Fix sysctl invocation testing for missing entropy.

security(5): Check kern.entropy.needed for confident entropy.

Don't test whether a non-blocking read from /dev/random would return
data.

For the sake of availability, /dev/random will unblock based on sources
like timer interrupts, which we can't confidently assert anything about
the actual unpredictability of.

Here, the goal is to highlight systems that have neither obtained
entropy from an HWRNG with a confident entropy assessment, nor been
seeded from a source the operator knows about.

XXX pullup-10

Recognize argon2 passwords as valid in daily security reports.

from RVP in misc/56486

Various entropy integration improvements.

- New /etc/security check for entropy in daily security report.

- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:

. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy

. set `entropy=wait' to make multiuser boot wait until enough entropy

Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.

- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.

- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.

This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.

I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.

Update default pkgsrc database location from /var/db/pkg to /usr/pkg/pkgdb.

Save the entropy seed daily in /etc/security.

Use $file instead of $(echo $file). I don't think the extra round of
word expansions was really intended here.

Fix an obvious botch in the previous rev, found by martin@

Convert uses of test (aka '[') to use only posix specified forms,
mostly just on general principle... this resulted in one or two minor
code reformattings to keep 80 char limits - a few needless uses of
quotes ("no" ??) were also removed (sh is not C. strings are strings
without quotes around them...)

branches: 1.122.2; 1.122.4;
Use sysctl to retrieve iostat names instead of parsing possibly
truncated iostat output.

Check dkctl listwedges output with grep.

Fixes PR 59205.

Record current raid configurations too in /etc/security.

Set the redirection correctly, so that stderr gets duped to the
already redirected stdout, rather than duping stdout to stderr!

Without this fix, the disklabel output is included in the log file
rather than being discarded as intended. (The purpose of running
disklabel this first time is only to check for success.)

Avoid nfs devices correctly.

Indent and space fixes.

- generate the list of disks only once and select from them later
- don't generate empty/useless files when disklabel or dkctl don't have data

Split some long lines.

Introduce a variable for security.conf, default empty, to list users
whose home is (allowed to be) owned by another user.

It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.

Fixes the second half of PR misc/36063

having more than one line with the same group name and gid is not only
allowed, it's even recommended for groups with lots of members, so
do not warn about duplicate group name lines if the gid is the same

Add defaults for pkg_info and pkg_admin variables in case pkgpath.conf
is not installed.

Fix for problematic paths in /etc/daily and /etc/security reported in
PR/47645.

Add a separate file which contains the paths for the pkg_admin and
pkg_info utilities. This is called /etc/pkgpath.conf (to distinguish it
from pkg.conf).

Thanks also to Edgar Fuss for the sanity check.

branches: 1.111.2;
change security so that there is a configuration value for the list of
users who will not be considered for duplicate uid check.
Seed it with 'toor' in defaults/security.conf.

branches: 1.110.4;
too much quoting. pointed by anon ymous

branches: 1.109.2;
`` -> $()

Deprecate the pkgdb_dir settings from daily.conf and security.conf in
favor of the PKG_DBDIR variable in /etc/pkg_install.conf. The purpose
of this is to only have to define the location of the packages database
in a single place and have all other system components pick it up.

pkgdb_dir is still honored if defined and the scripts will spit out a
warning in that case, asking the administrator to migrate to the
PKG_DBDIR setting. We can't remove this compatibility workaround until,
at least, after NetBSD 6 is released.

Add the fetch_pkg_vulnerabilities option to the daily script to keep the
packages vulnerability database up to date. This will only fetch the
file from the server if it has changed since the last run.

Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.

All of these options are enabled by default but they will only run if
there is, at least, one installed package.

Add support for lvm to security script. Backup lvm configuration to /var/backup/lvm with other system backups. Disable lvm check until MKLVM is enabled by default. no objections on tech-userlevel@.

branches: 1.105.4;
Handle non-trivial NIS compat entries (like +joe:::::::::) in the password
file. Fixes (my own) PR bin/33138.

reviewed: christos

The location of the pkg_info binary can now be specified in /etc/security.conf.
The default remains as /usr/sbin/pkg_info. This should fix PR# 36746.

branches: 1.103.2;
Add code to monitor the disk wedges (see dk(4)) configured on the
system. Based on a patch contributed by Andreas Wrede in PR misc/36747.

Use "mktemp -d -t xxx" to create the temporary directories. This will use
TMPDIR environment variable if set, otherwise use /tmp. (misc/35544)

PR/36058 -- fix check for group/other writable home directories from
Jukka Salmi

branches: 1.100.2;
Improve security check for "/etc/exports":
1.) Properly handle line continuation and network exports.
2.) Make the report more compact.

Patch contributed by Jukka Salmi in PR bin/24583.

PR #26490: /etc/security is not aware of sha1 passwords

Implement check_devices_ignore_paths, which is a list of paths to
avoid traversing during check_devices.

Don't try to backup a 'nfs' disklabel, which will happen because of the
recent iostat changes.
Patch supplied in pr# 33274 by Geoff C. Wing.

PR 32666: /etc/security may cause tapes to rewind. By Duncan McEwan.

Allow an underscore as first character and embedded underscores & dots
for login and group names.

Fixes PR misc/29913 from Arto Selonen.

branches: 1.94.2;
add a check_passwd_permin_nonalpha option, which changes the passwd
test to permit non-alphanumeric characters in login names

When checking /etc/exports, account for "-network=XXX" as restricting
the mount (i.e. it is not considered globally exported).

Fixes PR: 26890

PR misc/7716: add configuration options find_core_ignore_fstypes and
check_devices_ignore_fstypes to allow the filesystem types that are
ignored during the daily and security runs to be adjusted.

Merge /etc/mtree/special & /etc/mtree/special.local using "mtree -M".
This allows users to override mtree/special entries in mtree/special.local,
which is useful if you've replaced a directory with a symlink (for example).
This effectively makes $check_mtree_follow_symlinks=YES pointless, but
I'm retaining that for compatibility reasons.

Fix bug in generation of $MPBYUID (used "/^+/" instead of "/^\+/" as a regex),
which has existed for a long time but only failed with our awk; GNU awk seems
to have permitted this. (This meant that the duplicate UID check was broken
when using our awk.)

Rename some temp files to more accurately reflect their purpose, to
aid debugging.

Catch STDERR from /etc/security.local (not just STDOUT).

Introduce and use the rcvar_manpage variable, which contains the manual page
name where the user should look at for documentation about rcvar. It defaults
to 'rc.subr(5)', as rc.subr is mainly used by rc.d scripts.

This variable is useful to let the daily, weekly, monthly and security scripts
tune the warning message shown when any of the variables they handle is not
properly set.

Closes PR misc/23908.

branches: 1.88.2; 1.88.4; 1.88.6;
add missing && in the home directory group writability condition;
gawk somehow coped even without (defaults to && ?), but nawk printed
bogus warnings (defaults to || ?)

Provide a workaround for PR bin/12900.
When /dev is an fdesc, and /dev/tty is stat()ed without a controlling tty,
a "Device not configured" error is returned.

Filter mtree's stderr to ignore this error.

If fdesc is fixed to not behave in this fashion, this workaround can
be removed; bin/12900 should remain open until that time.

In check_varmail (mailbox ownership/permissions check):
Make ls -A explicit, to help n debugging when not run as root
(-A is implied when ls is run as root)
Ignore dotfiles, as they are not mailboxes (e.g. .jhawk.pop)

XXX: note pairwise cascaded test inversion in permit_star.

Add checkyesno check_homes_permit_usergroups to allow group writability
when the groupname matches the username. Defaults to off.

Suppress output when running security.local if it produces no output.
/etc/security should produce no output (and thus suppress the report)
when nothing is wrong.

While we're here, use printf instead of two echos, like the rest of
the script.

Use $diff_options when running diff in /etc/security.
Default diff_options to -u, for unified-format context diffs,
because context is essential to a useful evaluation of differences.
This represents a behavior change.

Implements change-request PR security/17247 from
Takahiro Kambe <taca@sky.yamashina.kyoto.jp>.

Under check_mtree, invoke mtree with -L if check_mtree_follow_symlinks is set.
Apparently mtree -L is imperfect, but it is far better than the lack thereof
if symlinks are involved reaching files mtree verifies.

Add some flexibility to /etc/security, by way of security.conf options:
check_passwd_nowarn_shells Don't warn about these non-/etc/shells shells
check_passwd_nowarn_users Don't warn about these users
check_passwd_permit_star Don't warn about "*" in the $2 field
Behavior change: check_passwd_nowarn_shells defaults to /sbin/nologin and
/usr/libexec/uucp/uucico, so that it will not warn about the default
master.passwd.
The rationale here is that an administrator who chooses to permit these
warnable conditions should not be warned about them day after day, yet
should not be forced to disable check_passwd entirely.
check_passwd_permit_star is primarily of interest to sites who use *'d
entries for Kerberos or ssh logins, despite the fact that we permit
"*ssh" (etc.) for this purpose (legacy).

writable, not writeable.

Added .k5login to the list of files that are checked in each user's
home directory.

Addresses PR: security/18000

md5/bcrypt password starts with $[12], so use ^ in regex

recognize md5/bcrypt password. noted by: Eric Jacoboni <jaco@teaser.fr>

The check_rootdotfiles section mucks with the PATH setting, but
never puts it back properly. As such, jobs run later that expect
there to be a path will lose badly (eg, run lintpkgsrc -i from
security.local). Let's just re-export the PATH.

branches: 1.75.2;
Support shell metacharacters (`*', '?', '[') in /etc/changelist lines,
including checks for "backups that exist when actual file is deleted", a la
the existing mechanism used for "/etc/ifconfig.*" ... "/etc/rc.d/*" checks.
This resolves [security/15798] from Bob Kemp <bob@allegory.demon.co.uk>.

Add nullfs to the list of file system types to skip during the "big finds".
Fix from Alan Barrett in [misc/14957].

remove blank lines from the lists of files to backup_and_diff

add -dgq to check_pkgs ls(1). suggested by @@@

Add -T option to ls(1) when -l option is specified.
This fixes none-changed files under ${backup_dir}/pkgs as bellow:

======
/var/backups/pkgs diffs (OLD < > NEW)
======
159c159
< -rw-r--r-- 1 root wheel 528 Apr 19 01:11 ja-less-332/+CONTENTS
---
> -rw-r--r-- 1 root wheel 528 Apr 19 2001 ja-less-332/+CONTENTS

Use "nodiff" instead of "nomail" for the tag which is used to exclude
files from having the changes diff generated. Suggested by Michael Graff.

minor optimisation suggested by christos

A few more changes, from more discussions with Andrew Brown.
- Resurrect /etc/changelist, even if it's an "empty" file by default,
because it's easier to use than /etc/mtree/special.local for adding
a couple of simple files. Back by popular demand (hi @@@! :-)
- Add /etc/rc.d/* to the list of "dynamic" files; this notices changes
in user-added scripts
- Only calculate the mtree -I nomail list once, and re-use
- Use "cat foo | while read file" instead of "for file in `cat foo`" ;
handles whitespace better...

Major overhaul, with help from Andrew Brown <atatat@netbsd.org>.

Features:
- Add a bunch of stuff to /etc/mtree/special to enable removal of
/etc/changelist:
- files which we want to monitor for changes but don't want to
see the diffs of (master.passwd, ssh_host_key, ...) are
tagged with "nomail"
- files which we don't want to monitor are tagged with "exclude"
(such as netgroup.db, kvm.db, ...)
- monitor /etc/mtree/special.local, /root/.ssh/*
- remove /etc/changelist, and a bunch of XXX comments
- use mtree(8)'s -D, -I, and -E to generate lists of files to
actually do the changelist stuff on.
- support /etc/mtree/special.local as an optional user-provided
version of /etc/mtree/special (effectively, an enhanced
/etc/changelist)
- Add code to monitor: /etc/ifconfig.* /etc/raid*.conf /etc/rc.conf.d/*
including support for these files being added and removed at will.
- If /sbin/fdisk exists, backup the output of "fdisk $disk" for all
the active disk drives as part of $check_disklabels
- Check permissions on: ~/.ssh/* ~/.shosts

Details:
- Reorder initialisation of defaults
- Remove special case for /etc/master.passwd "monitor but don't email diffs"
with general case for other similar files.
- Keep all `autogenerated' files (such as disklabel.*, setuid.current, ...)
in "$backup_dir/work", to minimise name clashes.
- Add migrate_file(old, new) to do the hard work of migrating files
from the old `top level' /var/backups mechanism to the `full path'
mechanism recently added. Use this appropriately.
- Add backup_and_diff(file, printdiffs), to the hard work of backing-up
and diff-ing files.
- Cleanup use of shell redirects
- /bin/sh supports ~root globbing, so use it.
- Improve umask checking; use awk regex rather than awk math

minor whitespace fix

replace "pkg_dbdir" with "pkgdb_dir", to be consistent with "backup_dir"

Since we store the output of ls for use later, make sure that we have TZ=UTC.
(Otherwise time zone changes cause us to believe that files have changed
when they have not.)

- clean up a couple of comments
- reformat some awk blocks
- replace "sed 1d | awk '...'" with "awk 'NR==1 {next;} ...'"

Add a chunk of code to check the installed pkgs list by making a list
of all installed pkgs and their +CONTENTS and +REQUIRED_BY files (if
they have one) and handling this file along with all the other
CHANGELIST stuff.

Greg Woods gets points for coming up with the idea.

Luke Mewburn asked me to do it, and provided lots of criticism along
the way.

remove acd (non existant), add ld (for hw raid logical drives)

add raid, remove cd drives and floppy drives from the nightly disk
permissions checks.

note: This whole thing needs to be rototilled. And yes, I'm
volunteering to do it.

Update the password sanity checking thusly:
1) If a password entry is of the form \*[A-z-]+, do not complain that
the account is off but has a valid password. Thus you can do
passwords like *ssh to indicate ssh only logins.
We should come up with a standard scheme for what various *keywords mean.
Note that if the field length is 13, 20 or 34 you'll still get
bitched at.
This code should be cleaned up. (So should the password scheme.)
2) If the entry is for "toor", don't complain that the account is off
but has a valid shell. We ship with toor:*:, there is no point in
complaining about it.

Part of the campaign against spurious security warning output.

run mtree on the special file using the new -l option, so it will not
complain about things like files set 444 instead of 644.

part of the campaign against spurious output in the nightly security run.

Remove rz/tz support for pmax, switch to MI SCSI.

use mktemp(1) to create temporary directories, and ensure that cleanup traps
are setup asap.

use symbolic signal names instead of numbers

When backing files listed in /etc/changelist, instead of truncating
to the basename of the file, use the whole path with $backup_dir
prepended, in effect mirrorring the directory tree. This eliminates
the possibility of a name collision.

Closes pr bin/12727.

Allow embedded hyphens in user names (and group names), just not as the
first or last character.

Provide the capability of storing backups via RCS instead of just a
"current" and a "last" (which is useless if you wanna know what you
changed last week). Set the default to on.

Run skeyaudit (only) from /etc/daily instead of /etc/security, else there's
some risk that the users don't get warned if an admin turns off running
/etc/security (by putting run_security=no into daily.conf).

Fixes PR 12267.

Allow md5 passwords of length 34 as passwords

Introduce max_grouplen - this determines the maximum permitted length
of group names, similarily to max_loginlen

Add a new variable 'backup_dir', which can be used to change the backup
directory from /var/backup (useful for those of us who have a separate /var
and would like to have our backup disklabels on the root filesystem).
Default behaviour unchanged. backup_dir being unset is taken as /var/backup.

use ${foo##*/} instead of `basename $foo`. as suggested (with minor variation)
by Toru Nishimura <nisimura@itc.aist-nara.ac.jp>

PR/10982: kilbi@rad.rwth-aachen.de: Don't confuse printf with usernames
that start with -.

Fix pr9320: improve umask checking for root's dotfiles.
Now even notices bogus umasks like 044

branches: 1.44.4;
We may as well allow local additions to /etc/security, since it gets done
for the other periodic checks.

check /etc/mail/aliases on check_aliases.
/etc/aliases will be checked as well, if exists (for backward compatibility).

Add skeyaudit to /etc/security (with a variable to disable) per PR 5871

Use cat -f to avoid denial of service attacks by people who make .rhosts
files fifos.

We already had logic not to try to grab the disklabels of md's and
fd's -- add cd's to the list.

Use standard variable "$0" for the whole line instead of the non-standard,
undocumented "$LINE".

Submitted in PR 7041 by Greg A. Woods <woods@weird.com>

Get rid of old-style chown operands.

branches: 1.37.2;
Add a commented-out duplicate id checker which doesn't exclude toor, and
add a comment saying how to switch it on.

Modify duplicate user id check to exclude "toor". Any other uid 0
accounts will generate a message with that (those) account names, root, and
toor present in the list.

Fix PR 5068 - scanning ~user/.rhosts files on NFS mounted home
directories with -maproot=nobody on the server. The argument to be
made is that if NetBSD's root can't read these files, it shouldn't
try to check them.

Handle + in master.passwd (From PR#4802).
Also, handle + in group and allow max_loginlen to be configurable.

Nix "Login %s is off but still has a valid shell" warning for 20-character
encrypted passwords generated by the NEWSALT option to passwd(1).

* if $check_disklabels=YES, backup and compare of disklabels of current disks.
should detect added or removed disks as well. backup labels go in
/var/backups/disklabel.XXX (XXX = disk name, e.g., sd0), and the
changelist style backups have .current or .backup suffixes
* minor whitespace, formatting, and comment cleanup

include rc.subr and use appropriately

Deal with files in the changelist that are added or removed.
* When a file is removed, move its .current file to .backup.
* When a file is added, create its .current file.
* In either case, send a diff against /dev/null.
Mostly from Jim Bernard in PR 4183, with the removal case fixed.

- use 'ftpd -C user' to check the format of /etc/ftpusers.
closes [security/4061]
- rename $MPPATH to $MPBYPATH, to clarify its use

- don't print "Checking setuid files and devices:" if no problems
found (solves [security/4047])
- minor cleanup (rename a couple of variables, etc)

- correct use of generated temporary files.
- clean up comments and generated output.
- clean up $SECUREDIR if SIGINT or SIGQUIT received.
- .rhosts may have to be world readable in NFS environments, so allow it to be.
- update list of disks to check for reasonable permissions
- don't show differences in /etc/master.passwd, as the encrypted strings may
be sent. From reading comments earlier in the script, this was the intention
anyway. Fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3994].
- when checking /etc/ftpusers, skip comment lines and only match full
usernames.
XXX: this should be enhanced to check lines of the enhanced ftpusers format.

* ensure that check for '.' in root's $PATH doesn't yield a false positive.
fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3995]
* detect empty :: elements as '.' in a sh(1) path (leading :, trailing :,
or ::)

* when checking /etc/master.passwd, read in /etc/shells for a list of
valid shells and then check each active account against that
* remove unnecessary ()s in a few printf's.

* take advantage of xargs -0 when finding devices and set?id files
* use 'ls -q' in the above, so that characters that may cause problems
in the output are replaced with '?'

Also check /etc/profile for setting of umask.
From Chris Jones <cjones@rupert.oscs.montana.edu> in [misc/3763]

Ignore blank lines and comments in /etc/exports
From Jaromir Dolecek <dolecek@moria.ics.muni.cz> in [misc/3691]

Don't list directories with the setuid bit set or FIFOs.

Minor cleanup.

When doing security checks in user home directory, sort by home directory, to
optimize lookups a little.
Also, add some more files to the naughty lists.

make /etc/aliases check a bit more discriminating: the line must be
uncommented, and it must contain a '|' character (forwarding to program).

Minor cleanup.

Don't leave logs in /etc/mtree; from Andrew Wheadon in PR misc/3106.
Also fixed some comments.

add configuration file for security, as security.conf.
the file allows each action taken by security to be
turned on or off.

ignore setgid on dirs.

Several fixes from Arne H. Juul (PR#1814).

New-style RCS ids.

Change .emacsrc to .emacs in list of files to be checked.
From Mike Long, in PR #768.

Fix the fstype-based pruning algorithms. Partly suggested by John Kohl.

branches: 1.9.2;
update to new security script

people importing trees from SunOS should be shot; add -d to ls.

Find only set[gu]id files and devices, like old ncheck(1).

use of xargs wasn't strictly a security hole, but could lead to fouled-
up results. xargs should really have an option to automatically
'quote' input.

Use xargs(1) to avoid overflowing the argument list to ls(1).

from FreeBSD: check for set*id devices in a way closer to the original.
note that you can still overflow the args buffer for the ls (and it does
that on lamp), but it's better than before.

Rewrite set[gu]id find command to avoid walking non-local file systems.

updated to reflect the fact that we don't have an ncheck

branches: 1.1.1;
Initial revision

security(5): Check kern.entropy.needed for confident entropy.

Don't test whether a non-blocking read from /dev/random would return
data.

For the sake of availability, /dev/random will unblock based on sources
like timer interrupts, which we can't confidently assert anything about
the actual unpredictability of.

Here, the goal is to highlight systems that have neither obtained
entropy from an HWRNG with a confident entropy assessment, nor been
seeded from a source the operator knows about.

XXX pullup-10

Recognize argon2 passwords as valid in daily security reports.

from RVP in misc/56486

Various entropy integration improvements.

- New /etc/security check for entropy in daily security report.

- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:

. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy

. set `entropy=wait' to make multiuser boot wait until enough entropy

Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.

- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.

- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.

This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.

I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.

Update default pkgsrc database location from /var/db/pkg to /usr/pkg/pkgdb.

Save the entropy seed daily in /etc/security.

Use $file instead of $(echo $file). I don't think the extra round of
word expansions was really intended here.

Fix an obvious botch in the previous rev, found by martin@

Convert uses of test (aka '[') to use only posix specified forms,
mostly just on general principle... this resulted in one or two minor
code reformattings to keep 80 char limits - a few needless uses of
quotes ("no" ??) were also removed (sh is not C. strings are strings
without quotes around them...)

branches: 1.122.2; 1.122.4;
Use sysctl to retrieve iostat names instead of parsing possibly
truncated iostat output.

Check dkctl listwedges output with grep.

Fixes PR 59205.

Record current raid configurations too in /etc/security.

Set the redirection correctly, so that stderr gets duped to the
already redirected stdout, rather than duping stdout to stderr!

Without this fix, the disklabel output is included in the log file
rather than being discarded as intended. (The purpose of running
disklabel this first time is only to check for success.)

Avoid nfs devices correctly.

Indent and space fixes.

- generate the list of disks only once and select from them later
- don't generate empty/useless files when disklabel or dkctl don't have data

Split some long lines.

Introduce a variable for security.conf, default empty, to list users
whose home is (allowed to be) owned by another user.

It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.

Fixes the second half of PR misc/36063

having more than one line with the same group name and gid is not only
allowed, it's even recommended for groups with lots of members, so
do not warn about duplicate group name lines if the gid is the same

Add defaults for pkg_info and pkg_admin variables in case pkgpath.conf
is not installed.

Fix for problematic paths in /etc/daily and /etc/security reported in
PR/47645.

Add a separate file which contains the paths for the pkg_admin and
pkg_info utilities. This is called /etc/pkgpath.conf (to distinguish it
from pkg.conf).

Thanks also to Edgar Fuss for the sanity check.

branches: 1.111.2;
change security so that there is a configuration value for the list of
users who will not be considered for duplicate uid check.
Seed it with 'toor' in defaults/security.conf.

branches: 1.110.4;
too much quoting. pointed by anon ymous

branches: 1.109.2;
`` -> $()

Deprecate the pkgdb_dir settings from daily.conf and security.conf in
favor of the PKG_DBDIR variable in /etc/pkg_install.conf. The purpose
of this is to only have to define the location of the packages database
in a single place and have all other system components pick it up.

pkgdb_dir is still honored if defined and the scripts will spit out a
warning in that case, asking the administrator to migrate to the
PKG_DBDIR setting. We can't remove this compatibility workaround until,
at least, after NetBSD 6 is released.

Add the fetch_pkg_vulnerabilities option to the daily script to keep the
packages vulnerability database up to date. This will only fetch the
file from the server if it has changed since the last run.

Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.

All of these options are enabled by default but they will only run if
there is, at least, one installed package.

Add support for lvm to security script. Backup lvm configuration to /var/backup/lvm with other system backups. Disable lvm check until MKLVM is enabled by default. no objections on tech-userlevel@.

branches: 1.105.4;
Handle non-trivial NIS compat entries (like +joe:::::::::) in the password
file. Fixes (my own) PR bin/33138.

reviewed: christos

The location of the pkg_info binary can now be specified in /etc/security.conf.
The default remains as /usr/sbin/pkg_info. This should fix PR# 36746.

branches: 1.103.2;
Add code to monitor the disk wedges (see dk(4)) configured on the
system. Based on a patch contributed by Andreas Wrede in PR misc/36747.

Use "mktemp -d -t xxx" to create the temporary directories. This will use
TMPDIR environment variable if set, otherwise use /tmp. (misc/35544)

PR/36058 -- fix check for group/other writable home directories from
Jukka Salmi

branches: 1.100.2;
Improve security check for "/etc/exports":
1.) Properly handle line continuation and network exports.
2.) Make the report more compact.

