RE: security run output
> Date: Fri, 9 Oct 2009 13:31:56 +0200
> From: be...@bah.homeip.net
> To: freebsd-questions@freebsd.org
> Subject: security run output
>
> Hello list!
>
> I'm getting the messages below for one machine and I can't
> remember how I managed to do that. I want that for my other machines
> as well, but cannot remember how to activate it.
>
> Checking for a current audit database:
>
> Database created: Wed Oct 7 03:55:02 CEST 2009
>
> Checking for packages with security vulnerabilities:

That would most likely be the portaudit utility, /usr/ports/ports-mgmt/portaudit.
Re: Security Run Output Setuid Differences
On Tue, Jun 05, 2007 at 04:11:24PM -0700, Peter Pluta wrote:
> mail.***.net setuid diffs:
> --- /var/log/setuid.today Mon May 21 03:02:30 2007 > +++ /tmp/security.wq6BsVcrSun Jun 3 03:01:48 2007
> @@ -20,7 +20,7 @@ > 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006 > /usr/bin/yppasswd > 71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 > /usr/local/bin/screen > 70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 > /usr/local/sbin/lsof > -73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 > /usr/local/sbin/postdrop > -73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 > /usr/local/sbin/postqueue > +71432 -rwxr-sr-x 1 root maildrop 142559 Jun 2 15:47:54 2007 > /usr/local/sbin/postdrop > +71433 -rwxr-sr-x 1 root maildrop 152477 Jun 2 15:47:54 2007 > /usr/local/sbin/postqueue > 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006 > /usr/sbin/mailwrapper > 923264 -r-sr-x--- 1 root network11636 Jul 30 16:20:07 2006 > /usr/sbin/sliplogin
>
> I have some more, I'm starting to understand it a bit better. Basically the
> user:group id number has changed and the security run is letting me know.
> Good deal, but I'm still confused as to what the @@ -20,7 + 20,7 @@ and + -
> mean. Can anyone explain those? I'm curious, also why would yppasswd change
> to userid 2? I changed root's name yesterday, could that be the cause of it?

Those are a normal part of the output of the diff(1) program that generates this.

Basically, the script /etc/periodic/security/100.chksetuid makes a list of all setuid or setgid binaries. This list is compared with the previous list by the diff(1) program, which shows the differences.

If you have a text file lying around, make a copy of it and change a couple of lines in the copy. Then do 'diff -u originalfile newfile' and you'll see how it works.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Security Run Output Setuid Differences
Roland Smith wrote:
>
> On Mon, May 21, 2007 at 11:59:33AM -0700, PeterPluta wrote:
>
>> > Looks like you were portupgrading around with postfix, screen and xterm.
>> >
>> > The output is diff(1). See the man page for details, but it's basically
>> > showing you the difference between last night's directory listing, and
>> > that of the previous day.
>> >
>> > For more gory details, see the scripts in /etc/periodic/security, which
>> > are run every night from cron. Some of the ports you changed resulted in
>> > changes to setuid/setgid programs installed on the system. As a
>> > security-conscious administrator, you should be interested in the
>> > programs on your system that have elevated privileges, so this script is
>> > provided to give you a daily report on that.
>>
>> I see, so basically after reinstalling the default uid/gid of some programs
>> changed? Is that a problem or anything?
>
> It's not a problem. It's just something that you should be aware of from
> a security standpoint.
>
> In this case you caused it because you upgraded some ports, which is OK.
>
> But if the size, date, ownership or permissions of a binary change
> without any apparent cause, it _could_ be the work of an intruder or
> rootkit trying to backdoor your system. That's why the system checks it.
>
> In /etc/defaults/periodic.conf you see which settings there are
> concerning security, and what the defaults are. If you want to disable
> some of them, put the settings in /etc/periodic.conf with a "NO" value
> instead of "YES". But I would recommend to leave them as they are.
>
> Roland
> --
> R.F.Smith http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

mail.***.net setuid diffs: --- /var/log/setuid.today Mon May 21 03:02:30 2007 +++ /tmp/security.wq6BsVcr Sun Jun 3 03:01:48 2007
@@ -20,7 +20,7 @@ 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006 /usr/bin/yppasswd 71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 /usr/local/bin/screen 70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 /usr/local/sbin/lsof -73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop -73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 /usr/local/sbin/postqueue +71432 -rwxr-sr-x 1 root maildrop 142559 Jun 2 15:47:54 2007 /usr/local/sbin/postdrop +71433 -rwxr-sr-x 1 root maildrop 152477 Jun 2 15:47:54 2007 /usr/local/sbin/postqueue 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006 /usr/sbin/mailwrapper 923264 -r-sr-x--- 1 root network11636 Jul 30 16:20:07 2006 /usr/sbin/sliplogin

I have some more, I'm starting to understand it a bit better. Basically the user:group id number has changed and the security run is letting me know. Good deal, but I'm still confused as to what the @@ -20,7 + 20,7 @@ and + - mean. Can anyone explain those? I'm curious, also why would yppasswd change to userid 2? I changed root's name yesterday, could that be the cause of it?
Re: Security Run Output Questions
Roland Smith wrote:
> On Wed, May 23, 2007 at 12:40:19PM -0700, PeterPluta wrote:
> > I see this quite regularly. What exactly is the http process doing? I'm
> > guessing this is the master process stopping and restarting when I rotate
> > logs or something. Can anyone confirm? There are usually more processes,
> > 10-15 or more.
> >
> > kernel log messages:
> > +++ /tmp/security.ioLB2PiJ Wed May 23 03:01:42 2007
> > +pid 30865 (httpd), uid 80: exited on signal 4
>
> According to signal(3), signal 4 is SIGILL; illegal instruction. Not sure
> what triggers that. Maybe a stack overflow bug that writes a bogus value to
> a return address?
>
> Roland

Are you running CURRENT and did you update to GCC 4.2 and install httpd lately? If so, you need to read a few threads on the current@ list pertaining to GCC 4.2 written in the past 1-2 weeks.

-Garrett
Re: Security Run Output Questions
Dan Nelson wrote:
>
> In the last episode (May 23), PeterPluta said:
>> I see this quite regularly. What exactly is the http process doing?
>> I'm guessing this is the master process stopping and restarting when
>> I rotate logs or something. Can anyone confirm? There are usually more
>> processes, 10-15 or more.
>>
>> kernel log messages:
>> +++ /tmp/security.ioLB2PiJ Wed May 23 03:01:42 2007
>> +pid 30865 (httpd), uid 80: exited on signal 4
>
> It's crashing :)
>
> 4     SIGILL     create core image    illegal instruction
>
> --
> Dan Nelson
> [EMAIL PROTECTED]

Ahh I see, so this isn't a good thing. I'm running Apache with mod_php. I don't see why it would be crashing, unless one of the web apps is buggy.
Re: Security Run Output Questions
On Wed, May 23, 2007 at 12:40:19PM -0700, PeterPluta wrote:
>
> I see this quite regularly. What exactly is the http process doing? I'm
> guessing this is the master process stopping and restarting when I rotate
> logs or something. Can anyone confirm? There are usually more processes, 10-15
> or more.
>
> kernel log messages:
> +++ /tmp/security.ioLB2PiJWed May 23 03:01:42 2007
> +pid 30865 (httpd), uid 80: exited on signal 4

According to signal(3), signal 4 is SIGILL; illegal instruction. Not sure what triggers that. Maybe a stack overflow bug that writes a bogus value to a return address?

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Security Run Output Questions
In the last episode (May 23), PeterPluta said:
> I see this quite regularly. What exactly is the http process doing?
> I'm guessing this is the master process stopping and restarting when
> I rotate logs or something. Can anyone confirm? There are usually more
> processes, 10-15 or more.
>
> kernel log messages:
> +++ /tmp/security.ioLB2PiJWed May 23 03:01:42 2007
> +pid 30865 (httpd), uid 80: exited on signal 4

It's crashing :)

4     SIGILL     create core image    illegal instruction

--
Dan Nelson
[EMAIL PROTECTED]
Re: Security Run Output Setuid Differences
On Mon, May 21, 2007 at 11:59:33AM -0700, PeterPluta wrote:
> > Looks like you were portupgrading around with postfix, screen and xterm.
> >
> > The output is diff(1). See the man page for details, but it's basically
> > showing you the difference between last night's directory listing, and
> > that of the previous day.
> >
> > For more gory details, see the scripts in /etc/periodic/security, which
> > are run every night from cron. Some of the ports you changed resulted in
> > changes to setuid/setgid programs installed on the system. As a
> > security-conscious administrator, you should be interested in the
> > programs on your system that have elevated privileges, so this script is
> > provided to give you a daily report on that.
>
> I see, so basically after reinstalling the default uid/gid of some programs
> changed? Is that a problem or anything?

It's not a problem. It's just something that you should be aware of from a security standpoint.

In this case you caused it because you upgraded some ports, which is OK.

But if the size, date, ownership or permissions of a binary change without any apparent cause, it _could_ be the work of an intruder or rootkit trying to backdoor your system. That's why the system checks it.

In /etc/defaults/periodic.conf you see which settings there are concerning security, and what the defaults are. If you want to disable some of them, put the settings in /etc/periodic.conf with a "NO" value instead of "YES". But I would recommend to leave them as they are.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
Re: Security Run Output Setuid Differences
Bill Moran wrote:
>
> On Mon, 21 May 2007 11:34:25 -0700 (PDT)
> PeterPluta <[EMAIL PROTECTED]> wrote:
>
>> I did a lot of port hacking yesterday. By that I mean screwing up and
>> redoing lots of things. Anyway, I woke up today to find this email in my inbox.
>>
>> Checking setuid files and devices:
>>
>> mail.placidpublishing.net setuid diffs:
>> --- /var/log/setuid.todayFri May 18 03:02:47 2007 >> +++ /tmp/security.207RUJmY Mon May 21 03:02:30 2007 >> @@ -3,7 +3,6 @@ >> 70745 -r-sr-xr-x 1 root wheel 21792 Jul 30 16:19:55 2006 >> /sbin/ping >> 70746 -r-sr-xr-x 1 root wheel 28660 Jul 30 16:19:55 2006 >> /sbin/ping6 >> 70721 -r-sr-x--- 1 root operator 10148 Jul 30 16:19:56 2006 >> /sbin/shutdown >> -165583 -rws--x--x 1 root wheel 268432 Apr 14 14:05:10 2007 >> /usr/X11R6/bin/xterm >> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 >> /usr/bin/chfn >> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 >> /usr/bin/chpass >> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 >> /usr/bin/chsh
>> @@ -19,9 +18,9 @@ >> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 >> /usr/bin/ypchpass >> 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 >> /usr/bin/ypchsh >> 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006 >> /usr/bin/yppasswd >> -72750 -rwsr-xr-x 1 root wheel 285580 Nov 2 01:21:29 2006 >> /usr/local/bin/screen >> -71569 -rwxr-sr-x 1 root kmem 112708 Feb 3 17:17:26 2007 >> /usr/local/sbin/lsof >> -71923 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 >> /usr/local/sbin/postdrop >> -71924 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 >> /usr/local/sbin/postqueue >> +71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 >> /usr/local/bin/screen >> +70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 >> /usr/local/sbin/lsof >> +73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 >> /usr/local/sbin/postdrop >> +73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 >> /usr/local/sbin/postqueue >> 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006 >> /usr/sbin/mailwrapper >> 923264 -r-sr-x--- 1 root network11636 Jul 30 16:20:07 2006 >> /usr/sbin/sliplogin
>>
>> What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@ stuff.
>> Also, why did this all of a sudden appear?
>
> Looks like you were portupgrading around with postfix, screen and xterm.
>
> The output is diff(1). See the man page for details, but it's basically
> showing you the difference between last night's directory listing, and
> that of the previous day.
>
> For more gory details, see the scripts in /etc/periodic/security, which
> are run every night from cron. Some of the ports you changed resulted in
> changes to setuid/setgid programs installed on the system. As a
> security-conscious administrator, you should be interested in the programs
> on your system that have elevated privileges, so this script is provided
> to give you a daily report on that.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

I see, so basically after reinstalling the default uid/gid of some programs changed? Is that a problem or anything?
Re: Security Run Output Setuid Differences
On Mon, 21 May 2007 11:34:25 -0700 (PDT) PeterPluta <[EMAIL PROTECTED]> wrote:
>
> I did a lot of port hacking yesterday. By that I mean screwing up and redoing
> lots of things. Anyway, I woke up today to find this email in my inbox.
>
> Checking setuid files and devices:
>
> mail.placidpublishing.net setuid diffs:
> --- /var/log/setuid.today Fri May 18 03:02:47 2007 > +++ /tmp/security.207RUJmYMon May 21 03:02:30 2007 > @@ -3,7 +3,6 @@ > 70745 -r-sr-xr-x 1 root wheel 21792 Jul 30 16:19:55 2006 /sbin/ping > 70746 -r-sr-xr-x 1 root wheel 28660 Jul 30 16:19:55 2006 /sbin/ping6 > 70721 -r-sr-x--- 1 root operator 10148 Jul 30 16:19:56 2006 > /sbin/shutdown > -165583 -rws--x--x 1 root wheel 268432 Apr 14 14:05:10 2007 > /usr/X11R6/bin/xterm > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/chfn > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/chpass > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/chsh
> @@ -19,9 +18,9 @@ > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/ypchpass > 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 > /usr/bin/ypchsh > 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006 > /usr/bin/yppasswd > -72750 -rwsr-xr-x 1 root wheel 285580 Nov 2 01:21:29 2006 > /usr/local/bin/screen > -71569 -rwxr-sr-x 1 root kmem 112708 Feb 3 17:17:26 2007 > /usr/local/sbin/lsof > -71923 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 > /usr/local/sbin/postdrop > -71924 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 > /usr/local/sbin/postqueue > +71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 > /usr/local/bin/screen > +70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 > /usr/local/sbin/lsof > +73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 > /usr/local/sbin/postdrop > +73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 > /usr/local/sbin/postqueue > 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006 > /usr/sbin/mailwrapper > 923264 -r-sr-x--- 1 root network11636 Jul 30 16:20:07 2006 > /usr/sbin/sliplogin
>
> What exactly does this all mean? Specifically the @@ -19,9 +18,9 @@ stuff.
> Also, why did this all of a sudden appear?

Looks like you were portupgrading around with postfix, screen and xterm.

The output is diff(1). See the man page for details, but it's basically showing you the difference between last night's directory listing, and that of the previous day.

For more gory details, see the scripts in /etc/periodic/security, which are run every night from cron. Some of the ports you changed resulted in changes to setuid/setgid programs installed on the system. As a security-conscious administrator, you should be interested in the programs on your system that have elevated privileges, so this script is provided to give you a daily report on that.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
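An added example, not part of this thread or of the FreeBSD periodic scripts: the sh/awk function below pairs the - and + lines of a "setuid diffs" section by path and reports which attributes differ, which is the comparison Bill's and Roland's replies describe. The sample input is abridged from the diff quoted above; the function names and output format are made up for illustration, and paths are assumed to contain no whitespace.

```sh
#!/bin/sh
# Added example, not one of the /etc/periodic/security scripts.
# Summarises a "setuid diffs" section: one line per path, saying whether the
# entry was added, removed, or which attributes differ between the listings.
# Assumption: paths contain no whitespace.

classify_setuid_diff() {
    awk '
    # Store one listing line under side "-" (old) or "+" (new). Fields are
    # taken from both ends of the line so that run-together columns such as
    # "network11636" (group and size with no blank between) still line up.
    function record(side, line,    f, n, i, mid, path) {
        n = split(line, f, " ")
        if (n < 10) return
        path = f[n]
        mid = f[5]
        for (i = 6; i <= n - 5; i++) mid = mid " " f[i]
        attr[side, path, "inode"] = f[1]
        attr[side, path, "mode"] = f[2]
        attr[side, path, "links"] = f[3]
        attr[side, path, "owner"] = f[4]
        attr[side, path, "group+size"] = mid
        attr[side, path, "mtime"] = f[n-4] " " f[n-3] " " f[n-2] " " f[n-1]
        seen[path] = seen[path] side
    }
    /^(---|\+\+\+) / || /^@@/ { next }       # file and hunk headers
    /^-/  { record("-", substr($0, 2)); next }
    /^\+/ { record("+", substr($0, 2)); next }
    END {
        nk = split("inode mode links owner group+size mtime", keys, " ")
        for (p in seen) {
            if (!index(seen[p], "+")) { print "REMOVED " p; continue }
            if (!index(seen[p], "-")) { print "ADDED " p; continue }
            what = ""
            for (k = 1; k <= nk; k++)
                if ((attr["-", p, keys[k]] "") != (attr["+", p, keys[k]] ""))
                    what = what (what == "" ? "" : ",") keys[k]
            print "CHANGED " p " " what
        }
    }' | LC_ALL=C sort -k 2,2
}

# Sample input: the diff from the mail above with most context lines left
# out (so the @@ line counts no longer match; the parser ignores them).
sample_diff() {
    cat <<'EOF'
--- /var/log/setuid.today Fri May 18 03:02:47 2007
+++ /tmp/security.207RUJmY Mon May 21 03:02:30 2007
@@ -3,7 +3,6 @@
 70721 -r-sr-x--- 1 root operator 10148 Jul 30 16:19:56 2006 /sbin/shutdown
-165583 -rws--x--x 1 root wheel 268432 Apr 14 14:05:10 2007 /usr/X11R6/bin/xterm
 377219 -r-sr-xr-x 6 root wheel 17532 Jul 30 16:19:56 2006 /usr/bin/chfn
@@ -19,9 +18,9 @@
 377398 -r-sr-xr-x 2 root wheel 5828 Jul 30 16:19:57 2006 /usr/bin/yppasswd
-72750 -rwsr-xr-x 1 root wheel 285580 Nov 2 01:21:29 2006 /usr/local/bin/screen
-71569 -rwxr-sr-x 1 root kmem 112708 Feb 3 17:17:26 2007 /usr/local/sbin/lsof
-71923 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
-71924 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 /usr/local/sbin/postqueue
+71112 -rwsr-xr-x 1 root wheel 285580 May 20 18:23:48 2007 /usr/local/bin/screen
+70971 -rwxr-sr-x 1 root kmem 112708 May 20 18:23:03 2007 /usr/local/sbin/lsof
+73170 -rwxr-sr-x 1 root maildrop 142559 May 17 14:41:47 2007 /usr/local/sbin/postdrop
+73204 -rwxr-sr-x 1 root maildrop 152477 May 17 14:41:47 2007 /usr/local/sbin/postqueue
 923168 -rwxr-sr-x 1 root smmsp 5236 Jul 30 16:20:07 2006 /usr/sbin/mailwrapper
EOF
}

sample_diff | classify_setuid_diff
```

Entries that report only inode (and mtime) are consistent with a reinstall such as the port upgrades discussed here; an ADDED line, or a CHANGED line listing mode, owner or group+size that does not match an upgrade you performed, is the case Roland's reply says to look into.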
Re: Security Run Output E-mail
On 7/20/06, PATRICK CARTER <[EMAIL PROTECTED]> wrote:
> I'm relatively new to FreeBSD (~6 months of usage) and I have been
> administering my own system for approximately the last 2 months. Recently
> my system has received many ssh login attempts on standard user accounts as
> someone has been attempting to break into my system. I usually read the
> Security Run Output e-mails to see if the attacker(s) had made any headway,
> and took necessary precautions (limiting ssh logins etc). However, last
> week (after it seemed that the attacks had let up somewhat) I stopped
> receiving the e-mails (as well as the daily run output e-mails). I still
> read the auth.log file to see login information and it did not appear as
> though anyone had successfully managed to break into the system. Today
> both sets of e-mails started again and I received the e-mails for today and
> yesterday (I am still missing 5 days worth and one weekly run output). I
> was wondering if anyone might know how to ensure that I continue to receive
> these e-mails without interruption.
>
> If it matters (and I suspect it does) I have all my root e-mails aliased to
> a locked, nologin dummy account that forwards e-mail to my account, my
> boss' account, and retains a copy in the dummy account (.forward was not
> working to forward root's mail). Root's mail client is set to read the
> dummy account inbox as well as anything that somehow winds up in the
> regular root mailbox. This setup worked fine until the e-mails stopped last
> week (none of the listed accounts received the e-mail). Any advice would be
> greatly appreciated.

Those script kiddies do let up sometimes you know :D, using brute force I guess. As long as your users' passwords aren't dictionary words then you have nothing to worry about. And also set the AllowUsers directive, allowing only admins.

HTH
RE: Security Run Output
The daily security email to root always lists a count of blocked packets if you have one of the three firewalls activated. So what you are seeing is informational and nothing to be concerned about unless you did not activate the ipfilter firewall.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Bryan Curl
Sent: Tuesday, April 25, 2006 6:18 PM
To: freebsd-questions
Subject: Security Run Output

I get this or similar message in my Security Run Output every day. Is it something to be concerned with?

lnut.bc.net ipf denied packets:
+++ /tmp/security.FsPOiq0v Fri Apr 21 03:03:51 2006
+1 @4 block out log first quick on dc0 all
+47571 @14 block in log first quick on dc0 all

--
Bryan
bc3910 'at' gmail 'dot' com
Re: security run output
On Sat, Aug 14, 2004 at 07:57:58AM -0500, Chris wrote:
> First time I've ever seen this:
>
> server.tcslea.org kernel log messages:
> > ff
>
> (one long line - sorry for the wrapping)
>
> It appears to be CPU related, but in what context? Is it something I need to
> investigate, and if so, how?

No -- that's entirely harmless. If you look at /var/run/dmesg.boot, you see that it's just part of the normal kernel output during boot. Specifically it's a list of the capabilities of your CPU.

What's happened is that the message buffer has somehow got truncated at the beginning, and you're seeing just the end of that particular line. For some reason, the daily security script thinks it's significant kernel output, but it isn't really.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
Re: security run output
Chris wrote:
> When I get my nightly email from the "security run output" it normally has
> about the last 20 lines or less from the /var/log/messages. Is there a way
> to increase that to about the last 50 lines?
>
> Thanks,
> Chris

Hmm, I don't think that it's necessarily true that /etc/periodic is sending you the last 20 or so lines ... it's only sending "kernel" notifications, which in the case of most setups of syslog.conf, are *also* logged to /var/log/messages, hence some confusion here.

So, one good question in return would be, "are you sure that you're not seeing all you want in your periodic output?"

You can take a look at the manpages and source for periodic(8) and friends to learn a little more... I'm in no way an expert --- it could be possible that an expert could modify the periodic.sh script to do what you want; but in your case, I'd think that you could create a small script to do what you want and run it nightly from your personal crontab. Something like what's below.

HTH,

Kevin Kinsey

---
#!/bin/sh
# mailmessages.sh --- mail yesterday's /var/log/messages output to root...

# syslog pads single-digit days with a space ("Oct  9"); %e matches that,
# %d ("Oct 09") would find nothing on the 1st to 9th of the month.
yday=`date -v -1d "+%b %e"`
grep "$yday" /var/log/messages | mail -s "Contents of /var/log/messages" root
Re: Security Run Output E-Mails
On 6/9/2003 12:50 AM, Jasvinder S. Bahra wrote:
> Hey folks,
>
> I'm wondering if you can help me. I have a basic knowledge on UNIX and freebsd, and
> together with the advice of some friends, resources on the internet and an
> absolutely ridiculous amount of toil and sweat, I've managed to put together a
> somewhat secure firewall/gateway machine.

I'm wondering you never read the handbook as it's recommended by your login message motd(5).

> Now, at regular intervals, e-mails are sent to me by the machine...
>
> HOST.DOMAIN.TLD security run output
> HOST.DOMAIN.TLD daily run output
> HOST.DOMAIN.TLD weekly run output
> HOST.DOMAIN.TLD monthly run output
>
> Now, I receive these e-mail regularly at differing times each day (as appropriate).
> For example, the security and the daily ones are sent a couple of minutes after
> 03:00am in the morning. The weekly one is sent a couple of minutes after 04:00am.
> The monthly one... 05:00am.
>
> What I want to know is *where* are these script execution times defined? If I want
> to change the monthly run output script to run at 05:30am (for example), where would
> I go?

See crontab(5), crontab(1) and cron(8)

> Thanks for your time.

Jens