author | Brad Davis <brd@FreeBSD.org> | 2018-08-11 17:11:08 +0000 |
---|---|---|
committer | Brad Davis <brd@FreeBSD.org> | 2018-08-11 17:11:08 +0000 |
commit | 81ea85a8845662ca329a954eeeb3e6d4124282a2 (patch) | |
tree | 81facbf2cdb27b51b13a66529c126761179d0f63 /usr.sbin | |
parent | 9317ba22260d45a8bf70b0490fa0191b51d858bb (diff) | |
Move all periodic related config and scripts to usr.sbin/periodic/
This makes pkgbase easier by tagging these as CONFS so they are properly
tagged as config files.
Approved by: will (mentor)
Sponsored by: Essen Hackathon
Differential Revision: https://reviews.freebsd.org/D16553
Notes
Notes:
svn path=/head/; revision=337648
Diffstat (limited to 'usr.sbin')
61 files changed, 3177 insertions, 0 deletions
diff --git a/usr.sbin/periodic/Makefile b/usr.sbin/periodic/Makefile
index 875d078435ea..a721f9db09b4 100644
--- a/usr.sbin/periodic/Makefile
+++ b/usr.sbin/periodic/Makefile
@@ -1,6 +1,10 @@
 # $FreeBSD$
 
+FILES= periodic.conf
+FILESDIR= /etc/defaults
 SCRIPTS=periodic.sh
 MAN= periodic.8
+SUBDIR= etc
+
 
 .include <bsd.prog.mk>
diff --git a/usr.sbin/periodic/etc/Makefile b/usr.sbin/periodic/etc/Makefile
new file mode 100644
index 000000000000..a2d99020fd10
--- /dev/null
+++ b/usr.sbin/periodic/etc/Makefile
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+SUBDIR= daily security weekly monthly
+SUBDIR_PARALLEL=
+
+.include <bsd.subdir.mk>
diff --git a/usr.sbin/periodic/etc/Makefile.inc b/usr.sbin/periodic/etc/Makefile.inc
new file mode 100644
index 000000000000..a1fed7ac7afb
--- /dev/null
+++ b/usr.sbin/periodic/etc/Makefile.inc
@@ -0,0 +1,6 @@
+# $FreeBSD$
+
+CONFMODE= 755
+CONFDIR= ETC_PERIODIC_${.CURDIR:T:U}
+ETC_PERIODIC_${.CURDIR:T:U}= /etc/periodic/${.CURDIR:T}
+NO_OBJ=
diff --git a/usr.sbin/periodic/etc/daily/100.clean-disks b/usr.sbin/periodic/etc/daily/100.clean-disks
new file mode 100755
index 000000000000..b4ebf3083bc5
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/100.clean-disks
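Review bot: `FILES= periodic.conf` with `FILESDIR= /etc/defaults` installs the defaults file through the plain FILES machinery, while the commit message says the purpose of the move is to tag these as CONFS so pkgbase treats them as config files. If periodic.conf is meant to be tracked the same way, this should read `CONFS= periodic.conf` and `CONFSDIR= /etc/defaults`. If the distinction is deliberate (defaults are not meant to be user-edited), a one-line comment saying so would stop the next reader from "fixing" it. The per-directory Makefiles under etc/ that presumably list the scripts as CONFS are not in this chunk, so I cannot confirm the rest of the setup.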
@@ -0,0 +1,55 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove garbage files more than $daily_clean_disks_days days old +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_disks_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_disks_days" ] + then + echo '$daily_clean_disks_enable is set but' \ + '$daily_clean_disks_days is not' + rc=2 + elif [ -z "$daily_clean_disks_files" ] + then + echo '$daily_clean_disks_enable is set but' \ + '$daily_clean_disks_files is not' + rc=2 + else + echo "" + echo "Cleaning disks:" + set -f noglob + args="-name "`echo "$daily_clean_disks_files" | + sed -e 's/^[ ]*//' \ + -e 's/[ ]*$//' \ + -e 's/[ ][ ]*/ -o -name /g'` + + case "$daily_clean_disks_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(find / \( ! -fstype local -o -fstype rdonly \) -prune -o \ + \( $args \) -atime +$daily_clean_disks_days \ + -execdir rm -df {} \; $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + set -f glob + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/110.clean-tmps b/usr.sbin/periodic/etc/daily/110.clean-tmps new file mode 100755 index 000000000000..67bcec6f00d3 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/110.clean-tmps 
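Review bot: `set -f noglob` and `set -f glob` do not do what the words suggest: `set -f` disables pathname expansion and the following word becomes `$1`, so `set -f glob` leaves globbing disabled rather than restoring it. Use `set -f` before building `$args` and `set +f` after the `find`, and drop the stray words. The same pair appears in 110.clean-tmps in the next hunk. Since the script exits right after, the only visible effect today is a bogus positional parameter, but anything later inserted between `set -f glob` and `exit` that relies on globbing will silently misbehave.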
@@ -0,0 +1,60 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Perform temporary directory cleaning so that long-lived systems +# don't end up with excessively old files there. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_tmps_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_tmps_days" ] + then + echo '$daily_clean_tmps_enable is set but' \ + '$daily_clean_tmps_days is not' + rc=2 + else + echo "" + echo "Removing old temporary files:" + + set -f noglob + args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days" + args="${args} -ctime +$daily_clean_tmps_days" + dargs="-empty -mtime +$daily_clean_tmps_days" + [ -n "$daily_clean_tmps_ignore" ] && { + args="$args "`echo " ${daily_clean_tmps_ignore% }" | + sed 's/[ ][ ]*/ ! -name /g'` + dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" | + sed 's/[ ][ ]*/ ! -name /g'` + } + case "$daily_clean_tmps_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(for dir in $daily_clean_tmps_dirs + do + [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && { + find -x -d . -type f $args -delete $print + find -x -d . ! -name . -type d $dargs -delete $print + } | sed "s,^\\., $dir," + done | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + set -f glob + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/120.clean-preserve b/usr.sbin/periodic/etc/daily/120.clean-preserve new file mode 100755 index 000000000000..d5b34a12c385 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/120.clean-preserve 
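Review bot: `[ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir` drops any `daily_clean_tmps_dirs` entry that is not absolute or does not exist without a word, whereas 999.local in this same batch reports "Not an absolute path" and "No such file"; a line such as `[ -d "$dir" ] || echo "$dir: not a directory, skipped" >&2` before the test would make a misconfigured list visible without changing the counted output. In the same test `$dir` is unquoted twice while the comparison right beside it quotes it; `-d "$dir"` and `cd "$dir"` are free. The find/sed pipeline itself reads fine.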
@@ -0,0 +1,53 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove stale files in /var/preserve +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_preserve_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_preserve_days" ] + then + echo '$daily_clean_preserve_enable is set but' \ + '$daily_clean_preserve_days is not' + rc=2 + elif [ ! -d /var/preserve ] + then + echo '$daily_clean_preserve_enable is set but /var/preserve' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Removing stale files from /var/preserve:" + + if cd /var/preserve + then + case "$daily_clean_preserve_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(find . ! -name . -mtime +$daily_clean_preserve_days \ + -delete $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + else + rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/130.clean-msgs b/usr.sbin/periodic/etc/daily/130.clean-msgs new file mode 100755 index 000000000000..b7890db6d954 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/130.clean-msgs @@ -0,0 +1,35 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove system messages +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_msgs_enable" in + [Yy][Ee][Ss]) + if [ ! -d /var/msgs ] + then + echo '$daily_clean_msgs_enable is set but /var/msgs' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Cleaning out old system announcements:" + + [ -n "$daily_clean_msgs_days" ] && + arg=-${daily_clean_msgs_days#-} || arg= + msgs -c $arg && rc=0 || rc=3 + fi;; + + *) rc=0;; +esac + +exit $rc 
diff --git a/usr.sbin/periodic/etc/daily/140.clean-rwho b/usr.sbin/periodic/etc/daily/140.clean-rwho new file mode 100755 index 000000000000..9645d7e60bf7 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/140.clean-rwho @@ -0,0 +1,53 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove stale files in /var/rwho +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_rwho_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_rwho_days" ] + then + echo '$daily_clean_rwho_enable is enabled but' \ + '$daily_clean_rwho_days is not set' + rc=2 + elif [ ! -d /var/rwho ] + then + echo '$daily_clean_rwho_enable is enabled but /var/rwho' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Removing stale files from /var/rwho:" + + case "$daily_clean_rwho_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + if cd /var/rwho + then + rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \ + -delete $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + else + rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/150.clean-hoststat b/usr.sbin/periodic/etc/daily/150.clean-hoststat new file mode 100755 index 000000000000..460d1a267908 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/150.clean-hoststat @@ -0,0 +1,29 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove stale persistent host status files +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ]; then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_hoststat_enable" in + [Yy][Ee][Ss]) + if [ -z "$(hoststat 2>&1)" ]; then + rc=2 + else + echo "" + echo "Removing stale entries from sendmail host status cache:" + rc=0 + purgestat || rc=1 + fi;; + + *) rc=0;; +esac + +exit $rc 
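Review bot: In 150.clean-hoststat the `rc=2` arm for an empty `hoststat` output prints nothing, so the failure surfaces only as a non-zero status with no line in the report, whereas every other script in this batch that sets `rc=2` explains itself first. Add something like `echo '$daily_clean_hoststat_enable is set but hoststat produced no output'` before `rc=2`. Note also that the test merges stderr (`2>&1`), so a `hoststat` that fails with an error message is treated as having entries and falls through to `purgestat`; whether that is intended is not clear from the hunk.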
diff --git a/usr.sbin/periodic/etc/daily/200.backup-passwd b/usr.sbin/periodic/etc/daily/200.backup-passwd
new file mode 100755
index 000000000000..638e227e3ac5
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/200.backup-passwd
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_backup_passwd_enable" in
+ [Yy][Ee][Ss])
+ if [ ! -f /etc/master.passwd ]
+ then
+ echo '$daily_backup_passwd_enable" is set but /etc/master.passwd' \
+ "doesn't exist"
+ rc=2
+ elif [ ! -f /etc/group ]
+ then
+ echo '$daily_backup_passwd_enable" is set but /etc/group' \
+ "doesn't exist"
+ rc=2
+ else
+ bak=/var/backups
+ rc=0
+
+ echo ""
+ echo "Backup passwd and group files:"
+
+ if [ ! -f $bak/master.passwd.bak ]
+ then
+ rc=1
+ echo "no $bak/master.passwd.bak"
+ cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
+ fi
+
+ if ! cmp -s $bak/master.passwd.bak /etc/master.passwd
+ then
+ [ $rc -lt 1 ] && rc=1
+ echo "$host passwd diffs:"
+ diff -uI '^#' $bak/master.passwd.bak /etc/master.passwd |\
+ sed 's/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/'
+ mv $bak/master.passwd.bak $bak/master.passwd.bak2
+ cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
+ fi
+
+ if [ ! -f $bak/group.bak ]
+ then
+ [ $rc -lt 1 ] && rc=1
+ echo "no $bak/group.bak"
+ cp -p /etc/group $bak/group.bak || rc=3
+ fi
+
+ if ! cmp -s $bak/group.bak /etc/group
+ then
+ [ $rc -lt 1 ] && rc=1
+ echo "$host group diffs:"
+ diff -u $bak/group.bak /etc/group
+ mv $bak/group.bak $bak/group.bak2
+ cp -p /etc/group $bak/group.bak || rc=3
+ fi
+
+ if [ -f /etc/group ]
+ then
+ echo ""
+ echo "Verifying group file syntax:"
+ chkgrp /etc/group || rc=3
+ fi
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
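Review bot: The masking `sed 's/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/'` only rewrites lines whose user name contains no `-` or `+`, so for an account whose name has a `-` in it (pw(8) accepts `-` after the first character, as far as I know) the changed master.passwd line, hash included, goes unmasked into the daily mail. The `[^-+:]` class is there to keep the `---`/`+++` header lines unmodified; do that with an address instead and let the name run to the first colon: `sed '/^[-+][-+][-+] /!s/^\([-+ ][^:]*\):[^:]*:/\1:(password):/'`. Separately, both `echo '$daily_backup_passwd_enable" is set but ...'` messages carry a stray `"` inside the single-quoted text that ends up in the output. `$host` is not set in this script; presumably periodic(8) exports it, but that is not visible here.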
diff --git a/usr.sbin/periodic/etc/daily/210.backup-aliases b/usr.sbin/periodic/etc/daily/210.backup-aliases
new file mode 100755
index 000000000000..fe170389ef03
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/210.backup-aliases
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_backup_aliases_enable" in
+ [Yy][Ee][Ss])
+ if [ ! -f /etc/mail/aliases ]
+ then
+ echo '$daily_backup_aliases_enable is enabled but' \
+ "/etc/mail/aliases doesn't exist"
+ rc=2
+ else
+ bak=/var/backups
+ rc=0
+
+ echo ""
+ echo "Backing up mail aliases:"
+
+ if [ ! -f $bak/aliases.bak ]
+ then
+ echo "no $bak/aliases.bak"
+ cp -p /etc/mail/aliases $bak/aliases.bak || rc=3
+ fi
+
+ if ! cmp -s $bak/aliases.bak /etc/mail/aliases
+ then
+ [ $rc -lt 1 ] && rc=1
+ echo "$host aliases diffs:"
+ diff -u $bak/aliases.bak /etc/mail/aliases
+ mv $bak/aliases.bak $bak/aliases.bak2
+ cp -p /etc/mail/aliases $bak/aliases.bak || rc=3
+ fi
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/300.calendar b/usr.sbin/periodic/etc/daily/300.calendar
new file mode 100755
index 000000000000..cc12097162e5
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/300.calendar
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# `calendar -a' needs to die. Why? Because it's a bad idea, particular
+# with networked home directories, but also in general. If you want the
+# output of `calendar' mailed to you, set up a cron job to do it,
+# or run it from your ~/.profile or ~/.login.
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_calendar_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Running calendar:"
+
+ calendar -a && rc=0 || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/310.accounting b/usr.sbin/periodic/etc/daily/310.accounting
new file mode 100755
index 000000000000..d11745de6eab
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/310.accounting
@@ -0,0 +1,65 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_accounting_enable" in
+ [Yy][Ee][Ss])
+ if [ ! -f /var/account/acct ]
+ then
+ echo '$daily_accounting_enable is set but /var/account/acct' \
+ "doesn't exist"
+ rc=2
+ elif [ -z "$daily_accounting_save" ]
+ then
+ echo '$daily_accounting_enable is set but ' \
+ '$daily_accounting_save is not'
+ rc=2
+ else
+ echo ""
+ echo "Rotating accounting logs and gathering statistics:"
+
+ cd /var/account
+ rc=0
+
+ n=$(( $daily_accounting_save - 1 ))
+ for f in acct.*; do
+ case "$f" in acct.\*) continue ;; esac # No files match
+ m=${f%.gz} ; m=${m#acct.}
+ [ $m -ge $n ] && { rm $f || rc=3; }
+ done
+
+ m=$n
+ n=$(($n - 1))
+ while [ $n -ge 0 ]
+ do
+ [ -f acct.$n.gz ] && { mv -f acct.$n.gz acct.$m.gz || rc=3; }
+ [ -f acct.$n ] && { mv -f acct.$n acct.$m || rc=3; }
+ m=$n
+ n=$(($n - 1))
+ done
+
+ /etc/rc.d/accounting rotate_log || rc=3
+
+ rm -f acct.merge && cp acct.0 acct.merge || rc=3
+ sa -s $daily_accounting_flags /var/account/acct.merge || rc=3
+ rm acct.merge
+
+ case "$daily_accounting_compress" in
+ [Yy][Ee][Ss])
+ gzip -f acct.0 || rc=3;;
+ esac
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/330.news b/usr.sbin/periodic/etc/daily/330.news
new file mode 100755
index 000000000000..ec064376d78f
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/330.news
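Review bot: `for f in acct.*` will pick up an `acct.merge` left behind by an interrupted earlier run (the script creates it at `cp acct.0 acct.merge` and only removes it at the end), and `[ $m -ge $n ]` then fails with an "integer expression expected" error for that entry instead of skipping it; extend the guard to `case "$f" in acct.\*|acct.merge) continue ;; esac`. The `cd /var/account` is also unchecked; the earlier `-f /var/account/acct` test makes a failure unlikely for root, but if it did fail the `rm`, `mv` and `gzip` lines would act on whatever directory periodic(8) started in, so `cd /var/account || exit 3` is the cheaper habit.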
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# Expire news articles
+# (This is present only for backwards compatibility, usually the news
+# system handles this on its own).
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_news_expire_enable" in
+ [Yy][Ee][Ss])
+ if [ ! -f /etc/news.expire ]
+ then
+ echo '$daily_news_expire_enable is set but /etc/news.expire' \
+ "doesn't exist"
+ rc=2
+ else
+ echo ""
+ echo "Running news.expire:"
+
+ /etc/news.expire && rc=0 || rc=3
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/400.status-disks b/usr.sbin/periodic/etc/daily/400.status-disks
new file mode 100755
index 000000000000..bab281097dbd
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/400.status-disks
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_disks_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Disk status:"
+
+ if [ -n "${daily_status_disks_ignore}" ] ; then
+ ignore="egrep -v ${daily_status_disks_ignore}"
+ else
+ ignore="cat"
+ fi
+ (df $daily_status_disks_df_flags | ${ignore}) && rc=1 || rc=3
+
+ # display which filesystems need backing up
+ if [ -s /etc/dumpdates ]; then
+ if ! [ -f /etc/fstab ]; then
+ export PATH_FSTAB=/dev/null
+ fi
+
+ echo ""
+ dump W || rc=3
+ fi
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/401.status-graid b/usr.sbin/periodic/etc/daily/401.status-graid
new file mode 100755
index 000000000000..a28fc5bbe569
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/401.status-graid
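Review bot: In 400.status-disks the command stored in `ignore="egrep -v ${daily_status_disks_ignore}"` is expanded unquoted at `| ${ignore}`, so a pattern containing whitespace is split into several arguments (egrep reads the extra words as file names) and glob characters in it are subject to pathname expansion. Put the `df` in each branch instead: `(df $daily_status_disks_df_flags | egrep -v "${daily_status_disks_ignore}") && rc=1 || rc=3` when the variable is set and `(df $daily_status_disks_df_flags) && rc=1 || rc=3` otherwise, and drop the `ignore` indirection. The `rc=1` on success is presumably periodic's "produced output" convention and is fine as is.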
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_graid_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo 'Checking status of graid(8) devices:'
+
+ if graid status; then
+ components="$(graid status -s | fgrep -v OPTIMAL)"
+ if [ "${components}" ]; then
+ rc=3
+ else
+ rc=0
+ fi
+ else
+ rc=2
+ fi
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/404.status-zfs b/usr.sbin/periodic/etc/daily/404.status-zfs
new file mode 100755
index 000000000000..df23bae7a37e
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/404.status-zfs
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_zfs_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo 'Checking status of zfs pools:'
+
+ case "$daily_status_zfs_zpool_list_enable" in
+ [Yy][Ee][Ss])
+ lout=`zpool list`
+ echo "$lout"
+ echo
+ ;;
+ *)
+ ;;
+ esac
+ sout=`zpool status -x`
+ echo "$sout"
+ # zpool status -x always exits with 0, so we have to interpret its
+ # output to see what's going on.
+ if [ "$sout" = "all pools are healthy" \
+ -o "$sout" = "no pools available" ]; then
+ rc=0
+ else
+ rc=1
+ fi
+ ;;
+
+ *)
+ rc=0
+ ;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/406.status-gmirror b/usr.sbin/periodic/etc/daily/406.status-gmirror
new file mode 100755
index 000000000000..8fc698c804d2
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/406.status-gmirror
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_gmirror_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo 'Checking status of gmirror(8) devices:'
+
+ if gmirror status; then
+ components="$(gmirror status -s | fgrep -v COMPLETE)"
+ if [ "${components}" ]; then
+ rc=3
+ else
+ rc=0
+ fi
+ else
+ rc=2
+ fi
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/407.status-graid3 b/usr.sbin/periodic/etc/daily/407.status-graid3
new file mode 100755
index 000000000000..52750f7d88e5
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/407.status-graid3
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_graid3_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo 'Checking status of graid3(8) devices:'
+
+ if graid3 status; then
+ components="$(graid3 status -s | fgrep -v COMPLETE)"
+ if [ "${components}" ]; then
+ rc=3
+ else
+ rc=0
+ fi
+ else
+ rc=2
+ fi
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/408.status-gstripe b/usr.sbin/periodic/etc/daily/408.status-gstripe
new file mode 100755
index 000000000000..ff74f76e3c7c
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/408.status-gstripe
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_gstripe_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo 'Checking status of gstripe(8) devices:'
+
+ if gstripe status; then
+ components="$(gstripe status -s | fgrep -v UP)"
+ if [ "${components}" ]; then
+ rc=3
+ else
+ rc=0
+ fi
+ else
+ rc=2
+ fi
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/409.status-gconcat b/usr.sbin/periodic/etc/daily/409.status-gconcat
new file mode 100755
index 000000000000..7dfa91812f68
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/409.status-gconcat
@@ -0,0 +1,34 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_gconcat_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo 'Checking status of gconcat(8) devices:'
+
+ if gconcat status; then
+ components="$(gconcat status -s | fgrep -v UP)"
+ if [ "${components}" ]; then
+ rc=3
+ else
+ rc=0
+ fi
+ else
+ rc=2
+ fi
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/410.status-mfi b/usr.sbin/periodic/etc/daily/410.status-mfi
new file mode 100644
index 000000000000..6e13fbb5a74f
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/410.status-mfi
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_mfi_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo 'Checking status of mfi(4) devices:'
+
+ if mfiutil show volumes; then
+ if mfiutil show volumes | grep -q DEGRADED; then
+ rc=3
+ else
+ rc=0
+ fi
+ else
+ rc=2
+ fi
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
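Review bot: 410.status-mfi is added with `new file mode 100644` while every sibling script in this batch is 100755. The installed mode comes from `CONFMODE= 755` in etc/Makefile.inc, so nothing breaks at install time, but the tree is inconsistent and anyone running the script from a checkout will trip over it; a `chmod +x` in the same move would settle it. The script also runs `mfiutil show volumes` twice where capturing the first output and grepping that would do, which is a style point only.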
diff --git a/usr.sbin/periodic/etc/daily/420.status-network b/usr.sbin/periodic/etc/daily/420.status-network
new file mode 100755
index 000000000000..03166a915a1a
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/420.status-network
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_network_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Network interface status:"
+
+ flags="${daily_status_network_netstat_flags}"
+ case "$daily_status_network_usedns" in
+ [Yy][Ee][Ss])
+ ;;
+ *)
+ flags="${flags} -n";;
+ esac
+ netstat -i ${flags} && rc=0 || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/430.status-uptime b/usr.sbin/periodic/etc/daily/430.status-uptime
new file mode 100755
index 000000000000..0c8c591a5973
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/430.status-uptime
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_uptime_enable" in
+ [Yy][Ee][Ss])
+ rwho=$(echo /var/rwho/*)
+ if [ -f "${rwho%% *}" ]
+ then
+ echo ""
+ echo "Local network system status:"
+ prog=ruptime
+ else
+ echo ""
+ echo "Local system status:"
+ prog=uptime
+ fi
+ rc=$($prog | tee /dev/stderr | wc -l)
+ if [ $? -eq 0 ]
+ then
+ [ $rc -gt 1 ] && rc=1
+ else
+ rc=3
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/440.status-mailq b/usr.sbin/periodic/etc/daily/440.status-mailq
new file mode 100755
index 000000000000..d17fe4edf9c2
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/440.status-mailq
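Review bot: In 430.status-uptime, `if [ $? -eq 0 ]` after `rc=$($prog | tee /dev/stderr | wc -l)` tests the status of the command substitution, which is that of the last command in the pipeline (`wc -l`), not of `$prog`, so a failing `ruptime` or `uptime` never reaches the `rc=3` branch and that branch is effectively dead. Either capture the program first (`if out=$($prog); then ...` and then print and count `$out`) or remove the `else rc=3` so the code does not claim a check it is not making. The `${rwho%% *}` test for choosing `ruptime` reads fine.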
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_mailq_enable" in
+ [Yy][Ee][Ss])
+ if [ ! -x /usr/bin/mailq ]
+ then
+ echo '$daily_status_mailq_enable is set but /usr/bin/mailq' \
+ "isn't executable"
+ rc=2
+ else
+ echo ""
+ echo "Mail in local queue:"
+
+ rc=$(case "$daily_status_mailq_shorten" in
+ [Yy][Ee][Ss])
+ mailq |
+ egrep -e '^[[:space:]]+[^[:space:]]+@' |
+ sort |
+ uniq -c |
+ sort -nr |
+ awk '$1 >= 1 {print $1, $2}';;
+ *)
+ mailq;;
+ esac | tee /dev/stderr |
+ egrep -v '(mqueue is empty|Total requests)' | wc -l)
+ [ $rc -gt 0 ] && rc=1 || rc=0
+
+ case "$daily_status_include_submit_mailq" in
+ [Yy][Ee][Ss])
+ if [ -f /etc/mail/submit.cf ]
+ then
+ echo ""
+ echo "Mail in submit queue:"
+
+ rc_submit=$(case "$daily_status_mailq_shorten" in
+ [Yy][Ee][Ss])
+ mailq -Ac |
+ egrep -e '^[[:space:]]+[^[:space:]]+@' |
+ sort |
+ uniq -c |
+ sort -nr |
+ awk '$1 >= 1 {print $1, $2}';;
+ *)
+ mailq -Ac;;
+ esac | tee /dev/stderr |
+ egrep -v '(mqueue is empty|Total requests)' | wc -l)
+ [ $rc_submit -gt 0 ] && rc=1
+ fi;;
+ esac
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/450.status-security b/usr.sbin/periodic/etc/daily/450.status-security
new file mode 100755
index 000000000000..31b6d4cf524e
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/450.status-security
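Review bot: The precondition checks `/usr/bin/mailq` but all four pipelines invoke a bare `mailq`, so the test guards a different binary than the one that runs whenever PATH resolves elsewhere (periodic(8)'s PATH is not visible here); call `/usr/bin/mailq` at the call sites, or test `command -v mailq` instead. The twelve-line shorten/count pipeline is then duplicated verbatim for the submit queue with only `-Ac` differing; wrapping it once as `count_queue() { ... }` with the mailq flags passed as `"$@"` and using `rc=$(count_queue)` / `rc_submit=$(count_queue -Ac)` would halve the script and keep the two in step.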
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_security_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Security check:"
+
+ case "$daily_status_security_inline" in
+ [Yy][Ee][Ss])
+ daily_status_security_output="";;
+ esac
+
+ export security_output="${daily_status_security_output}"
+ rc=0
+ case "${daily_status_security_output}" in
+ "")
+ if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
+ then
+ periodic security > $tempfile || rc=3
+ if [ -s "$tempfile" ]; then
+ cat "$tempfile"
+ rc=3
+ fi
+ rm -f "$tempfile"
+ fi;;
+ /*)
+ echo " (output logged separately)"
+ periodic security || rc=3;;
+ *)
+ echo " (output mailed separately)"
+ periodic security || rc=3;;
+ esac;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/460.status-mail-rejects b/usr.sbin/periodic/etc/daily/460.status-mail-rejects
new file mode 100755
index 000000000000..ce633640b6a4
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/460.status-mail-rejects
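Review bot: When `mktemp` fails in the inline-output branch the `if` body is skipped, `rc` stays 0 and `periodic security` is never run, so the daily report looks clean precisely when `${TMPDIR:-/tmp}` is full or unwritable; add an `else` arm that says so and fails loudly, e.g. `else echo "cannot create a temporary file in ${TMPDIR:-/tmp}; security check not run"; rc=3`. In the same branch `> $tempfile` is unquoted while the three later uses quote `"$tempfile"`; quoting all four is consistent and protects against a `TMPDIR` with spaces. The mktemp template with a fixed prefix and `XXXXXX` is the right construction.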
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_mail_rejects_shorten" in
+[Yy][Ee][Ss]) shorten='cut -d" " -f2,3';;
+*) shorten=cat;;
+esac
+
+case "$daily_status_mail_rejects_enable" in
+ [Yy][Ee][Ss])
+ if [ ! -d /etc/mail ]
+ then
+ echo '$daily_status_mail_rejects_enable is set but /etc/mail' \
+ "doesn't exist"
+ rc=2
+ elif [ ! -f /var/log/maillog ]
+ then
+ echo '$daily_status_mail_rejects_enable is set but ' \
+ "/var/log/maillog doesn't exist"
+ rc=2
+ elif [ "$daily_status_mail_rejects_logs" -le 0 ]
+ then
+ echo '$daily_status_mail_rejects_enable is set but ' \
+ '$daily_status_mail_rejects_logs is not greater than zero'
+ rc=2
+ else
+ echo
+ echo Checking for rejected mail hosts:
+
+ yesterday=$(date -v-1d '+%b %e')
+ today=$(date '+%b %e')
+ n=$(($daily_status_mail_rejects_logs - 2))
+ rc=$({
+ while [ $n -ge 0 ]
+ do
+ if [ -f /var/log/maillog.$n ]
+ then
+ cat /var/log/maillog.$n
+ elif [ -f /var/log/maillog.$n.gz ]
+ then
+ zcat -fc /var/log/maillog.$n.gz
+ elif [ -f /var/log/maillog.$n.bz2 ]
+ then
+ bzcat -fc /var/log/maillog.$n.bz2
+ fi
+ n=$(($n - 1))
+ done
+ cat /var/log/maillog
+ } | sed -Ene "/^$today/q" -e "/^$yesterday/{"'
+ s/.*ruleset=check_relay,.* relay=([^,]+), reject=([^ ]*).*/\2 check_relay \1/p
+ t end
+ s/.*ruleset=check_rcpt,.* arg1=<?([^>,]+).* reject=([^ ]+) .* ([^ ]+)/\2 check_rcpt \1 \3/p
+ t end
+ s/.*ruleset=check_([^,]+),.* arg1=<?([^@]+@)?([^>,]+).* reject=([^ ]+) .* ([^ ]+)/\4 check_\1 \3 \5/p
+ :end
+ }' | eval $shorten | sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l)
+ [ $rc -gt 0 ] && rc=1
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/480.leapfile-ntpd b/usr.sbin/periodic/etc/daily/480.leapfile-ntpd
new file mode 100755
index 000000000000..a693986e0dd1
--- /dev/null
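Review bot: `eval $shorten` exists only to get the quoted `-d" "` through word splitting; the same effect without `eval` is to define a function in the two case arms, `shorten() { cut -d ' ' -f2,3; }` and `shorten() { cat; }`, and pipe through `| shorten |`. The value is set by the script itself, so there is no injection here, but an `eval` on a variable is exactly the shape that gets copied into a script where the variable is not under the script's control. Secondarily, `[ "$daily_status_mail_rejects_logs" -le 0 ]` prints a test error and is false when the variable is unset, after which `n=$((... - 2))` quietly becomes -2; whether periodic.conf always provides a default is not visible in this chunk.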
+++ b/usr.sbin/periodic/etc/daily/480.leapfile-ntpd
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_ntpd_leapfile_enable" in
+ [Yy][Ee][Ss])
+ if service ntpd oneneedfetch; then
+ anticongestion
+ service ntpd onefetch
+ fi
+ ;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/480.status-ntpd b/usr.sbin/periodic/etc/daily/480.status-ntpd
new file mode 100755
index 000000000000..1ff5cc516f5a
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/480.status-ntpd
@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+rc=0
+
+case "$daily_status_ntpd_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "NTP status:"
+
+ synchronized=$(ntpq -pn | tee /dev/stderr | grep '^\*')
+ if [ -z "$synchronized" ]; then
+ rc=1
+ fi
+ ;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/500.queuerun b/usr.sbin/periodic/etc/daily/500.queuerun
new file mode 100755
index 000000000000..f46c24614b2c
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/500.queuerun
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_queuerun_enable" in
+ [Yy][Ee][Ss])
+ if [ ! -x /usr/sbin/sendmail ]
+ then
+ echo '$daily_queuerun_enable is set but /usr/sbin/sendmail' \
+ "isn't executable"
+ rc=2
+ else
+ /usr/sbin/sendmail -q >/dev/null 2>&1 &
+ case "$daily_submit_queuerun" in
+ [Yy][Ee][Ss])
+ if [ -f /etc/mail/submit.cf ]
+ then
+ /usr/sbin/sendmail -q -Ac >/dev/null 2>&1 &
+ fi;;
+ esac
+ rc=0
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
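Review bot: In 480.leapfile-ntpd `exit $rc` runs with `rc` unset on every path, since there is neither a default before the `case` nor an assignment inside the `[Yy][Ee][Ss]` arm, so the script exits with the status of whatever ran last instead of the 0/1/2/3 convention its siblings follow; 480.status-ntpd in the same hunk line does it right with `rc=0` before the `case`. Add `rc=0` up front and report a failed fetch, `service ntpd onefetch || rc=3`. `anticongestion` is presumably a helper brought in by `source_periodic_confs`, but nothing in this chunk defines it.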
diff --git a/usr.sbin/periodic/etc/daily/510.status-world-kernel b/usr.sbin/periodic/etc/daily/510.status-world-kernel
new file mode 100755
index 000000000000..4e08a04d2a25
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/510.status-world-kernel
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# Check that the running userland and kernel versions are in sync.
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_world_kernel" in
+ [Yy][Ee][Ss])
+ rc=0
+ _U=$(/usr/bin/uname -U 2>/dev/null)
+ _K=$(/usr/bin/uname -K 2>/dev/null)
+ [ -z "${_U}" -o -z "${_K}" ] && exit 0
+ echo ""
+ echo "Checking userland and kernel versions:"
+ if [ "${_U}" != "${_K}" ]; then
+ echo "Userland and kernel are not in sync"
+ echo "Userland version: ${_U}"
+ echo "Kernel version: ${_K}"
+ rc=1
+ else
+ echo "Userland and kernel are in sync."
+ fi
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/usr.sbin/periodic/etc/daily/800.scrub-zfs b/usr.sbin/periodic/etc/daily/800.scrub-zfs
new file mode 100755
index 000000000000..8cca1ea4d949
--- /dev/null
+++ b/usr.sbin/periodic/etc/daily/800.scrub-zfs
@@ -0,0 +1,110 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# + +newline=" +" # A single newline + +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +: ${daily_scrub_zfs_default_threshold=35} + +case "$daily_scrub_zfs_enable" in + [Yy][Ee][Ss]) + echo + echo 'Scrubbing of zfs pools:' + + if [ -z "${daily_scrub_zfs_pools}" ]; then + daily_scrub_zfs_pools="$(zpool list -H -o name)" + fi + + rc=0 + for pool in ${daily_scrub_zfs_pools}; do + # sanity check + _status=$(zpool list "${pool}" 2> /dev/null) + if [ $? -ne 0 ]; then + rc=2 + echo " WARNING: pool '${pool}' specified in" + echo " '/etc/periodic.conf:daily_scrub_zfs_pools'" + echo " does not exist" + continue + fi + _status=${_status##*$newline} + case ${_status} in + *FAULTED*) + rc=3 + echo "Skipping faulted pool: ${pool}" + continue ;; + *UNAVAIL*) + rc=4 + echo "Skipping unavailable pool: ${pool}" + continue ;; + esac + + # determine how many days shall be between scrubs + eval _pool_threshold=\${daily_scrub_zfs_$(echo "${pool}"|tr ".:-" "_")_threshold} + if [ -z "${_pool_threshold}" ];then + _pool_threshold=${daily_scrub_zfs_default_threshold} + fi + + _last_scrub=$(zpool history ${pool} | \ + egrep "^[0-9\.\:\-]{19} zpool scrub ${pool}\$" | tail -1 |\ + cut -d ' ' -f 1) + if [ -z "${_last_scrub}" ]; then + # creation time of the pool if no scrub was done + _last_scrub=$(zpool history ${pool} | \ + sed -ne '2s/ .*$//p') + fi + if [ -z "${_last_scrub}" ]; then + echo " skipping scrubbing of pool '${pool}':" + echo " can't get last scrubbing date" + continue + fi + + # Now minus last scrub (both in seconds) converted to days. 
+ _scrub_diff=$(expr -e \( $(date +%s) - \ + $(date -j -v -70M -f %F.%T ${_last_scrub} +%s) \) / 60 / 60 / 24) + if [ ${_scrub_diff} -lt ${_pool_threshold} ]; then + echo " skipping scrubbing of pool '${pool}':" + echo " last scrubbing is ${_scrub_diff} days ago, threshold is set to ${_pool_threshold} days" + continue + fi + + _status="$(zpool status ${pool} | grep scan:)" + case "${_status}" in + *"scrub in progress"*) + echo " scrubbing of pool '${pool}' already in progress, skipping:" + ;; + *"resilver in progress"*) + echo " resilvering of pool '${pool}' is in progress, skipping:" + ;; + *"none requested"*) + echo " starting first scrub (since reboot) of pool '${pool}':" + zpool scrub ${pool} + [ $rc -eq 0 ] && rc=1 + ;; + *) + echo " starting scrub of pool '${pool}':" + zpool scrub ${pool} + [ $rc -eq 0 ] && rc=1 + ;; + esac + + echo " consult 'zpool status ${pool}' for the result" + done + ;; + + *) + rc=0 + ;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/999.local b/usr.sbin/periodic/etc/daily/999.local new file mode 100755 index 000000000000..eca04e5771b8 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/999.local @@ -0,0 +1,43 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Run the old /etc/daily.local script. This is really for backwards +# compatibility more than anything else. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 +for script in $daily_local +do + echo '' + case "$script" in + /*) + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] + then + echo "Running $script:" + + sh $script || rc=3 + else + echo "$script: No such file" + [ $rc -lt 2 ] && rc=2 + fi;; + *) + echo "$script: Not an absolute path" + [ $rc -lt 2 ] && rc=2;; + esac +done + +exit $rc 
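Review bot: The `eval _pool_threshold=\${daily_scrub_zfs_$(echo "${pool}"|tr ".:-" "_")_threshold}` line is only safe because the `zpool list "${pool}"` sanity check earlier in the loop `continue`s on any name zpool rejects, which keeps arbitrary text from `daily_scrub_zfs_pools` in periodic.conf away from `eval`; that ordering dependency deserves a comment such as `# NOTE: keep the zpool list check above this eval; it is what restricts ${pool} to names zpool accepts`. Separately, when `date -j -f %F.%T ${_last_scrub}` cannot parse the timestamp, `_scrub_diff` ends up empty, the `[ ${_scrub_diff} -lt ${_pool_threshold} ]` test is malformed, and as far as I can see the loop then falls through and starts a scrub; a guard `[ -n "${_scrub_diff}" ] || { echo " skipping scrubbing of pool '${pool}': can't compute last scrub age"; continue; }` before that test would make the failure explicit. `${pool}` is also interpolated unescaped into the `egrep` pattern, so a `.` in a pool name matches any character there.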
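Review bot: `sh $script` runs the file with `$script` unquoted although the `[ -x "$script" ]` and `[ -f "$script" ]` tests just above quote it; `sh "$script" || rc=3` keeps the executed path identical to the tested one. The same line appears in monthly/999.local further down this commit. A short comment above the `case` would also help the next reader: `# Only absolute paths from daily_local are accepted; each is run with the privileges periodic(8) itself has`.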
diff --git a/usr.sbin/periodic/etc/daily/Makefile b/usr.sbin/periodic/etc/daily/Makefile new file mode 100644 index 000000000000..b65bc1310cb4 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/Makefile @@ -0,0 +1,61 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +CONFGROUPS= CONFS + +CONFS= 100.clean-disks \ + 110.clean-tmps \ + 120.clean-preserve \ + 140.clean-rwho \ + 200.backup-passwd \ + 210.backup-aliases \ + 330.news \ + 400.status-disks \ + 401.status-graid \ + 406.status-gmirror \ + 407.status-graid3 \ + 408.status-gstripe \ + 409.status-gconcat \ + 410.status-mfi \ + 420.status-network \ + 430.status-uptime \ + 450.status-security \ + 510.status-world-kernel \ + 999.local + +# NB: keep these sorted by MK_* knobs + +.if ${MK_ACCT} != "no" +CONFGROUPS+= ACCT +ACCT+= 310.accounting +ACCTMODE= ${BINMODE} +ACCTPACKAGE= acct +.endif + +.if ${MK_CALENDAR} != "no" +CONFS+= 300.calendar +.endif + +.if ${MK_MAIL} != "no" +CONFS+= 130.clean-msgs +.endif + +.if ${MK_NTP} != "no" +CONFS+= 480.status-ntpd \ + 480.leapfile-ntpd +.endif + +.if ${MK_SENDMAIL} != "no" +CONFS+= 150.clean-hoststat \ + 440.status-mailq \ + 460.status-mail-rejects \ + 500.queuerun +.endif + +.if ${MK_ZFS} != "no" +CONFS+= 404.status-zfs \ + 800.scrub-zfs +.endif + +.include <bsd.prog.mk> diff --git a/usr.sbin/periodic/etc/monthly/200.accounting b/usr.sbin/periodic/etc/monthly/200.accounting new file mode 100755 index 000000000000..46f153de535a --- /dev/null +++ b/usr.sbin/periodic/etc/monthly/200.accounting 
@@ -0,0 +1,51 @@ +#!/bin/sh - +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +oldmask=$(umask) +umask 066 +case "$monthly_accounting_enable" in + [Yy][Ee][Ss]) + W=/var/log/utx.log + rc=0 + remove=NO + if [ ! -f $W.0 ] + then + if [ -f $W.0.gz ] + then + remove=YES + zcat $W.0.gz > $W.0 || rc=1 + elif [ -f $W.0.bz2 ] + then + remove=YES + bzcat $W.0.bz2 > $W.0 || rc=1 + else + echo '$monthly_accounting_enable is set but' \ + "$W.0 doesn't exist" + rc=2 + fi + fi + if [ $rc -eq 0 ] + then + echo "" + echo "Doing login accounting:" + + rc=$(ac -p -w $W.0 | sort -nr -k 2 | tee /dev/stderr | wc -l) + [ $rc -gt 0 ] && rc=1 + fi + [ $remove = YES ] && rm -f $W.0;; + + *) rc=0;; +esac + +umask $oldmask +exit $rc diff --git a/usr.sbin/periodic/etc/monthly/450.status-security b/usr.sbin/periodic/etc/monthly/450.status-security new file mode 100755 index 000000000000..61e6b92387bd --- /dev/null +++ b/usr.sbin/periodic/etc/monthly/450.status-security 
@@ -0,0 +1,47 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$monthly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$monthly_status_security_inline" in + [Yy][Ee][Ss]) + monthly_status_security_output="";; + esac + + export security_output="${monthly_status_security_output}" + rc=0 + case "${monthly_status_security_output}" in + "") + if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` + then + periodic security > $tempfile || rc=3 + if [ -s "$tempfile" ]; then + cat "$tempfile" + rc=3 + fi + rm -f "$tempfile" + fi;; + /*) + echo " (output logged separately)" + periodic security || rc=3;; + *) + echo " (output mailed separately)" + periodic security || rc=3;; + esac;; + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/monthly/999.local b/usr.sbin/periodic/etc/monthly/999.local new file mode 100755 index 000000000000..a017a69540e5 --- /dev/null +++ b/usr.sbin/periodic/etc/monthly/999.local @@ -0,0 +1,40 @@ +#!/bin/sh - +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 +for script in $monthly_local +do + echo '' + case "$script" in + /*) + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] + then + echo "Running $script:" + + sh $script || rc=3 + else + echo "$script: No such file" + [ $rc -lt 2 ] && rc=2 + fi;; + *) + echo "$script: Not an absolute path" + [ $rc -lt 2 ] && rc=2;; + esac +done + +exit $rc diff --git a/usr.sbin/periodic/etc/monthly/Makefile b/usr.sbin/periodic/etc/monthly/Makefile new file mode 100644 index 000000000000..ddcc9d9372c1 --- /dev/null +++ b/usr.sbin/periodic/etc/monthly/Makefile 
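Review bot: In the `""` arm of 450.status-security, if `mktemp` fails the whole `if tempfile=...` body is skipped, `periodic security` never runs, and the script still exits with `rc=0`, so a lost monthly security run reads as success to whoever receives the mail. Adding an `else` branch, `else echo "mktemp failed; security check not run"; rc=3`, before that `fi;;` surfaces the failure the same way the other arms report a failed `periodic security`. `periodic security > $tempfile` also leaves the path unquoted while `cat "$tempfile"` and `rm -f "$tempfile"` quote it; `> "$tempfile"` matches.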
@@ -0,0 +1,20 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +CONFGROUPS= CONFS + +CONFS= 450.status-security \ + 999.local + +# NB: keep these sorted by MK_* knobs + +.if ${MK_UTMPX} != "no" +CONFGROUPS+= ACCT +ACCT+= 200.accounting +ACCTDIR= /etc/periodic/monthly +ACCTMODE= ${BINMODE} +ACCTPACKAGE= acct +.endif + +.include <bsd.prog.mk> diff --git a/usr.sbin/periodic/etc/security/100.chksetuid b/usr.sbin/periodic/etc/security/100.chksetuid new file mode 100755 index 000000000000..670ae9792021 --- /dev/null +++ b/usr.sbin/periodic/etc/security/100.chksetuid 
@@ -0,0 +1,62 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. 
/etc/periodic/security/security.functions + +security_daily_compat_var security_status_chksetuid_enable + +rc=0 + +if check_yesno_period security_status_chksetuid_enable +then + echo "" + echo 'Checking setuid files and devices:' + IFS=$'\n' # Don't split mount points with spaces or tabs + MP=`mount -t ufs,zfs | awk ' + $0 !~ /no(suid|exec)/ { + sub(/^.* on \//, "/"); + sub(/ \(.*\)/, ""); + print $0 + }'` + find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ + \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ + \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | + check_diff setuid - "${host} setuid diffs:" + rc=$? +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/110.neggrpperm b/usr.sbin/periodic/etc/security/110.neggrpperm new file mode 100755 index 000000000000..55974eae6345 --- /dev/null +++ b/usr.sbin/periodic/etc/security/110.neggrpperm 
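Review bot: The mount-point enumeration (`IFS=$'\n'` plus `mount -t ufs,zfs | awk '...'`) in 100.chksetuid is repeated verbatim in 110.neggrpperm later in this commit; a helper in security.functions, which this script already sources, would keep both scans selecting the same filesystems. The `-t ufs,zfs` filter also means a local filesystem of another type that is mounted without `nosuid` is never scanned for setuid files; if that scope is intended, a comment such as `# only ufs and zfs mounts without nosuid/noexec are scanned` would make it explicit. `$'\n'` is not POSIX sh syntax (presumably fine for FreeBSD's /bin/sh), so the script is tied to that shell.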
@@ -0,0 +1,61 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +security_daily_compat_var security_status_neggrpperm_enable + +rc=0 + +if check_yesno_period security_status_neggrpperm_enable +then + echo "" + echo 'Checking negative group permissions:' + IFS=$'\n' # Don't split mount points with spaces or tabs + MP=`mount -t ufs,zfs | awk ' + $0 !~ /no(suid|exec)/ { + sub(/^.* on \//, "/"); + sub(/ \(.*\)/, ""); + print $0 + }'` + n=$(find -sx $MP /dev/null \( ! 
-fstype local \) -prune -o -type f \ + \( \( ! -perm +010 -and -perm +001 \) -or \ + \( ! -perm +020 -and -perm +002 \) -or \ + \( ! -perm +040 -and -perm +004 \) \) \ + -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/200.chkmounts b/usr.sbin/periodic/etc/security/200.chkmounts new file mode 100755 index 000000000000..7b14866869bb --- /dev/null +++ b/usr.sbin/periodic/etc/security/200.chkmounts 
@@ -0,0 +1,65 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# Show changes in the way filesystems are mounted +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. 
/etc/periodic/security/security.functions + +security_daily_compat_var security_status_chkmounts_enable +security_daily_compat_var security_status_chkmounts_ignore +security_daily_compat_var security_status_noamd + +ignore="${security_status_chkmounts_ignore}" +rc=0 + +if check_yesno_period security_status_chkmounts_enable +then + case "$security_status_noamd" in + [Yy][Ee][Ss]) + ignore="${ignore}|^amd:" + esac + [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat + if ! [ -f /etc/fstab ]; then + export PATH_FSTAB=/dev/null + fi + mount -p | sort | ${cmd} | + check_diff mount - "${host} changes in mounted filesystems:" + rc=$? +fi + +exit "$rc" diff --git a/usr.sbin/periodic/etc/security/300.chkuid0 b/usr.sbin/periodic/etc/security/300.chkuid0 new file mode 100755 index 000000000000..73578e241553 --- /dev/null +++ b/usr.sbin/periodic/etc/security/300.chkuid0 
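Review bot: `cmd="egrep -v ${ignore#|}"` followed by the unquoted `${cmd}` word-splits and glob-expands the `security_status_chkmounts_ignore` regex, so a pattern containing a space or a shell metacharacter such as `*` reaches egrep in pieces or expanded against the current directory. Replacing the command string with a function keeps the pattern as one argument: `filter() { if [ -n "$ignore" ]; then egrep -v "${ignore#|}"; else cat; fi; }` and `mount -p | sort | filter |` in the pipeline. The `export PATH_FSTAB=/dev/null` fallback is presumably read by mount(8) when no fstab exists; a one-line comment saying so would help, since nothing in this script itself uses the variable.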
@@ -0,0 +1,54 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +security_daily_compat_var security_status_chkuid0_enable + +rc=0 + +if check_yesno_period security_status_chkuid0_enable +then + echo "" + echo 'Checking for uids of 0:' + n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | + tee /dev/stderr | + sed -e '/^root 0$/d' -e '/^toor 0$/d' | + wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit "$rc" 
diff --git a/usr.sbin/periodic/etc/security/400.passwdless b/usr.sbin/periodic/etc/security/400.passwdless new file mode 100755 index 000000000000..5e851ac847c7 --- /dev/null +++ b/usr.sbin/periodic/etc/security/400.passwdless 
@@ -0,0 +1,51 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +security_daily_compat_var security_status_passwdless_enable + +rc=0 + +if check_yesno_period security_status_passwdless_enable +then + echo "" + echo 'Checking for passwordless accounts:' + n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | + tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit "$rc" 
diff --git a/usr.sbin/periodic/etc/security/410.logincheck b/usr.sbin/periodic/etc/security/410.logincheck new file mode 100755 index 000000000000..41e7f65ebf1b --- /dev/null +++ b/usr.sbin/periodic/etc/security/410.logincheck 
@@ -0,0 +1,55 @@ +#!/bin/sh - +# +# Copyright (c) 2006 Tom Rhodes +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +security_daily_compat_var security_status_logincheck_enable + +rc=0 + +if check_yesno_period security_status_logincheck_enable +then + echo "" + echo 'Checking login.conf permissions:' + if [ -G /etc/login.conf -a -O /etc/login.conf ]; then + n=0 + else + echo "Bad ownership of /etc/login.conf" + n=1 + fi + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit "$rc" 
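Review bot: The heading printed is `Checking login.conf permissions:` but `[ -G /etc/login.conf -a -O /etc/login.conf ]` only tests that the file's group and owner match the effective ids of the shell running this script; the file mode is not examined, and the result depends on which user periodic(8) runs under. Either narrow the message to what is verified, `echo 'Checking login.conf ownership:'`, or add a mode check alongside it (for example via stat(1)) so the output matches the test. A comment such as `# -O/-G compare against the effective uid/gid of this process, so this only checks root ownership when run as root` would record that dependency.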
diff --git a/usr.sbin/periodic/etc/security/500.ipfwdenied b/usr.sbin/periodic/etc/security/500.ipfwdenied new file mode 100755 index 000000000000..f39ca0ed9531 --- /dev/null +++ b/usr.sbin/periodic/etc/security/500.ipfwdenied 
@@ -0,0 +1,54 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +security_daily_compat_var security_status_ipfwdenied_enable + +rc=0 + +if check_yesno_period security_status_ipfwdenied_enable +then + TMP=`mktemp -t security` + if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then + check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" + fi + rc=$? + rm -f ${TMP} +fi + +exit $rc 
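Review bot: `TMP=\`mktemp -t security\`` in 500.ipfwdenied is not checked, so if mktemp fails `TMP` is empty, the `> ${TMP}` redirection errors, the `if` is skipped and, as far as I can tell, the script exits 0 having reported nothing; `TMP=$(mktemp -t security) || exit 1` (or whatever failure status the security scripts use) stops it there. The same unchecked call is in 510.ipfdenied, 520.pfdenied, 550.ipfwlimit and 610.ipf6denied in this commit, and 610.ipf6denied spells it `mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` while the others use `-t security`; one form, ideally a helper in security.functions, would remove the drift. `${TMP}` is also unquoted in the redirections and in `rm -f ${TMP}`, which only matters when TMPDIR contains whitespace but is cheap to fix.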
diff --git a/usr.sbin/periodic/etc/security/510.ipfdenied b/usr.sbin/periodic/etc/security/510.ipfdenied new file mode 100755 index 000000000000..bed75e645c2a --- /dev/null +++ b/usr.sbin/periodic/etc/security/510.ipfdenied 
@@ -0,0 +1,54 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +security_daily_compat_var security_status_ipfdenied_enable + +rc=0 + +if check_yesno_period security_status_ipfdenied_enable +then + TMP=`mktemp -t security` + if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then + check_diff new_only ipf ${TMP} "${host} ipf denied packets:" + fi + rc=$? + rm -f ${TMP} +fi + +exit $rc 
diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied new file mode 100755 index 000000000000..e3021ce857c9 --- /dev/null +++ b/usr.sbin/periodic/etc/security/520.pfdenied 
@@ -0,0 +1,59 @@ +#!/bin/sh - +# +# Copyright (c) 2004 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. 
/etc/periodic/security/security.functions + +security_daily_compat_var security_status_pfdenied_enable + +rc=0 + +if check_yesno_period security_status_pfdenied_enable +then + TMP=`mktemp -t security` + for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) + do + pfctl -a ${_a} -sr -v -z 2>/dev/null | \ + nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} + done + if [ -s ${TMP} ]; then + check_diff new_only pf ${TMP} "${host} pf denied packets:" + fi + rc=$? + rm -f ${TMP} +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/550.ipfwlimit b/usr.sbin/periodic/etc/security/550.ipfwlimit new file mode 100755 index 000000000000..86932c676c7a --- /dev/null +++ b/usr.sbin/periodic/etc/security/550.ipfwlimit 
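Review bot: `pfctl -a ${_a} -sr -v -z` with the `""` entry from the `for _a in "" ...` list drops the empty word, so `-a` presumably receives `-sr` as its anchor name and the main ruleset — the point of the empty entry — is never listed; quoting it, `pfctl -a "${_a}" -sr -v -z 2>/dev/null | \`, passes the empty anchor name through as written. The `_a` values from `pfctl -a "blacklistd" -sA` are likewise unquoted, so an anchor name containing whitespace would split. A comment above the loop, `# "" is the main ruleset; the rest are the blacklistd sub-anchors`, would explain why the list starts with an empty string.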
@@ -0,0 +1,69 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# Show ipfw rules which have reached the log limit +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +security_daily_compat_var security_status_ipfwlimit_enable + +rc=0 + +if check_yesno_period security_status_ipfwlimit_enable +then + IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` + if [ $? 
-ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then + exit 0 + fi + TMP=`mktemp -t security` + ipfw -a list | grep " log " | \ + grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ + awk \ + '{if ($6 == "logamount") { + if ($2 > $7) + {print $0}} + }' > ${TMP} + + if [ -s "${TMP}" ]; then + rc=1 + echo "" + echo 'ipfw log limit reached:' + cat ${TMP} + fi + rm -f ${TMP} +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/610.ipf6denied b/usr.sbin/periodic/etc/security/610.ipf6denied new file mode 100755 index 000000000000..7e02cfc583f3 --- /dev/null +++ b/usr.sbin/periodic/etc/security/610.ipf6denied 
@@ -0,0 +1,54 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +security_daily_compat_var security_status_ipf6denied_enable + +rc=0 + +if check_yesno_period security_status_ipf6denied_enable +then + TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` + if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then + check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" + fi + rc=$? + rm -f ${TMP} +fi + +exit $rc 
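Review bot: The `rc=$?` and `rm -f ${TMP}` lines after the check_diff call are unreachable whenever check_diff actually runs, because check_diff (security.functions in this same commit) ends with `exit ${rc}` rather than a return, so the script terminates inside the `if` body; the temp file is only cleaned up because check_diff removes or moves its own argument. The exit status seen by periodic is the same either way, so this is dead code rather than a wrong result, but it hides a dependency on the helper's exit behaviour, and the present structure would work unchanged if check_diff were changed to `return ${rc}`. Separately, `grep block` is unanchored, so any ipfstat line containing that substring, not only block rules, lands in the snapshot; presumably harmless for `ipfstat -nhio6` output, but worth anchoring.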
diff --git a/usr.sbin/periodic/etc/security/700.kernelmsg b/usr.sbin/periodic/etc/security/700.kernelmsg new file mode 100755 index 000000000000..8bf6491901ed --- /dev/null +++ b/usr.sbin/periodic/etc/security/700.kernelmsg 
@@ -0,0 +1,54 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# Show kernel log messages +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +security_daily_compat_var security_status_kernelmsg_enable + +rc=0 + +if check_yesno_period security_status_kernelmsg_enable +then + dmesg 2>/dev/null | + check_diff new_only dmesg - "${host} kernel log messages:" + rc=$? +fi + +exit $rc 
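Review bot: A failed `dmesg` (its stderr is discarded) still feeds check_diff, which compares the empty input against `${LOG}/dmesg.today`, prints an essentially empty report, and then rotates the empty snapshot into dmesg.today, so the failure itself is never surfaced and the next run reports the whole buffer as new. Capturing the output first and calling check_diff only on success keeps the baseline intact and returns an error status for the failed run. The `rc=$?` after check_diff is kept for parity with the existing code, although check_diff currently exits rather than returns.
```shell
if check_yesno_period security_status_kernelmsg_enable
then
	TMP=`mktemp -t security` || exit 3
	if dmesg > ${TMP} 2>/dev/null; then
		check_diff new_only dmesg ${TMP} "${host} kernel log messages:"
		rc=$?
	else
		rc=3
	fi
	rm -f ${TMP}
fi
```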
diff --git a/usr.sbin/periodic/etc/security/800.loginfail b/usr.sbin/periodic/etc/security/800.loginfail new file mode 100755 index 000000000000..4c78f441639a --- /dev/null +++ b/usr.sbin/periodic/etc/security/800.loginfail 
@@ -0,0 +1,72 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# Show login failures +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_loginfail_enable + +LOG="${security_status_logdir}" + +yesterday=`date -v-1d "+%b %e "` + +catmsgs() { + find ${LOG} -name 'auth.log.*' -mtime -2 | + sort -t. 
-r -n -k 2,2 | + while read f + do + case $f in + *.gz) zcat -f $f;; + *.bz2) bzcat -f $f;; + esac + done + [ -f ${LOG}/auth.log ] && cat $LOG/auth.log +} + +rc=0 + +if check_yesno_period security_status_loginfail_enable +then + echo "" + echo "${host} login failures:" + n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | + tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/900.tcpwrap b/usr.sbin/periodic/etc/security/900.tcpwrap new file mode 100755 index 000000000000..10b02e9e2bb6 --- /dev/null +++ b/usr.sbin/periodic/etc/security/900.tcpwrap 
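Review bot: The `case $f in` inside catmsgs has no default branch, so a rotated log that `find -name 'auth.log.*'` returns but that is neither gzip nor bzip2 compressed (an uncompressed `auth.log.0`, or whatever other compression newsyslog is configured to use) is silently skipped and the login failures it holds are never reported; adding `*) cat $f;;` covers the uncompressed case. The same case statement is repeated in catmsgs in 900.tcpwrap. As a point of style, `egrep` is the legacy spelling of `grep -E`, and `$f`/`${LOG}` are unquoted throughout even though they come from find output and configuration.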
@@ -0,0 +1,72 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# Show tcp_wrapper warning messages +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_tcpwrap_enable + +LOG="${security_status_logdir}" + +yesterday=`date -v-1d "+%b %e "` + +catmsgs() { + find ${LOG} -name 'messages.*' -mtime -2 | + sort -t. 
-r -n -k 2,2 | + while read f + do + case $f in + *.gz) zcat -f $f;; + *.bz2) bzcat -f $f;; + esac + done + [ -f ${LOG}/messages ] && cat $LOG/messages +} + +rc=0 + +if check_yesno_period security_status_tcpwrap_enable +then + echo "" + echo "${host} refused connections:" + n=$(catmsgs | grep -i "^$yesterday.*refused connect" | + tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/Makefile b/usr.sbin/periodic/etc/security/Makefile new file mode 100644 index 000000000000..ce9e5f7ba5c5 --- /dev/null +++ b/usr.sbin/periodic/etc/security/Makefile @@ -0,0 +1,38 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +CONFGROUPS= CONFS DATA + +CONFS= 100.chksetuid \ + 110.neggrpperm \ + 200.chkmounts \ + 300.chkuid0 \ + 400.passwdless \ + 410.logincheck \ + 700.kernelmsg \ + 800.loginfail +DATA= security.functions +DATAMODE= 444 + +# NB: keep these sorted by MK_* knobs + +.if ${MK_IPFILTER} != "no" +CONFS+= 510.ipfdenied +CONFS+= 610.ipf6denied +.endif + +.if ${MK_IPFW} != "no" +CONFS+= 500.ipfwdenied \ + 550.ipfwlimit +.endif + +.if ${MK_PF} != "no" +CONFS+= 520.pfdenied +.endif + +.if ${MK_INETD} != "no" && ${MK_TCP_WRAPPERS} != "no" +CONFS+= 900.tcpwrap +.endif + +.include <bsd.prog.mk> diff --git a/usr.sbin/periodic/etc/security/security.functions b/usr.sbin/periodic/etc/security/security.functions new file mode 100644 index 000000000000..00a89075dbfd --- /dev/null +++ b/usr.sbin/periodic/etc/security/security.functions 
@@ -0,0 +1,87 @@ +#!/bin/sh +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a library file, so we only try to do something when sourced. +case "$0" in +*/security.functions) exit 0 ;; +esac + +security_daily_compat_var security_status_logdir +security_daily_compat_var security_status_diff_flags + +# +# Show differences in the output of an audit command +# + +LOG="${security_status_logdir}" +rc=0 + +# Usage: COMMAND | check_diff [new_only] LABEL - MSG +# COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG +# if $1 is new_only, show only the 'new' part of the diff. +# LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files. 
+ +check_diff() { + unset IFS + rc=0 + if [ "$1" = "new_only" ]; then + shift + filter="grep '^[>+][^+]'" + else + filter="cat" + fi + label="$1"; shift + tmpf="$1"; shift + msg="$1"; shift + + if [ "${tmpf}" = "-" ]; then + tmpf=`mktemp -t security` + cat > ${tmpf} + fi + + if [ ! -f ${LOG}/${label}.today ]; then + rc=1 + echo "" + echo "No ${LOG}/${label}.today" + cp ${tmpf} ${LOG}/${label}.today || rc=3 + fi + + if ! cmp -s ${LOG}/${label}.today ${tmpf} >/dev/null; then + [ $rc -lt 1 ] && rc=1 + echo "" + echo "${msg}" + diff ${security_status_diff_flags} ${LOG}/${label}.today \ + ${tmpf} | eval "${filter}" + mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 + mv ${tmpf} ${LOG}/${label}.today || rc=3 + fi + + rm -f ${tmpf} + exit ${rc} +} diff --git a/usr.sbin/periodic/etc/weekly/310.locate b/usr.sbin/periodic/etc/weekly/310.locate new file mode 100755 index 000000000000..4079f5e8287e --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/310.locate @@ -0,0 +1,32 @@ +#!/bin/sh - +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_locate_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Rebuilding locate database:" + + locdb=/var/db/locate.database + + touch $locdb && rc=0 || rc=3 + chown nobody $locdb || rc=3 + chmod 644 $locdb || rc=3 + + cd / + echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3 + chmod 444 $locdb || rc=3;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/320.whatis b/usr.sbin/periodic/etc/weekly/320.whatis new file mode 100755 index 000000000000..dfc218ae008c --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/320.whatis 
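Review bot: check_diff ends with `exit ${rc}` even though it lives in a sourced library file, so it terminates the calling script from inside the helper; this is what makes the cleanup after the call in 610.ipf6denied unreachable, and it only works in 700.kernelmsg because that call sits at the end of a pipeline. `return ${rc}` yields the same exit status for both visible callers, since each assigns `rc=$?` and then exits with it. The temp file from `tmpf=`mktemp -t security`` is also used without checking that mktemp succeeded (`tmpf=`mktemp -t security` || return 3`), and running a fixed command string through `eval "${filter}"` would read more plainly as a `case` on the new_only flag around the diff call.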
@@ -0,0 +1,51 @@ +#!/bin/sh - +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_whatis_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Rebuilding whatis database:" + + MANPATH=`/usr/bin/manpath -q` + if [ $? = 0 ] + then + if [ -z "${MANPATH}" ] + then + echo "manpath failed to find any manpage directories" + rc=3 + else + man_locales=`/usr/bin/manpath -qL` + rc=0 + + # Build whatis(1) database(s) for original, non-localized + # manpages. + /usr/libexec/makewhatis.local "${MANPATH}" || rc=3 + + # Build whatis(1) database(s) for localized manpages. + if [ X"${man_locales}" != X ] + then + for i in ${man_locales} + do + LC_ALL=$i /usr/libexec/makewhatis.local -a \ + -L "${MANPATH}" || rc=3 + done + fi + fi + else + rc=3 + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/340.noid b/usr.sbin/periodic/etc/weekly/340.noid new file mode 100755 index 000000000000..11a5f53ea25d --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/340.noid @@ -0,0 +1,29 @@ +#!/bin/sh - +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_noid_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Check for files with an unknown user or group:" + + rc=$(find -H ${weekly_noid_dirs:-/} \ + \( ! -fstype local -prune -or -name \* \) -and \ + \( -nogroup -o -nouser \) -print | sed 's/^/ /' | + tee /dev/stderr | wc -l) + [ $rc -gt 1 ] && rc=1 + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/450.status-security b/usr.sbin/periodic/etc/weekly/450.status-security new file mode 100755 index 000000000000..d224e44a58a1 --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/450.status-security 
@@ -0,0 +1,47 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$weekly_status_security_inline" in + [Yy][Ee][Ss]) + weekly_status_security_output="";; + esac + + export security_output="${weekly_status_security_output}" + rc=0 + case "${weekly_status_security_output}" in + "") + if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` + then + periodic security > $tempfile || rc=3 + if [ -s "$tempfile" ]; then + cat "$tempfile" + rc=3 + fi + rm -f "$tempfile" + fi;; + /*) + echo " (output logged separately)" + periodic security || rc=3;; + *) + echo " (output mailed separately)" + periodic security || rc=3;; + esac;; + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/999.local b/usr.sbin/periodic/etc/weekly/999.local new file mode 100755 index 000000000000..cc40c07c8840 --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/999.local @@ -0,0 +1,40 @@ +#!/bin/sh - +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 +for script in $weekly_local +do + echo '' + case "$script" in + /*) + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] + then + echo "Running $script:" + + sh $script || rc=3 + else + echo "$script: No such file" + [ $rc -lt 2 ] && rc=2 + fi;; + *) + echo "$script: Not an absolute path" + [ $rc -lt 2 ] && rc=2;; + esac +done + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/Makefile b/usr.sbin/periodic/etc/weekly/Makefile new file mode 100644 index 000000000000..9c54eaa6483f --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/Makefile 
@@ -0,0 +1,19 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +CONFS= 340.noid \ + 450.status-security \ + 999.local + +# NB: keep these sorted by MK_* knobs + +.if ${MK_LOCATE} != "no" +CONFS+= 310.locate +.endif + +.if ${MK_MAN_UTILS} != "no" +CONFS+= 320.whatis +.endif + +.include <bsd.prog.mk> diff --git a/usr.sbin/periodic/periodic.conf b/usr.sbin/periodic/periodic.conf new file mode 100644 index 000000000000..801733301318 --- /dev/null +++ b/usr.sbin/periodic/periodic.conf 
@@ -0,0 +1,407 @@ +#!/bin/sh +# +# This is defaults/periodic.conf - a file full of useful variables that +# you can set to change the default behaviour of periodic jobs on your +# system. You should not edit this file! Put any overrides into one of the +# $periodic_conf_files instead and you will be able to update these defaults +# later without spamming your local configuration information. +# +# The $periodic_conf_files files should only contain values which override +# values set in this file. This eases the upgrade path when defaults +# are changed and new features are added. +# +# For a more detailed explanation of all the periodic.conf variables, please +# refer to the periodic.conf(5) manual page. +# +# $FreeBSD$ +# + +# What files override these defaults ? +periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local" + +# periodic script dirs +local_periodic="/usr/local/etc/periodic" + +# Max time to sleep to avoid causing congestion on download servers +anticongestion_sleeptime=3600 + +# Daily options + +# These options are used by periodic(8) itself to determine what to do +# with the output of the sub-programs that are run, and where to send +# that output. 
$daily_output might be set to /var/log/daily.log if you +# wish to log the daily output and have the files rotated by newsyslog(8) +# +daily_output="root" # user or /file +daily_show_success="YES" # scripts returning 0 +daily_show_info="YES" # scripts returning 1 +daily_show_badconfig="NO" # scripts returning 2 + +# 100.clean-disks +daily_clean_disks_enable="NO" # Delete files daily +daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*" +daily_clean_disks_days=3 # If older than this +daily_clean_disks_verbose="YES" # Mention files deleted + +# 110.clean-tmps +daily_clean_tmps_enable="NO" # Delete stuff daily +daily_clean_tmps_dirs="/tmp" # Delete under here +daily_clean_tmps_days="3" # If not accessed for +daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix" +daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap" +daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal" + # Don't delete these +daily_clean_tmps_verbose="YES" # Mention files deleted + +# 120.clean-preserve +daily_clean_preserve_enable="YES" # Delete files daily +daily_clean_preserve_days=7 # If not modified for +daily_clean_preserve_verbose="YES" # Mention files deleted + +# 130.clean-msgs +daily_clean_msgs_enable="YES" # Delete msgs daily +daily_clean_msgs_days= # If not modified for + +# 140.clean-rwho +daily_clean_rwho_enable="YES" # Delete rwho daily +daily_clean_rwho_days=7 # If not modified for +daily_clean_rwho_verbose="YES" # Mention files deleted + +# 150.clean-hoststat +daily_clean_hoststat_enable="YES" # Purge sendmail host + # status cache daily + +# 200.backup-passwd +daily_backup_passwd_enable="YES" # Backup passwd & group + +# 210.backup-aliases +daily_backup_aliases_enable="YES" # Backup mail aliases + +# 300.calendar +daily_calendar_enable="NO" # Run calendar -a + +# 310.accounting +daily_accounting_enable="YES" # Rotate acct files +daily_accounting_compress="NO" # Gzip rotated files +daily_accounting_flags=-q # 
Flags to /usr/sbin/sa +daily_accounting_save=3 # How many files to save + +# 330.news +daily_news_expire_enable="YES" # Run news.expire + +# 400.status-disks +daily_status_disks_enable="YES" # Check disk status +daily_status_disks_df_flags="-l -h" # df(1) flags for check + +# 401.status-graid +daily_status_graid_enable="NO" # Check graid(8) + +# 404.status-zfs +daily_status_zfs_enable="NO" # Check ZFS +daily_status_zfs_zpool_list_enable="YES" # List ZFS pools + +# 406.status-gmirror +daily_status_gmirror_enable="NO" # Check gmirror(8) + +# 407.status-graid3 +daily_status_graid3_enable="NO" # Check graid3(8) + +# 408.status-gstripe +daily_status_gstripe_enable="NO" # Check gstripe(8) + +# 409.status-gconcat +daily_status_gconcat_enable="NO" # Check gconcat(8) + +# 410.status-mfi +daily_status_mfi_enable="NO" # Check mfiutil(8) + +# 420.status-network +daily_status_network_enable="YES" # Check network status +daily_status_network_usedns="YES" # DNS lookups are ok +daily_status_network_netstat_flags="-d" # netstat(1) flags + +# 430.status-uptime +daily_status_uptime_enable="YES" # Check system uptime + +# 440.status-mailq +daily_status_mailq_enable="YES" # Check mail status +daily_status_mailq_shorten="NO" # Shorten output +daily_status_include_submit_mailq="YES" # Also submit queue + +# 450.status-security +daily_status_security_enable="YES" # Security check +# See also "Security options" below for more options +daily_status_security_inline="NO" # Run inline ? 
+daily_status_security_output="root" # user or /file + +# 460.status-mail-rejects +daily_status_mail_rejects_enable="YES" # Check mail rejects +daily_status_mail_rejects_logs=3 # How many logs to check +daily_status_mail_rejects_shorten="NO" # Shorten output + +# 480.leapfile-ntpd +daily_ntpd_leapfile_enable="YES" # Fetch NTP leapfile + +# 480.status-ntpd +daily_status_ntpd_enable="NO" # Check NTP status + +# 500.queuerun +daily_queuerun_enable="YES" # Run mail queue +daily_submit_queuerun="YES" # Also submit queue + +# 510.status-world-kernel +daily_status_world_kernel="YES" # Check the running + # userland/kernel version + +# 800.scrub-zfs +daily_scrub_zfs_enable="NO" +daily_scrub_zfs_pools="" # empty string selects all pools +daily_scrub_zfs_default_threshold="35" # days between scrubs +#daily_scrub_zfs_${poolname}_threshold="35" # pool specific threshold + +# 999.local +daily_local="/etc/daily.local" # Local scripts + + +# Weekly options + +# These options are used by periodic(8) itself to determine what to do +# with the output of the sub-programs that are run, and where to send +# that output. $weekly_output might be set to /var/log/weekly.log if you +# wish to log the weekly output and have the files rotated by newsyslog(8) +# +weekly_output="root" # user or /file +weekly_show_success="YES" # scripts returning 0 +weekly_show_info="YES" # scripts returning 1 +weekly_show_badconfig="NO" # scripts returning 2 + +# 310.locate +weekly_locate_enable="YES" # Update locate weekly + +# 320.whatis +weekly_whatis_enable="YES" # Update whatis weekly + +# 340.noid +weekly_noid_enable="NO" # Find unowned files +weekly_noid_dirs="/" # Look here + +# 450.status-security +weekly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +weekly_status_security_inline="NO" # Run inline ? 
+weekly_status_security_output="root" # user or /file + +# 999.local +weekly_local="/etc/weekly.local" # Local scripts + + +# Monthly options + +# These options are used by periodic(8) itself to determine what to do +# with the output of the sub-programs that are run, and where to send +# that output. $monthly_output might be set to /var/log/monthly.log if you +# wish to log the monthly output and have the files rotated by newsyslog(8) +# +monthly_output="root" # user or /file +monthly_show_success="YES" # scripts returning 0 +monthly_show_info="YES" # scripts returning 1 +monthly_show_badconfig="NO" # scripts returning 2 + +# 200.accounting +monthly_accounting_enable="YES" # Login accounting + +# 450.status-security +monthly_status_security_enable="YES" # Security check +# See also "Security options" above for more options +monthly_status_security_inline="NO" # Run inline ? +monthly_status_security_output="root" # user or /file + +# 999.local +monthly_local="/etc/monthly.local" # Local scripts + + +# Security options + +security_show_success="YES" # scripts returning 0 +security_show_info="YES" # scripts returning 1 +security_show_badconfig="NO" # scripts returning 2 + +# These options are used by the security periodic(8) scripts spawned in +# daily and weekly 450.status-security. +security_status_logdir="/var/log" # Directory for logs +security_status_diff_flags="-b -u" # flags for diff output + +# Each of the security_status_*_period options below can have one of the +# following values: +# - NO: do not run at all +# - daily: only run during the daily security status +# - weekly: only run during the weekly security status +# - monthly: only run during the monthly security status +# Note that if periodic security scripts are run from crontab(5) directly, +# they will be run unless _enable or _period is set to "NO". 
+ +# 100.chksetuid +security_status_chksetuid_enable="YES" +security_status_chksetuid_period="daily" + +# 110.neggrpperm +security_status_neggrpperm_enable="YES" +security_status_neggrpperm_period="daily" + +# 200.chkmounts +security_status_chkmounts_enable="YES" +security_status_chkmounts_period="daily" +#security_status_chkmounts_ignore="^amd:" # Don't check matching + # FS types +security_status_noamd="NO" # Don't check amd mounts + +# 300.chkuid0 +security_status_chkuid0_enable="YES" +security_status_chkuid0_period="daily" + +# 400.passwdless +security_status_passwdless_enable="YES" +security_status_passwdless_period="daily" + +# 410.logincheck +security_status_logincheck_enable="YES" +security_status_logincheck_period="daily" + +# 500.ipfwdenied +security_status_ipfwdenied_enable="YES" +security_status_ipfwdenied_period="daily" + +# 510.ipfdenied +security_status_ipfdenied_enable="YES" +security_status_ipfdenied_period="daily" + +# 520.pfdenied +security_status_pfdenied_enable="YES" +security_status_pfdenied_period="daily" + +# 550.ipfwlimit +security_status_ipfwlimit_enable="YES" +security_status_ipfwlimit_period="daily" + +# 610.ipf6denied +security_status_ipf6denied_enable="YES" +security_status_ipf6denied_period="daily" + +# 700.kernelmsg +security_status_kernelmsg_enable="YES" +security_status_kernelmsg_period="daily" + +# 800.loginfail +security_status_loginfail_enable="YES" +security_status_loginfail_period="daily" + +# 900.tcpwrap +security_status_tcpwrap_enable="YES" +security_status_tcpwrap_period="daily" + + + +# Define source_periodic_confs, the mechanism used by /etc/periodic/*/* +# scripts to source defaults/periodic.conf overrides safely. + +if [ -z "${source_periodic_confs_defined}" ]; then + source_periodic_confs_defined=yes + + # Sleep for a random amount of time in order to mitigate the thundering + # herd problem of multiple hosts running periodic simultaneously. + # Will not sleep when used interactively. 
+ # Will sleep at most once per invocation of periodic + anticongestion() { + [ -n "$PERIODIC_IS_INTERACTIVE" ] && return + if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then + rm -f $PERIODIC_ANTICONGESTION_FILE + sleep `jot -r 1 0 ${anticongestion_sleeptime}` + fi + } + + # Compatibility with old daily variable names. + # They can be removed in stable/11. + security_daily_compat_var() { + local var=$1 dailyvar value + + dailyvar=daily_status_security${var#security_status} + periodvar=${var%enable}period + eval value=\"\$$dailyvar\" + [ -z "$value" ] && return + echo "Warning: Variable \$$dailyvar is deprecated," \ + "use \$$var instead." >&2 + case "$value" in + [Yy][Ee][Ss]) + eval $var=YES + eval $periodvar=daily + ;; + *) + eval $var=\"$value\" + ;; + esac + } + + check_yesno_period() { + local var="$1" periodvar value period + + eval value=\"\$$var\" + case "$value" in + [Yy][Ee][Ss]) ;; + *) return 1 ;; + esac + + periodvar=${var%enable}period + eval period=\"\$$periodvar\" + case "$PERIODIC" in + "security daily") + case "$period" in + [Dd][Aa][Ii][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security weekly") + case "$period" in + [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + "security monthly") + case "$period" in + [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;; + *) return 1 ;; + esac + ;; + security) + # Run directly from crontab(5). + case "$period" in + [Nn][Oo]) return 1 ;; + *) return 0 ;; + esac + ;; + '') + # Script run manually. + return 0 + ;; + *) + echo "ASSERTION FAILED: Unexpected value for" \ + "\$PERIODIC: '$PERIODIC'" >&2 + exit 127 + ;; + esac + } + + source_periodic_confs() { + local i sourced_files + + for i in ${periodic_conf_files}; do + case ${sourced_files} in + *:$i:*) + ;; + *) + sourced_files="${sourced_files}:$i:" + [ -r $i ] && . $i + ;; + esac + done + } +fi |
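Review bot: In security_daily_compat_var the `local var=$1 dailyvar value` line omits `periodvar`, which the function assigns on the next lines, so it leaks into the global scope of every script that sources this file; check_yesno_period just below correctly lists `periodvar` in its `local`. The fix is `local var=$1 dailyvar periodvar value`. Nothing visible here depends on the leaked value, but a stray `periodvar` is easy to confuse with the local one in check_yesno_period when debugging.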