Last active
March 21, 2024 13:25
-
-
Save dlangille/ce60ac76b69f267a3f1de33495a338fc to your computer and use it in GitHub Desktop.
Periodic things to turn off in FreeBSD jails
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # after reviewing /etc/defaults/periodic.conf I have decided | |
| # to disable these items in jails | |
| daily_status_disks_enable="NO" | |
| daily_status_network_enable="NO" | |
| daily_status_uptime_enable="NO" | |
| # not needed on jails | |
| daily_ntpd_leapfile_enable="NO" | |
| # let the jail host do these | |
| security_status_chksetuid_enable="NO" | |
| security_status_neggrpperm_enable="NO" | |
| security_status_chkuid0_enable="NO" | |
| # I don't run these in my jails | |
| security_status_ipfwdenied_enable="NO" | |
| security_status_ipfdenied_enable="NO" | |
| security_status_ipfdenied_enable="NO" | |
| security_status_ipfwlimit_enable="NO" | |
| security_status_ipf6denied_enable="NO" | |
| security_status_tcpwrap_enable="NO" | |
| # man pages are always good | |
| weekly_whatis_enable="NO" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # I left these on: | |
| # seems reasonable | |
| daily_status_security_enable="YES" | |
| # I still like the local locate | |
| weekly_locate_enable="YES" | |
| # security | |
| weekly_status_security_enable="YES" | |
| security_status_passwdless_enable="YES" | |
| security_status_loginfail_enable="YES" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - hosts: slocum_jails:knew_jails | |
| tasks: | |
| - name: disable periodics not useful in jails | |
| sysrc: | |
| name: "{{ item }}" | |
| value: "NO" | |
| dest: /etc/periodic.conf | |
| with_items: | |
| - daily_status_disks_enable | |
| - daily_status_network_enable | |
| - daily_status_uptime_enable | |
| - daily_ntpd_leapfile_enable | |
| - security_status_chksetuid_enable | |
| - security_status_neggrpperm_enable | |
| - security_status_chkuid0_enable | |
| - security_status_ipfwdenied_enable | |
| - security_status_ipfdenied_enable | |
| - security_status_ipfdenied_enable | |
| - security_status_ipfwlimit_enable | |
| - security_status_ipf6denied_enable | |
| - security_status_tcpwrap_enable | |
| tags: periodic,jails |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [dan@snapshots ~]$ cat /etc/periodic.conf | |
| daily_output="/var/log/daily.log" | |
| weekly_output="/var/log/weekly.log" | |
| monthly_output="/var/log/monthly.log" | |
| daily_status_security_output="/var/log/daily_status_security.log" | |
| daily_status_network_enable="NO" | |
| security_status_ipfwlimit_enable="NO" | |
| security_status_ipfwdenied_enable="NO" | |
| weekly_whatis_enable="NO" # our jails are read-only /usr | |
| weekly_locate_enable="NO" | |
| security_status_neggrpperm_enable="NO" | |
| daily_status_disks_enable="NO" | |
| daily_status_uptime_enable="NO" | |
| daily_ntpd_leapfile_enable="NO" | |
| security_status_chksetuid_enable="NO" | |
| security_status_chkuid0_enable="NO" | |
| security_status_ipfdenied_enable="NO" | |
| security_status_ipf6denied_enable="NO" | |
| security_status_tcpwrap_enable="NO" | |
| [dan@snapshots ~]$ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [root@ansible:/usr/local/etc/py27-ansible] # ansible-playbook jail-periodic.yml --limit=snapshots.int.unixathome.org | |
| PLAY [slocum_jails:knew_jails] ***************************************************************************************************************************************************** | |
| TASK [disable periodics not useful in jails] *************************************************************************************************************************************** | |
| changed: [snapshots.int.unixathome.org] => (item=daily_status_disks_enable) | |
| ok: [snapshots.int.unixathome.org] => (item=daily_status_network_enable) | |
| changed: [snapshots.int.unixathome.org] => (item=daily_status_uptime_enable) | |
| changed: [snapshots.int.unixathome.org] => (item=daily_ntpd_leapfile_enable) | |
| changed: [snapshots.int.unixathome.org] => (item=security_status_chksetuid_enable) | |
| ok: [snapshots.int.unixathome.org] => (item=security_status_neggrpperm_enable) | |
| changed: [snapshots.int.unixathome.org] => (item=security_status_chkuid0_enable) | |
| ok: [snapshots.int.unixathome.org] => (item=security_status_ipfwdenied_enable) | |
| changed: [snapshots.int.unixathome.org] => (item=security_status_ipfdenied_enable) | |
| ok: [snapshots.int.unixathome.org] => (item=security_status_ipfdenied_enable) | |
| ok: [snapshots.int.unixathome.org] => (item=security_status_ipfwlimit_enable) | |
| changed: [snapshots.int.unixathome.org] => (item=security_status_ipf6denied_enable) | |
| changed: [snapshots.int.unixathome.org] => (item=security_status_tcpwrap_enable) | |
| PLAY RECAP ************************************************************************************************************************************************************************* | |
| snapshots.int.unixathome.org : ok=1 changed=1 unreachable=0 failed=0 | |
| [root@ansible:/usr/local/etc/py27-ansible] # cat jail-periodic.yml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Based on https://twitter.com/allanjude/status/1314293390419390465 I could add: