jails How do you deal with periodic summaries in jails?

[DaLynX]

Hello,

I am running two freebsd servers. One shared with friends, one personal. On each I have half a dozen of jails running for different services.

Until now, I never paid attention to periodic scripts and their emails. (I am still new and discovering freebsd.) I have set aliases on my most critical jail and see the daily emails. That's ok. But definitely not scalable. Setting the aliases and mail configs correctly everywhere would flood me with 20-30 emails per day...

How do you deal with this kind of numerical explosion of summary / periodic emails when using jails?

 

[Alain De Vos]

Edit /etc/periodic.conf & put in the right stuff.
I don't do security so i have in this file:

daily_queuerun_enable="NO"                # Run mail queue
daily_status_include_submit_mailq="NO"            # Also submit queue
daily_status_security_enable="NO"            # Security check
daily_submit_queuerun="NO"                # Also submit queue
monthly_status_security_enable="NO"            # Security check
security_status_logincheck_enable="NO"
weekly_status_security_enable="NO"            # Security check

 

[DtxdF]

In my case, since I use AppJail, the following Makejail is used with other Makejails that I use to deploy applications:

* http://github.com/DtxdF/efficient-makejail

 

[DaLynX]

In my case, since I use AppJail, the following Makejail is used with other Makejails that I use to deploy applications:

* http://github.com/DtxdF/efficient-makejail

Sorry but I don't see how that applies to my question.
Also, aren't those sendmail lines already in defaults nowadays?

 

[Emrion]

I have disabled periodic scripts in /etc/crontab for all my jails.

 

[DaLynX]

Edit /etc/periodic.conf & put in the right stuff.
I don't do security so i have in this file:

daily_queuerun_enable="NO"                # Run mail queue
daily_status_include_submit_mailq="NO"            # Also submit queue
daily_status_security_enable="NO"            # Security check
daily_submit_queuerun="NO"                # Also submit queue
monthly_status_security_enable="NO"            # Security check
security_status_logincheck_enable="NO"
weekly_status_security_enable="NO"            # Security check

I will check what I feel like I can remove to make it lighter. Thank you. Maybe I don't need a daily security email anyway. Monthly is likely enough.

I have disabled periodic scripts in /etc/crontab for all my jails.

That's quite extreme but sure.

Isn't there a way to make the host report on its jails, on an aggregated way? Having one message telling me package X on jail A and package Y on jail B are vulnerable would be more practical that having to go through every jail's report to check if something's wrong.

 

[Emrion]

Isn't there a way to make the host report on its jails, on an aggregated way? Having one message telling me package X on jail A and package Y on jail B are vulnerable would be more practical that having to go through every jail's report to check if something's wrong.

The host reports in its security daily periodic mail if one or more packages in all running jails have a security problem. I don't know if the jails userlands are checked.

 

[DaLynX]

Thanks I actually realized I only have jail emails set up. I just set them up on the host and will look at the output tomorrow to see if it's redundant and I can disable the jail ones.

 

[DtxdF]

Sorry but I don't see how that applies to my question.
Also, aren't those sendmail lines already in defaults nowadays?

No, because many FreeBSD users treat their jails like a pet instead of cattle, so it is not desirable. In any case, it is not difficult to customize those things as I do with my jails.

 

[SirDice]

If you can't (or won't) use mail, you can have periodic(8) write to log files instead.

daily_output="/var/log/daily.log"
weekly_output="/var/log/weekly.log"
monthly_output="/var/log/monthly.log"

# These options are used by periodic(8) itself to determine what to do
# with the output of the sub-programs that are run, and where to send
# that output.  $daily_output might be set to /var/log/daily.log if you
# wish to log the daily output and have the files rotated by newsyslog(8)

 

[DtxdF]

You can do what SirDice describes in his comment and combine it with nullfs(5). At least you will be able to centralize periodic(8) logs without sacrificing the task it should perform.

 

[DaLynX]

Thanks I actually realized I only have jail emails set up. I just set them up on the host and will look at the output tomorrow to see if it's redundant and I can disable the jail ones.

Ok so I looked at the reports from the host. Unfortunately it does not "recurse into" the jails. So I guess it's either the 30 daily e-mails, or having them write to files, or just disabling them.

Thanks for the idea of writing to files and centralising them on the host with nullfs. Maybe I could just make a script that then merges these files into a single e-mail.

 

[adorno]

Maybe security/logcheck would be a reasonable starting point.

 

[Emrion]

Ok so I looked at the reports from the host. Unfortunately it does not "recurse into" the jails. So I guess it's either the 30 daily e-mails, or having them write to files, or just disabling them.

Strange. I took a long time to find where and how my jails are audited. I recall this appears after an update or an upgrade, but can't tell which, maybe in the 13.x era of my server.

The scripts are located in /usr/local/etc/periodic/security:
- 405.pkg-base-audit

: ${security_status_baseaudit_enable:=YES}
: ${security_status_baseaudit_period:=daily}
: ${security_status_baseaudit_quiet:=NO}
: ${security_status_baseaudit_chroots=$pkg_chroots}
: ${security_status_baseaudit_jails=$pkg_jails}
: ${security_status_baseaudit_jails_ignore+=""}
: ${security_status_baseaudit_expiry:=2}

- 410.pkg-audit

: ${security_status_pkgaudit_enable:=YES}
: ${security_status_pkgaudit_period:=daily}
: ${security_status_pkgaudit_quiet:=YES}
: ${security_status_pkgaudit_chroots=$pkg_chroots}
: ${security_status_pkgaudit_jails=$pkg_jails}
: ${security_status_pkgaudit_jails_ignore+=""}
: ${security_status_pkgaudit_expiry:=2}
: ${security_status_pkgaudit_expiration:=YES}
: ${security_status_pkgaudit_deprecation:=YES}

- 460.pkg-checksum

: ${security_status_pkg_checksum_enable:=YES}
: ${security_status_pkg_checksum_period:=daily}
: ${security_status_pkg_checksum_chroots=$pkg_chroots}
: ${security_status_pkg_checksum_jails=$pkg_jails}

Maybe some of these vars are defined to NO on your machine, check it. Or $pkg_jails is empty for some reasons...

 

[DaLynX]

Looks the same. But I don't see where $pkg_jails is (or should be) set.

 

[DaLynX]

Seems I need to create a /etc/periodic.conf and put it there. But that's just a guess reading this blog post: https://dan.langille.org/2019/03/22/getting-freebsd-10-2-is-vulnerable-messages-on-a-12-0-host/. I can't find any documentation about that.

 

[Emrion]

Oh yes, it was also in my periodic.conf. I put so many things inside that it escaped me:

security_status_pkgaudit_enable="YES"
security_status_pkgaudit_jails="*"

So, it's probably not an update, but I who put, at some point, these lines.

 

[DaLynX]

Okay thanks for the confirmation.

I created the file and put pkg_jails="*" inside.

I'll see what that brings tomorrow morning!

Thanks a lot!