Patch contributed by Jukka Salmi in PR bin/24583.

PR #26490: /etc/security is not aware of sha1 passwords

Implement check_devices_ignore_paths, which is a list of paths to
avoid traversing during check_devices.

Don't try to backup a 'nfs' disklabel, which will happen because of the
recent iostat changes.
Patch supplied in pr# 33274 by Geoff C. Wing.

PR 32666: /etc/security may cause tapes to rewind. By Duncan McEwan.

Allow an underscore as first character and embedded underscores & dots
for login and group names.

Fixes PR misc/29913 from Arto Selonen.

branches: 1.94.2;
add a check_passwd_permin_nonalpha option, which changes the passwd
test to permit non-alphanumeric characters in login names

When checking /etc/exports, account for "-network=XXX" as restricting
the mount (i.e. it is not considered globally exported).

Fixes PR: 26890

PR misc/7716: add configuration options find_core_ignore_fstypes and
check_devices_ignore_fstypes to allow the filesystem types that are
ignored during the daily and security runs to be adjusted.

Merge /etc/mtree/special & /etc/mtree/special.local using "mtree -M".
This allows users to override mtree/special entries in mtree/special.local,
which is useful if you've replaced a directory with a symlink (for example).
This effectively makes $check_mtree_follow_symlinks=YES pointless, but
I'm retaining that for compatibility reasons.

Fix bug in generation of $MPBYUID (used "/^+/" instead of "/^\+/" as a regex),
which has existed for a long time but only failed with our awk; GNU awk seems
to have permitted this. (This meant that the duplicate UID check was broken
when using our awk.)

Rename some temp files to more accurately reflect their purpose, to
aid debugging.

Catch STDERR from /etc/security.local (not just STDOUT).

Introduce and use the rcvar_manpage variable, which contains the manual page
name where the user should look at for documentation about rcvar. It defaults
to 'rc.subr(5)', as rc.subr is mainly used by rc.d scripts.

This variable is useful to let the daily, weekly, monthly and security scripts
tune the warning message shown when any of the variables they handle is not
properly set.

Closes PR misc/23908.

branches: 1.88.2; 1.88.4; 1.88.6;
add missing && in the home directory group writability condition;
gawk somehow coped even without (defaults to && ?), but nawk printed
bogus warnings (defaults to || ?)

Provide a workaround for PR bin/12900.
When /dev is an fdesc, and /dev/tty is stat()ed without a controlling tty,
a "Device not configured" error is returned.

Filter mtree's stderr to ignore this error.

If fdesc is fixed to not behave in this fashion, this workaround can
be removed; bin/12900 should remain open until that time.

In check_varmail (mailbox ownership/permissions check):
Make ls -A explicit, to help n debugging when not run as root
(-A is implied when ls is run as root)
Ignore dotfiles, as they are not mailboxes (e.g. .jhawk.pop)

XXX: note pairwise cascaded test inversion in permit_star.

Add checkyesno check_homes_permit_usergroups to allow group writability
when the groupname matches the username. Defaults to off.

Suppress output when running security.local if it produces no output.
/etc/security should produce no output (and thus suppress the report)
when nothing is wrong.

While we're here, use printf instead of two echos, like the rest of
the script.

Use $diff_options when running diff in /etc/security.
Default diff_options to -u, for unified-format context diffs,
because context is essential to a useful evaluation of differences.
This represents a behavior change.

Implements change-request PR security/17247 from
Takahiro Kambe <taca@sky.yamashina.kyoto.jp>.

Under check_mtree, invoke mtree with -L if check_mtree_follow_symlinks is set.
Apparently mtree -L is imperfect, but it is far better than the lack thereof
if symlinks are involved reaching files mtree verifies.

Add some flexibility to /etc/security, by way of security.conf options:
check_passwd_nowarn_shells Don't warn about these non-/etc/shells shells
check_passwd_nowarn_users Don't warn about these users
check_passwd_permit_star Don't warn about "*" in the $2 field
Behavior change: check_passwd_nowarn_shells defaults to /sbin/nologin and
/usr/libexec/uucp/uucico, so that it will not warn about the default
master.passwd.
The rationale here is that an administrator who chooses to permit these
warnable conditions should not be warned about them day after day, yet
should not be forced to disable check_passwd entirely.
check_passwd_permit_star is primarily of interest to sites who use *'d
entries for Kerberos or ssh logins, despite the fact that we permit
"*ssh" (etc.) for this purpose (legacy).

writable, not writeable.

Added .k5login to the list of files that are checked in each user's
home directory.

Addresses PR: security/18000

md5/bcrypt password starts with $[12], so use ^ in regex

recognize md5/bcrypt password. noted by: Eric Jacoboni <jaco@teaser.fr>

The check_rootdotfiles section mucks with the PATH setting, but
never puts it back properly. As such, jobs run later that expect
there to be a path will lose badly (eg, run lintpkgsrc -i from
security.local). Let's just re-export the PATH.

branches: 1.75.2;
Support shell metacharacters (`*', '?', '[') in /etc/changelist lines,
including checks for "backups that exist when actual file is deleted", a la
the existing mechanism used for "/etc/ifconfig.*" ... "/etc/rc.d/*" checks.
This resolves [security/15798] from Bob Kemp <bob@allegory.demon.co.uk>.

Add nullfs to the list of file system types to skip during the "big finds".
Fix from Alan Barrett in [misc/14957].

remove blank lines from the lists of files to backup_and_diff

add -dgq to check_pkgs ls(1). suggested by @@@

Add -T option to ls(1) when -l option is specified.
This fixes none-changed files under ${backup_dir}/pkgs as bellow:

======
/var/backups/pkgs diffs (OLD < > NEW)
======
159c159
< -rw-r--r-- 1 root wheel 528 Apr 19 01:11 ja-less-332/+CONTENTS
---
> -rw-r--r-- 1 root wheel 528 Apr 19 2001 ja-less-332/+CONTENTS

Use "nodiff" instead of "nomail" for the tag which is used to exclude
files from having the changes diff generated. Suggested by Michael Graff.

minor optimisation suggested by christos

A few more changes, from more discussions with Andrew Brown.
- Resurrect /etc/changelist, even if it's an "empty" file by default,
because it's easier to use than /etc/mtree/special.local for adding
a couple of simple files. Back by popular demand (hi @@@! :-)
- Add /etc/rc.d/* to the list of "dynamic" files; this notices changes
in user-added scripts
- Only calculate the mtree -I nomail list once, and re-use
- Use "cat foo | while read file" instead of "for file in `cat foo`" ;
handles whitespace better...

Major overhaul, with help from Andrew Brown <atatat@netbsd.org>.

Features:
- Add a bunch of stuff to /etc/mtree/special to enable removal of
/etc/changelist:
- files which we want to monitor for changes but don't want to
see the diffs of (master.passwd, ssh_host_key, ...) are
tagged with "nomail"
- files which we don't want to monitor are tagged with "exclude"
(such as netgroup.db, kvm.db, ...)
- monitor /etc/mtree/special.local, /root/.ssh/*
- remove /etc/changelist, and a bunch of XXX comments
- use mtree(8)'s -D, -I, and -E to generate lists of files to
actually do the changelist stuff on.
- support /etc/mtree/special.local as an optional user-provided
version of /etc/mtree/special (effectively, an enhanced
/etc/changelist)
- Add code to monitor: /etc/ifconfig.* /etc/raid*.conf /etc/rc.conf.d/*
including support for these files being added and removed at will.
- If /sbin/fdisk exists, backup the output of "fdisk $disk" for all
the active disk drives as part of $check_disklabels
- Check permissions on: ~/.ssh/* ~/.shosts

Details:
- Reorder initialisation of defaults
- Remove special case for /etc/master.passwd "monitor but don't email diffs"
with general case for other similar files.
- Keep all `autogenerated' files (such as disklabel.*, setuid.current, ...)
in "$backup_dir/work", to minimise name clashes.
- Add migrate_file(old, new) to do the hard work of migrating files
from the old `top level' /var/backups mechanism to the `full path'
mechanism recently added. Use this appropriately.
- Add backup_and_diff(file, printdiffs), to the hard work of backing-up
and diff-ing files.
- Cleanup use of shell redirects
- /bin/sh supports ~root globbing, so use it.
- Improve umask checking; use awk regex rather than awk math

minor whitespace fix

replace "pkg_dbdir" with "pkgdb_dir", to be consistent with "backup_dir"

Since we store the output of ls for use later, make sure that we have TZ=UTC.
(Otherwise time zone changes cause us to believe that files have changed
when they have not.)

