diff options
Diffstat (limited to 'usr.sbin/periodic/etc')
62 files changed, 3047 insertions, 0 deletions
diff --git a/usr.sbin/periodic/etc/Makefile b/usr.sbin/periodic/etc/Makefile new file mode 100644 index 000000000000..b93d2515ccb4 --- /dev/null +++ b/usr.sbin/periodic/etc/Makefile @@ -0,0 +1,4 @@ +SUBDIR= daily security weekly monthly +SUBDIR_PARALLEL= + +.include <bsd.subdir.mk> diff --git a/usr.sbin/periodic/etc/Makefile.inc b/usr.sbin/periodic/etc/Makefile.inc new file mode 100644 index 000000000000..4eb9943df8d2 --- /dev/null +++ b/usr.sbin/periodic/etc/Makefile.inc @@ -0,0 +1,4 @@ +CONFMODE= 755 +CONFDIR= ETC_PERIODIC_${.CURDIR:T:U} +ETC_PERIODIC_${.CURDIR:T:U}= /etc/periodic/${.CURDIR:T} +NO_OBJ= diff --git a/usr.sbin/periodic/etc/daily/100.clean-disks b/usr.sbin/periodic/etc/daily/100.clean-disks new file mode 100755 index 000000000000..7eedcfce6f96 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/100.clean-disks @@ -0,0 +1,54 @@ +#!/bin/sh +# +# +# Remove garbage files more than $daily_clean_disks_days days old +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_disks_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_disks_days" ] + then + echo '$daily_clean_disks_enable is set but' \ + '$daily_clean_disks_days is not' + rc=2 + elif [ -z "$daily_clean_disks_files" ] + then + echo '$daily_clean_disks_enable is set but' \ + '$daily_clean_disks_files is not' + rc=2 + else + echo "" + echo "Cleaning disks:" + set -f noglob + args="-name "`echo "$daily_clean_disks_files" | + sed -e 's/^[ ]*//' \ + -e 's/[ ]*$//' \ + -e 's/[ ][ ]*/ -o -name /g'` + + case "$daily_clean_disks_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(find / \( ! -fstype local -o -fstype rdonly \) -prune -o \ + \( $args \) -atime +$daily_clean_disks_days \ + -execdir rm -df {} \; $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + set -f glob + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/110.clean-tmps b/usr.sbin/periodic/etc/daily/110.clean-tmps new file mode 100755 index 000000000000..4780aa72aa42 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/110.clean-tmps @@ -0,0 +1,59 @@ +#!/bin/sh +# +# +# Perform temporary directory cleaning so that long-lived systems +# don't end up with excessively old files there. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_tmps_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_tmps_days" ] + then + echo '$daily_clean_tmps_enable is set but' \ + '$daily_clean_tmps_days is not' + rc=2 + else + echo "" + echo "Removing old temporary files:" + + set -f noglob + args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days" + args="${args} -ctime +$daily_clean_tmps_days" + dargs="-empty -mtime +$daily_clean_tmps_days" + [ -n "$daily_clean_tmps_ignore" ] && { + args="$args "`echo " ${daily_clean_tmps_ignore% }" | + sed 's/[ ][ ]*/ ! -name /g'` + dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" | + sed 's/[ ][ ]*/ ! -name /g'` + } + case "$daily_clean_tmps_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(for dir in $daily_clean_tmps_dirs + do + [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && { + find -x -d . -type f $args -delete $print + find -x -d . ! -name . -type d $dargs -delete $print + } | sed "s,^\\., $dir," + done | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + set -f glob + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/120.clean-preserve b/usr.sbin/periodic/etc/daily/120.clean-preserve new file mode 100755 index 000000000000..9c2bc86ae48a --- /dev/null +++ b/usr.sbin/periodic/etc/daily/120.clean-preserve @@ -0,0 +1,52 @@ +#!/bin/sh +# +# +# Remove stale files in /var/preserve +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_preserve_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_preserve_days" ] + then + echo '$daily_clean_preserve_enable is set but' \ + '$daily_clean_preserve_days is not' + rc=2 + elif [ ! -d /var/preserve ] + then + echo '$daily_clean_preserve_enable is set but /var/preserve' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Removing stale files from /var/preserve:" + + if cd /var/preserve + then + case "$daily_clean_preserve_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(find . ! -name . -mtime +$daily_clean_preserve_days \ + -delete $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + else + rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/130.clean-msgs b/usr.sbin/periodic/etc/daily/130.clean-msgs new file mode 100755 index 000000000000..df9f6ef2c1e1 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/130.clean-msgs @@ -0,0 +1,34 @@ +#!/bin/sh +# +# +# Remove system messages +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_msgs_enable" in + [Yy][Ee][Ss]) + if [ ! -d /var/msgs ] + then + echo '$daily_clean_msgs_enable is set but /var/msgs' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Cleaning out old system announcements:" + + [ -n "$daily_clean_msgs_days" ] && + arg=-${daily_clean_msgs_days#-} || arg= + msgs -c $arg && rc=0 || rc=3 + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/140.clean-rwho b/usr.sbin/periodic/etc/daily/140.clean-rwho new file mode 100755 index 000000000000..b34fa80c58f7 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/140.clean-rwho @@ -0,0 +1,52 @@ +#!/bin/sh +# +# +# Remove stale files in /var/rwho +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_rwho_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_rwho_days" ] + then + echo '$daily_clean_rwho_enable is enabled but' \ + '$daily_clean_rwho_days is not set' + rc=2 + elif [ ! -d /var/rwho ] + then + echo '$daily_clean_rwho_enable is enabled but /var/rwho' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Removing stale files from /var/rwho:" + + case "$daily_clean_rwho_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + if cd /var/rwho + then + rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \ + -delete $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + else + rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/150.clean-hoststat b/usr.sbin/periodic/etc/daily/150.clean-hoststat new file mode 100755 index 000000000000..5d2ba42831ee --- /dev/null +++ b/usr.sbin/periodic/etc/daily/150.clean-hoststat @@ -0,0 +1,30 @@ +#!/bin/sh +# +# +# Remove stale persistent host status files if the mailer supports it. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ]; then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_hoststat_enable" in + [Yy][Ee][Ss]) + if ! grep -q '^purgestat' /etc/mail/mailer.conf; then + rc=3 + elif [ -z "$(hoststat 2>&1)" ]; then + rc=2 + else + echo "" + echo "Removing stale entries from sendmail host status cache:" + rc=0 + purgestat || rc=1 + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/200.backup-passwd b/usr.sbin/periodic/etc/daily/200.backup-passwd new file mode 100755 index 000000000000..7cd52fc7be4b --- /dev/null +++ b/usr.sbin/periodic/etc/daily/200.backup-passwd @@ -0,0 +1,76 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_backup_passwd_enable" in + [Yy][Ee][Ss]) + if [ ! -f /etc/master.passwd ] + then + echo '$daily_backup_passwd_enable" is set but /etc/master.passwd' \ + "doesn't exist" + rc=2 + elif [ ! -f /etc/group ] + then + echo '$daily_backup_passwd_enable" is set but /etc/group' \ + "doesn't exist" + rc=2 + else + bak=/var/backups + rc=0 + + echo "" + echo "Backup passwd and group files:" + + if [ ! -f $bak/master.passwd.bak ] + then + rc=1 + echo "no $bak/master.passwd.bak" + cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3 + fi + + if ! cmp -s $bak/master.passwd.bak /etc/master.passwd + then + [ $rc -lt 1 ] && rc=1 + echo "$host passwd diffs:" + diff ${daily_diff_flags} -I '^#' $bak/master.passwd.bak /etc/master.passwd |\ + sed 's/^\([-+ ][^:]*\):[^:]*:/\1:(password):/' + mv $bak/master.passwd.bak $bak/master.passwd.bak2 + cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3 + fi + + if [ ! -f $bak/group.bak ] + then + [ $rc -lt 1 ] && rc=1 + echo "no $bak/group.bak" + cp -p /etc/group $bak/group.bak || rc=3 + fi + + if ! cmp -s $bak/group.bak /etc/group + then + [ $rc -lt 1 ] && rc=1 + echo "$host group diffs:" + diff ${daily_diff_flags} $bak/group.bak /etc/group + mv $bak/group.bak $bak/group.bak2 + cp -p /etc/group $bak/group.bak || rc=3 + fi + + if [ -f /etc/group ] + then + echo "" + echo "Verifying group file syntax:" + chkgrp /etc/group || rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/210.backup-aliases b/usr.sbin/periodic/etc/daily/210.backup-aliases new file mode 100755 index 000000000000..d236d9615dba --- /dev/null +++ b/usr.sbin/periodic/etc/daily/210.backup-aliases @@ -0,0 +1,46 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_backup_aliases_enable" in + [Yy][Ee][Ss]) + if [ ! -f /etc/mail/aliases ] + then + echo '$daily_backup_aliases_enable is enabled but' \ + "/etc/mail/aliases doesn't exist" + rc=2 + else + bak=/var/backups + rc=0 + + echo "" + echo "Backing up mail aliases:" + + if [ ! -f $bak/aliases.bak ] + then + echo "no $bak/aliases.bak" + cp -p /etc/mail/aliases $bak/aliases.bak || rc=3 + fi + + if ! cmp -s $bak/aliases.bak /etc/mail/aliases + then + [ $rc -lt 1 ] && rc=1 + echo "$host aliases diffs:" + diff ${daily_diff_flags} $bak/aliases.bak /etc/mail/aliases + mv $bak/aliases.bak $bak/aliases.bak2 + cp -p /etc/mail/aliases $bak/aliases.bak || rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/221.backup-gpart b/usr.sbin/periodic/etc/daily/221.backup-gpart new file mode 100755 index 000000000000..50096e38f118 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/221.backup-gpart @@ -0,0 +1,122 @@ +#!/bin/sh +## Created by: Miroslav Lachman <000.fbsd@quip.cz> + +## Backup of disk partitions layout, useful for gpart restore. +## Data are stored on local filesystem, in /var/backup. +## It is recommended to copy those files to off-site storage. + + +## If there is a global system configuration file, suck it in. +## +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +bak_dir=/var/backups + +rotate() { + base_name=$1 + show_diff=$2 + file="$bak_dir/$base_name" + + if [ -f "${file}.bak" ] ; then + rc=0 + if cmp -s "${file}.bak" "${file}.tmp"; then + rm "${file}.tmp" + else + rc=1 + [ -n "$show_diff" ] && diff ${daily_diff_flags} "${file}.bak" "${file}.tmp" + mv "${file}.bak" "${file}.bak2" || rc=3 + mv "${file}.tmp" "${file}.bak" || rc=3 + fi + else + rc=1 + mv "${file}.tmp" "${file}.bak" || rc=3 + [ -n "$show_diff" ] && cat "${file}.bak" + fi +} + +case "$daily_backup_gpart_verbose" in + [Yy][Ee][Ss]) show="YES" +esac + +case "$daily_backup_gpart_enable" in + [Yy][Ee][Ss]) + + echo "" + echo "Dump of kern.geom.conftxt:"; + sysctl -n kern.geom.conftxt > "$bak_dir/kern.geom.conftxt.tmp" + rotate "kern.geom.conftxt" $show + + gpart_devs=$(gpart show | awk '$1 == "=>" { print $4 }') + if [ -n "$daily_backup_gpart_exclude" ]; then + gpart_devs=$(echo "${gpart_devs}" | grep -E -v "${daily_backup_gpart_exclude}") + fi + + if [ -z "$gpart_devs" ]; then + echo '$daily_backup_gpart_enable is set but no disk probed by kernel.' \ + "perhaps NFS diskless client." + rc=2 + else + echo "" + echo "Backup of partitions information for:"; + + for d in ${gpart_devs}; do + echo "$d" + safe_name=$(echo "gpart.${d}" | tr -cs ".[:alnum:]\n" "_") + gpart backup "$d" > "$bak_dir/$safe_name.tmp" + rotate "$safe_name" $show + done + + gpart_show=$(gpart show -p) + boot_part=$(echo "$gpart_show" | awk '$4 ~ /(bios|freebsd)-boot/ { print $3 }') + if [ -n "$boot_part" ]; then + echo "" + echo "Backup of boot partition content:" + for b in ${boot_part}; do + echo "$b" + safe_name=$(echo "boot.${b}" | tr -cs ".[:alnum:]\n" "_") + dd if="/dev/${b}" of="$bak_dir/$safe_name.tmp" 2> /dev/null + rotate "$safe_name" + done + fi + + mbr_part=$(echo "$gpart_show" | awk '$1 == "=>" && $5 == "MBR" { print $4 }') + if [ -n "$mbr_part" ]; then + echo "" + echo "Backup of MBR record:" + for mb in ${mbr_part}; do + echo "$mb" + safe_name=$(echo "boot.${mb}" | tr -cs ".[:alnum:]\n" "_") + dd if="/dev/${mb}" of="$bak_dir/$safe_name.tmp" bs=512 count=1 2> /dev/null + rotate "$safe_name" + done + fi + + fi + ;; + + *) rc=0 + ;; +esac + +case "$daily_backup_efi_enable" in + [Yy][Ee][Ss]) + + efi_part=$(gpart show -p | awk '$4 ~ /efi/ {print $3}') + if [ -n "$efi_part" ]; then + echo "" + echo "Backup of EFI partition content:" + for efi in ${efi_part}; do + echo "$efi" + safe_name=$(echo "efi.${efi}" | tr -cs ".[:alnum:]\n" "_") + dd if="/dev/${efi}" of="$bak_dir/$safe_name.tmp" 2> /dev/null + rotate "$safe_name" + done + fi + ;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/222.backup-gmirror b/usr.sbin/periodic/etc/daily/222.backup-gmirror new file mode 100755 index 000000000000..45c656dc4f41 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/222.backup-gmirror @@ -0,0 +1,70 @@ +#!/bin/sh +# Created by: Miroslav Lachman <000.fbsd@quip.cz> + +# Backup output from `gmirror list`, which provides detailed information +# of all gmirrors. The backup will be stored in /var/backups/. + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +bak_dir=/var/backups + +rotate() { + base_name=$1 + show_diff=$2 + file="$bak_dir/$base_name" + + if [ -f "${file}.bak" ]; then + rc=0 + if cmp -s "${file}.bak" "${file}.tmp"; then + rm "${file}.tmp" + else + rc=1 + [ -n "$show_diff" ] && diff ${daily_diff_flags} "${file}.bak" "${file}.tmp" + mv "${file}.bak" "${file}.bak2" || rc=3 + mv "${file}.tmp" "${file}.bak" || rc=3 + fi + else + rc=1 + mv "${file}.tmp" "${file}.bak" || rc=3 + [ -n "$show_diff" ] && cat "${file}.bak" + fi +} + +case "$daily_backup_gmirror_verbose" in + [Yy][Ee][Ss]) show="YES" +esac + +case "$daily_backup_gmirror_enable" in + [Yy][Ee][Ss]) + + gmirrors=$(gmirror status 2> /dev/null | \ + awk '$1 ~ /^mirror\// { sub(/mirror\//, ""); print $1 }') + + if [ -z "$gmirrors" ]; then + echo "" + echo "daily_backup_gmirror_enable is set to YES but no gmirrors found." + rc=2 + else + echo "" + echo "Backup of gmirror information for:"; + + for m in ${gmirrors}; do + echo "$m" + safe_name=$(echo "gmirror.${m}" | tr -cs ".[:alnum:]\n" "_") + if ! gmirror status -s "${m}" | grep -F -v "COMPLETE"; then + gmirror list "${m}" > "$bak_dir/$safe_name.tmp" + rotate "$safe_name" $show + fi + done + fi + ;; + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/223.backup-zfs b/usr.sbin/periodic/etc/daily/223.backup-zfs new file mode 100755 index 000000000000..e76421220a0b --- /dev/null +++ b/usr.sbin/periodic/etc/daily/223.backup-zfs @@ -0,0 +1,78 @@ +#!