@adam12
Forked from dlangille/1 - I plan to turn these off
Created November 15, 2019 19:43
Periodic things to turn off in FreeBSD jails
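# after reviewing /etc/defaults/periodic.conf I have decided
# to disable these items in jails.
# periodic.conf(5) is read by periodic(8) as sh(1) source, so every line
# below is a plain shell assignment with a "YES"/"NO" value.

# disk, network and uptime status are host-level reports
daily_status_disks_enable="NO"
daily_status_network_enable="NO"
daily_status_uptime_enable="NO"
# not needed on jails
daily_ntpd_leapfile_enable="NO"
# let the jail host do these
# NOTE(review): this assumes the host's own periodic security run covers
# the jail filesystems (setuid files, negative group permissions, uid-0
# accounts) — confirm that before relying on it.
security_status_chksetuid_enable="NO"
security_status_neggrpperm_enable="NO"
security_status_chkuid0_enable="NO"
# I don't run these in my jails (ipfw, ipf, ipf6 and tcp_wrappers checks);
# security_status_ipfdenied_enable is set once here — an earlier revision
# carried the same assignment twice, which is harmless but misleading.
security_status_ipfwdenied_enable="NO"
security_status_ipfdenied_enable="NO"
security_status_ipfwlimit_enable="NO"
security_status_ipf6denied_enable="NO"
security_status_tcpwrap_enable="NO"
# man pages are always good, but the weekly whatis(1) rebuild is still off
# here; the /etc/periodic.conf shown further down this page gives a
# read-only /usr in the jails as the reason.
weekly_whatis_enable="NO"
# I left these on:
# seems reasonable — the daily security report itself keeps running; the
# security_status_*_enable entries above presumably only gate individual
# checks within it.
daily_status_security_enable="YES"
# I still like the local locate
weekly_locate_enable="YES"
# security
weekly_status_security_enable="YES"
security_status_passwdless_enable="YES"
security_status_loginfail_enable="YES"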
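---
# Turn off, on every jail in the slocum_jails and knew_jails groups, the
# periodic(8) checks that only make sense on the jail host.  Each item is
# written into /etc/periodic.conf through the sysrc module; values that are
# already set come back as "ok" rather than "changed" on a re-run (see the
# play output on this page).
- hosts: slocum_jails:knew_jails
  tasks:
  - name: disable periodics not useful in jails
    sysrc:
      name: "{{ item }}"
      value: "NO"
      # NOTE(review): the argument naming the target file differs between
      # sysrc module implementations (community.general.sysrc calls it
      # "path"); "dest" is what this playbook was run with.
      dest: /etc/periodic.conf
    # security_status_ipfdenied_enable is listed once; an earlier revision
    # listed it twice, which only produced a redundant loop iteration.
    with_items:
    - daily_status_disks_enable
    - daily_status_network_enable
    - daily_status_uptime_enable
    - daily_ntpd_leapfile_enable
    - security_status_chksetuid_enable
    - security_status_neggrpperm_enable
    - security_status_chkuid0_enable
    - security_status_ipfwdenied_enable
    - security_status_ipfdenied_enable
    - security_status_ipfwlimit_enable
    - security_status_ipf6denied_enable
    - security_status_tcpwrap_enable
    tags: periodic,jails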
[dan@snapshots ~]$ cat /etc/periodic.conf
daily_output="/var/log/daily.log"
weekly_output="/var/log/weekly.log"
monthly_output="/var/log/monthly.log"
daily_status_security_output="/var/log/daily_status_security.log"
daily_status_network_enable="NO"
security_status_ipfwlimit_enable="NO"
security_status_ipfwdenied_enable="NO"
weekly_whatis_enable="NO" # our jails are read-only /usr
weekly_locate_enable="NO"
security_status_neggrpperm_enable="NO"
daily_status_disks_enable="NO"
daily_status_uptime_enable="NO"
daily_ntpd_leapfile_enable="NO"
security_status_chksetuid_enable="NO"
security_status_chkuid0_enable="NO"
security_status_ipfdenied_enable="NO"
security_status_ipf6denied_enable="NO"
security_status_tcpwrap_enable="NO"
[dan@snapshots ~]$
[root@ansible:/usr/local/etc/py27-ansible] # ansible-playbook jail-periodic.yml --limit=snapshots.int.unixathome.org
PLAY [slocum_jails:knew_jails] *****************************************************************************************************************************************************
TASK [disable periodics not useful in jails] ***************************************************************************************************************************************
changed: [snapshots.int.unixathome.org] => (item=daily_status_disks_enable)
ok: [snapshots.int.unixathome.org] => (item=daily_status_network_enable)
changed: [snapshots.int.unixathome.org] => (item=daily_status_uptime_enable)
changed: [snapshots.int.unixathome.org] => (item=daily_ntpd_leapfile_enable)
changed: [snapshots.int.unixathome.org] => (item=security_status_chksetuid_enable)
ok: [snapshots.int.unixathome.org] => (item=security_status_neggrpperm_enable)
changed: [snapshots.int.unixathome.org] => (item=security_status_chkuid0_enable)
ok: [snapshots.int.unixathome.org] => (item=security_status_ipfwdenied_enable)
changed: [snapshots.int.unixathome.org] => (item=security_status_ipfdenied_enable)
ok: [snapshots.int.unixathome.org] => (item=security_status_ipfdenied_enable)
ok: [snapshots.int.unixathome.org] => (item=security_status_ipfwlimit_enable)
changed: [snapshots.int.unixathome.org] => (item=security_status_ipf6denied_enable)
changed: [snapshots.int.unixathome.org] => (item=security_status_tcpwrap_enable)
PLAY RECAP *************************************************************************************************************************************************************************
snapshots.int.unixathome.org : ok=1 changed=1 unreachable=0 failed=0
[root@ansible:/usr/local/etc/py27-ansible] # cat jail-periodic.yml