- clean up a couple of comments
- reformat some awk blocks
- replace "sed 1d | awk '...'" with "awk 'NR==1 {next;} ...'"

Add a chunk of code to check the installed pkgs list by making a list
of all installed pkgs and their +CONTENTS and +REQUIRED_BY files (if
they have one) and handling this file along with all the other
CHANGELIST stuff.

Greg Woods gets points for coming up with the idea.

Luke Mewburn asked me to do it, and provided lots of criticism along
the way.

remove acd (non existant), add ld (for hw raid logical drives)

add raid, remove cd drives and floppy drives from the nightly disk
permissions checks.

note: This whole thing needs to be rototilled. And yes, I'm
volunteering to do it.

Update the password sanity checking thusly:
1) If a password entry is of the form \*[A-z-]+, do not complain that
the account is off but has a valid password. Thus you can do
passwords like *ssh to indicate ssh only logins.
We should come up with a standard scheme for what various *keywords mean.
Note that if the field length is 13, 20 or 34 you'll still get
bitched at.
This code should be cleaned up. (So should the password scheme.)
2) If the entry is for "toor", don't complain that the account is off
but has a valid shell. We ship with toor:*:, there is no point in
complaining about it.

Part of the campaign against spurious security warning output.

run mtree on the special file using the new -l option, so it will not
complain about things like files set 444 instead of 644.

part of the campaign against spurious output in the nightly security run.

Remove rz/tz support for pmax, switch to MI SCSI.

use mktemp(1) to create temporary directories, and ensure that cleanup traps
are setup asap.

use symbolic signal names instead of numbers

When backing files listed in /etc/changelist, instead of truncating
to the basename of the file, use the whole path with $backup_dir
prepended, in effect mirrorring the directory tree. This eliminates
the possibility of a name collision.

Closes pr bin/12727.

Allow embedded hyphens in user names (and group names), just not as the
first or last character.

Provide the capability of storing backups via RCS instead of just a
"current" and a "last" (which is useless if you wanna know what you
changed last week). Set the default to on.

Run skeyaudit (only) from /etc/daily instead of /etc/security, else there's
some risk that the users don't get warned if an admin turns off running
/etc/security (by putting run_security=no into daily.conf).

Fixes PR 12267.

Allow md5 passwords of length 34 as passwords

Introduce max_grouplen - this determines the maximum permitted length
of group names, similarily to max_loginlen

Add a new variable 'backup_dir', which can be used to change the backup
directory from /var/backup (useful for those of us who have a separate /var
and would like to have our backup disklabels on the root filesystem).
Default behaviour unchanged. backup_dir being unset is taken as /var/backup.

use ${foo##*/} instead of `basename $foo`. as suggested (with minor variation)
by Toru Nishimura <nisimura@itc.aist-nara.ac.jp>

PR/10982: kilbi@rad.rwth-aachen.de: Don't confuse printf with usernames
that start with -.

Fix pr9320: improve umask checking for root's dotfiles.
Now even notices bogus umasks like 044

branches: 1.44.4;
We may as well allow local additions to /etc/security, since it gets done
for the other periodic checks.

check /etc/mail/aliases on check_aliases.
/etc/aliases will be checked as well, if exists (for backward compatibility).

Add skeyaudit to /etc/security (with a variable to disable) per PR 5871

Use cat -f to avoid denial of service attacks by people who make .rhosts
files fifos.

We already had logic not to try to grab the disklabels of md's and
fd's -- add cd's to the list.

Use standard variable "$0" for the whole line instead of the non-standard,
undocumented "$LINE".

Submitted in PR 7041 by Greg A. Woods <woods@weird.com>

Get rid of old-style chown operands.

branches: 1.37.2;
Add a commented-out duplicate id checker which doesn't exclude toor, and
add a comment saying how to switch it on.

Modify duplicate user id check to exclude "toor". Any other uid 0
accounts will generate a message with that (those) account names, root, and
toor present in the list.

Fix PR 5068 - scanning ~user/.rhosts files on NFS mounted home
directories with -maproot=nobody on the server. The argument to be
made is that if NetBSD's root can't read these files, it shouldn't
try to check them.

Handle + in master.passwd (From PR#4802).
Also, handle + in group and allow max_loginlen to be configurable.

Nix "Login %s is off but still has a valid shell" warning for 20-character
encrypted passwords generated by the NEWSALT option to passwd(1).

* if $check_disklabels=YES, backup and compare of disklabels of current disks.
should detect added or removed disks as well. backup labels go in
/var/backups/disklabel.XXX (XXX = disk name, e.g., sd0), and the
changelist style backups have .current or .backup suffixes
* minor whitespace, formatting, and comment cleanup

include rc.subr and use appropriately

Deal with files in the changelist that are added or removed.
* When a file is removed, move its .current file to .backup.
* When a file is added, create its .current file.
* In either case, send a diff against /dev/null.
Mostly from Jim Bernard in PR 4183, with the removal case fixed.

- use 'ftpd -C user' to check the format of /etc/ftpusers.
closes [security/4061]
- rename $MPPATH to $MPBYPATH, to clarify its use

- don't print "Checking setuid files and devices:" if no problems
found (solves [security/4047])
- minor cleanup (rename a couple of variables, etc)

- correct use of generated temporary files.
- clean up comments and generated output.
- clean up $SECUREDIR if SIGINT or SIGQUIT received.
- .rhosts may have to be world readable in NFS environments, so allow it to be.
- update list of disks to check for reasonable permissions
- don't show differences in /etc/master.passwd, as the encrypted strings may
be sent. From reading comments earlier in the script, this was the intention
anyway. Fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3994].
- when checking /etc/ftpusers, skip comment lines and only match full
usernames.
XXX: this should be enhanced to check lines of the enhanced ftpusers format.

* ensure that check for '.' in root's $PATH doesn't yield a false positive.
fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3995]
* detect empty :: elements as '.' in a sh(1) path (leading :, trailing :,
or ::)

* when checking /etc/master.passwd, read in /etc/shells for a list of
valid shells and then check each active account against that
* remove unnecessary ()s in a few printf's.

* take advantage of xargs -0 when finding devices and set?id files
* use 'ls -q' in the above, so that characters that may cause problems
in the output are replaced with '?'

Also check /etc/profile for setting of umask.
From Chris Jones <cjones@rupert.oscs.montana.edu> in [misc/3763]

Ignore blank lines and comments in /etc/exports
From Jaromir Dolecek <dolecek@moria.ics.muni.cz> in [misc/3691]

Don't list directories with the setuid bit set or FIFOs.

Minor cleanup.

When doing security checks in user home directory, sort by home directory, to
optimize lookups a little.
Also, add some more files to the naughty lists.

make /etc/aliases check a bit more discriminating: the line must be
uncommented, and it must contain a '|' character (forwarding to program).

Minor cleanup.

Don't leave logs in /etc/mtree; from Andrew Wheadon in PR misc/3106.
Also fixed some comments.

add configuration file for security, as security.conf.
the file allows each action taken by security to be
turned on or off.

ignore setgid on dirs.

Several fixes from Arne H. Juul (PR#1814).

New-style RCS ids.

Change .emacsrc to .emacs in list of files to be checked.
From Mike Long, in PR #768.

Fix the fstype-based pruning algorithms. Partly suggested by John Kohl.

branches: 1.9.2;
update to new security script

people importing trees from SunOS should be shot; add -d to ls.

Find only set[gu]id files and devices, like old ncheck(1).

use of xargs wasn't strictly a security hole, but could lead to fouled-
up results. xargs should really have an option to automatically
'quote' input.

Use xargs(1) to avoid overflowing the argument list to ls(1).

from FreeBSD: check for set*id devices in a way closer to the original.
note that you can still overflow the args buffer for the ls (and it does
that on lamp), but it's better than before.

Rewrite set[gu]id find command to avoid walking non-local file systems.

updated to reflect the fact that we don't have an ncheck

branches: 1.1.1;
Initial revision

Recognize argon2 passwords as valid in daily security reports.

from RVP in misc/56486

Various entropy integration improvements.

- New /etc/security check for entropy in daily security report.

- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:

. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy

. set `entropy=wait' to make multiuser boot wait until enough entropy

Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.

- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.

- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.

This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.

I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.

Update default pkgsrc database location from /var/db/pkg to /usr/pkg/pkgdb.

Save the entropy seed daily in /etc/security.

Use $file instead of $(echo $file). I don't think the extra round of
word expansions was really intended here.

Fix an obvious botch in the previous rev, found by martin@

Convert uses of test (aka '[') to use only posix specified forms,
mostly just on general principle... this resulted in one or two minor
code reformattings to keep 80 char limits - a few needless uses of
quotes ("no" ??) were also removed (sh is not C. strings are strings
without quotes around them...)

branches: 1.122.2; 1.122.4;
Use sysctl to retrieve iostat names instead of parsing possibly
truncated iostat output.

Check dkctl listwedges output with grep.

Fixes PR 59205.

Record current raid configurations too in /etc/security.

Set the redirection correctly, so that stderr gets duped to the
already redirected stdout, rather than duping stdout to stderr!

Without this fix, the disklabel output is included in the log file
rather than being discarded as intended. (The purpose of running
disklabel this first time is only to check for success.)

Avoid nfs devices correctly.

Indent and space fixes.

- generate the list of disks only once and select from them later
- don't generate empty/useless files when disklabel or dkctl don't have data

Split some long lines.

Introduce a variable for security.conf, default empty, to list users
whose home is (allowed to be) owned by another user.

It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.

Fixes the second half of PR misc/36063

having more than one line with the same group name and gid is not only
allowed, it's even recommended for groups with lots of members, so
do not warn about duplicate group name lines if the gid is the same

Add defaults for pkg_info and pkg_admin variables in case pkgpath.conf
is not installed.

Fix for problematic paths in /etc/daily and /etc/security reported in
PR/47645.

Add a separate file which contains the paths for the pkg_admin and
pkg_info utilities. This is called /etc/pkgpath.conf (to distinguish it
from pkg.conf).

Thanks also to Edgar Fuss for the sanity check.

branches: 1.111.2;
change security so that there is a configuration value for the list of
users who will not be considered for duplicate uid check.
Seed it with 'toor' in defaults/security.conf.

branches: 1.110.4;
too much quoting. pointed by anon ymous

branches: 1.109.2;
`` -> $()

Deprecate the pkgdb_dir settings from daily.conf and security.conf in
favor of the PKG_DBDIR variable in /etc/pkg_install.conf. The purpose
of this is to only have to define the location of the packages database
in a single place and have all other system components pick it up.

pkgdb_dir is still honored if defined and the scripts will spit out a
warning in that case, asking the administrator to migrate to the
PKG_DBDIR setting. We can't remove this compatibility workaround until,
at least, after NetBSD 6 is released.

Add the fetch_pkg_vulnerabilities option to the daily script to keep the
packages vulnerability database up to date. This will only fetch the
file from the server if it has changed since the last run.

Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.

All of these options are enabled by default but they will only run if
there is, at least, one installed package.

Add support for lvm to security script. Backup lvm configuration to /var/backup/lvm with other system backups. Disable lvm check until MKLVM is enabled by default. no objections on tech-userlevel@.

branches: 1.105.4;
Handle non-trivial NIS compat entries (like +joe:::::::::) in the password
file. Fixes (my own) PR bin/33138.

reviewed: christos

The location of the pkg_info binary can now be specified in /etc/security.conf.
The default remains as /usr/sbin/pkg_info. This should fix PR# 36746.

branches: 1.103.2;
Add code to monitor the disk wedges (see dk(4)) configured on the
system. Based on a patch contributed by Andreas Wrede in PR misc/36747.

Use "mktemp -d -t xxx" to create the temporary directories. This will use
TMPDIR environment variable if set, otherwise use /tmp. (misc/35544)

PR/36058 -- fix check for group/other writable home directories from
Jukka Salmi

branches: 1.100.2;
Improve security check for "/etc/exports":
1.) Properly handle line continuation and network exports.
2.) Make the report more compact.

Patch contributed by Jukka Salmi in PR bin/24583.

PR #26490: /etc/security is not aware of sha1 passwords

Implement check_devices_ignore_paths, which is a list of paths to
avoid traversing during check_devices.

Don't try to backup a 'nfs' disklabel, which will happen because of the
recent iostat changes.
Patch supplied in pr# 33274 by Geoff C. Wing.

PR 32666: /etc/security may cause tapes to rewind. By Duncan McEwan.

Allow an underscore as first character and embedded underscores & dots
for login and group names.

Fixes PR misc/29913 from Arto Selonen.

branches: 1.94.2;
add a check_passwd_permin_nonalpha option, which changes the passwd
test to permit non-alphanumeric characters in login names

When checking /etc/exports, account for "-network=XXX" as restricting
the mount (i.e. it is not considered globally exported).

Fixes PR: 26890

PR misc/7716: add configuration options find_core_ignore_fstypes and
check_devices_ignore_fstypes to allow the filesystem types that are
ignored during the daily and security runs to be adjusted.

Merge /etc/mtree/special & /etc/mtree/special.local using "mtree -M".
This allows users to override mtree/special entries in mtree/special.local,
which is useful if you've replaced a directory with a symlink (for example).
This effectively makes $check_mtree_follow_symlinks=YES pointless, but
I'm retaining that for compatibility reasons.

Fix bug in generation of $MPBYUID (used "/^+/" instead of "/^\+/" as a regex),
which has existed for a long time but only failed with our awk; GNU awk seems
to have permitted this. (This meant that the duplicate UID check was broken
when using our awk.)

Rename some temp files to more accurately reflect their purpose, to
aid debugging.

Catch STDERR from /etc/security.local (not just STDOUT).

Introduce and use the rcvar_manpage variable, which contains the manual page
name where the user should look at for documentation about rcvar. It defaults
to 'rc.subr(5)', as rc.subr is mainly used by rc.d scripts.

This variable is useful to let the daily, weekly, monthly and security scripts
tune the warning message shown when any of the variables they handle is not
properly set.

Closes PR misc/23908.

branches: 1.88.2; 1.88.4; 1.88.6;
add missing && in the home directory group writability condition;
gawk somehow coped even without (defaults to && ?), but nawk printed
bogus warnings (defaults to || ?)

Provide a workaround for PR bin/12900.
When /dev is an fdesc, and /dev/tty is stat()ed without a controlling tty,
a "Device not configured" error is returned.

Filter mtree's stderr to ignore this error.

If fdesc is fixed to not behave in this fashion, this workaround can
be removed; bin/12900 should remain open until that time.

In check_varmail (mailbox ownership/permissions check):
Make ls -A explicit, to help n debugging when not run as root
(-A is implied when ls is run as root)
Ignore dotfiles, as they are not mailboxes (e.g. .jhawk.pop)

XXX: note pairwise cascaded test inversion in permit_star.

Add checkyesno check_homes_permit_usergroups to allow group writability
when the groupname matches the username. Defaults to off.

Suppress output when running security.local if it produces no output.
/etc/security should produce no output (and thus suppress the report)
when nothing is wrong.

While we're here, use printf instead of two echos, like the rest of
the script.

Use $diff_options when running diff in /etc/security.
Default diff_options to -u, for unified-format context diffs,
because context is essential to a useful evaluation of differences.
This represents a behavior change.

Implements change-request PR security/17247 from
Takahiro Kambe <taca@sky.yamashina.kyoto.jp>.

Under check_mtree, invoke mtree with -L if check_mtree_follow_symlinks is set.
Apparently mtree -L is imperfect, but it is far better than the lack thereof
if symlinks are involved reaching files mtree verifies.

Add some flexibility to /etc/security, by way of security.conf options:
check_passwd_nowarn_shells Don't warn about these non-/etc/shells shells
check_passwd_nowarn_users Don't warn about these users
check_passwd_permit_star Don't warn about "*" in the $2 field
Behavior change: check_passwd_nowarn_shells defaults to /sbin/nologin and
/usr/libexec/uucp/uucico, so that it will not warn about the default
master.passwd.
The rationale here is that an administrator who chooses to permit these
warnable conditions should not be warned about them day after day, yet
should not be forced to disable check_passwd entirely.
check_passwd_permit_star is primarily of interest to sites who use *'d
entries for Kerberos or ssh logins, despite the fact that we permit
"*ssh" (etc.) for this purpose (legacy).

writable, not writeable.

Added .k5login to the list of files that are checked in each user's
home directory.

Addresses PR: security/18000

md5/bcrypt password starts with $[12], so use ^ in regex

recognize md5/bcrypt password. noted by: Eric Jacoboni <jaco@teaser.fr>

The check_rootdotfiles section mucks with the PATH setting, but
never puts it back properly. As such, jobs run later that expect
there to be a path will lose badly (eg, run lintpkgsrc -i from
security.local). Let's just re-export the PATH.

branches: 1.75.2;
Support shell metacharacters (`*', '?', '[') in /etc/changelist lines,
including checks for "backups that exist when actual file is deleted", a la
the existing mechanism used for "/etc/ifconfig.*" ... "/etc/rc.d/*" checks.
This resolves [security/15798] from Bob Kemp <bob@allegory.demon.co.uk>.