/bin/sh +# Created by: Miroslav Lachman <000.fbsd@quip.cz> + +# Backup of zpool list, zfs list, zpool properties and zfs properties +# for each filesystem. The backup will be stored in /var/backups. + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +bak_dir=/var/backups +rc=0 + +rotate() { + base_name=$1 + show_diff=$2 + file="$bak_dir/$base_name" + + if [ -f "${file}.bak" ] ; then + if cmp -s "${file}.bak" "${file}.tmp"; then + rm "${file}.tmp" + else + if [ -n "$show_diff" ]; then + rc=1 + diff ${daily_diff_flags} "${file}.bak" "${file}.tmp" + fi + mv "${file}.bak" "${file}.bak2" || rc=3 + mv "${file}.tmp" "${file}.bak" || rc=3 + fi + else + rc=1 + mv "${file}.tmp" "${file}.bak" || rc=3 + [ -n "$show_diff" ] && cat "${file}.bak" + fi +} + +show="" +case "$daily_backup_zfs_verbose" in + [Yy][Ee][Ss]) show="YES" +esac + +case "$daily_backup_zfs_enable" in + [Yy][Ee][Ss]) + + zpools=$(zpool list $daily_backup_zpool_list_flags) + + if [ -z "$zpools" ]; then + echo 'daily_backup_zfs_enable is set to YES but no zpools found.' + rc=2 + else + echo "" + echo "Backup of ZFS information for all imported pools"; + + echo "$zpools" > "$bak_dir/zpool_list.tmp" + rotate "zpool_list" $show + + zfs list $daily_backup_zfs_list_flags > "$bak_dir/zfs_list.tmp" + rotate "zfs_list" $show + fi + ;; +esac + +case "$daily_backup_zfs_props_enable" in + [Yy][Ee][Ss]) + + zfs get $daily_backup_zfs_get_flags > "$bak_dir/zfs_props.tmp" + rotate "zfs_props" $show + + zpool get $daily_backup_zpool_get_flags > "$bak_dir/zpool_props.tmp" + rotate "zpool_props" $show + ;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/300.calendar b/usr.sbin/periodic/etc/daily/300.calendar new file mode 100755 index 000000000000..3be90a8c4754 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/300.calendar @@ -0,0 +1,28 @@ +#!/bin/sh +# +# +# `calendar -a' needs to die. Why? Because it's a bad idea, particular +# with networked home directories, but also in general. If you want the +# output of `calendar' mailed to you, set up a cron job to do it, +# or run it from your ~/.profile or ~/.login. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_calendar_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Running calendar:" + + calendar -a && rc=0 || rc=3;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/310.accounting b/usr.sbin/periodic/etc/daily/310.accounting new file mode 100755 index 000000000000..861a22720236 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/310.accounting @@ -0,0 +1,69 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_accounting_enable" in + [Yy][Ee][Ss]) + if [ ! -f /var/account/acct ] + then + echo '$daily_accounting_enable is set but /var/account/acct' \ + "doesn't exist" + rc=2 + elif [ $(sysctl -n kern.acct_configured) -eq 0 ] + then + echo '$daily_accounting_enable is set but' \ + 'process accounting is not active' + rc=2 + elif [ -z "$daily_accounting_save" ] + then + echo '$daily_accounting_enable is set but ' \ + '$daily_accounting_save is not' + rc=2 + else + echo "" + echo "Rotating accounting logs and gathering statistics:" + + cd /var/account + rc=0 + + n=$(( $daily_accounting_save - 1 )) + for f in acct.*; do + case "$f" in acct.\*) continue ;; esac # No files match + m=${f%.gz} ; m=${m#acct.} + [ $m -ge $n ] && { rm $f || rc=3; } + done + + m=$n + n=$(($n - 1)) + while [ $n -ge 0 ] + do + [ -f acct.$n.gz ] && { mv -f acct.$n.gz acct.$m.gz || rc=3; } + [ -f acct.$n ] && { mv -f acct.$n acct.$m || rc=3; } + m=$n + n=$(($n - 1)) + done + + /etc/rc.d/accounting onerotate_log || rc=3 + + rm -f acct.merge && cp acct.0 acct.merge || rc=3 + sa -s $daily_accounting_flags /var/account/acct.merge || rc=3 + rm acct.merge + + case "$daily_accounting_compress" in + [Yy][Ee][Ss]) + gzip -f acct.0 || rc=3;; + esac + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/400.status-disks b/usr.sbin/periodic/etc/daily/400.status-disks new file mode 100755 index 000000000000..cc1fe8dc0ab3 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/400.status-disks @@ -0,0 +1,39 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_disks_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Disk status:" + + if [ -n "${daily_status_disks_ignore}" ] ; then + ignore="egrep -v ${daily_status_disks_ignore}" + else + ignore="cat" + fi + (df $daily_status_disks_df_flags | ${ignore}) && rc=1 || rc=3 + + # display which filesystems need backing up + if [ -s /etc/dumpdates ]; then + if ! [ -f /etc/fstab ]; then + export PATH_FSTAB=/dev/null + fi + + echo "" + dump W || rc=3 + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/401.status-graid b/usr.sbin/periodic/etc/daily/401.status-graid new file mode 100755 index 000000000000..259722a94a0c --- /dev/null +++ b/usr.sbin/periodic/etc/daily/401.status-graid @@ -0,0 +1,33 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_graid_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of graid(8) devices:' + + if graid status; then + components="$(graid status -s | fgrep -v OPTIMAL)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/404.status-zfs b/usr.sbin/periodic/etc/daily/404.status-zfs new file mode 100755 index 000000000000..052f794c0bbc --- /dev/null +++ b/usr.sbin/periodic/etc/daily/404.status-zfs @@ -0,0 +1,44 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_zfs_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of zfs pools:' + + case "$daily_status_zfs_zpool_list_enable" in + [Yy][Ee][Ss]) + lout=`zpool list` + echo "$lout" + echo + ;; + *) + ;; + esac + sout=`zpool status -x` + echo "$sout" + # zpool status -x always exits with 0, so we have to interpret its + # output to see what's going on. + if [ "$sout" = "all pools are healthy" \ + -o "$sout" = "no pools available" ]; then + rc=0 + else + rc=1 + fi + ;; + + *) + rc=0 + ;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/406.status-gmirror b/usr.sbin/periodic/etc/daily/406.status-gmirror new file mode 100755 index 000000000000..06fbb9491576 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/406.status-gmirror @@ -0,0 +1,33 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_gmirror_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of gmirror(8) devices:' + + if gmirror status; then + components="$(gmirror status -s | fgrep -v COMPLETE)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/407.status-graid3 b/usr.sbin/periodic/etc/daily/407.status-graid3 new file mode 100755 index 000000000000..af73ca4dd754 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/407.status-graid3 @@ -0,0 +1,33 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_graid3_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of graid3(8) devices:' + + if graid3 status; then + components="$(graid3 status -s | fgrep -v COMPLETE)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/408.status-gstripe b/usr.sbin/periodic/etc/daily/408.status-gstripe new file mode 100755 index 000000000000..1a4c9f053747 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/408.status-gstripe @@ -0,0 +1,33 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_gstripe_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of gstripe(8) devices:' + + if gstripe status; then + components="$(gstripe status -s | fgrep -v UP)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/409.status-gconcat b/usr.sbin/periodic/etc/daily/409.status-gconcat new file mode 100755 index 000000000000..2fabac1caeed --- /dev/null +++ b/usr.sbin/periodic/etc/daily/409.status-gconcat @@ -0,0 +1,33 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_gconcat_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of gconcat(8) devices:' + + if gconcat status; then + components="$(gconcat status -s | fgrep -v UP)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/410.status-mfi b/usr.sbin/periodic/etc/daily/410.status-mfi new file mode 100644 index 000000000000..141cd777380c --- /dev/null +++ b/usr.sbin/periodic/etc/daily/410.status-mfi @@ -0,0 +1,32 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_mfi_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of mfi(4) devices:' + + if mfiutil show volumes; then + if mfiutil show volumes | grep -q DEGRADED; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/420.status-network b/usr.sbin/periodic/etc/daily/420.status-network new file mode 100755 index 000000000000..955d6b0e9146 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/420.status-network @@ -0,0 +1,30 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_network_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Network interface status:" + + flags="${daily_status_network_netstat_flags}" + case "$daily_status_network_usedns" in + [Yy][Ee][Ss]) + ;; + *) + flags="${flags} -n";; + esac + netstat -i ${flags} && rc=0 || rc=3;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/430.status-uptime b/usr.sbin/periodic/etc/daily/430.status-uptime new file mode 100755 index 000000000000..19c4bcd0b0d0 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/430.status-uptime @@ -0,0 +1,37 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_uptime_enable" in + [Yy][Ee][Ss]) + rwho=$(echo /var/rwho/*) + if [ -f "${rwho%% *}" ] + then + echo "" + echo "Local network system status:" + prog=ruptime + else + echo "" + echo "Local system status:" + prog=uptime + fi + rc=$($prog | tee /dev/stderr | wc -l) + if [ $? -eq 0 ] + then + [ $rc -gt 1 ] && rc=1 + else + rc=3 + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/440.status-mailq b/usr.sbin/periodic/etc/daily/440.status-mailq new file mode 100755 index 000000000000..ad2c7f6af293 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/440.status-mailq @@ -0,0 +1,65 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_mailq_enable" in + [Yy][Ee][Ss]) + if [ ! -x /usr/bin/mailq ] + then + echo '$daily_status_mailq_enable is set but /usr/bin/mailq' \ + "isn't executable" + rc=2 + else + echo "" + echo "Mail in local queue:" + + rc=$(case "$daily_status_mailq_shorten" in + [Yy][Ee][Ss]) + mailq | + egrep -e '^[[:space:]]+[^[:space:]]+@' | + sort | + uniq -c | + sort -nr | + awk '$1 >= 1 {print $1, $2}';; + *) + mailq;; + esac | tee /dev/stderr | + egrep -v '((Mail |m)queue is empty|Total requests)' | wc -l) + [ $rc -gt 0 ] && rc=1 || rc=0 + + case "$daily_status_include_submit_mailq" in + [Yy][Ee][Ss]) + if [ -f /etc/mail/submit.cf ] && mailq -Ac >/dev/null 2>&1 + then + echo "" + echo "Mail in submit queue:" + + rc_submit=$(case "$daily_status_mailq_shorten" in + [Yy][Ee][Ss]) + mailq -Ac | + egrep -e '^[[:space:]]+[^[:space:]]+@' | + sort | + uniq -c | + sort -nr | + awk '$1 >= 1 {print $1, $2}';; + *) + mailq -Ac;; + esac | tee /dev/stderr | + egrep -v '(mqueue is empty|Total requests)' | wc -l) + [ $rc_submit -gt 0 ] && rc=1 + fi;; + esac + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/450.status-security b/usr.sbin/periodic/etc/daily/450.status-security new file mode 100755 index 000000000000..c004e0ae98ac --- /dev/null +++ b/usr.sbin/periodic/etc/daily/450.status-security @@ -0,0 +1,46 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$daily_status_security_inline" in + [Yy][Ee][Ss]) + daily_status_security_output="";; + esac + + export security_output="${daily_status_security_output}" + rc=0 + case "${daily_status_security_output}" in + "") + if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` + then + periodic security > $tempfile || rc=3 + if [ -s "$tempfile" ]; then + cat "$tempfile" + rc=3 + fi + rm -f "$tempfile" + fi;; + /*) + echo " (output logged separately)" + periodic security || rc=3;; + *) + echo " (output mailed separately)" + periodic security || rc=3;; + esac;; + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/460.status-mail-rejects b/usr.sbin/periodic/etc/daily/460.status-mail-rejects new file mode 100755 index 000000000000..b33e0062f3d7 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/460.status-mail-rejects @@ -0,0 +1,78 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_mail_rejects_shorten" in +[Yy][Ee][Ss]) shorten='cut -d" " -f2,3';; +*) shorten=cat;; +esac + +case "$daily_status_mail_rejects_enable" in + [Yy][Ee][Ss]) + if [ ! -d /etc/mail ] + then + echo '$daily_status_mail_rejects_enable is set but /etc/mail' \ + "doesn't exist" + rc=2 + elif [ ! -f /var/log/maillog ] + then + echo '$daily_status_mail_rejects_enable is set but ' \ + "/var/log/maillog doesn't exist" + rc=2 + elif [ "$daily_status_mail_rejects_logs" -le 0 ] + then + echo '$daily_status_mail_rejects_enable is set but ' \ + '$daily_status_mail_rejects_logs is not greater than zero' + rc=2 + else + echo + echo Checking for rejected mail hosts: + + yesterday=$(date -v-1d '+%b %e') + today=$(date '+%b %e') + n=$(($daily_status_mail_rejects_logs - 2)) + rc=$({ + while [ $n -ge 0 ] + do + if [ -f /var/log/maillog.$n ] + then + cat /var/log/maillog.$n + elif [ -f /var/log/maillog.$n.gz ] + then + zcat -fc /var/log/maillog.$n.gz + elif [ -f /var/log/maillog.$n.bz2 ] + then + bzcat -fc /var/log/maillog.$n.bz2 + elif [ -f /var/log/maillog.$n.xz ] + then + xzcat -f /var/log/maillog.$n.xz + elif [ -f /var/log/maillog.$n.zst ] + then + zstdcat -fc /var/log/maillog.$n.zst + fi + n=$(($n - 1)) + done + cat /var/log/maillog + } | sed -Ene "/^$today/q" -e "/^$yesterday/{"' + s/.*ruleset=check_relay,.* relay=([^,]+), reject=([^ ]*).*/\2 check_relay \1/p + t end + s/.*ruleset=check_rcpt,.* arg1=<?([^>,]+).* reject=([^ ]+) .* ([^ ]+)/\2 check_rcpt \1 \3/p + t end + s/.*ruleset=check_([^,]+),.* arg1=<?([^@]+@)?([^>,]+).* reject=([^ ]+) .* ([^ ]+)/\4 check_\1 \3 \5/p + :end + }' | eval $shorten | sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l) + [ $rc -gt 0 ] && rc=1 + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/480.leapfile-ntpd b/usr.sbin/periodic/etc/daily/480.leapfile-ntpd new file mode 100755 index 000000000000..c7de845ea87d --- /dev/null +++ b/usr.sbin/periodic/etc/daily/480.leapfile-ntpd @@ -0,0 +1,22 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_ntpd_leapfile_enable" in + [Yy][Ee][Ss]) + if service ntpd enabled && service ntpd needfetch; then + anticongestion + service ntpd fetch + fi + ;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/480.status-ntpd b/usr.sbin/periodic/etc/daily/480.status-ntpd new file mode 100755 index 000000000000..f77910befea8 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/480.status-ntpd @@ -0,0 +1,27 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 + +case "$daily_status_ntpd_enable" in + [Yy][Ee][Ss]) + echo "" + echo "NTP status:" + + synchronized=$(ntpq -pn | tee /dev/stderr | grep '^\*') + if [ -z "$synchronized" ]; then + rc=1 + fi + ;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/500.queuerun b/usr.sbin/periodic/etc/daily/500.queuerun new file mode 100755 index 000000000000..cdc4e979b5a8 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/500.queuerun @@ -0,0 +1,35 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_queuerun_enable" in + [Yy][Ee][Ss]) + if [ ! -x /usr/sbin/sendmail ] + then + echo '$daily_queuerun_enable is set but /usr/sbin/sendmail' \ + "isn't executable" + rc=2 + else + /usr/sbin/sendmail -q >/dev/null 2>&1 & + case "$daily_submit_queuerun" in + [Yy][Ee][Ss]) + if [ -f /etc/mail/submit.cf ] + then + /usr/sbin/sendmail -q -Ac >/dev/null 2>&1 & + fi;; + esac + rc=0 + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/510.status-world-kernel b/usr.sbin/periodic/etc/daily/510.status-world-kernel new file mode 100755 index 000000000000..e9ebc0a830a9 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/510.status-world-kernel @@ -0,0 +1,35 @@ +#!/bin/sh +# +# +# Check that the running userland and kernel versions are in sync. + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_world_kernel" in + [Yy][Ee][Ss]) + rc=0 + _U=$(/usr/bin/uname -U 2>/dev/null) + _K=$(/usr/bin/uname -K 2>/dev/null) + [ -z "${_U}" -o -z "${_K}" ] && exit 0 + echo "" + echo "Checking userland and kernel versions:" + if [ "${_U}" != "${_K}" ]; then + echo "Userland and kernel are not in sync" + echo "Userland version: ${_U}" + echo "Kernel version: ${_K}" + rc=1 + else + echo "Userland and kernel are in sync." + fi + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/800.scrub-zfs b/usr.sbin/periodic/etc/daily/800.scrub-zfs new file mode 100755 index 000000000000..3a19c09b4698 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/800.scrub-zfs @@ -0,0 +1,109 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# + +newline=" +" # A single newline + +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +: ${daily_scrub_zfs_default_threshold=35} + +case "$daily_scrub_zfs_enable" in + [Yy][Ee][Ss]) + echo + echo 'Scrubbing of zfs pools:' + + if [ -z "${daily_scrub_zfs_pools}" ]; then + daily_scrub_zfs_pools="$(zpool list -H -o name)" + fi + + rc=0 + for pool in ${daily_scrub_zfs_pools}; do + # sanity check + _status=$(zpool list "${pool}" 2> /dev/null) + if [ $? -ne 0 ]; then + rc=2 + echo " WARNING: pool '${pool}' specified in" + echo " '/etc/periodic.conf:daily_scrub_zfs_pools'" + echo " does not exist" + continue + fi + _status=${_status##*$newline} + case ${_status} in + *FAULTED*) + rc=3 + echo "Skipping faulted pool: ${pool}" + continue ;; + *UNAVAIL*) + rc=4 + echo "Skipping unavailable pool: ${pool}" + continue ;; + esac + + # determine how many days shall be between scrubs + eval _pool_threshold=\${daily_scrub_zfs_$(echo "${pool}"|tr ".:-" "_")_threshold} + if [ -z "${_pool_threshold}" ];then + _pool_threshold=${daily_scrub_zfs_default_threshold} + fi + + _last_scrub=$(zpool history ${pool} | \ + egrep "^[0-9\.\:\-]{19} zpool scrub ${pool}\$" | tail -1 |\ + cut -d ' ' -f 1) + if [ -z "${_last_scrub}" ]; then + # creation time of the pool if no scrub was done + _last_scrub=$(zpool history ${pool} | \ + sed -ne '2s/ .*$//p') + fi + if [ -z "${_last_scrub}" ]; then + echo " skipping scrubbing of pool '${pool}':" + echo " can't get last scrubbing date" + continue + fi + + # Now minus last scrub (both in seconds) converted to days. + _scrub_diff=$(expr -e \( $(date +%s) - \ + $(date -j -v -70M -f %F.%T ${_last_scrub} +%s) \) / 60 / 60 / 24) + if [ ${_scrub_diff} -lt ${_pool_threshold} ]; then + echo " skipping scrubbing of pool '${pool}':" + echo " last scrubbing is ${_scrub_diff} days ago, threshold is set to ${_pool_threshold} days" + continue + fi + + _status="$(zpool status ${pool} | grep scan:)" + case "${_status}" in + *"scrub in progress"*) + echo " scrubbing of pool '${pool}' already in progress, skipping:" + ;; + *"resilver in progress"*) + echo " resilvering of pool '${pool}' is in progress, skipping:" + ;; + *"none requested"*) + echo " starting first scrub (since reboot) of pool '${pool}':" + zpool scrub ${pool} + [ $rc -eq 0 ] && rc=1 + ;; + *) + echo " starting scrub of pool '${pool}':" + zpool scrub ${pool} + [ $rc -eq 0 ] && rc=1 + ;; + esac + + echo " consult 'zpool status ${pool}' for the result" + done + ;; + + *) + rc=0 + ;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/801.trim-zfs b/usr.sbin/periodic/etc/daily/801.trim-zfs new file mode 100755 index 000000000000..17d2ce217c10 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/801.trim-zfs @@ -0,0 +1,59 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# + +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_trim_zfs_enable" in + [Yy][Ee][Ss]) + echo + echo 'Trimming of zfs pools:' + + if [ -z "${daily_trim_zfs_pools}" ]; then + daily_trim_zfs_pools="$(zpool list -H -o name)" + fi + + rc=0 + for pool in ${daily_trim_zfs_pools}; do + # sanity check + _status=$(zpool list -Hohealth "${pool}" 2> /dev/null) + if [ $? -ne 0 ]; then + rc=2 + echo " WARNING: pool '${pool}' specified in" + echo " '/etc/periodic.conf:daily_trim_zfs_pools'" + echo " does not exist" + continue + fi + case ${_status} in + FAULTED) + rc=3 + echo "Skipping faulted pool: ${pool}" + continue ;; + UNAVAIL) + rc=4 + echo "Skipping unavailable pool: ${pool}" + continue ;; + esac + + if ! zpool status "${pool}" | grep -q '(trimming)'; then + echo " starting trim of pool '${pool}'" + zpool trim ${daily_zfs_trim_flags} "${pool}" + else + echo " trim of pool '${pool}' already in progress, skipping" + fi + done + ;; + + *) + rc=0 + ;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/999.local b/usr.sbin/periodic/etc/daily/999.local new file mode 100755 index 000000000000..29c410f416b3 --- /dev/null +++ b/usr.sbin/periodic/etc/daily/999.local @@ -0,0 +1,42 @@ +#!/bin/sh +# +# +# Run the old /etc/daily.local script. This is really for backwards +# compatibility more than anything else. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 +for script in $daily_local +do + echo '' + case "$script" in + /*) + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] + then + echo "Running $script:" + + sh $script || rc=3 + else + echo "$script: No such file" + [ $rc -lt 2 ] && rc=2 + fi;; + *) + echo "$script: Not an absolute path" + [ $rc -lt 2 ] && rc=2;; + esac +done + +exit $rc diff --git a/usr.sbin/periodic/etc/daily/Makefile b/usr.sbin/periodic/etc/daily/Makefile new file mode 100644 index 000000000000..c92b4ed8a6ee --- /dev/null +++ b/usr.sbin/periodic/etc/daily/Makefile @@ -0,0 +1,77 @@ +.include <src.opts.mk> + +PACKAGE= periodic + +CONFGROUPS= CONFS + +CONFS= 100.clean-disks \ + 110.clean-tmps \ + 120.clean-preserve \ + 200.backup-passwd \ + 210.backup-aliases \ + 400.status-disks \ + 410.status-mfi \ + 420.status-network \ + 430.status-uptime \ + 450.status-security \ + 510.status-world-kernel \ + 999.local + +CONFGROUPS+= GEOM +GEOM+= 221.backup-gpart \ + 222.backup-gmirror \ + 401.status-graid \ + 406.status-gmirror \ + 407.status-graid3 \ + 408.status-gstripe \ + 409.status-gconcat +GEOMPACKAGE= geom + +CONFGROUPS+= RCMDS +RCMDS+= 140.clean-rwho +RCMDSPACKAGE= rcmds + +# NB: keep these sorted by MK_* knobs + +.if ${MK_ACCT} != "no" +CONFGROUPS+= ACCT +ACCT+= 310.accounting +ACCTMODE= ${BINMODE} +ACCTPACKAGE= acct +.endif + +.if ${MK_CALENDAR} != "no" +CONFS+= 300.calendar +.endif + +.if ${MK_MAIL} != "no" +CONFS+= 130.clean-msgs +.endif + +.if ${MK_NTP} != "no" +CONFGROUPS+= NTP +NTP+= 480.status-ntpd \ + 480.leapfile-ntpd +NTPMODE= ${BINMODE} +NTPPACKAGE= ntp +.endif + +.if ${MK_SENDMAIL} != "no" +CONFGROUPS+= SENDMAIL +SENDMAIL+= 150.clean-hoststat \ + 440.status-mailq \ + 460.status-mail-rejects \ + 500.queuerun +SENDMAILPACKAGE= sendmail +.endif + +.if ${MK_ZFS} != "no" +CONFGROUPS+= ZFS +ZFS+= 223.backup-zfs \ + 404.status-zfs \ + 800.scrub-zfs \ + 801.trim-zfs +ZFSPACKAGE= zfs +.endif + +.include <bsd.prog.mk> diff --git a/usr.sbin/periodic/etc/monthly/200.accounting b/usr.sbin/periodic/etc/monthly/200.accounting new file mode 100755 index 000000000000..0571bebeabf0 --- /dev/null +++ b/usr.sbin/periodic/etc/monthly/200.accounting @@ -0,0 +1,64 @@ +#!/bin/sh - +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +oldmask=$(umask) +umask 066 +case "$monthly_accounting_enable" in + [Yy][Ee][Ss]) + W=/var/log/utx.log + rc=0 + remove=NO + filetoread=$W.0 + if [ ! -f $W.0 ] + then + if [ -f $W.0.gz ] || [ -f $W.0.bz2 ] || [ -f $W.0.xz ] || [ -f $W.0.zst ] + then + TMP=`mktemp -t accounting` + remove=YES + filetoread=$TMP + if [ -f $W.0.gz ] + then + zcat $W.0.gz > $TMP || rc=1 + elif [ -f $W.0.bz2 ] + then + bzcat $W.0.bz2 > $TMP || rc=1 + elif [ -f $W.0.xz ] + then + xzcat $W.0.xz > $TMP || rc=1 + elif [ -f $W.0.zst ] + then + zstdcat $W.0.zst > $TMP || rc=1 + else + # shouldn't get here, unless something disappeared under us. + rc=2 + fi + else + echo '$monthly_accounting_enable is set but' \ + "$W.0 doesn't exist" + rc=2 + fi + fi + if [ $rc -eq 0 ] + then + echo "" + echo "Doing login accounting:" + + rc=$(ac -p -w $filetoread | sort -nr -k 2 | tee /dev/stderr | wc -l) + [ $rc -gt 0 ] && rc=1 + fi + [ $remove = YES ] && rm -f $TMP;; + + *) rc=0;; +esac + +umask $oldmask +exit $rc diff --git a/usr.sbin/periodic/etc/monthly/450.status-security b/usr.sbin/periodic/etc/monthly/450.status-security new file mode 100755 index 000000000000..ad6312c3cb20 --- /dev/null +++ b/usr.sbin/periodic/etc/monthly/450.status-security @@ -0,0 +1,46 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$monthly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$monthly_status_security_inline" in + [Yy][Ee][Ss]) + monthly_status_security_output="";; + esac + + export security_output="${monthly_status_security_output}" + rc=0 + case "${monthly_status_security_output}" in + "") + if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` + then + periodic security > $tempfile || rc=3 + if [ -s "$tempfile" ]; then + cat "$tempfile" + rc=3 + fi + rm -f "$tempfile" + fi;; + /*) + echo " (output logged separately)" + periodic security || rc=3;; + *) + echo " (output mailed separately)" + periodic security || rc=3;; + esac;; + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/monthly/999.local b/usr.sbin/periodic/etc/monthly/999.local new file mode 100755 index 000000000000..154d8dfe090c --- /dev/null +++ b/usr.sbin/periodic/etc/monthly/999.local @@ -0,0 +1,39 @@ +#!/bin/sh - +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 +for script in $monthly_local +do + echo '' + case "$script" in + /*) + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] + then + echo "Running $script:" + + sh $script || rc=3 + else + echo "$script: No such file" + [ $rc -lt 2 ] && rc=2 + fi;; + *) + echo "$script: Not an absolute path" + [ $rc -lt 2 ] && rc=2;; + esac +done + +exit $rc diff --git a/usr.sbin/periodic/etc/monthly/Makefile b/usr.sbin/periodic/etc/monthly/Makefile new file mode 100644 index 000000000000..a158426c68b2 --- /dev/null +++ b/usr.sbin/periodic/etc/monthly/Makefile @@ -0,0 +1,20 @@ +.include <src.opts.mk> + +PACKAGE= periodic + +CONFGROUPS= CONFS + +CONFS= 450.status-security \ + 999.local + +# NB: keep these sorted by MK_* knobs + +.if ${MK_UTMPX} != "no" +CONFGROUPS+= ACCT +ACCT+= 200.accounting +ACCTDIR= /etc/periodic/monthly +ACCTMODE= ${BINMODE} +ACCTPACKAGE= acct +.endif + +.include <bsd.prog.mk> diff --git a/usr.sbin/periodic/etc/security/100.chksetuid b/usr.sbin/periodic/etc/security/100.chksetuid new file mode 100755 index 000000000000..6ade53a180be --- /dev/null +++ b/usr.sbin/periodic/etc/security/100.chksetuid @@ -0,0 +1,59 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +rc=0 + +if check_yesno_period security_status_chksetuid_enable +then + echo "" + echo 'Checking setuid files and devices:' + IFS=$'\n' # Don't split mount points with spaces or tabs + MP=`mount -t ufs,zfs | awk ' + $0 !~ /no(suid|exec)/ { + sub(/^.* on \//, "/"); + sub(/ \(.*\)/, ""); + print $0 + }'` + find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ + \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ + \( -perm -u+s -or -perm -g+s \) -exec ls -lid -D "%FT%T" \{\} \+ | + check_diff setuid - "${host} setuid diffs:" + rc=$? +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/110.neggrpperm b/usr.sbin/periodic/etc/security/110.neggrpperm new file mode 100755 index 000000000000..41f2713533b0 --- /dev/null +++ b/usr.sbin/periodic/etc/security/110.neggrpperm @@ -0,0 +1,58 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 + +if check_yesno_period security_status_neggrpperm_enable +then + echo "" + echo 'Checking negative group permissions:' + IFS=$'\n' # Don't split mount points with spaces or tabs + MP=`mount -t ufs,zfs | awk ' + $0 !~ /no(suid|exec)/ { + sub(/^.* on \//, "/"); + sub(/ \(.*\)/, ""); + print $0 + }'` + n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ + \( \( ! -perm +010 -and -perm +001 \) -or \ + \( ! -perm +020 -and -perm +002 \) -or \ + \( ! -perm +040 -and -perm +004 \) \) \ + -exec ls -lid -D "%FT%T" \{\} \+ | tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/200.chkmounts b/usr.sbin/periodic/etc/security/200.chkmounts new file mode 100755 index 000000000000..055cf256018a --- /dev/null +++ b/usr.sbin/periodic/etc/security/200.chkmounts @@ -0,0 +1,60 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# Show changes in the way filesystems are mounted +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +ignore="${security_status_chkmounts_ignore}" +rc=0 + +if check_yesno_period security_status_chkmounts_enable +then + case "$security_status_noamd" in + [Yy][Ee][Ss]) + ignore="${ignore}|^amd:" + esac + [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat + if ! [ -f /etc/fstab ]; then + export PATH_FSTAB=/dev/null + fi + mount -p | sort | ${cmd} | + check_diff mount - "${host} changes in mounted filesystems:" + rc=$? +fi + +exit "$rc" diff --git a/usr.sbin/periodic/etc/security/300.chkuid0 b/usr.sbin/periodic/etc/security/300.chkuid0 new file mode 100755 index 000000000000..c73980300d70 --- /dev/null +++ b/usr.sbin/periodic/etc/security/300.chkuid0 @@ -0,0 +1,51 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 + +if check_yesno_period security_status_chkuid0_enable +then + echo "" + echo 'Checking for uids of 0:' + n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | + tee /dev/stderr | + sed -e '/^root 0$/d' -e '/^toor 0$/d' | + wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit "$rc" diff --git a/usr.sbin/periodic/etc/security/400.passwdless b/usr.sbin/periodic/etc/security/400.passwdless new file mode 100755 index 000000000000..3e30e5e9cf5f --- /dev/null +++ b/usr.sbin/periodic/etc/security/400.passwdless @@ -0,0 +1,48 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 + +if check_yesno_period security_status_passwdless_enable +then + echo "" + echo 'Checking for passwordless accounts:' + n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | + tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit "$rc" diff --git a/usr.sbin/periodic/etc/security/410.logincheck b/usr.sbin/periodic/etc/security/410.logincheck new file mode 100755 index 000000000000..a3f3f3f1a21a --- /dev/null +++ b/usr.sbin/periodic/etc/security/410.logincheck @@ -0,0 +1,52 @@ +#!