkmounts
+++ etc/periodic/security/200.chkmounts
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/200.chkmounts,v 1.5 2002/10/25 15:14:16 thomas Exp $
-#
+# $MidnightBSD$
# Show changes in the way filesystems are mounted
#
--- /dev/null
+++ etc/periodic/security/410.logincheck
@@ -0,0 +1,52 @@
+#!/bin/sh -
+#
+# Copyright (c) 2006 Tom Rhodes
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD: src/etc/periodic/security/410.logincheck,v 1.1 2006/08/25 07:34:36 trhodes Exp $
+# $MidnightBSD: src/etc/periodic/security/410.logincheck,v 1.1 2009/03/20 03:10:40 laffer1 Exp $
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_security_logincheck_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking login.conf permissions:'
+ if [ -G /etc/login.conf -a -O /etc/login.conf ] then
+ n=0
+ else
+ echo "Bad ownership of /etc/login.conf"
+ n=1
+ fi
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit "$rc"
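Review bot: As shown, `if [ -G /etc/login.conf -a -O /etc/login.conf ] then` has no `;` or newline before `then`, so `sh` cannot parse the `if`/`else`/`fi` and the check never produces a result; it should read `if [ -G /etc/login.conf -a -O /etc/login.conf ]; then`. Beyond that, `-G`/`-O` compare the file's group and owner with the effective IDs of whoever runs the script rather than with root/wheel, and nothing inspects the mode bits even though the banner says "permissions", so a group- or world-writable login.conf would pass and a missing file is reported as bad ownership. A comment stating that the script assumes it is run as root by periodic, or an explicit owner-and-mode comparison, would make the check mean what its output says. The script also runs only when `daily_status_security_logincheck_enable` is yes, and the commit's file list shows no change outside etc/periodic/security, so it is worth confirming that a default for that knob is defined in periodic.conf.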
Index: 510.ipfdenied
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/510.ipfdenied,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/510.ipfdenied -L etc/periodic/security/510.ipfdenied -u -r1.2 -r1.3
--- etc/periodic/security/510.ipfdenied
+++ etc/periodic/security/510.ipfdenied
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/510.ipfdenied,v 1.2 2003/06/30 22:06:26 mtm Exp $
-#
+# $MidnightBSD$
# If there is a global system configuration file, suck it in.
#
Index: Makefile
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/Makefile,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/Makefile -L etc/periodic/security/Makefile -u -r1.2 -r1.3
--- etc/periodic/security/Makefile
+++ etc/periodic/security/Makefile
@@ -1,16 +1,14 @@
# $MidnightBSD$
-# $FreeBSD: src/etc/periodic/security/Makefile,v 1.4 2004/11/24 18:41:53 mlaier Exp $
FILES= 100.chksetuid \
200.chkmounts \
300.chkuid0 \
400.passwdless \
+ 410.logincheck \
500.ipfwdenied \
510.ipfdenied \
520.pfdenied \
550.ipfwlimit \
- 600.ip6fwdenied \
- 650.ip6fwlimit \
700.kernelmsg \
800.loginfail \
900.tcpwrap \
Index: 700.kernelmsg
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/700.kernelmsg,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/700.kernelmsg -L etc/periodic/security/700.kernelmsg -u -r1.2 -r1.3
--- etc/periodic/security/700.kernelmsg
+++ etc/periodic/security/700.kernelmsg
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/700.kernelmsg,v 1.7 2002/11/16 14:57:12 thomas Exp $
-#
+# $MidnightBSD$
# Show kernel log messages
#
Index: 100.chksetuid
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/100.chksetuid,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/100.chksetuid -L etc/periodic/security/100.chksetuid -u -r1.2 -r1.3
--- etc/periodic/security/100.chksetuid
+++ etc/periodic/security/100.chksetuid
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
+# $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.8.14.1 2008/01/29 00:22:33 dougb Exp $
# $MidnightBSD$
-# $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.8 2005/01/13 15:07:35 glebius Exp $
-#
# If there is a global system configuration file, suck it in.
#
@@ -45,7 +44,7 @@
echo ""
echo 'Checking setuid files and devices:'
# XXX Note that there is the possibility of overrunning the args to ls
- MP=`mount -t ufs | egrep -v " no(suid|exec)" | awk '{ print $3 }' | sort`
+ MP=`mount -t ufs,zfs | egrep -v " no(suid|exec)" | awk '{ print $3 }' | sort`
if [ -n "${MP}" ]
then
set ${MP}
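Review bot: The mount-point list built on the changed `MP=` line is split on whitespace twice, by `awk '{ print $3 }'` and by the unquoted `set ${MP}`, so a mount point whose path contains a space is truncated or split and that filesystem is presumably not scanned for setuid files. Extending the list to zfs may make this matter more often, since dataset mount points are chosen by the administrator. At minimum a comment beside the existing XXX note, e.g. `# XXX mount points containing whitespace are not handled and will be skipped`, would tell the reader the scan is not exhaustive. The enclosing `case` branch starts and ends outside the hunk.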
Index: 610.ipf6denied
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/610.ipf6denied,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/610.ipf6denied -L etc/periodic/security/610.ipf6denied -u -r1.2 -r1.3
--- etc/periodic/security/610.ipf6denied
+++ etc/periodic/security/610.ipf6denied
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/610.ipf6denied,v 1.1 2004/04/20 13:44:57 darrenr Exp $
-#
+# $MidnightBSD$
# If there is a global system configuration file, suck it in.
#
Index: 400.passwdless
===================================================================
RCS file: /home/cvs/src/etc/periodic/security/400.passwdless,v
retrieving revision 1.2
retrieving revision 1.3
diff -L etc/periodic/security/400.passwdless -L etc/periodic/security/400.passwdless -u -r1.2 -r1.3
--- etc/periodic/security/400.passwdless
+++ etc/periodic/security/400.passwdless
@@ -24,9 +24,8 @@
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
-# $MidnightBSD$
# $FreeBSD: src/etc/periodic/security/400.passwdless,v 1.1 2001/12/07 23:57:38 cjc Exp $
-#
+# $MidnightBSD$
# If there is a global system configuration file, suck it in.
#