how do I see security logs without turning on sendmail?

Lane lane at joeandlane.com
Wed Dec 13 20:49:08 PST 2006


Tuareg,

I can't find the name of the guy who straightened me out on the function of 
squid, but kudos to him.  

Clearly squid is not the culprit.

But I've done some eyeballing on /usr/sbin/periodic, and I think maybe it is 
the culprit.

First let's have a look at your /etc/crontab file.  Specifically we are 
interested in the lines which contain the term "periodic".

If these lines include parameters, which are passed to /usr/sbin/periodic, 
then they may be the reason for your periodic emails being sent WITHOUT 
sendmail being enabled by the normal boot process.

Take a look at /usr/sbin/periodic.  Note that it uses values 
in /etc/defaults/periodic.conf as well as any override variables 
in /etc/rc.conf.  It could also be overridden in other ways such as by 
defining the value "source_periodic_confs_defined" and "periodic_conf_files" 
but this should have already shown up in /etc/rc.conf.

While you are examining /usr/sbin/periodic, look for the term "output".

In my copy of that script there is a comment that looks like:

#Where's our output going?

Then there is a "case" block:

    case "$output" in
    /*) pipe="cat >>$output";;
    "") pipe=cat;;
    *)  pipe="mail -s '$host ${arg##*/} run output' $output";;
    esac


If your predecessor had modified this script or, perhaps overridden it 
using /etc/defaults/periodic.conf, then he may have either changed the *) 
default case, or supplied parameters from /etc/crontab 
(or /etc/defaults/periodic.conf) which could invoke sendmail directly.  If he 
used override variables, then he would probably also have added a case for ) 
pipe="sendmail -<arg1> <arg2> <argn>"

This would account for sendmail being completely disabled in /etc/rc.conf AND 
for the messages being sent out via sendmail.  However, as I read it, the 
behaviour you have reported would only occur if /usr/sbin/periodic was 
actually modified, as the use of the "$output" variables does NOT seem to 
allow for invocation of sendmail directly.  And I don't believe that "mail" 
can force invocation of sendmail (although I may be wrong, as the man page 
does imply that mail will use any means available to get the message out).

If this is the case (i.e. if "mail" is invoking sendmail directly) you could 
check it by trying to send mail from the command line on one of the servers 
that actually does what you want it to do.  If it works, and if there are NO 
modifications to /usr/sbin/periodic or override defaults 
in /etc/defaults/periodic.conf, then it will be safe to assume that 
this "feature" has been properly quashed in 6.x.  You would then need to 
follow the procedures for setting up sendmail for outgoing-only, as many have 
already recommended.

In any case, the behaviour you desire would only work properly by making the 
appropriate changes to /etc/mail/<hostname|freebsd>.mc, (i.e. SMART_HOST 
and/or HUB settings), and then running "make install" in /etc/mail. (And this 
is always going to be the case where sendmail is concerned)

I hope this information leads you to a resolution, as it has been a great 
learning experience for me ... but my brain hurts :)

lane
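
The routing decision made by the case block quoted in the message above, as an added example that is not part of the original post or of the periodic script itself. The function names (classify_output, audit_conf, demo) and the sample settings are constructed for illustration; the script reports, for each *_output setting in a periodic.conf-style file, whether the value would lead to a file append, plain stdout, or an invocation of mail.

```shell
#!/bin/sh
# Added example (not from the original post): report where periodic(8)
# would route output for each *_output setting in a periodic.conf-style file.

# classify_output VALUE: mirrors the three branches of the quoted case block.
classify_output() {
    case "$1" in
    /*) echo file ;;    # absolute path: appended with "cat >>$output"
    "") echo stdout ;;  # empty: plain "cat", output stays on stdout
    *)  echo mail ;;    # anything else becomes the recipient of mail(1)
    esac
}

# audit_conf FILE: print "name value route" for every *_output assignment.
audit_conf() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*_output\)=\(.*\)$/\1 \2/p' "$1" |
    while read -r name value; do
        # Drop a trailing comment, trailing blanks and surrounding quotes.
        value=$(printf '%s\n' "$value" |
            sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
                -e 's/^"\(.*\)"$/\1/')
        printf '%s %s %s\n' "$name" "${value:-<empty>}" \
            "$(classify_output "$value")"
    done
}

# Constructed sample input; on a real host pass /etc/defaults/periodic.conf
# or the local override file instead.
demo() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
daily_output="root"                 # user or /file
weekly_output="/var/log/weekly.log"
monthly_output=""
# daily_output="nobody"  (commented out, must be ignored)
EOF
    audit_conf "$tmp"
    rm -f "$tmp"
}

demo
```

Any line reported as "mail" is a run whose output is handed to mail, which is the path the message above suspects of reaching sendmail.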

