From nobody@FreeBSD.org  Fri Jun 27 09:16:25 2008
Message-Id: <200806270916.m5R9GOD0045489@www.freebsd.org>
Date: Fri, 27 Jun 2008 09:16:24 GMT
From: "Alexander Kubrack <a@tim.ua>" <a@tim.ua>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] New file: /etc/periodic/security/810.loginok
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         125041
>Category:       conf
>Synopsis:       [patch] periodic(8) new file: /etc/periodic/security/810.loginok
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 27 09:20:05 UTC 2008
>Closed-Date:    
>Last-Modified:  Sat Aug 21 10:59:22 UTC 2010
>Originator:     Alexander Kubrack <a@tim.ua>
>Release:        FreeBSD 7.0-STABLE
>Organization:
>Environment:
FreeBSD aw 7.0-STABLE FreeBSD 7.0-STABLE #0: Thu Apr 10 15:38:31 EEST 2008     root@aw:/usr/obj/usr/src/sys/AW  i386

>Description:
For hosts with a high security level that do not have very many users, such as routers, DB servers, etc., it makes sense to check successful logins daily, just as login failures are now checked by /etc/periodic/security/800.loginfail.
I suggest creating a periodic script /etc/periodic/security/810.loginok (attached) and a new variable daily_status_security_loginok_enable in periodic.conf.
>How-To-Repeat:

>Fix:
Save the attached script as /etc/periodic/security/810.loginok
and add this line to /etc/periodic.conf:
daily_status_security_loginok_enable="YES"

Suggested default entry for /etc/defaults/periodic.conf:
# 810.loginok
daily_status_security_loginok_enable="NO"


Patch attached with submission follows:

#!/bin/sh -
#

#
# Show succesful logins
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

LOG="${daily_status_security_logdir}"

yesterday=`date -v-1d "+%b %e "`

catmsgs() {
	find ${LOG} -name 'auth.log.*' -mtime -2 |
	    sort -t. -r -n -k 2,2 |
	    while read f
	    do
		case $f in
		    *.gz)	zcat -f $f;;
		    *.bz2)	bzcat -f $f;;
		esac
	    done
	[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
}

case "$daily_status_security_loginok_enable" in
    [Yy][Ee][Ss])
        echo ""
        echo "${host} succesful logins:"
        n=$(catmsgs | grep -ia "^$yesterday.*[Aa]ccept" |
            tee /dev/stderr | wc -l)
        [ $n -gt 0 ] && rc=1 || rc=0;;
    *)  rc=0;;
esac

exit $rc
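
Review bot: In catmsgs(), the `case $f in` block handles only `*.gz` and `*.bz2`, so any other file returned by `find ${LOG} -name 'auth.log.*' -mtime -2` (for example an uncompressed rotated log) is silently skipped and its logins never reach the report; add a default branch such as `*) cat "$f";;`. The match `grep -ia "^$yesterday.*[Aa]ccept"` is also broader than the stated purpose: with `-i` the `[Aa]` class is redundant, and any line from yesterday containing "accept" in any case is counted as a successful login, so anchor the pattern to the exact message text the login daemons on the host emit. Smaller points: quote `$f` and `${LOG}` where they are expanded, and correct "succesful" in the header comment and in the echo line.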


>Release-Note:
>Audit-Trail:
>Unformatted:
