# daily_status_security_inline



## Deleted member 36389 (Apr 15, 2013)

I've just installed and configured FreeBSD 9.1 and I found that when I add

```
daily_status_security_inline="YES"
```

in /etc/periodic.conf.local that I get no security output at all. The only other custom variable I have in /etc/periodic.conf.local is

```
daily_show_success="NO"
```

I know it's not a matter of no security output to report because I've experimented with purposely typing the root password wrong which should produce a warning in the daily security output but it doesn't. If I leave daily_status_security_inline at the default of 'NO' then I will get the daily security output (and see my invalid root logins) but it's its own email not inline.

This works as intended in 8.2 so I'm wondering if something's changed in 9.x and I'm just not seeing it or is this a bug?

Thanks for any tips or info, I appreciate it.


----------



## wblock@ (Apr 16, 2013)

Those settings work for me in /etc/periodic.conf on 9-STABLE.


----------



## Deleted member 36389 (Apr 16, 2013)

Right, forgot to mention that I'm running 9.1-RELEASE and it's fully updated.

I've tried both /etc/periodic.conf and /etc/periodic.conf.local not really expecting it to make a difference but just in case.

Here's a complete sample of what I got today (disk info has been removed but nothing else has). As you can see absolutely no security output.


```
Disk status:
Filesystem                             Size    Used   Avail Capacity  Mounted on
.....                                  ...     ...    ...   ...       ...


Local system status:
 3:01AM  up 6 days,  4:06, 0 users, load averages: 0.06, 0.02, 0.00

-- End of daily output --
```

By comparison this is what I get from a server running 8.2-RELEASE with the exact same settings in /etc/periodic.conf and the server setup in the exact same way, etc:


```
Disk status:
Filesystem                             Size    Used   Avail Capacity  Mounted on
.....                                  ...     ...    ...   ...       ...

Last dump(s) done (Dump '>' file systems):

Local system status:
 3:01AM  up 88 days,  6:34, 0 users, load averages: 0.22, 0.08, 0.02

Security check:

Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

Checking for ports with mismatched checksums:

example.com pf denied packets:
+++ /tmp/security.oPrjKFJ1	2013-04-16 03:58:49.000000000 +0000
+block return in quick proto udp from any to any port = tcpmux [ Evaluations: 17270781 Packets: 417768 Bytes: 15039648 States: 0 ]
+block drop in log quick inet from any to xxx.xxx.xxx.xx [ Evaluations: 7677623 Packets: 9 Bytes: 372 States: 0 ]
+block drop in log inet from any to xxx.xxx.xxx.xx [ Evaluations: 95745 Packets: 39793 Bytes: 2310610 States: 0 ]

example.com kernel log messages:
+++ /tmp/security.8qBFLdUi	2013-04-16 03:58:49.000000000 +0000
+pid 79241 (httpd), uid 80: exited on signal 11

example.com login failures:
Apr 16 14:05:43 example su: BAD SU <username_removed> to root on /dev/pts/1
Apr 16 14:38:35 example sshd[98321]: Invalid user <username_removed> from xxx.xxx.xxx.xxx

example.com refused connections:

-- End of security output --

-- End of daily output --
```


----------



## junovitch@ (May 11, 2013)

@maniac9978,

I've had the same issue so you are not alone here. I initially just reverted to show successes again but after seeing your post I've dug a little deeper and I believe I have come up with both a permanent fix as well as a workaround. I'm testing now and will provide my comments tomorrow.


----------



## junovitch@ (May 11, 2013)

Never mind my prior comment. My changes have not been tested yet but I'll post up my comments now. Please let me know if this makes sense. @wblock@, I would appreciate your comments because if I am understanding the code in 9-STABLE properly I would expect that this still should not be working for you.

Here are the assumptions.  

/etc/periodic.conf has been configured with the following lines:

```
daily_show_success="NO"
daily_status_security_inline="YES"
```

/etc/defaults/periodic.conf contains the following defaults:

```
daily_status_security_output="root"
```

Here is the current version of /etc/periodic/daily/450.status-security

http://svnweb.freebsd.org/base/head/etc/periodic/daily/450.status-security?diff_format=h&revision=221432&view=markup

```
19		case "$daily_status_security_inline" in
20		    [Yy][Ee][Ss])
21			export security_output="";;
22		    *)
23			export security_output="${daily_status_security_output}"
24			case "${daily_status_security_output}" in
25			    "")
26				rc=3;;
27			    /*)
28				echo "    (output logged separately)"
29				rc=0;;
30			    *)
31				echo "    (output mailed separately)"
32				rc=0;;
33			esac;;
34		esac
35	
36		periodic security || rc=3;;
37	
38	    *)  rc=0;;
39	esac
40	
41	exit $rc
```

Discussion: With inline being "YES", we hit the first case statement in line 19 and set security_output="". We never hit the second case block starting at line 24 where the blank variable triggers rc=3 to show the output in the final version. The result is the esac in line 34 ends the case block and we immediately execute `periodic security`. That will exit successfully with $?=0, and the final results won't show because we aren't showing successes.

Here are my untested changes:

```
19		case "$daily_status_security_inline" in
20		    [Yy][Ee][Ss])
21			export security_output="";;
22		    *)
23			export security_output="${daily_status_security_output}";;
24		esac
25	
26		case "$security_output" in
27		    "")
28			rc=3;;
29		    /*)
30			echo "    (output logged separately)"
31			rc=0;;
32		    *)
33			echo "    (output mailed separately)"
34			rc=0;;
35		esac
36
37		periodic security || rc=3;;
38
39	    *)  rc=0;;
40	esac
41
42	exit $rc
```

Discussion:  By modifying line 23 and 24 to end the first case statement early, we'll now move into the second case block properly.  Inline mode triggers security_output="".  The second case entry triggers "")  and the subsequent rc=3.  Finally `periodic security` will run and it should show the results.  When inline has not been set, the default of daily_status_security_output="root" will trigger the *) on line 32 and work as intended.

In the prior version in FreeBSD 8, the prior code from 2002 always ended with rc=3.  This is why it works in 8.2-RELEASE.  See those changes here.
http://svnweb.freebsd.org/base/stable/9/etc/periodic/daily/450.status-security?view=diff&r1=221432&r2=96804&diff_format=h


----------



## wblock@ (May 12, 2013)

Looking at the code, I see what you mean, but don't have the time to check right now. One difference on my system was that I also had

```
security_show_success="NO"
```

although that may not matter. I may also have misunderstood the original question.


----------



## junovitch@ (May 12, 2013)

My version did not work. I missed that the second case statement ignores what the security_output variable gets set to anyway.


```
26		case "${daily_status_security_output}" in
```

I've modified it to the following so now it takes the prior statement's output and uses it accordingly. I'll let this run its course on the next run and try out a few different test cases afterward.


```
26		case "$security_output" in
```


----------



## wblock@ (May 12, 2013)

You don't have to wait for it, run it manually with `periodic daily`.


----------



## junovitch@ (May 12, 2013)

Alright. That has fixed it. I've got too much school work to submit by tonight so I'll test out the other use cases later on.


----------



## Deleted member 36389 (May 13, 2013)

Thanks for looking into this, @junovitch! Looking forward to it getting fixed.


----------



## junovitch@ (May 14, 2013)

@maniac9978,
You can fetch the fixed version by doing this.
`fetch https://raw.github.com/junovitch/my-freebsd-build/master/patches/450.status-security`

PR conf/178611 has been submitted with the patch for a permanent fix.
http://www.freebsd.org/cgi/query-pr.cgi?pr=178611


All tests passed just fine.


```
daily_show_success="NO"
daily_status_security_inline="YES"
```

Passes. Security shows in daily email.


```
daily_show_success="NO"
daily_status_security_inline="NO"
```

Passes. Shows in 2 separate emails.


```
daily_show_success="NO"
daily_status_security_inline="NO"
daily_status_security_output="/var/log/daily_status_security.log"
```

Passes. Logs to file and doesn't say anything in the daily message because of the rc=0.


```
daily_show_success="YES"
daily_status_security_inline="NO"
daily_status_security_output="/var/log/daily_status_security.log"
```

Passes. Shows "Security check: ... (output logged separately)"  and logs to file.


```
daily_show_success="NO"
daily_status_security_inline="NO"
daily_status_security_output="logcheck"
```

Passes. Delivers to "logcheck" user and doesn't mention success in the daily message.


```
daily_show_success="YES"
daily_status_security_inline="NO"
daily_status_security_output="logcheck"
```

Passes. Delivers to "logcheck" and says "Security check: ... (output mailed separately)".


----------
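The nesting bug and the fix discussed in this thread, as an added example that is not part of the original posts or of the FreeBSD source: a POSIX sh model of the two case layouts, run over configurations like those tested above. The function names and the `in_daily_mail` display rule are assumptions made for this illustration, and `periodic security` is assumed to exit 0.

```shell
# Added model of the inline/output decision in 450.status-security.
# Args: $1 = daily_status_security_inline, $2 = daily_status_security_output
# Each decide_* prints "<rc>|<note>". Assumption: `periodic security` exits 0,
# so an rc the real script leaves unset is modelled as 0.

decide_old() {      # nested layout quoted in the thread
    rc=0; note=""
    case "$1" in
        [Yy][Ee][Ss])
            security_output="";;      # inner case is skipped, rc stays 0
        *)
            security_output="$2"
            case "$2" in
                "") rc=3;;
                /*) note="(output logged separately)"; rc=0;;
                *)  note="(output mailed separately)"; rc=0;;
            esac;;
    esac
    echo "${rc}|${note}"
}

decide_fixed() {    # two sequential case blocks, as in the thread's fix
    rc=0; note=""
    case "$1" in
        [Yy][Ee][Ss]) security_output="";;
        *)            security_output="$2";;
    esac
    case "$security_output" in
        "") rc=3;;
        /*) note="(output logged separately)"; rc=0;;
        *)  note="(output mailed separately)"; rc=0;;
    esac
    echo "${rc}|${note}"
}

# Assumed display rule: output reaches the daily mail when rc is non-zero or
# daily_show_success is YES. $1 = "<rc>|<note>", $2 = daily_show_success
in_daily_mail() {
    case "$2" in [Yy][Ee][Ss]) echo yes; return;; esac
    [ "${1%%|*}" -ne 0 ] && echo yes || echo no
}

# Constructed matrix mirroring configurations tested in the thread.
for cfg in "YES root" "NO root" "NO /var/log/daily_status_security.log"; do
    set -- $cfg
    echo "inline=$1 output=$2 show_success=NO:" \
         "old=$(in_daily_mail "$(decide_old "$1" "$2")" NO)" \
         "fixed=$(in_daily_mail "$(decide_fixed "$1" "$2")" NO)"
done
```

Only the inline="YES" row differs between the two layouts, which is why the missing security section goes unnoticed unless both options are set together.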



## Deleted member 36389 (May 21, 2013)

Been using your fixed version for a few days now and it works great. Thanks for taking your time!


----------



## junovitch@ (May 22, 2013)

Thanks! I had been wondering if you had a chance to download the fix. It's hard to believe nobody noticed it and submitted a PR since the last revision two years ago. There must be very few of us actually using it with those two particular options.


----------



## Deleted member 36389 (May 22, 2013)

Yeah, I should have let you know sooner, have just been very busy. That was really bothering me. I'm also surprised no one caught this sooner ... I noticed it as soon as I upgraded to 9.1 and having all that info in one email seems so much more efficient than getting two emails. Anyway, I really do appreciate it. Thanks!


----------

