Return to daily CVS log | Up to [local] / src / etc |
File: [local] / src / etc / daily (download)
Revision 1.93, Mon Sep 9 20:02:26 2019 UTC (4 years, 8 months ago) by bluhm
Inform about system call memory write protection and stack mapping violations in system accounting. This will help to find missbehaving programs and possible attacks. The flags bit field is full, so recycle the PDP-11 compatibility on VAX. lastcomm(1) prints the AMAP flag as 'M'. daily(8) prints a list of affected processes. OK deraadt@ |
# # $OpenBSD: daily,v 1.93 2019/09/09 20:02:26 bluhm Exp $ # From: @(#)daily 8.2 (Berkeley) 1/25/94 # # For local additions, create the file /etc/daily.local. # To get section headers, use the function next_part in daily.local. # umask 022 PARTOUT=/var/log/daily.part MAINOUT=/var/log/daily.out install -o 0 -g 0 -m 600 /dev/null $PARTOUT install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT start_part() { TITLE=$1 exec > $PARTOUT 2>&1 } end_part() { exec >> $MAINOUT 2>&1 test -s $PARTOUT || return echo "" echo "$TITLE" cat $PARTOUT } next_part() { end_part start_part "$1" } run_script() { f=/etc/$1 test -e $f || return if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then echo "$f has insecure permissions, skipping:" ls -l $f return fi . $f } start_part "Running daily.local:" run_script "daily.local" next_part "Removing scratch and junk files:" if [ -d /tmp -a ! -L /tmp ]; then cd /tmp && { find -x . \ \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \ -o -path './tmux-*' \) \ -prune -o -type f -atime +7 -execdir rm -f -- {} \; 2>/dev/null find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \ ! -path ./.ICE-unix ! -name . \ -execdir rmdir -- {} \; >/dev/null 2>&1; } fi # Additional junk directory cleanup would go like this: #if [ -d /scratch -a ! -L /scratch ]; then # cd /scratch && { # find . ! -name . -atime +1 -execdir rm -f -- {} \; # find . ! -name . -type d -mtime +1 -execdir rmdir -- {} \; \ # >/dev/null 2>&1; } #fi next_part "Purging accounting records:" if [ -f /var/account/acct ]; then test -f /var/account/acct.2 && \ mv -f /var/account/acct.2 /var/account/acct.3 test -f /var/account/acct.1 && \ mv -f /var/account/acct.1 /var/account/acct.2 test -f /var/account/acct.0 && \ mv -f /var/account/acct.0 /var/account/acct.1 cp -f /var/account/acct /var/account/acct.0 sa -sq lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[MPTU]' fi # If ROOTBACKUP is set to 1 in the environment, and # if filesystem named /altroot is type ffs and mounted "xx", # use it as a backup root filesystem to be updated daily. next_part "Backing up root filesystem:" while [ "X$ROOTBACKUP" = X1 ]; do rootbak=`awk '$1 !~ /^#/ && $2 == "/altroot" && $3 == "ffs" && \ $4 ~ /xx/ { print $1 }' < /etc/fstab` if [ -z "$rootbak" ]; then echo "No xx ffs /altroot device found in the fstab(5)." break fi rootbak=${rootbak#/dev/} bakdisk=${rootbak%%?(.)[a-p]} if ! sysctl -n hw.disknames | grep -Fqw $bakdisk; then echo "Backup disk '$bakdisk' not present in hw.disknames." break fi bakpart=${rootbak##$bakdisk?(.)} OLDIFS=$IFS IFS=, for d in `sysctl -n hw.disknames`; do # If the provided disk name is a duid, substitute the device. if [ X$bakdisk = X${d#*:} ]; then bakdisk=${d%:*} rootbak=$bakdisk$bakpart fi done IFS=$OLDIFS baksize=`disklabel $bakdisk 2>/dev/null | \ awk -v "part=$bakpart:" '$1 == part { print $2 }'` rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \ { print substr($1, 6) }'` if [ -z "$rootdev" ]; then echo "The root filesystem is not local or not ffs." break fi if [ X$rootdev = X$rootbak ]; then echo "The device $rootdev holds both root and /altroot." break fi rootdisk=${rootdev%[a-p]} rootpart=${rootdev#$rootdisk} rootsize=`disklabel $rootdisk 2>/dev/null | \ awk -v "part=$rootpart:" '$1 == part { print $2 }'` if [ $rootsize -gt $baksize ]; then echo "Root ($rootsize) is larger than /altroot ($baksize)." break fi next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:" sync dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \ conv=noerror fsck -y /dev/r$rootbak break done next_part "Services that should be running but aren't:" rcctl ls failed next_part "Checking subsystem status:" if [ "X$VERBOSESTATUS" != X0 ]; then echo "" echo "disks:" df -ikl echo "" dump W else dump w | grep -vB1 ^Dump fi next_part "network:" if [ "X$VERBOSESTATUS" != X0 ]; then netstat -ivn fi next_part "Running calendar in the background:" if [ "X$CALENDAR" != X0 -a \ \( -d /var/yp/`domainname` -o ! -d /var/yp/binding \) ]; then calendar -a & fi # If CHECKFILESYSTEMS is set to 1 in the environment, run fsck # with the no-write flag. next_part "Checking filesystems:" [ "X$CHECKFILESYSTEMS" = X1 ] && { fsck -n | grep -v '^\*\* Phase' } next_part "Running rdist:" if [ -f /etc/Distfile ]; then if [ -d /var/log/rdist ]; then rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/`date +%F` else rdist -f /etc/Distfile fi fi end_part [ -s $MAINOUT ] && { sysctl -n kern.version uptime cat $MAINOUT } 2>&1 | mail -s "`hostname` daily output" root MAINOUT=/var/log/security.out install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT start_part "Running security(8):" export SUIDSKIP /usr/libexec/security end_part rm -f $PARTOUT [ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT