#
# $OpenBSD: daily,v 1.74 2012/02/11 00:37:04 krw Exp $
# From: @(#)daily 8.2 (Berkeley) 1/25/94
#
# For local additions, create the file /etc/daily.local.
# To get section headers, use the function next_part in daily.local.
#
# Nothing created by this script should be group- or world-writable.
umask 022

# Output of the section currently running is collected in PARTOUT; end_part
# appends it, with its title, to MAINOUT, which is mailed to root at the end.
PARTOUT=/var/log/daily.part
MAINOUT=/var/log/daily.out

# Start from empty, root-owned, mode 0600 files so the collected output is
# not readable by other users; -b keeps a backup of the previous MAINOUT.
install -m 600 -o 0 -g 0 /dev/null "$PARTOUT"
install -m 600 -o 0 -g 0 -b /dev/null "$MAINOUT"
14:
# Begin a new report section: remember its title and send all further
# output (stdout and stderr) to PARTOUT, truncating it.
# Arguments: $1 - section title, printed by end_part only if the section
#                 produced any output
start_part() {
	TITLE="$1"
	exec >"$PARTOUT" 2>&1
}
19:
# Close the section in progress: route output back to MAINOUT and, when the
# section wrote anything, append a blank line, its title and the text.
# A section that stayed silent leaves no trace in the report.
# Returns: non-zero (status of test) when PARTOUT was empty
end_part() {
	exec >>"$MAINOUT" 2>&1
	test -s "$PARTOUT" || return
	echo ""
	echo "$TITLE"
	cat "$PARTOUT"
}
27:
# Finish the current section and open a new one titled $1.  This is the
# hook /etc/daily.local is told to use for its own section headers.
# Arguments: $1 - title of the new section
next_part() {
	end_part
	start_part "$1"
}
1.2 david 32:
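# Source /etc/$1 into the current shell, but only when it is a regular file
# owned by root and not writable by group or others.  The file runs with
# this script's privileges (root, from cron), so a writable or foreign-owned
# file would hand its owner root access.
# Arguments: $1 - file name relative to /etc (e.g. daily.local)
# Globals:   f (set to the full path)
# Returns:   status of test(1) (1) when the file is absent, of ls(1) when it
#            was skipped, otherwise the status of the sourced file
run_script() {
	f=/etc/$1
	test -e "$f" || return
	# stat(1) without -L reports on the link itself, so a symlink shows 'l'
	# in the type column and is rejected along with group/other-writable or
	# non-root-owned files.  The substitution is quoted so that a failing
	# stat yields an empty word, which compares unequal and skips the file,
	# instead of a test(1) syntax error that would let the file be sourced.
	if [ "$(stat -f '%Sp%u' "$f" | cut -b1,6,9,11-)" != '---0' ]; then
		echo "$f has insecure permissions, skipping:"
		ls -l "$f"
		return
	fi
	. "$f"
}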
1.16 millert 43:
# Local additions come first.  /etc/daily.local is sourced by run_script,
# which refuses files that are not root-owned or are group/world-writable.
start_part "Running daily.local:"
run_script daily.local
1.14 millert 46:
next_part "Removing scratch and junk files:"
# Only clean /tmp when it is a real directory: a symlinked /tmp would point
# the cleanup at wherever the link leads.
if [ -d /tmp -a ! -L /tmp ]; then
	cd /tmp && {
	# -x keeps find on this filesystem.  Agent, X11 and ICE sockets and the
	# ports lock directory are pruned; every other regular file not accessed
	# for more than three days is removed.  -execdir runs rm inside the
	# file's own directory on the bare name rather than a full path, which
	# narrows the window for path-substitution races in a world-writable
	# directory.
	find -x . \
	    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
	    -o -path ./portslocks \) \
	    -prune -o -type f -atime +3 -execdir rm -f -- {} \; 2>/dev/null
	# Then drop directories (other than . and the protected ones) not
	# modified for more than a day; rmdir only succeeds on empty ones and
	# its complaints about the rest are discarded.
	find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
	    ! -path ./.ICE-unix ! -path ./portslocks ! -name . \
	    -execdir rmdir -- {} \; >/dev/null 2>&1; }
fi

# Same for /var/tmp, with a longer grace period (seven days) and covering
# everything that is not a directory, not just regular files.
if [ -d /var/tmp -a ! -L /var/tmp ]; then
	cd /var/tmp && {
	find -x . \
	    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
	    -o -path ./portslocks \) \
	    -prune -o ! -type d -atime +7 -execdir rm -f -- {} \; 2>/dev/null
	find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
	    ! -path ./.ICE-unix ! -path ./portslocks ! -name . \
	    -execdir rmdir -- {} \; >/dev/null 2>&1; }
fi

# Additional junk directory cleanup would go like this:
#if [ -d /scratch -a ! -L /scratch ]; then
#	cd /scratch && {
#	find . ! -name . -atime +1 -execdir rm -f -- {} \;
#	find . ! -name . -type d -mtime +1 -execdir rmdir -- {} \; \
#	    >/dev/null 2>&1; }
#fi

# rwho(8) host files not updated for a week are stale; remove them.
if [ -d /var/rwho -a ! -L /var/rwho ] ; then
	cd /var/rwho && {
	find . ! -name . -mtime +7 -execdir rm -f -- {} \; ; }
fi
82:
# Rotate the process accounting file, keeping acct.0 .. acct.3, then let
# sa(8) summarize it (see sa(8) for the effect of -s on the accounting file).
next_part "Purging accounting records:"
if [ -f /var/account/acct ]; then
	# Shift acct.2 -> acct.3, acct.1 -> acct.2, acct.0 -> acct.1, in that
	# order so nothing is overwritten before it has been moved on.
	n=3
	while [ "$n" -gt 0 ]; do
		mv -f /var/account/acct.$((n - 1)) /var/account/acct.$n
		n=$((n - 1))
	done
	cp -f /var/account/acct /var/account/acct.0
	sa -sq
fi
91:
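# If ROOTBACKUP is set to 1 in the environment, and
# if filesystem named /altroot is type ffs and mounted "xx",
# use it as a backup root filesystem to be updated daily.
next_part "Backing up root filesystem:"
# The loop body runs at most once; every path ends in "break".  It exists
# only so the checks below can bail out with a single keyword.
while [ "X$ROOTBACKUP" = X1 ]; do
	# Device of the /altroot entry: a non-comment fstab line with mount
	# point /altroot, type ffs and "xx" among the options.
	rootbak=`awk '$1 !~ /^#/ && $2 == "/altroot" && $3 == "ffs" && \
	    $4 ~ /xx/ { print $1 }' < /etc/fstab`
	if [ -z "$rootbak" ]; then
		echo "No xx ffs /altroot device found in the fstab(5)."
		break
	fi
	# Split "/dev/<disk><part>" (or the DUID form "<duid>.<part>") into
	# disk and partition letter; ?(.) is a ksh(1) pattern for an optional dot.
	rootbak=${rootbak#/dev/}
	bakdisk=${rootbak%%?(.)[a-p]}
	# Bail out unless the disk (by name or DUID) is currently attached.
	sysctl -n hw.disknames | grep -Fqw $bakdisk || break
	bakpart=${rootbak##$bakdisk?(.)}
	# hw.disknames lists comma-separated "name:duid" entries.
	OLDIFS=$IFS
	IFS=,
	for d in `sysctl -n hw.disknames`; do
		# If the provided disk name is a duid, substitute the device.
		if [ X$bakdisk = X${d#*:} ]; then
			bakdisk=${d%:*}
			rootbak=$bakdisk$bakpart
		fi
	done
	IFS=$OLDIFS
	# Partition sizes come from the second column of the "<part>:" line in
	# disklabel(8) output (presumably sectors -- confirm).
	baksize=`disklabel $bakdisk 2>/dev/null | \
	    awk -v "part=$bakpart:" '$1 == part { print $2 }'`
	# The root device: what mount(8) shows on / as an ffs /dev/ device,
	# with the "/dev/" prefix stripped.
	rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
	    { print substr($1, 6) }'`
	if [ -z "$rootdev" ]; then
		echo "The root filesystem is not local or not ffs."
		break
	fi
	# Never copy a partition onto itself.
	if [ X$rootdev = X$rootbak ]; then
		echo "The device $rootdev holds both root and /altroot."
		break
	fi
	rootdisk=${rootdev%[a-p]}
	rootpart=${rootdev#$rootdisk}
	rootsize=`disklabel $rootdisk 2>/dev/null | \
	    awk -v "part=$rootpart:" '$1 == part { print $2 }'`
	# An unquoted, empty size would turn the -gt test into a test(1) usage
	# error, which "if" treats as false -- and the raw copy would run with
	# no size check at all.  Refuse explicitly when either size is unknown.
	if [ -z "$rootsize" -o -z "$baksize" ]; then
		echo "Cannot determine the size of root or /altroot, not copying."
		break
	fi
	# The block copy below would overrun a smaller target.
	if [ "$rootsize" -gt "$baksize" ]; then
		echo "Root ($rootsize) is larger than /altroot ($baksize)."
		break
	fi
	next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
	sync
	# Raw block copy of the root partition.  Both sides skip the first
	# 16-sector block (seek=1 skip=1), presumably to leave the target's own
	# boot block / label area alone -- confirm against the disk layout.
	# conv=noerror carries on past unreadable blocks.
	dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
	    conv=noerror
	# The copy was taken from a live filesystem; repair it non-interactively.
	fsck -y /dev/r$rootbak
	break
done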
1.1 deraadt 144:
# Disk usage and dump(8) status are reported unless VERBOSESTATUS is
# exactly 0 (unset counts as verbose).
next_part "Checking subsystem status:"
case "$VERBOSESTATUS" in
0)
	;;
*)
	echo ""
	echo "disks:"
	df -kl
	echo ""
	dump W
	;;
esac
1.1 deraadt 153:
# The first two regular expressions handle sendmail, the third postfix.
# When the queue is empty, smtpd(8) and exim -bp keep silent.
next_part "mail:"
# Filter out the "nothing queued" lines so an empty queue leaves the
# section silent, and therefore absent from the report.
mailq \
    | grep -v \
	-e "^/var/spool/mqueue is empty$" \
	-e "^[[:blank:]]*Total requests: 0$" \
	-e "^Mail queue is empty$"
1.1 deraadt 160:
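# Interface statistics, plus ruptime(1) when rwho(8) data is present.
next_part "network:"
if [ "X$VERBOSESTATUS" != X0 ]; then
	netstat -ivn

	# Pathname expansion does not happen in an assignment, so the former
	# 't=/var/rwho/*' test compared the literal pattern with itself and
	# ruptime never ran.  A for loop does expand the glob; when nothing
	# matches, the variable keeps the pattern and -e is false.  One
	# iteration is enough to learn whether any host file exists.
	for t in /var/rwho/*; do
		if [ -e "$t" ]; then
			echo ""
			ruptime
		fi
		break
	done
fi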
171:
# Unless CALENDAR is exactly 0, run calendar(1) for all users in the
# background.  The second test only lets it run when /var/yp/<domainname>
# exists or there is no /var/yp/binding directory at all.
next_part "Running calendar in the background:"
if [ "X$CALENDAR" != X0 ]; then
	if [ -d "/var/yp/$(domainname)" -o ! -d /var/yp/binding ]; then
		calendar -a &
	fi
fi
1.1 deraadt 177:
# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck
# with the no-write flag.
next_part "Checking filesystems:"
if [ "X$CHECKFILESYSTEMS" = X1 ]; then
	# Drop the "** Phase N" progress lines so only findings remain.
	fsck -n | grep -v '^\*\* Phase'
fi
1.1 deraadt 184:
# Run rdist(1) when a Distfile exists; keep a dated copy of its output if
# the log directory is present.
next_part "Running rdist:"
distfile=/etc/Distfile
rdistlog=/var/log/rdist
if [ -f "$distfile" ]; then
	if [ -d "$rdistlog" ]; then
		rdist -f "$distfile" 2>&1 | tee "$rdistlog/$(date +%F)"
	else
		rdist -f "$distfile"
	fi
fi
193:
# Close the last section and, if any section produced output, mail the
# report to root prefixed with the kernel version and uptime.
end_part
if [ -s "$MAINOUT" ]; then
	{
		sysctl -n kern.version
		uptime
		cat "$MAINOUT"
	} 2>&1 | mail -s "$(hostname) daily output" root
fi
1.58 schwarze 200:
201:
# security(8) gets its own report file and its own mail, so its findings
# are not buried in the general daily output.
MAINOUT=/var/log/security.out
install -m 600 -o 0 -g 0 -b /dev/null "$MAINOUT"

start_part "Running security(8):"
# Exported so the setting (if any, e.g. from daily.local) reaches
# security(8); see security(8) for its meaning.
export SUIDSKIP
/usr/libexec/security
end_part
rm -f "$PARTOUT"

if [ -s "$MAINOUT" ]; then
	mail -s "$(hostname) daily insecurity output" root < "$MAINOUT"
fi