Don't test whether a non-blocking read from /dev/random would return
data.
For the sake of availability, /dev/random will unblock based on sources
like timer interrupts, which we can't confidently assert anything about
the actual unpredictability of.
Here, the goal is to highlight systems that have neither obtained
entropy from an HWRNG with a confident entropy assessment, nor been
seeded from a source the operator knows about.
XXX pullup-10
- New /etc/security check for entropy in daily security report.
- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:
. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy
. set `entropy=wait' to make multiuser boot wait until enough entropy
Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.
- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.
- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.
This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.
I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.
mostly just on general principle... this resulted in one or two minor
code reformattings to keep 80 char limits - a few needless uses of
quotes ("no" ??) were also removed (sh is not C. strings are strings
without quotes around them...)
already redirected stdout, rather than duping stdout to stderr!
Without this fix, the disklabel output is included in the log file
rather than being discarded as intended. (The purpose of running
disklabel this first time is only to check for success.)
whose home is (allowed to be) owned by another user.
It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.
Fixes the second half of PR misc/36063
PR/47645.
Add a separate file which contains the paths for the pkg_admin and
pkg_info utilities. This is called /etc/pkgpath.conf (to distinguish it
from pkg.conf).
Thanks also to Edgar Fuss for the sanity check.
favor of the PKG_DBDIR variable in /etc/pkg_install.conf. The purpose
of this is to only have to define the location of the packages database
in a single place and have all other system components pick it up.
pkgdb_dir is still honored if defined and the scripts will spit out a
warning in that case, asking the administrator to migrate to the
PKG_DBDIR setting. We can't remove this compatibility workaround until,
at least, after NetBSD 6 is released.
packages vulnerability database up to date. This will only fetch the
file from the server if it has changed since the last run.
Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.
All of these options are enabled by default but they will only run if
there is, at least, one installed package.
This allows users to override mtree/special entries in mtree/special.local,
which is useful if you've replaced a directory with a symlink (for example).
This effectively makes $check_mtree_follow_symlinks=YES pointless, but
I'm retaining that for compatibility reasons.
Fix bug in generation of $MPBYUID (used "/^+/" instead of "/^\+/" as a regex),
which has existed for a long time but only failed with our awk; GNU awk seems
to have permitted this. (This meant that the duplicate UID check was broken
when using our awk.)
Rename some temp files to more accurately reflect their purpose, to
aid debugging.
name where the user should look at for documentation about rcvar. It defaults
to 'rc.subr(5)', as rc.subr is mainly used by rc.d scripts.
This variable is useful to let the daily, weekly, monthly and security scripts
tune the warning message shown when any of the variables they handle is not
properly set.
Closes PR misc/23908.
When /dev is an fdesc, and /dev/tty is stat()ed without a controlling tty,
a "Device not configured" error is returned.
Filter mtree's stderr to ignore this error.
If fdesc is fixed to not behave in this fashion, this workaround can
be removed; bin/12900 should remain open until that time.
Make ls -A explicit, to help n debugging when not run as root
(-A is implied when ls is run as root)
Ignore dotfiles, as they are not mailboxes (e.g. .jhawk.pop)
/etc/security should produce no output (and thus suppress the report)
when nothing is wrong.
While we're here, use printf instead of two echos, like the rest of
the script.
Default diff_options to -u, for unified-format context diffs,
because context is essential to a useful evaluation of differences.
This represents a behavior change.
Implements change-request PR security/17247 from
Takahiro Kambe <taca@sky.yamashina.kyoto.jp>.
martin