Add nullfs to the list of file system types to skip during the "big finds".
Fix from Alan Barrett in [misc/14957].

remove blank lines from the lists of files to backup_and_diff

add -dgq to check_pkgs ls(1). suggested by @@@

Add -T option to ls(1) when -l option is specified.
This fixes none-changed files under ${backup_dir}/pkgs as bellow:

======
/var/backups/pkgs diffs (OLD < > NEW)
======
159c159
< -rw-r--r-- 1 root wheel 528 Apr 19 01:11 ja-less-332/+CONTENTS
---
> -rw-r--r-- 1 root wheel 528 Apr 19 2001 ja-less-332/+CONTENTS

Use "nodiff" instead of "nomail" for the tag which is used to exclude
files from having the changes diff generated. Suggested by Michael Graff.

minor optimisation suggested by christos

A few more changes, from more discussions with Andrew Brown.
- Resurrect /etc/changelist, even if it's an "empty" file by default,
because it's easier to use than /etc/mtree/special.local for adding
a couple of simple files. Back by popular demand (hi @@@! :-)
- Add /etc/rc.d/* to the list of "dynamic" files; this notices changes
in user-added scripts
- Only calculate the mtree -I nomail list once, and re-use
- Use "cat foo | while read file" instead of "for file in `cat foo`" ;
handles whitespace better...

Major overhaul, with help from Andrew Brown <atatat@netbsd.org>.

Features:
- Add a bunch of stuff to /etc/mtree/special to enable removal of
/etc/changelist:
- files which we want to monitor for changes but don't want to
see the diffs of (master.passwd, ssh_host_key, ...) are
tagged with "nomail"
- files which we don't want to monitor are tagged with "exclude"
(such as netgroup.db, kvm.db, ...)
- monitor /etc/mtree/special.local, /root/.ssh/*
- remove /etc/changelist, and a bunch of XXX comments
- use mtree(8)'s -D, -I, and -E to generate lists of files to
actually do the changelist stuff on.
- support /etc/mtree/special.local as an optional user-provided
version of /etc/mtree/special (effectively, an enhanced
/etc/changelist)
- Add code to monitor: /etc/ifconfig.* /etc/raid*.conf /etc/rc.conf.d/*
including support for these files being added and removed at will.
- If /sbin/fdisk exists, backup the output of "fdisk $disk" for all
the active disk drives as part of $check_disklabels
- Check permissions on: ~/.ssh/* ~/.shosts

Details:
- Reorder initialisation of defaults
- Remove special case for /etc/master.passwd "monitor but don't email diffs"
with general case for other similar files.
- Keep all `autogenerated' files (such as disklabel.*, setuid.current, ...)
in "$backup_dir/work", to minimise name clashes.
- Add migrate_file(old, new) to do the hard work of migrating files
from the old `top level' /var/backups mechanism to the `full path'
mechanism recently added. Use this appropriately.
- Add backup_and_diff(file, printdiffs), to the hard work of backing-up
and diff-ing files.
- Cleanup use of shell redirects
- /bin/sh supports ~root globbing, so use it.
- Improve umask checking; use awk regex rather than awk math

minor whitespace fix

replace "pkg_dbdir" with "pkgdb_dir", to be consistent with "backup_dir"

Since we store the output of ls for use later, make sure that we have TZ=UTC.
(Otherwise time zone changes cause us to believe that files have changed
when they have not.)

- clean up a couple of comments
- reformat some awk blocks
- replace "sed 1d | awk '...'" with "awk 'NR==1 {next;} ...'"

Add a chunk of code to check the installed pkgs list by making a list
of all installed pkgs and their +CONTENTS and +REQUIRED_BY files (if
they have one) and handling this file along with all the other
CHANGELIST stuff.

Greg Woods gets points for coming up with the idea.

Luke Mewburn asked me to do it, and provided lots of criticism along
the way.

remove acd (non existant), add ld (for hw raid logical drives)

add raid, remove cd drives and floppy drives from the nightly disk
permissions checks.

note: This whole thing needs to be rototilled. And yes, I'm
volunteering to do it.

Update the password sanity checking thusly:
1) If a password entry is of the form \*[A-z-]+, do not complain that
the account is off but has a valid password. Thus you can do
passwords like *ssh to indicate ssh only logins.
We should come up with a standard scheme for what various *keywords mean.
Note that if the field length is 13, 20 or 34 you'll still get
bitched at.
This code should be cleaned up. (So should the password scheme.)
2) If the entry is for "toor", don't complain that the account is off
but has a valid shell. We ship with toor:*:, there is no point in
complaining about it.

Part of the campaign against spurious security warning output.

run mtree on the special file using the new -l option, so it will not
complain about things like files set 444 instead of 644.

part of the campaign against spurious output in the nightly security run.

Remove rz/tz support for pmax, switch to MI SCSI.

use mktemp(1) to create temporary directories, and ensure that cleanup traps
are setup asap.

use symbolic signal names instead of numbers

When backing files listed in /etc/changelist, instead of truncating
to the basename of the file, use the whole path with $backup_dir
prepended, in effect mirrorring the directory tree. This eliminates
the possibility of a name collision.

Closes pr bin/12727.

Allow embedded hyphens in user names (and group names), just not as the
first or last character.

Provide the capability of storing backups via RCS instead of just a
"current" and a "last" (which is useless if you wanna know what you
changed last week). Set the default to on.

Run skeyaudit (only) from /etc/daily instead of /etc/security, else there's
some risk that the users don't get warned if an admin turns off running
/etc/security (by putting run_security=no into daily.conf).

Fixes PR 12267.

Allow md5 passwords of length 34 as passwords

Introduce max_grouplen - this determines the maximum permitted length
of group names, similarily to max_loginlen

Add a new variable 'backup_dir', which can be used to change the backup
directory from /var/backup (useful for those of us who have a separate /var
and would like to have our backup disklabels on the root filesystem).
Default behaviour unchanged. backup_dir being unset is taken as /var/backup.

use ${foo##*/} instead of `basename $foo`. as suggested (with minor variation)
by Toru Nishimura <nisimura@itc.aist-nara.ac.jp>

PR/10982: kilbi@rad.rwth-aachen.de: Don't confuse printf with usernames
that start with -.

Fix pr9320: improve umask checking for root's dotfiles.
Now even notices bogus umasks like 044

branches: 1.44.4;
We may as well allow local additions to /etc/security, since it gets done
for the other periodic checks.

check /etc/mail/aliases on check_aliases.
/etc/aliases will be checked as well, if exists (for backward compatibility).

Add skeyaudit to /etc/security (with a variable to disable) per PR 5871

Use cat -f to avoid denial of service attacks by people who make .rhosts
files fifos.

We already had logic not to try to grab the disklabels of md's and
fd's -- add cd's to the list.

Use standard variable "$0" for the whole line instead of the non-standard,
undocumented "$LINE".

Submitted in PR 7041 by Greg A. Woods <woods@weird.com>

Get rid of old-style chown operands.

branches: 1.37.2;
Add a commented-out duplicate id checker which doesn't exclude toor, and
add a comment saying how to switch it on.

Modify duplicate user id check to exclude "toor". Any other uid 0
accounts will generate a message with that (those) account names, root, and
toor present in the list.

Fix PR 5068 - scanning ~user/.rhosts files on NFS mounted home
directories with -maproot=nobody on the server. The argument to be
made is that if NetBSD's root can't read these files, it shouldn't
try to check them.

Handle + in master.passwd (From PR#4802).
Also, handle + in group and allow max_loginlen to be configurable.

Nix "Login %s is off but still has a valid shell" warning for 20-character
encrypted passwords generated by the NEWSALT option to passwd(1).

* if $check_disklabels=YES, backup and compare of disklabels of current disks.
should detect added or removed disks as well. backup labels go in
/var/backups/disklabel.XXX (XXX = disk name, e.g., sd0), and the
changelist style backups have .current or .backup suffixes
* minor whitespace, formatting, and comment cleanup

include rc.subr and use appropriately

Deal with files in the changelist that are added or removed.
* When a file is removed, move its .current file to .backup.
* When a file is added, create its .current file.
* In either case, send a diff against /dev/null.
Mostly from Jim Bernard in PR 4183, with the removal case fixed.

