Commit Graph

131 Commits

Author SHA1 Message Date
martin 1095510aed Fix sysctl invocation testing for missing entropy. 2023-07-05 12:07:21 +00:00
riastradh 2cfa14dfd4 security(5): Check kern.entropy.needed for confident entropy.
Don't test whether a non-blocking read from /dev/random would return
data.

For the sake of availability, /dev/random will unblock based on sources
like timer interrupts, which we can't confidently assert anything about
the actual unpredictability of.

Here, the goal is to highlight systems that have neither obtained
entropy from an HWRNG with a confident entropy assessment, nor been
seeded from a source the operator knows about.

XXX pullup-10
2023-06-30 21:42:29 +00:00
nia 8e79eccae6 Recognize argon2 passwords as valid in daily security reports.
from RVP in misc/56486
2021-11-04 12:40:00 +00:00
riastradh cba96d16f7 Various entropy integration improvements.
- New /etc/security check for entropy in daily security report.

- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
  check for entropy at boot -- in rc.conf, you can:

  . set `entropy=check' to halt multiuser boot and enter single-user
    mode if not enough entropy

  . set `entropy=wait' to make multiuser boot wait until enough entropy

  Default is to always boot without waiting -- and rely on other
  channels like security report to alert the operator if there's a
  problem.

- New man page entropy(7) discussing the higher-level concepts and
  system integration with cross-references.

- New paragraph in afterboot(8) about entropy citing entropy(7) for
  more details.

This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.

I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
  users who have power to affect the entropy estimate (maybe it is,
  just haven't decided).
- We only have a mechanism for changing once at boot; the message would
  remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
  conditionally from boot to boot.
2021-01-10 23:24:25 +00:00
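Added example (not NetBSD's /etc/security or /etc/rc.d/entropy, which the two entropy commits above describe): a check based on the kern.entropy.needed sysctl rather than on whether a non-blocking read from /dev/random would succeed, plus the boot-time decision the entropy=check / entropy=wait rc.conf settings imply. It assumes, as entropy(7) describes, that kern.entropy.needed reports the number of bits the kernel still wants before it considers itself seeded and is 0 once seeded; the function names and message texts are this example's own. The value can be passed in directly so the logic can be exercised on a host without that sysctl.

```sh
#!/bin/sh
# Added example, not the project's code.  Assumption: kern.entropy.needed
# is the number of entropy bits still needed, 0 meaning seeded.

# Print the bits still needed, or "unknown" when the sysctl is absent
# (non-NetBSD host, or a kernel without the node).  An explicit argument
# overrides the sysctl so the logic can be tested anywhere.
entropy_needed() {
	if [ $# -gt 0 ]; then
		printf '%s\n' "$1"
		return 0
	fi
	needed=$(sysctl -n kern.entropy.needed 2>/dev/null) || needed=""
	case $needed in
	''|*[!0-9]*) printf 'unknown\n' ;;
	*)           printf '%s\n' "$needed" ;;
	esac
}

# Boot policy: given the rc.conf entropy= setting and the needed value,
# "check" drops to single-user, "wait" blocks until seeded, anything
# else boots and leaves the alert to the daily security report.
entropy_boot_action() {
	setting=$1 needed=$2
	if [ "$needed" = 0 ]; then
		echo continue
		return 0
	fi
	case $setting in
	check) echo single-user ;;
	wait)  echo wait ;;
	*)     echo continue ;;
	esac
}

# Security-report check: print nothing when seeded (no output means no
# report), a warning otherwise.  A non-blocking /dev/random read that
# returns data is not used as evidence, since the kernel also unblocks
# it on sources such as timer interrupts whose unpredictability it
# cannot vouch for.
entropy_report() {
	needed=$(entropy_needed "$@")
	case $needed in
	0) ;;
	unknown)
		echo 'Cannot determine entropy state (kern.entropy.needed unavailable).'
		;;
	*)
		printf 'System is lacking entropy: %s bits still needed.\n' "$needed"
		echo 'See entropy(7); seed via rndctl(8) or an HWRNG with a confident estimate.'
		;;
	esac
}

entropy_report
```

Run on a NetBSD host it queries the real sysctl; elsewhere it reports the state as unknown rather than silently passing, which is the behaviour a daily report should have when it cannot tell.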
wiz d5fdd803ef Update default pkgsrc database location from /var/db/pkg to /usr/pkg/pkgdb. 2020-12-02 14:18:13 +00:00
riastradh c91905c4be Save the entropy seed daily in /etc/security. 2019-12-06 14:43:29 +00:00
uwe c3e808d597 Use $file instead of $(echo $file). I don't think the extra round of
word expansions was really intended here.
2019-09-18 22:27:55 +00:00
kre d65b3b7a40 Fix an obvious botch in the previous rev, found by martin@ 2018-10-04 11:50:34 +00:00
kre 9ae2b31ff9 Convert uses of test (aka '[') to use only posix specified forms,
mostly just on general principle...   this resulted in one or two minor
code reformattings to keep 80 char limits - a few needless uses of
quotes ("no" ??) were also removed (sh is not C. strings are strings
without quotes around them...)
2018-09-23 23:48:33 +00:00
mlelstv 2f6dbbcf88 Use sysctl to retrieve iostat names instead of parsing possibly
truncated iostat output.

Check dkctl listwedges output with grep.

Fixes PR 59205.
2018-01-06 23:44:06 +00:00
riastradh 25e09ac3be Record current raid configurations too in /etc/security. 2016-02-29 16:16:42 +00:00
pgoyette 6b45f4ed79 Set the redirection correctly, so that stderr gets duped to the
already redirected stdout, rather than duping stdout to stderr!

Without this fix, the disklabel output is included in the log file
rather than being discarded as intended.  (The purpose of running
disklabel this first time is only to check for success.)
2015-04-20 22:46:35 +00:00
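Added example, not a reconstruction of the line that commit fixed: the redirection-order pitfall it describes, with a stand-in for disklabel(8) that writes to both streams. noisy(), probe_wrong() and probe_right() are this example's names; the point is that `2>&1 >/dev/null` copies stderr to whatever stdout was at that moment (in /etc/security, the report), while `>/dev/null 2>&1` discards both.

```sh
#!/bin/sh
# Added example, not the project's code.  noisy() stands in for a
# command such as disklabel(8) that prints to stdout and stderr and
# whose exit status is all the caller wants from a first probe run.
noisy() {
	echo 'label data'
	echo 'disklabel: error text' >&2
	return "${1:-0}"
}

# Wrong order: "2>&1" is applied first, so stderr is duplicated onto the
# current stdout (the report or log file); only then is stdout sent to
# /dev/null.  The stderr text leaks into the output.
probe_wrong() { noisy "$@" 2>&1 >/dev/null; }

# Right order: stdout is redirected first, then stderr is duplicated
# onto the already redirected stdout, so both are discarded.
probe_right() { noisy "$@" >/dev/null 2>&1; }

# Intended pattern: run the probe only for its exit status, and run the
# command for real (keeping stdout, dropping stderr) only if it passed.
probe_then_run() {
	if probe_right "$1"; then
		noisy "$1" 2>/dev/null
	fi
}

probe_then_run 0
```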
nakayama 29acffa014 Avoid nfs devices correctly. 2015-02-14 19:46:55 +00:00
uebayasi b249d4b6e0 Indent and space fixes. 2014-12-13 02:17:35 +00:00
christos 3c3f7bb88a - generate the list of disks only once and select from them later
- don't generate empty/useless files when disklabel or dkctl don't have data
2014-11-23 16:36:03 +00:00
apb 8ce568ce88 Split some long lines. 2014-08-27 13:56:02 +00:00
spz acaf72ec02 Introduce a variable for security.conf, default empty, to list users
whose home is (allowed to be) owned by another user.

It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.

Fixes the second half of PR misc/36063
2013-11-06 19:37:05 +00:00
spz 0d7af235a1 having more than one line with the same group name and gid is not only
allowed, it's even recommended for groups with lots of members, so
do not warn about duplicate group name lines if the gid is the same
2013-11-06 19:30:20 +00:00
prlw1 dc76b0b003 Add defaults for pkg_info and pkg_admin variables in case pkgpath.conf
is not installed.
2013-09-08 08:19:40 +00:00
agc 1410cf30c2 Fix for problematic paths in /etc/daily and /etc/security reported in
PR/47645.

Add a separate file which contains the paths for the pkg_admin and
pkg_info utilities. This is called /etc/pkgpath.conf (to distinguish it
from pkg.conf).

Thanks also to Edgar Fuss for the sanity check.
2013-05-01 05:36:25 +00:00
spz c6302b7410 change security so that there is a configuration value for the list of
users who will not be considered for duplicate uid check.
Seed it with 'toor' in defaults/security.conf.
2012-04-05 09:09:27 +00:00
christos 6f0af47a9f too much quoting. pointed by anon ymous 2011-03-02 17:00:28 +00:00
christos 4f848eee4b `` -> $() 2010-12-27 03:38:52 +00:00
jmmv 53cb2117e8 Deprecate the pkgdb_dir settings from daily.conf and security.conf in
favor of the PKG_DBDIR variable in /etc/pkg_install.conf.  The purpose
of this is to only have to define the location of the packages database
in a single place and have all other system components pick it up.

pkgdb_dir is still honored if defined and the scripts will spit out a
warning in that case, asking the administrator to migrate to the
PKG_DBDIR setting.  We can't remove this compatibility workaround until,
at least, after NetBSD 6 is released.
2010-02-05 16:29:02 +00:00
jmmv 497b5f8044 Add the fetch_pkg_vulnerabilities option to the daily script to keep the
packages vulnerability database up to date.  This will only fetch the
file from the server if it has changed since the last run.

Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.

All of these options are enabled by default but they will only run if
there is, at least, one installed package.
2010-01-19 22:08:11 +00:00
haad a4e585254c Add support for lvm to security script. Backup lvm configuration to /var/backup/lvm with other system backups. Disable lvm check until MKLVM is enabled by default. no objections on tech-userlevel@. 2009-01-27 10:32:18 +00:00
dholland d08cb6cf65 Handle non-trivial NIS compat entries (like +joe:::::::::) in the password
file. Fixes (my own) PR bin/33138.

reviewed: christos
2007-11-23 15:51:27 +00:00
adrianp 67b08a07ec The location of the pkg_info binary can now be specified in /etc/security.conf.
The default remains as /usr/sbin/pkg_info.  This should fix PR# 36746.
2007-08-27 19:57:02 +00:00
tron b21dec1752 Add code to monitor the disk wedges (see dk(4)) configured on the
system. Based on a patch contributed by Andreas Wrede in PR misc/36747.
2007-08-09 07:50:58 +00:00
martti d405da7f9d Use "mktemp -d -t xxx" to create the temporary directories. This will use
TMPDIR environment variable if set, otherwise use /tmp.  (misc/35544)
2007-06-06 13:30:47 +00:00
jnemeth f2e950685d PR/36058 -- fix check for group/other writable home directories from
Jukka Salmi
2007-03-27 08:37:58 +00:00
tron 820a357648 Improve security check for "/etc/exports":
1.) Properly handle line continuation and network exports.
2.) Make the report more compact.

Patch contributed by Jukka Salmi in PR bin/24583.
2006-09-26 08:32:40 +00:00
jmcneill 64b4f9dcf8 PR #26490: /etc/security is not aware of sha1 passwords 2006-09-23 04:07:01 +00:00
lukem 6d23caf285 Implement check_devices_ignore_paths, which is a list of paths to
avoid traversing during check_devices.
2006-05-25 02:38:10 +00:00
veego f43a65b85e Don't try to backup a 'nfs' disklabel, which will happen because of the
recent iostat changes.
Patch supplied in pr# 33274 by Geoff C. Wing.
2006-04-17 07:38:53 +00:00
rpaulo 17c8f9e65d PR 32666: /etc/security may cause tapes to rewind. By Duncan McEwan. 2006-01-29 23:17:24 +00:00
peter 271ad04cd9 Allow an underscore as first character and embedded underscores & dots
for login and group names.

Fixes PR misc/29913 from Arto Selonen.
2005-04-11 15:46:42 +00:00
jdolecek 8e401e6c31 add a check_passwd_permit_nonalpha option, which changes the passwd
test to permit non-alphanumeric characters in login names
2005-02-05 15:26:37 +00:00
kim f7dc8a9650 When checking /etc/exports, account for "-network=XXX" as restricting
the mount (i.e. it is not considered globally exported).

Fixes PR: 26890
2004-11-21 19:00:12 +00:00
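Added example, not the project's own /etc/exports check, covering the two exports(5) points raised by the commits above (tron's backslash line continuation and kim's -network= restriction): backslash-continued lines are joined into one logical entry, comments stripped, and an entry is reported as exported to everyone only when it names no host or netgroup and carries no -network option. The sample exports content is constructed for the example, and exports_world() and sample_exports() are its own names.

```sh
#!/bin/sh
# Added example, not the project's code.  Prints the paths of each
# exports(5) entry that is exported to the world.  Reads a file given
# as $1, or stdin.
exports_world() {
	awk '
	# A trailing backslash continues the entry on the next line.
	/\\$/ { sub(/\\$/, ""); buf = buf $0; next }
	{ line = buf $0; buf = "" }
	{
		sub(/#.*/, "", line)                 # drop comments
		n = split(line, f, /[ \t]+/)
		npaths = 0; restricted = 0
		for (i = 1; i <= n; i++) {
			if (f[i] == "") continue
			if (f[i] ~ /^\//)
				paths[++npaths] = f[i]   # an exported path
			else if (f[i] ~ /^-/) {
				# an option; only -network limits the clients
				if (f[i] ~ /^-network/) restricted = 1
			} else
				restricted = 1           # a host or netgroup
		}
		if (npaths > 0 && !restricted) {
			out = paths[1]
			for (i = 2; i <= npaths; i++) out = out " " paths[i]
			print out
		}
	}' "${1:--}"
}

# Constructed sample: one continued entry restricted by -network, one
# restricted to a host, and two that are open to everyone.
sample_exports() {
	cat <<'EOF'
# constructed sample exports file
/home -alldirs -maproot=0 \
    -network=192.0.2.0 -mask=255.255.255.0
/usr/src -ro buildhost
/pub /pub/mirror -ro
/scratch
EOF
}

sample_exports | exports_world
```

Without the continuation handling the `-network=` line would be parsed as an entry of its own and /home would be reported as world-exported, which is the false positive the first commit removed.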
erh 7da8bb106d PR misc/7716: add configuration options find_core_ignore_fstypes and
check_devices_ignore_fstypes to allow the filesystem types that are
ignored during the daily and security runs to be adjusted.
2004-09-28 15:03:58 +00:00
lukem 610ee5bd6f Merge /etc/mtree/special & /etc/mtree/special.local using "mtree -M".
This allows users to override mtree/special entries in mtree/special.local,
which is useful if you've replaced a directory with a symlink (for example).
This effectively makes $check_mtree_follow_symlinks=YES pointless, but
I'm retaining that for compatibility reasons.

Fix bug in generation of $MPBYUID (used "/^+/" instead of "/^\+/" as a regex),
which has existed for a long time but only failed with our awk; GNU awk seems
to have permitted this.  (This meant that the duplicate UID check was broken
when using our awk.)

Rename some temp files to more accurately reflect their purpose, to
aid debugging.
2004-07-23 06:12:16 +00:00
kim 4d55452261 Catch STDERR from /etc/security.local (not just STDOUT). 2004-04-09 17:33:35 +00:00
jmmv 3c8a1444d9 Introduce and use the rcvar_manpage variable, which contains the manual page
name where the user should look at for documentation about rcvar.  It defaults
to 'rc.subr(5)', as rc.subr is mainly used by rc.d scripts.

This variable is useful to let the daily, weekly, monthly and security scripts
tune the warning message shown when any of the variables they handle is not
properly set.

Closes PR misc/23908.
2004-04-02 13:13:47 +00:00
jdolecek ba30c144ea add missing && in the home directory group writability condition;
gawk somehow coped even without (defaults to && ?), but nawk printed
bogus warnings (defaults to || ?)
2004-02-09 09:04:13 +00:00
jhawk 6a6c54a1d0 Provide a workaround for PR bin/12900.
When /dev is an fdesc, and /dev/tty is stat()ed without a controlling tty,
a "Device not configured" error is returned.

Filter mtree's stderr to ignore this error.

If fdesc is fixed to not behave in this fashion, this workaround can
be removed; bin/12900 should remain open until that time.
2003-11-19 20:28:19 +00:00
jhawk 3460455823 In check_varmail (mailbox ownership/permissions check):
Make ls -A explicit, to help in debugging when not run as root
    (-A is implied when ls is run as root)
  Ignore dotfiles, as they are not mailboxes (e.g. .jhawk.pop)
2003-11-18 03:30:40 +00:00
jhawk ea872628e6 XXX: note pairwise cascaded test inversion in permit_star.
Add checkyesno check_homes_permit_usergroups to allow group writability
  when the groupname matches the username.  Defaults to off.
2003-11-18 03:23:53 +00:00
jhawk 6a61a211cf Suppress output when running security.local if it produces no output.
/etc/security should produce no output (and thus suppress the report)
when nothing is wrong.

While we're here, use printf instead of two echos, like the rest of
the script.
2003-10-01 04:29:03 +00:00
jhawk 1d79603c81 Use $diff_options when running diff in /etc/security.
Default diff_options to -u, for unified-format context diffs,
because context is essential to a useful evaluation of differences.
This represents a behavior change.

Implements change-request PR security/17247 from
Takahiro Kambe <taca@sky.yamashina.kyoto.jp>.
2003-02-21 22:47:51 +00:00
jhawk 687107d3c0 Under check_mtree, invoke mtree with -L if check_mtree_follow_symlinks is set.
Apparently mtree -L is imperfect, but it is far better than the lack thereof
if symlinks are involved reaching files mtree verifies.
2003-02-13 02:42:06 +00:00