version 1.57, 2009/05/03 17:16:12 |
version 1.58, 2009/05/09 17:15:49 |
|
|
|
|
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin |
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin |
|
|
|
PARTOUT=/var/log/daily.part |
|
MAINOUT=/var/log/daily.out |
|
install -o 0 -g 0 -m 600 /dev/null $PARTOUT |
|
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT |
|
|
|
exec > $MAINOUT 2>&1 |
sysctl -n kern.version |
sysctl -n kern.version |
uptime |
uptime |
|
|
if [ -f /etc/daily.local ]; then |
start_part() { |
|
TITLE=$1 |
|
exec > $PARTOUT 2>&1 |
|
} |
|
|
|
end_part() { |
|
exec >> $MAINOUT 2>&1 |
|
test -s $PARTOUT || return |
echo "" |
echo "" |
echo "Running daily.local:" |
echo "$TITLE" |
. /etc/daily.local |
cat $PARTOUT |
fi |
} |
|
|
TMP=`mktemp /tmp/_daily.XXXXXXXXXX` || exit 1 |
next_part() { |
OUT=`mktemp /tmp/_security.XXXXXXXXXX` || { |
end_part |
rm -f ${TMP} |
start_part "$1" |
exit 1 |
|
} |
} |
|
|
trap 'rm -f $TMP $OUT; exit 1' 0 1 15 |
run_script() { |
|
f=/etc/$1 |
|
test -e $f || return |
|
if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then |
|
echo "$f has insecure permissions, skipping:" |
|
ls -l $f |
|
return |
|
fi |
|
. $f |
|
} |
|
|
echo "" |
start_part "Running /etc/daily.local:" |
echo "Removing scratch and junk files:" |
run_script "daily.local" |
|
|
|
next_part "Removing scratch and junk files:" |
if [ -d /tmp -a ! -L /tmp ]; then |
if [ -d /tmp -a ! -L /tmp ]; then |
cd /tmp && { |
cd /tmp && { |
find -x . \ |
find -x . \ |
|
|
msgs -c |
msgs -c |
fi |
fi |
|
|
|
next_part "Purging accounting records:" |
if [ -f /var/account/acct ]; then |
if [ -f /var/account/acct ]; then |
echo "" |
|
echo "Purging accounting records:" |
|
mv -f /var/account/acct.2 /var/account/acct.3 |
mv -f /var/account/acct.2 /var/account/acct.3 |
mv -f /var/account/acct.1 /var/account/acct.2 |
mv -f /var/account/acct.1 /var/account/acct.2 |
mv -f /var/account/acct.0 /var/account/acct.1 |
mv -f /var/account/acct.0 /var/account/acct.1 |
|
|
# If ROOTBACKUP is set to 1 in the environment, and |
# If ROOTBACKUP is set to 1 in the environment, and |
# if filesystem named /altroot is type ffs, on /dev/* and mounted "xx", |
# if filesystem named /altroot is type ffs, on /dev/* and mounted "xx", |
# use it as a backup root filesystem to be updated daily. |
# use it as a backup root filesystem to be updated daily. |
|
next_part "Backing up root filesystem:" |
[ "X$ROOTBACKUP" = X1 ] && { |
[ "X$ROOTBACKUP" = X1 ] && { |
rootdev=`df -n / | awk '/^\/dev\// { print substr($1, 6) }'` |
rootdev=`df -n / | awk '/^\/dev\// { print substr($1, 6) }'` |
rootbak=`awk '$2 == "/altroot" && $1 ~ /^\/dev\// && $3 == "ffs" && \ |
rootbak=`awk '$2 == "/altroot" && $1 ~ /^\/dev\// && $3 == "ffs" && \ |
$4 ~ /xx/ \ |
$4 ~ /xx/ \ |
{ print substr($1, 6) }' < /etc/fstab` |
{ print substr($1, 6) }' < /etc/fstab` |
[ X$rootdev != X -a X$rootbak != X -a X$rootdev != X$rootbak ] && { |
[ X$rootdev != X -a X$rootbak != X -a X$rootdev != X$rootbak ] && { |
|
next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:" |
sync |
sync |
echo "" |
|
echo "Backing up root filesystem:" |
|
echo "copying /dev/r$rootdev to /dev/r$rootbak" |
|
dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \ |
dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \ |
conv=noerror |
conv=noerror |
fsck -y /dev/r$rootbak |
fsck -y /dev/r$rootbak |
} |
} |
} |
} |
|
|
# Rotation of mail log now handled automatically by cron and 'newsyslog' |
next_part "Disk status:" |
|
|
echo "" |
|
echo "Checking subsystem status:" |
|
echo "" |
|
echo "disks:" |
|
df -kl |
df -kl |
echo "" |
echo "" |
dump W |
dump W |
echo "" |
|
|
|
mailq > $TMP |
# The first two regular expressions handle sendmail, the third postfix. |
if ! grep -q "^/var/spool/mqueue is empty$" $TMP; then |
# When the queue is empty, exim -bp keeps silent. |
echo "" |
next_part "Mail queue:" |
echo "mail:" |
mailq | grep -v -e "^/var/spool/mqueue is empty$" \ |
cat $TMP |
-e "^[[:blank:]]*Total requests: 0$" \ |
fi |
-e "^Mail queue is empty$" |
|
|
echo "" |
next_part "Network status:" |
echo "network:" |
|
netstat -ivn |
netstat -ivn |
echo "" |
|
|
|
t=/var/rwho/* |
t=/var/rwho/* |
if [ "$t" != '/var/rwho/*' ]; then |
if [ "$t" != '/var/rwho/*' ]; then |
|
|
ruptime |
ruptime |
fi |
fi |
|
|
echo "" |
next_part "Running calendar in the background:" |
if [ -d /var/yp/binding -a ! -d /var/yp/`domainname` -o "X$CALENDAR" = X0 ] |
if [ "X$CALENDAR" != X0 -a \ |
then |
\( -d /var/yp/`domainname` -o ! -d /var/yp/binding \) ]; then |
if [ "X$CALENDAR" = X0 ]; then |
|
echo "Not running calendar, (disabled)." |
|
else |
|
echo "Not running calendar, (yp client)." |
|
fi |
|
else |
|
echo "Running calendar in the background." |
|
calendar -a & |
calendar -a & |
fi |
fi |
|
|
# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck |
# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck |
# with the no-write flag. |
# with the no-write flag. |
|
next_part "Checking filesystems:" |
[ "X$CHECKFILESYSTEMS" = X1 ] && { |
[ "X$CHECKFILESYSTEMS" = X1 ] && { |
echo "" |
|
echo "Checking filesystems:" |
|
fsck -n | grep -v '^\*\* Phase' |
fsck -n | grep -v '^\*\* Phase' |
} |
} |
|
|
|
next_part "Running rdist:" |
if [ -f /etc/Distfile ]; then |
if [ -f /etc/Distfile ]; then |
echo "" |
|
echo "Running rdist:" |
|
if [ -d /var/log/rdist ]; then |
if [ -d /var/log/rdist ]; then |
logf=`date +%Y.%b.%e` |
logf=`date +%Y.%b.%e` |
rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/$logf |
rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/$logf |
|
|
fi |
fi |
fi |
fi |
|
|
sh /etc/security 2>&1 > $OUT |
end_part |
if [ -s $OUT ]; then |
[ -s $MAINOUT ] && mail -s "`hostname` daily output" root < $MAINOUT |
mail -s "`hostname` daily insecurity output" root < $OUT |
|
fi |
|
|
MAINOUT=/var/log/security.out |
|
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT |
|
|
|
start_part "Running /etc/security:" |
|
run_script "security" |
|
end_part |
|
rm -f $PARTOUT |
|
|
|
[ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT |
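Review bot: The permission gate in `run_script` fails open if `stat` produces no output: the command substitution at the `if` line is unquoted, so an empty result leaves `[ != '---0' ]`, which `[` rejects with status 2, the "insecure permissions" branch is skipped, and the script falls through to `. $f`. Since the check is what protects a root-run `. /etc/daily.local` / `. /etc/security` from a non-root-owned or group/world-writable file, the comparison should be robust to that case; following the `X` idiom the file already uses at the `ROOTBACKUP` test, ``if [ "X`stat -f '%Sp%u' $f | cut -b1,6,9,11-`" != 'X---0' ]; then`` makes an empty or unexpected result refuse to source. The new layout (a fixed `$PARTOUT` under `/var/log` installed `-m 600` instead of `mktemp` in `/tmp`) removes the old `/tmp` temp-file exposure, but the earlier `trap` cleanup went with it, so `$PARTOUT` is only removed on a normal run; a `trap 'rm -f $PARTOUT' 0 1 15` after the `install` would restore that. The sections above are a side-by-side rendering with old and new lines interleaved, so which lines are 1.58 is inferred rather than certain.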