how do I see security logs without turning on sendmail?

Tuareg tuaregmex at gmail.com
Fri Dec 15 11:14:48 PST 2006


On 12/13/06, Lane <lane at joeandlane.com> wrote:
>
> Tuareg,
>
> I can't find the name of the guy who straightened me out on the function of
> squid, but kudos to him.
>
> Clearly squid is not the culprit.
>
> But I've done some eyeballing on /usr/sbin/periodic, and I think maybe it is
> the culprit.
>
> First let's have a look at your /etc/crontab file.  Specifically we are
> interested in the lines which contain the term "periodic"


cat /etc/crontab | grep periodic
#1      3       *       *       *       root    periodic daily
#15     4       *       *       6       root    periodic weekly
#30     5       1       *       *       root    periodic monthly

All the lines are commented.

> If these lines include parameters, which are passed to /usr/sbin/periodic,
> then they may be the reason for your periodic emails being sent WITHOUT
> sendmail being enabled by the normal boot process.
>
> Take a look at /usr/sbin/periodic.  Note that it uses values
> in /etc/defaults/periodic.conf as well as any override variables
> in /etc/rc.conf.  It could also be overridden in other ways such as by
> defining the value "source_periodic_confs_defined" and "periodic_conf_files"
> but this should have already shown up in /etc/rc.conf.
>
> While you are examining /usr/sbin/periodic, look for the term "output"
>
> In my copy of that script there is a comment that looks like:
>
> #Where's our output going?
>
> Then there is a "case" block:
>
>     case "$output" in
>     /*) pipe="cat >>$output";;
>     "") pipe=cat;;
>     *)  pipe="mail -s '$host ${arg##*/} run output' $output";;
>     esac
>
> If your predecessor had modified this script or, perhaps overridden it
> using /etc/defaults/periodic.conf, then he may have either changed the *)
> default case, or supplied parameters from /etc/crontab
> (or /etc/defaults/periodic.conf) which could invoke sendmail directly.  If he
> used override variables, then he would probably also have added a case for
> )
> pipe="sendmail -<arg1> <arg2> <argn>"
>
> This would account for sendmail being completely disabled in /etc/rc.conf AND
> for the messages being sent out via sendmail.  However, as I read it, the
> behaviour you have reported would only occur if /usr/sbin/periodic was
> actually modified, as the use of the "$output" variables does NOT seem to
> allow for invocation of sendmail directly.  And I don't believe that "mail"
> can force invocation of sendmail (although I may be wrong, as the man page
> does imply that mail will use any means available to get the message out).
>
> If this is the case (i.e. if "mail" is invoking sendmail directly) you could
> check it by trying to send mail from the command line on one of the servers
> that actually does what you want it to do.  If it works, and if there are NO
> modifications to /usr/sbin/periodic or override defaults
> in /etc/defaults/periodic.conf, then it will be safe to assume that
> this "feature" has been properly quashed in 6.x.  You would then need to
> follow the procedures for setting up sendmail for outgoing-only, as many have
> already recommended.


Well this is the output of:

cat /usr/sbin/periodic | grep output
tmp_output=`mktemp ${TMPDIR:-/tmp}/periodic.XXXXXXXXXX`
    # Where's our output going ?
    eval output=\$${arg##*/}_output
    case "$output" in
    /*) pipe="cat >>$output";;
    *)  pipe="mail -s '$host ${arg##*/} run output' $output";;
                    output=TRUE
                    $file </dev/null >$tmp_output 2>&1
                    if [ -s $tmp_output ]
                      0)  [ $success = NO ] && output=FALSE;;
                      1)  [ $info = NO ] && output=FALSE;;
                      2)  [ $badconfig = NO ] && output=FALSE;;
                      [ $output = TRUE ] && { cat $tmp_output; empty=FALSE; }
                    cp /dev/null $tmp_output
          echo "No output from the $processed file$plural processed"
          echo "-- End of $arg output --"
rm -f $tmp_output

But /etc/defaults/periodic.conf doesn't appear to be modified, though we can't
be 100% sure because we don't have another server with a fresh install of
FreeBSD 4.6-RELEASE to compare.

Yes, we are able to send mails from the command line, so it could be that
this feature was disabled for 6.x.

> In any case, the behaviour you desire would only work properly by making the
> appropriate changes to /etc/mail/<hostname|freebsd>.mc, (i.e. SMART_HOST
> and/or HUB settings), and then running "make install" in /etc/mail. (And this
> is always going to be the case where sendmail is concerned)
>
> I hope this information leads you to a resolution, as it has been a great
> learning experience for me ... but my brain hurts :)
>
> lane
>

We wanted to ask and check with others before trying modifications to
the files, so I guess that we'll end up
doing what the documentation recommends.

Thank you for your help, we learned a lot too.
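
Added example, not part of the original message or of FreeBSD's periodic script: a small sh audit that applies the same case patterns as the quoted block to report where each periodic run would send its output, and counts uncommented periodic entries in a crontab. The function names and sample files are constructed for illustration; on a real host the files to pass would be /etc/defaults/periodic.conf followed by /etc/periodic.conf.

```sh
#!/bin/sh
# Added example: where would `periodic <run>` send its output?
# Uses the same case patterns as the block quoted from /usr/sbin/periodic.

# periodic_dest RUN CONF...  -> file:<path> | stdout | mail:<recipient>
# CONF files are sourced in order, so later ones override earlier ones.
periodic_dest() {
    (
        run=$1; shift
        case "$run" in
        ""|*[!a-z0-9_]*) echo "invalid run name" >&2; exit 2 ;;
        esac
        for conf in "$@"; do
            # Conf files are shell fragments: sourcing executes them, so
            # only pass files that root already trusts.
            if [ -r "$conf" ]; then . "$conf"; fi
        done
        eval "output=\${${run}_output}"
        case "$output" in
        /*) echo "file:$output" ;;
        "") echo "stdout" ;;
        *)  echo "mail:$output" ;;
        esac
    )
}

# active_periodic_jobs CRONTAB -> number of uncommented periodic entries
active_periodic_jobs() {
    awk '!/^[ \t]*#/ && /periodic/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample files (not taken from the poster's servers).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat >"$demo/defaults.conf" <<'EOF'
daily_output="root"
weekly_output="root"
monthly_output=""
EOF
cat >"$demo/periodic.conf" <<'EOF'
daily_output="/var/log/daily.log"
EOF
printf '#1\t3\t*\t*\t*\troot\tperiodic daily\n' >"$demo/crontab"

for run in daily weekly monthly; do
    echo "$run -> $(periodic_dest "$run" "$demo/defaults.conf" "$demo/periodic.conf")"
done
echo "active cron entries: $(active_periodic_jobs "$demo/crontab")"
```

A result of file:<path> means the report is appended to a local log and no mailer is involved for that run.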

