Subject: RFC: securing output of /etc/security
To: None <netbsd-users@netbsd.org>
From: Jason White <jdwhite@menelos.com>
List: netbsd-users
Date: 05/10/2006 06:00:57
On several occasions I've found that the output of /etc/security contains 
information that I do not wish to have mailed cleartext.  I've modified 
/etc/daily to implement a scheme for PGP encrypting the daily insecurity 
output.  Two new options in /etc/daily.conf enable this functionality:

  encrypt_security=YES
  SECURE_RECIPIENTS="jdwhite@menelos.com other@address.org"

SECURE_RECIPIENTS is a space-separated list of PGP/GPG recipient IDs.  GPG is 
required for this to work.  The root account's keyring must contain the keys 
defined by SECURE_RECIPIENTS.  In addition, a program called 'mpack' 
(from converters/mpack) creates a MIME-encoded message with the PGP-encoded 
output as an attachment of type application/pgp and sends the message.

I believe the reliance on mpack could be eliminated and replaced with a 
series of echo commands to a temp file with the appropriate MIME headers and 
boundary strings -- the whole thing eventually piped to 'sendmail -t', but 
it's less elegant than the mpack one-liner.

I plan to file a PR eventually, but would appreciate feedback on this idea 
and/or its implementation.

Thanks,
-Jason

The following is against /etc/daily:
#       $NetBSD: daily,v 1.64 2005/01/09 13:07:14 sketch Exp $

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

--- /tmp/daily  2006-05-09 20:39:46.000000000 -0500
+++ /etc/daily  2006-05-10 00:47:20.000000000 -0500
@@ -4,7 +4,7 @@
 #      @(#)daily       8.2 (Berkeley) 1/25/94
 #

-export PATH=/bin:/usr/bin:/sbin:/usr/sbin
+export PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/pkg/bin
 umask 077

 if [ -s /etc/daily.conf ]; then
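Review bot: appending /usr/pkg/bin to the exported PATH at the top of /etc/daily widens the search path for every command the whole daily run executes as root, not just the new gpg/mpack branch. Consider leaving the base-system PATH alone and invoking the two pkgsrc tools by absolute path (e.g. /usr/pkg/bin/gpg, /usr/pkg/bin/mpack) inside the encrypt_security branch, or at least note the PATH change in the daily.conf(5) documentation for the new options.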
@@ -272,8 +272,17 @@
                fi
        fi
        if [ -s "$SECOUT" ]; then
-               mail -s "$host daily insecurity output for $date" \
-                   "$MAILTO" < "$SECOUT"
+               if checkyesno encrypt_security; then
+                       for recipient in $SECURE_RECIPIENTS; do
+                           recipients="$recipients -r $recipient"
+                       done
+                       gpg -q --batch --yes -ea $recipients $SECOUT
+                       mpack -s "$host daily insecurity output for $date" \
+                           -c application/pgp "${SECOUT}.asc" "$MAILTO"
+               else
+                       mail -s "$host daily insecurity output for $date" \
+                           "$MAILTO" < "$SECOUT"
+               fi
        fi
 fi
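Review bot: the new encrypt_security branch never checks that gpg succeeded, so a failed encryption (missing recipient key, or a key whose trust is not set, which gpg refuses in --batch mode without an explicit trust override) leaves no "${SECOUT}.asc" and the report is silently dropped, while the cleartext "$SECOUT" stays on disk. Suggest testing the gpg exit status and, on failure, mailing a short notice rather than the plaintext, e.g. "if gpg -q --batch --yes -ea $recipients "$SECOUT"; then mpack ...; else mail -s "$host daily insecurity output: encryption failed" "$MAILTO" </dev/null; fi". Two smaller points: "$recipients" is never initialised before the for loop, so a value inherited from the environment or daily.conf would be prepended to the -r list (add "recipients=" before the loop), and "$SECOUT" should be quoted in the gpg invocation as it is in the mail fallback.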

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

-- 
Jason White <jdwhite@menelos.com>       Jabber: jdwhite(jabber.org)
http://www.menelos.com/~jdwhite                 jason.d.white(gmail.com)
PGP KeyID: 0x5290E477
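The post suggests replacing mpack with hand-written MIME headers piped to 'sendmail -t'. The shell function below is an added example of that idea, not code from the post or from NetBSD's /etc/daily; the function name, the optional boundary argument and the sample armored file are assumptions for illustration. It takes an already ASCII-armored gpg output file and emits a complete RFC 2822 message with the file attached as application/pgp, refusing to proceed if the boundary string happens to occur inside the attachment (which would truncate the MIME part). Note that the Subject, the host name and the recipient addresses still travel in cleartext; only the report body is protected.

```shell
#!/bin/sh
# Added example (not part of the original post): build the MIME message that
# mpack would otherwise generate, so the encrypted /etc/security report can be
# handed to 'sendmail -t' without a pkgsrc dependency.

# build_pgp_mail SUBJECT RECIPIENT ARMORED_FILE [BOUNDARY]
# Prints an RFC 2822 message with ARMORED_FILE attached as application/pgp.
# The boundary argument is optional and only exists to make output reproducible.
build_pgp_mail() {
    subject=$1
    to=$2
    armored=$3
    boundary=${4:-"=_daily_$$_$(date +%s)"}
    name=$(basename "$armored")

    # ASCII armor is 7-bit, so no base64 step is needed, but a MIME boundary
    # must never appear inside a part; abort rather than emit a broken message.
    if grep -q -- "--$boundary" "$armored"; then
        echo "build_pgp_mail: boundary collides with attachment content" >&2
        return 1
    fi

    # Envelope headers: 'sendmail -t' takes the recipient from the To: line.
    printf 'To: %s\n' "$to"
    printf 'Subject: %s\n' "$subject"
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n' "$boundary"
    printf '\n'
    printf 'This is a MIME-encapsulated message.\n'

    # Part 1: a short cleartext note for readers without a PGP-aware client.
    printf '\n--%s\n' "$boundary"
    printf 'Content-Type: text/plain; charset=us-ascii\n'
    printf '\n'
    printf 'PGP-encrypted security report attached.\n'

    # Part 2: the armored gpg output itself, as application/pgp like mpack -c.
    printf '\n--%s\n' "$boundary"
    printf 'Content-Type: application/pgp; name="%s"\n' "$name"
    printf 'Content-Disposition: attachment; filename="%s"\n' "$name"
    printf 'Content-Transfer-Encoding: 7bit\n'
    printf '\n'
    cat "$armored"

    # Closing boundary terminates the multipart body.
    printf '\n--%s--\n' "$boundary"
}

# Demo with a constructed (not real) armored file; in /etc/daily the file
# would be "${SECOUT}.asc" as produced by 'gpg -ea', and the output would be
# piped to '/usr/sbin/sendmail -t' instead of printed.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN PGP MESSAGE-----\n\nhQEMA0NPTlNUUlVDVEVEIFNBTVBMRQ==\n-----END PGP MESSAGE-----\n' \
    > "$demo_dir/security.asc"
build_pgp_mail "example.org daily insecurity output" "root@example.org" \
    "$demo_dir/security.asc"
rm -rf "$demo_dir"
```

In /etc/daily the call would replace the mpack line: `build_pgp_mail "$host daily insecurity output for $date" "$MAILTO" "${SECOUT}.asc" | sendmail -t`. Because the function only reads an already-encrypted file, the gpg exit status can be checked before it runs, which keeps a failed encryption from producing an empty or cleartext mail.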