daily_status_security_inline

  • Thread starter Deleted member 36389

Deleted member 36389

Guest
I've just installed and configured FreeBSD 9.1 and I found that when I add
Code:
daily_status_security_inline="YES"
in /etc/periodic.conf.local, I get no security output at all. The only other custom variable I have in /etc/periodic.conf.local is
Code:
daily_show_success="NO"

I know it's not a matter of no security output to report, because I've experimented with purposely typing the root password wrong, which should produce a warning in the daily security output, but it doesn't. If I leave daily_status_security_inline at the default of 'NO' then I will get the daily security output (and see my invalid root logins), but it's its own email, not inline.

This works as intended in 8.2, so I'm wondering if something's changed in 9.x and I'm just not seeing it, or is this a bug?

Thanks for any tips or info, I appreciate it.
 
Right, forgot to mention that I'm running 9.1-RELEASE and it's fully updated.

I've tried both /etc/periodic.conf and /etc/periodic.conf.local not really expecting it to make a difference but just in case.

Here's a complete sample of what I got today (disk info has been removed but nothing else has). As you can see, there is absolutely no security output.

Code:
Disk status:
Filesystem                             Size    Used   Avail Capacity  Mounted on
.....                                  ...     ...    ...   ...       ...


Local system status:
 3:01AM  up 6 days,  4:06, 0 users, load averages: 0.06, 0.02, 0.00

-- End of daily output --

By comparison, this is what I get from a server running 8.2-RELEASE with the exact same settings in /etc/periodic.conf and the server set up in the exact same way, etc:

Code:
Disk status:
Filesystem                             Size    Used   Avail Capacity  Mounted on
.....                                  ...     ...    ...   ...       ...

Last dump(s) done (Dump '>' file systems):

Local system status:
 3:01AM  up 88 days,  6:34, 0 users, load averages: 0.22, 0.08, 0.02

Security check:

Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

Checking for ports with mismatched checksums:

example.com pf denied packets:
+++ /tmp/security.oPrjKFJ1	2013-04-16 03:58:49.000000000 +0000
+block return in quick proto udp from any to any port = tcpmux [ Evaluations: 17270781 Packets: 417768 Bytes: 15039648 States: 0 ]
+block drop in log quick inet from any to xxx.xxx.xxx.xx [ Evaluations: 7677623 Packets: 9 Bytes: 372 States: 0 ]
+block drop in log inet from any to xxx.xxx.xxx.xx [ Evaluations: 95745 Packets: 39793 Bytes: 2310610 States: 0 ]

example.com kernel log messages:
+++ /tmp/security.8qBFLdUi	2013-04-16 03:58:49.000000000 +0000
+pid 79241 (httpd), uid 80: exited on signal 11

example.com login failures:
Apr 16 14:05:43 example su: BAD SU <username_removed> to root on /dev/pts/1
Apr 16 14:38:35 example sshd[98321]: Invalid user <username_removed> from xxx.xxx.xxx.xxx

example.com refused connections:

-- End of security output --

-- End of daily output --
 
@maniac9978,

I've had the same issue, so you are not alone here. I initially just reverted to showing successes again, but after seeing your post I've dug a little deeper and I believe I have come up with both a permanent fix as well as a workaround. I'm testing now and will provide my comments tomorrow.
 
Never mind my prior comment. My changes have not been tested yet, but I'll post up my comments now. Please let me know if this makes sense. @wblock@, I would appreciate your comments, because if I am understanding the code in 9-STABLE properly I would expect that this still should not be working for you.

Here are the assumptions.

/etc/periodic.conf has been configured with the following lines:
Code:
daily_show_success="NO"
daily_status_security_inline="YES"

/etc/defaults/periodic.conf contains the following defaults:
Code:
daily_status_security_output="root"

Here is the current version of /etc/periodic/daily/450.status-security

http://svnweb.freebsd.org/base/head/etc/periodic/daily/450.status-security?diff_format=h&revision=221432&view=markup
Code:
19		case "$daily_status_security_inline" in
20		    [Yy][Ee][Ss])
21			export security_output="";;
22		    *)
23			export security_output="${daily_status_security_output}"
24			case "${daily_status_security_output}" in
25			    "")
26				rc=3;;
27			    /*)
28				echo "    (output logged separately)"
29				rc=0;;
30			    *)
31				echo "    (output mailed separately)"
32				rc=0;;
33			esac;;
34		esac
35	
36		periodic security || rc=3;;
37	
38	    *)  rc=0;;
39	esac
40	
41	exit $rc

Discussion: With inline being "YES", we hit the first case statement in line 19 and set security_output="". We never hit the second case block starting at line 24, where the blank variable triggers rc=3 to show the output in the final version. The result is that the esac in line 34 ends the case block and we immediately execute periodic security. That will exit successfully with $?=0, and the final results won't show because we aren't showing successes.

Here are my untested changes:
Code:
19		case "$daily_status_security_inline" in
20		    [Yy][Ee][Ss])
21			export security_output="";;
22		    *)
23			export security_output="${daily_status_security_output}";;
24		esac
25	
26		case "$security_output" in
27		    "")
28			rc=3;;
29		    /*)
30			echo "    (output logged separately)"
31			rc=0;;
32		    *)
33			echo "    (output mailed separately)"
34			rc=0;;
35		esac
36
37		periodic security || rc=3;;
38
39	    *)  rc=0;;
40	esac
41
42	exit $rc

Discussion: By modifying lines 23 and 24 to end the first case statement early, we'll now move into the second case block properly. Inline mode triggers security_output="". The second case entry triggers "") and the subsequent rc=3. Finally, periodic security will run, and it should show the results. When inline has not been set, the default of daily_status_security_output="root" will trigger the *) on line 32 and work as intended.

In the prior version in FreeBSD 8, the prior code from 2002 always ended with rc=3. This is why it works in 8.2-RELEASE. See those changes here.
http://svnweb.freebsd.org/base/stable/9/etc/periodic/daily/450.status-security?view=diff&r1=221432&r2=96804&diff_format=h
 
Looking at the code, I see what you mean, but don't have the time to check right now. One difference on my system was that I also had
Code:
security_show_success="NO"
although that may not matter. I may also have misunderstood the original question.
 
My version did not work. I missed that the second case statement ignores what the security_output variable gets set to anyway.

Code:
26		case "${daily_status_security_output}" in

I've modified it to the following, so now it takes the prior statement's output and uses it accordingly. I'll let this run its course on the next run and try out a few different test cases afterward.

Code:
26		case "$security_output" in
 
Thanks for looking into this, @junovitch! Looking forward to it getting fixed.
 
@maniac9978,
You can fetch the fixed version by doing this.
Code:
fetch https://raw.github.com/junovitch/my-freebsd-build/master/patches/450.status-security

PR conf/178611 has been submitted with the patch for a permanent fix.
http://www.freebsd.org/cgi/query-pr.cgi?pr=178611


All tests passed just fine.

Code:
daily_show_success="NO"
daily_status_security_inline="YES"

Passes. Security shows in daily email.

Code:
daily_show_success="NO"
daily_status_security_inline="NO"

Passes. Shows in 2 separate emails.

Code:
daily_show_success="NO"
daily_status_security_inline="NO"
daily_status_security_output="/var/log/daily_status_security.log"

Passes. Logs to file but doesn't say anything in the daily message because of the rc=0.

Code:
daily_show_success="YES"
daily_status_security_inline="NO"
daily_status_security_output="/var/log/daily_status_security.log"

Passes. Shows "Security check: ... (output logged separately)" and logs to file.

Code:
daily_show_success="NO"
daily_status_security_inline="NO"
daily_status_security_output="logcheck"

Passes. Delivers to "logcheck" user and doesn't mention success in the daily message.

Code:
daily_show_success="YES"
daily_status_security_inline="NO"
daily_status_security_output="logcheck"

Passes. Delivers to "logcheck" and says "Security check: ... (output mailed separately)".
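The two control flows junovitch traced above (the 9.x version and the split-case fix) and the six-entry test matrix, modelled as an added example; this is not the thread's script or the committed patch. It stubs `periodic security` to succeed (the "nothing to report" run from the original question) and assumes periodic(8)'s display rule: a section with rc=3 is always printed, rc=0 only when daily_show_success=YES.

```shell
#!/bin/sh
# Added model of the rc logic in 450.status-security, not the real script.
# `periodic security` is replaced by a stub that succeeds (nothing to report).
# periodic(8) shows an rc=3 section unconditionally; rc=0 only if show_success.
run_security_stub() { return 0; }
# 9.x flow quoted above: with inline=YES the nested case setting rc=3 is skipped.
rc_buggy() {    # $1 = daily_status_security_inline, $2 = daily_status_security_output
    rc=0
    case "$1" in
    [Yy][Ee][Ss]) security_output="" ;;
    *)  security_output="$2"
        case "$2" in
        "") rc=3 ;;
        *)  rc=0 ;;    # "(output logged/mailed separately)" echo omitted here
        esac ;;
    esac
    run_security_stub || rc=3
    echo "$rc"
}
# Fixed flow: the second case is split out and tests security_output itself,
# so inline mode ("") forces rc=3 and the section is always displayed.
rc_fixed() {
    rc=0
    case "$1" in
    [Yy][Ee][Ss]) security_output="" ;;
    *)            security_output="$2" ;;
    esac
    case "$security_output" in
    "") rc=3 ;;
    *)  rc=0 ;;
    esac
    run_security_stub || rc=3
    echo "$rc"
}
# Whether periodic(8) prints the section; only rc 0 and 3 occur in this script.
shown() {    # $1 = rc, $2 = daily_show_success
    case "$1:$2" in
    3:*|0:[Yy][Ee][Ss]) echo yes ;;
    *) echo no ;;
    esac
}
# The six configurations from the test matrix above: show_success inline output.
for cfg in "NO YES root" "NO NO root" "NO NO /var/log/daily_status_security.log" \
           "YES NO /var/log/daily_status_security.log" "NO NO logcheck" "YES NO logcheck"; do
    set -- $cfg
    printf 'show_success=%-3s inline=%-3s output=%-36s buggy:%-3s fixed:%s\n' "$1" "$2" "$3" \
        "$(shown "$(rc_buggy "$2" "$3")" "$1")" "$(shown "$(rc_fixed "$2" "$3")" "$1")"
done
```

Only the first row (inline=YES, show_success=NO) differs between the two columns, which is exactly the missing "Security check:" section reported at the top of the thread.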
 
Been using your fixed version for a few days now and it works great. Thanks for taking your time!
 
Thanks! I had been wondering if you had a chance to download the fix. It's hard to believe nobody noticed it and submitted a PR since the last revision two years ago. There must be very few of us actually using it with those two particular options.
 
Yeah, I should have let you know sooner, have just been very busy. That was really bothering me. I'm also surprised no one caught this sooner ... I noticed it as soon as I upgraded to 9.1 and having all that info in one email seems so much more efficient than getting two emails. Anyway, I really do appreciate it. Thanks!
 