/bin/sh - +# +# Copyright (c) 2006 Tom Rhodes +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 + +if check_yesno_period security_status_logincheck_enable +then + echo "" + echo 'Checking login.conf permissions:' + if [ -G /etc/login.conf -a -O /etc/login.conf ]; then + n=0 + else + echo "Bad ownership of /etc/login.conf" + n=1 + fi + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit "$rc" diff --git a/usr.sbin/periodic/etc/security/500.ipfwdenied b/usr.sbin/periodic/etc/security/500.ipfwdenied new file mode 100755 index 000000000000..3ee7b3aa5cdc --- /dev/null +++ b/usr.sbin/periodic/etc/security/500.ipfwdenied @@ -0,0 +1,51 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +rc=0 + +if check_yesno_period security_status_ipfwdenied_enable +then + TMP=`mktemp -t security` + if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then + check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" + fi + rc=$? + rm -f ${TMP} +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/510.ipfdenied b/usr.sbin/periodic/etc/security/510.ipfdenied new file mode 100755 index 000000000000..b9f468fb96e5 --- /dev/null +++ b/usr.sbin/periodic/etc/security/510.ipfdenied @@ -0,0 +1,51 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +rc=0 + +if check_yesno_period security_status_ipfdenied_enable +then + TMP=`mktemp -t security` + if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then + check_diff new_only ipf ${TMP} "${host} ipf denied packets:" + fi + rc=$? + rm -f ${TMP} +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/520.pfdenied b/usr.sbin/periodic/etc/security/520.pfdenied new file mode 100755 index 000000000000..d87dfa0ae64c --- /dev/null +++ b/usr.sbin/periodic/etc/security/520.pfdenied @@ -0,0 +1,56 @@ +#!/bin/sh - +# +# Copyright (c) 2004 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +rc=0 + +if check_yesno_period security_status_pfdenied_enable +then + TMP=`mktemp -t security` + for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) $(pfctl -a "blocklistd" -sA 2>/dev/null) ${security_status_pfdenied_additionalanchors} + do + pfctl -a "${_a}" -sr -v -z 2>/dev/null | \ + nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} + done + if [ -s ${TMP} ]; then + check_diff new_only pf ${TMP} "${host} pf denied packets:" + fi + rc=$? + rm -f ${TMP} +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/550.ipfwlimit b/usr.sbin/periodic/etc/security/550.ipfwlimit new file mode 100755 index 000000000000..8382c12df22f --- /dev/null +++ b/usr.sbin/periodic/etc/security/550.ipfwlimit @@ -0,0 +1,66 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# Show ipfw rules which have reached the log limit +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 + +if check_yesno_period security_status_ipfwlimit_enable +then + IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` + if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then + exit 0 + fi + TMP=`mktemp -t security` + ipfw -a list | grep " log " | \ + grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ + awk \ + '{if ($6 == "logamount") { + if ($2 > $7) + {print $0}} + }' > ${TMP} + + if [ -s "${TMP}" ]; then + rc=1 + echo "" + echo 'ipfw log limit reached:' + cat ${TMP} + fi + rm -f ${TMP} +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/610.ipf6denied b/usr.sbin/periodic/etc/security/610.ipf6denied new file mode 100755 index 000000000000..e1db7611557b --- /dev/null +++ b/usr.sbin/periodic/etc/security/610.ipf6denied @@ -0,0 +1,51 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +rc=0 + +if check_yesno_period security_status_ipf6denied_enable +then + TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` + if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then + check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" + fi + rc=$? + rm -f ${TMP} +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/700.kernelmsg b/usr.sbin/periodic/etc/security/700.kernelmsg new file mode 100755 index 000000000000..016bfbef36d0 --- /dev/null +++ b/usr.sbin/periodic/etc/security/700.kernelmsg @@ -0,0 +1,51 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# Show kernel log messages +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +. /etc/periodic/security/security.functions + +rc=0 + +if check_yesno_period security_status_kernelmsg_enable +then + dmesg 2>/dev/null | + check_diff new_only dmesg - "${host} kernel log messages:" + rc=$? +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/800.loginfail b/usr.sbin/periodic/etc/security/800.loginfail new file mode 100755 index 000000000000..19bf9a4b3b91 --- /dev/null +++ b/usr.sbin/periodic/etc/security/800.loginfail @@ -0,0 +1,65 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# Show login failures +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +LOG="${security_status_logdir}" + +yesterday=`date -v-1d "+%b %e "` + +catmsgs() { + find ${LOG} -name 'auth.log.*' -mtime -2 | + sort -t. -r -n -k 2,2 | + while read f + do + zcat -f $f + done + [ -f ${LOG}/auth.log ] && cat $LOG/auth.log +} + +rc=0 + +if check_yesno_period security_status_loginfail_enable +then + echo "" + echo "${host} login failures:" + n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | + tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/900.tcpwrap b/usr.sbin/periodic/etc/security/900.tcpwrap new file mode 100755 index 000000000000..bbbc04a03988 --- /dev/null +++ b/usr.sbin/periodic/etc/security/900.tcpwrap @@ -0,0 +1,65 @@ +#!/bin/sh - +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# Show tcp_wrapper warning messages +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +LOG="${security_status_logdir}" + +yesterday=`date -v-1d "+%b %e "` + +catmsgs() { + find ${LOG} -name 'messages.*' -mtime -2 | + sort -t. -r -n -k 2,2 | + while read f + do + zcat -f $f + done + [ -f ${LOG}/messages ] && cat $LOG/messages +} + +rc=0 + +if check_yesno_period security_status_tcpwrap_enable +then + echo "" + echo "${host} refused connections:" + n=$(catmsgs | grep -i "^$yesterday.*refused connect" | + tee /dev/stderr | wc -l) + [ $n -gt 0 ] && rc=1 || rc=0 +fi + +exit $rc diff --git a/usr.sbin/periodic/etc/security/Makefile b/usr.sbin/periodic/etc/security/Makefile new file mode 100644 index 000000000000..c153523d7c39 --- /dev/null +++ b/usr.sbin/periodic/etc/security/Makefile @@ -0,0 +1,48 @@ +.include <src.opts.mk> + +PACKAGE= periodic + +CONFGROUPS= CONFS DATA + +CONFS= 100.chksetuid \ + 110.neggrpperm \ + 200.chkmounts \ + 300.chkuid0 \ + 400.passwdless \ + 410.logincheck \ + 700.kernelmsg \ + 800.loginfail + +DATA= security.functions +DATAMODE= 444 +DATAPACKAGE= periodic + +# NB: keep these sorted by MK_* knobs + +.if ${MK_IPFILTER} != "no" +CONFGROUPS+= IPFILTER +IPFILTER+= 510.ipfdenied +IPFILTER+= 610.ipf6denied +IPFILTERPACKAGE= ipf +.endif + +.if ${MK_IPFW} != "no" +CONFGROUPS+= IPFW +IPFW+= 500.ipfwdenied \ + 550.ipfwlimit +IPFWPACKAGE= ipfw +.endif + +.if ${MK_PF} != "no" +CONFGROUPS+= PF +PF+= 520.pfdenied +PFPACKAGE= pf +.endif + +.if ${MK_INETD} != "no" && ${MK_TCP_WRAPPERS} != "no" +CONFGROUPS+= TCPWRAP +TCPWRAP+= 900.tcpwrap +TCPWRAPPACKAGE= tcpd +.endif + +.include <bsd.prog.mk> diff --git a/usr.sbin/periodic/etc/security/security.functions b/usr.sbin/periodic/etc/security/security.functions new file mode 100644 index 000000000000..c3ff6eb69391 --- /dev/null +++ b/usr.sbin/periodic/etc/security/security.functions @@ -0,0 +1,83 @@ +#!/bin/sh +# +# Copyright (c) 2001 The FreeBSD Project +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# + +# This is a library file, so we only try to do something when sourced. +case "$0" in +*/security.functions) exit 0 ;; +esac + +# +# Show differences in the output of an audit command +# + +LOG="${security_status_logdir}" +rc=0 + +# Usage: COMMAND | check_diff [new_only] LABEL - MSG +# COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG +# if $1 is new_only, show only the 'new' part of the diff. +# LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files. + +check_diff() { + unset IFS + rc=0 + if [ "$1" = "new_only" ]; then + shift + filter="grep '^[>+][^+]'" + else + filter="cat" + fi + label="$1"; shift + tmpf="$1"; shift + msg="$1"; shift + + if [ "${tmpf}" = "-" ]; then + tmpf=`mktemp -t security` + cat > ${tmpf} + fi + + if [ ! -f ${LOG}/${label}.today ]; then + rc=1 + echo "" + echo "No ${LOG}/${label}.today" + cp ${tmpf} ${LOG}/${label}.today || rc=3 + fi + + if ! cmp -s ${LOG}/${label}.today ${tmpf} >/dev/null; then + [ $rc -lt 1 ] && rc=1 + echo "" + echo "${msg}" + diff ${security_status_diff_flags} ${LOG}/${label}.today \ + ${tmpf} | eval "${filter}" + mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 + mv ${tmpf} ${LOG}/${label}.today || rc=3 + fi + + rm -f ${tmpf} + exit ${rc} +} diff --git a/usr.sbin/periodic/etc/weekly/310.locate b/usr.sbin/periodic/etc/weekly/310.locate new file mode 100755 index 000000000000..84c0d69610e1 --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/310.locate @@ -0,0 +1,32 @@ +#!/bin/sh - +# +# + +# If there is a global system configuration file, read it. +# +if [ -r /etc/defaults/periodic.conf ]; then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_locate_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Rebuilding locate database:" + + . /etc/locate.rc + : "${FCODES:=/var/db/locate.database}" + locdb="$FCODES" + + touch "$locdb" && rc=0 || rc=3 + chown nobody "$locdb" || rc=3 + chmod 644 "$locdb" || rc=3 + + cd / + echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3 + chmod 444 "$locdb" || rc=3;; + + *) rc=0;; +esac + +exit "$rc" diff --git a/usr.sbin/periodic/etc/weekly/320.whatis b/usr.sbin/periodic/etc/weekly/320.whatis new file mode 100755 index 000000000000..22d9070a4dbb --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/320.whatis @@ -0,0 +1,50 @@ +#!/bin/sh - +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_whatis_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Rebuilding whatis database:" + + MANPATH=`/usr/bin/manpath -q` + if [ $? = 0 ] + then + if [ -z "${MANPATH}" ] + then + echo "manpath failed to find any manpage directories" + rc=3 + else + man_locales=`/usr/bin/manpath -qL` + rc=0 + + # Build whatis(1) database(s) for original, non-localized + # manpages. + /usr/libexec/makewhatis.local "${MANPATH}" || rc=3 + + # Build whatis(1) database(s) for localized manpages. + if [ X"${man_locales}" != X ] + then + for i in ${man_locales} + do + LC_ALL=$i /usr/libexec/makewhatis.local -a \ + -L "${MANPATH}" || rc=3 + done + fi + fi + else + rc=3 + fi;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/340.noid b/usr.sbin/periodic/etc/weekly/340.noid new file mode 100755 index 000000000000..6151840ea3c2 --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/340.noid @@ -0,0 +1,57 @@ +#!/bin/sh - +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_noid_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Check for files with an unknown user or group:" + + # Host should not test jailed subtrees as jails have their own + # databases of users and groups. Leave them for jailed invocations + # of this script. + + exclude='' + if [ $(sysctl -n security.jail.jailed) = 0 ]; then + # For jail_conf + . /etc/rc.subr + load_rc_config jail + + sep=: + OIFS="$IFS" + IFS="$sep" + for param in $(jail -f "$jail_conf" -e "$sep" 2>/dev/null) + do + case "$param" in + path=*) + _p=${param#path=} + if [ -z "$_p" -o "$_p" = / ]; then + continue + fi + + exclude="$exclude -path $_p -prune -or" + ;; + esac + done + IFS="$OIFS" + fi + + rc=$(find -H ${weekly_noid_dirs:-/} \ + \( $exclude ! -fstype local -prune -or -name \* \) -and \ + \( -nogroup -o -nouser \) -print | sed 's/^/ /' | + tee /dev/stderr | wc -l) + [ $rc -gt 1 ] && rc=1 + ;; + + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/450.status-security b/usr.sbin/periodic/etc/weekly/450.status-security new file mode 100755 index 000000000000..8bb0c02859c4 --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/450.status-security @@ -0,0 +1,46 @@ +#!/bin/sh +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$weekly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$weekly_status_security_inline" in + [Yy][Ee][Ss]) + weekly_status_security_output="";; + esac + + export security_output="${weekly_status_security_output}" + rc=0 + case "${weekly_status_security_output}" in + "") + if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` + then + periodic security > $tempfile || rc=3 + if [ -s "$tempfile" ]; then + cat "$tempfile" + rc=3 + fi + rm -f "$tempfile" + fi;; + /*) + echo " (output logged separately)" + periodic security || rc=3;; + *) + echo " (output mailed separately)" + periodic security || rc=3;; + esac;; + *) rc=0;; +esac + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/999.local b/usr.sbin/periodic/etc/weekly/999.local new file mode 100755 index 000000000000..c53e9113cbd2 --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/999.local @@ -0,0 +1,39 @@ +#!/bin/sh - +# +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 +for script in $weekly_local +do + echo '' + case "$script" in + /*) + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] + then + echo "Running $script:" + + sh $script || rc=3 + else + echo "$script: No such file" + [ $rc -lt 2 ] && rc=2 + fi;; + *) + echo "$script: Not an absolute path" + [ $rc -lt 2 ] && rc=2;; + esac +done + +exit $rc diff --git a/usr.sbin/periodic/etc/weekly/Makefile b/usr.sbin/periodic/etc/weekly/Makefile new file mode 100644 index 000000000000..d194a988acf0 --- /dev/null +++ b/usr.sbin/periodic/etc/weekly/Makefile @@ -0,0 +1,19 @@ +.include <src.opts.mk> + +PACKAGE= periodic + +CONFS= 340.noid \ + 450.status-security \ + 999.local + +# NB: keep these sorted by MK_* knobs + +.if ${MK_LOCATE} != "no" +CONFS+= 310.locate +.endif + +.if ${MK_MAN_UTILS} != "no" +CONFS+= 320.whatis +.endif + +.include <bsd.prog.mk> |