misc/142114: security report from 'periodic daily' doesn't respect the "daily_show_*" configurables

Eric Lakin elakin at infohell.net
Tue Dec 29 06:00:10 UTC 2009 

>Number:         142114
>Category:       misc
>Synopsis:       security report from 'periodic daily' doesn't respect the "daily_show_*" configurables
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 29 06:00:09 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eric Lakin
>Release:        8.0-STABLE
>Organization:
>Environment:
FreeBSD osiris.priv.infohell.net 8.0-STABLE FreeBSD 8.0-STABLE #0: Sun Dec 20 00:44:01 PST 2009     root at osiris.infohell.net:/usr/obj/usr/src/sys/OSIRIS  i386


>Description:
the daily system report that gets run ("periodic daily") from cron has a couple varibles that can be used in /etc/periodic.conf to fine-tune what output is seen -- in particular:

% grep daily_show /etc/defaults/periodic.conf
daily_show_success="YES"				# scripts returning 0
daily_show_info="YES"					# scripts returning 1
daily_show_badconfig="NO"				# scripts returning 2

One would expect that the security portion of the daily report would obey these settings -- but it doesn't. The security report gets implemented by running "periodic security" which has the effect that it's controlled by security_show_success, security_show_info, and security_show_badconfig.

These aren't documented in /etc/defaults/periodic.conf.


>How-To-Repeat:
# echo 'daily_show_success="NO"' >> /etc/periodic.conf
# periodic daily

the security report will include things that it shouldn't by the above setting.
>Fix:
I would suggest modifying /etc/periodic/450.status-security to include:

        export security_show_success=${daily_show_success}
        export security_show_info=${daily_show_info}
        export security_show_badconfig=${daily_show_badconfig}

just prior to the execution of "periodic security". This will cause the security output to inherit the daily output's settings, but if somebody REALLY wants different settings for the security output, putting security_show_* in /etc/periodic.conf will override.

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list