- use 'ftpd -C user' to check the format of /etc/ftpusers.
closes [security/4061]
- rename $MPPATH to $MPBYPATH, to clarify its use

- don't print "Checking setuid files and devices:" if no problems
found (solves [security/4047])
- minor cleanup (rename a couple of variables, etc)

- correct use of generated temporary files.
- clean up comments and generated output.
- clean up $SECUREDIR if SIGINT or SIGQUIT received.
- .rhosts may have to be world readable in NFS environments, so allow it to be.
- update list of disks to check for reasonable permissions
- don't show differences in /etc/master.passwd, as the encrypted strings may
be sent. From reading comments earlier in the script, this was the intention
anyway. Fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3994].
- when checking /etc/ftpusers, skip comment lines and only match full
usernames.
XXX: this should be enhanced to check lines of the enhanced ftpusers format.

* ensure that check for '.' in root's $PATH doesn't yield a false positive.
fix from Jim Bernard <jbernard@tater.mines.edu> in [security/3995]
* detect empty :: elements as '.' in a sh(1) path (leading :, trailing :,
or ::)

* when checking /etc/master.passwd, read in /etc/shells for a list of
valid shells and then check each active account against that
* remove unnecessary ()s in a few printf's.

* take advantage of xargs -0 when finding devices and set?id files
* use 'ls -q' in the above, so that characters that may cause problems
in the output are replaced with '?'

Also check /etc/profile for setting of umask.
From Chris Jones <cjones@rupert.oscs.montana.edu> in [misc/3763]

Ignore blank lines and comments in /etc/exports
From Jaromir Dolecek <dolecek@moria.ics.muni.cz> in [misc/3691]

Don't list directories with the setuid bit set or FIFOs.

Minor cleanup.

When doing security checks in user home directory, sort by home directory, to
optimize lookups a little.
Also, add some more files to the naughty lists.

make /etc/aliases check a bit more discriminating: the line must be
uncommented, and it must contain a '|' character (forwarding to program).

Minor cleanup.

Don't leave logs in /etc/mtree; from Andrew Wheadon in PR misc/3106.
Also fixed some comments.

add configuration file for security, as security.conf.
the file allows each action taken by security to be
turned on or off.

ignore setgid on dirs.

Several fixes from Arne H. Juul (PR#1814).

New-style RCS ids.

Change .emacsrc to .emacs in list of files to be checked.
From Mike Long, in PR #768.

Fix the fstype-based pruning algorithms. Partly suggested by John Kohl.

branches: 1.9.2;
update to new security script

people importing trees from SunOS should be shot; add -d to ls.

Find only set[gu]id files and devices, like old ncheck(1).

use of xargs wasn't strictly a security hole, but could lead to fouled-
up results. xargs should really have an option to automatically
'quote' input.

Use xargs(1) to avoid overflowing the argument list to ls(1).

from FreeBSD: check for set*id devices in a way closer to the original.
note that you can still overflow the args buffer for the ls (and it does
that on lamp), but it's better than before.

Rewrite set[gu]id find command to avoid walking non-local file systems.

updated to reflect the fact that we don't have an ncheck

branches: 1.1.1;
Initial revision

Various entropy integration improvements.

- New /etc/security check for entropy in daily security report.

- New /etc/rc.d/entropy script runs (after random_seed and rndctl) to
check for entropy at boot -- in rc.conf, you can:

. set `entropy=check' to halt multiuser boot and enter single-user
mode if not enough entropy

. set `entropy=wait' to make multiuser boot wait until enough entropy

Default is to always boot without waiting -- and rely on other
channels like security report to alert the operator if there's a
problem.

- New man page entropy(7) discussing the higher-level concepts and
system integration with cross-references.

- New paragraph in afterboot(8) about entropy citing entropy(7) for
more details.

This change addresses many of the issues discussed in security/55659.
This is a first draft; happy to take improvements to the man pages and
scripted messages to improve clarity.

I considered changing motd to include an entropy warning with a
reference to the entropy(7) man page, but it's a little trickier:
- Not sure it's appropriate for all users to see at login rather than
users who have power to affect the entropy estimate (maybe it is,
just haven't decided).
- We only have a mechanism for changing once at boot; the message would
remain until next boot even if an operator adds enough entropy.
- The mechanism isn't really conducive to making a message appear
conditionally from boot to boot.

Update default pkgsrc database location from /var/db/pkg to /usr/pkg/pkgdb.

Save the entropy seed daily in /etc/security.

Use $file instead of $(echo $file). I don't think the extra round of
word expansions was really intended here.

Fix an obvious botch in the previous rev, found by martin@

Convert uses of test (aka '[') to use only posix specified forms,
mostly just on general principle... this resulted in one or two minor
code reformattings to keep 80 char limits - a few needless uses of
quotes ("no" ??) were also removed (sh is not C. strings are strings
without quotes around them...)

branches: 1.122.2; 1.122.4;
Use sysctl to retrieve iostat names instead of parsing possibly
truncated iostat output.

Check dkctl listwedges output with grep.

Fixes PR 59205.

Record current raid configurations too in /etc/security.

Set the redirection correctly, so that stderr gets duped to the
already redirected stdout, rather than duping stdout to stderr!

Without this fix, the disklabel output is included in the log file
rather than being discarded as intended. (The purpose of running
disklabel this first time is only to check for success.)

Avoid nfs devices correctly.

Indent and space fixes.

- generate the list of disks only once and select from them later
- don't generate empty/useless files when disklabel or dkctl don't have data

Split some long lines.

Introduce a variable for security.conf, default empty, to list users
whose home is (allowed to be) owned by another user.

It's a separate variable and not just check_passwd_permit_dups so I can
make security shut up about my uucp users.

Fixes the second half of PR misc/36063

having more than one line with the same group name and gid is not only
allowed, it's even recommended for groups with lots of members, so
do not warn about duplicate group name lines if the gid is the same

Add defaults for pkg_info and pkg_admin variables in case pkgpath.conf
is not installed.

Fix for problematic paths in /etc/daily and /etc/security reported in
PR/47645.

Add a separate file which contains the paths for the pkg_admin and
pkg_info utilities. This is called /etc/pkgpath.conf (to distinguish it
from pkg.conf).

Thanks also to Edgar Fuss for the sanity check.

branches: 1.111.2;
change security so that there is a configuration value for the list of
users who will not be considered for duplicate uid check.
Seed it with 'toor' in defaults/security.conf.

branches: 1.110.4;
too much quoting. pointed by anon ymous

branches: 1.109.2;
`` -> $()

Deprecate the pkgdb_dir settings from daily.conf and security.conf in
favor of the PKG_DBDIR variable in /etc/pkg_install.conf. The purpose
of this is to only have to define the location of the packages database
in a single place and have all other system components pick it up.

pkgdb_dir is still honored if defined and the scripts will spit out a
warning in that case, asking the administrator to migrate to the
PKG_DBDIR setting. We can't remove this compatibility workaround until,
at least, after NetBSD 6 is released.

Add the fetch_pkg_vulnerabilities option to the daily script to keep the
packages vulnerability database up to date. This will only fetch the
file from the server if it has changed since the last run.

Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.

All of these options are enabled by default but they will only run if
there is, at least, one installed package.

Add support for lvm to security script. Backup lvm configuration to /var/backup/lvm with other system backups. Disable lvm check until MKLVM is enabled by default. no objections on tech-userlevel@.

branches: 1.105.4;
Handle non-trivial NIS compat entries (like +joe:::::::::) in the password
file. Fixes (my own) PR bin/33138.

reviewed: christos

The location of the pkg_info binary can now be specified in /etc/security.conf.
The default remains as /usr/sbin/pkg_info. This should fix PR# 36746.

branches: 1.103.2;
Add code to monitor the disk wedges (see dk(4)) configured on the
system. Based on a patch contributed by Andreas Wrede in PR misc/36747.

Use "mktemp -d -t xxx" to create the temporary directories. This will use
TMPDIR environment variable if set, otherwise use /tmp. (misc/35544)

PR/36058 -- fix check for group/other writable home directories from
Jukka Salmi

branches: 1.100.2;
Improve security check for "/etc/exports":
1.) Properly handle line continuation and network exports.
2.) Make the report more compact.

Patch contributed by Jukka Salmi in PR bin/24583.

PR #26490: /etc/security is not aware of sha1 passwords

Implement check_devices_ignore_paths, which is a list of paths to
avoid traversing during check_devices.

Don't try to backup a 'nfs' disklabel, which will happen because of the
recent iostat changes.
Patch supplied in pr# 33274 by Geoff C. Wing.