Index: head/etc/Makefile
===================================================================
--- head/etc/Makefile
+++ head/etc/Makefile
@@ -178,7 +178,6 @@
 .if ${MK_NTP} != "no"
 ${_+_}cd ${.CURDIR}/ntp; ${MAKE} install
 .endif
- ${_+_}cd ${.CURDIR}/periodic; ${MAKE} install
 ${_+_}cd ${SRCTOP}/share/termcap; ${MAKE} etc-termcap
 ${_+_}cd ${.CURDIR}/syslog.d; ${MAKE} install
 ${_+_}cd ${SRCTOP}/usr.sbin/rmt; ${MAKE} etc-rmt
Index: head/etc/defaults/Makefile
===================================================================
--- head/etc/defaults/Makefile
+++ head/etc/defaults/Makefile
@@ -2,7 +2,7 @@
 .include
-FILES= devfs.rules periodic.conf
+FILES= devfs.rules
 FILESDIR= /etc/defaults
 .if ${MK_BLUETOOTH} != "no"
Index: head/etc/defaults/periodic.conf
===================================================================
--- head/etc/defaults/periodic.conf
+++ head/etc/defaults/periodic.conf
@@ -1,407 +0,0 @@ -#!/bin/sh -# -# This is defaults/periodic.conf - a file full of useful variables that -# you can set to change the default behaviour of periodic jobs on your -# system. You should not edit this file! Put any overrides into one of the -# $periodic_conf_files instead and you will be able to update these defaults -# later without spamming your local configuration information. -# -# The $periodic_conf_files files should only contain values which override -# values set in this file. This eases the upgrade path when defaults -# are changed and new features are added. -# -# For a more detailed explanation of all the periodic.conf variables, please -# refer to the periodic.conf(5) manual page. -# -# $FreeBSD$ -# - -# What files override these defaults ? -periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local" - -# periodic script dirs -local_periodic="/usr/local/etc/periodic" - -# Max time to sleep to avoid causing congestion on download servers -anticongestion_sleeptime=3600 - -# Daily options - -# These options are used by periodic(8) itself to determine what to do -# with the output of the sub-programs that are run, and where to send -# that output. 
$daily_output might be set to /var/log/daily.log if you -# wish to log the daily output and have the files rotated by newsyslog(8) -# -daily_output="root" # user or /file -daily_show_success="YES" # scripts returning 0 -daily_show_info="YES" # scripts returning 1 -daily_show_badconfig="NO" # scripts returning 2 - -# 100.clean-disks -daily_clean_disks_enable="NO" # Delete files daily -daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*" -daily_clean_disks_days=3 # If older than this -daily_clean_disks_verbose="YES" # Mention files deleted - -# 110.clean-tmps -daily_clean_tmps_enable="NO" # Delete stuff daily -daily_clean_tmps_dirs="/tmp" # Delete under here -daily_clean_tmps_days="3" # If not accessed for -daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix" -daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap" -daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal" - # Don't delete these -daily_clean_tmps_verbose="YES" # Mention files deleted - -# 120.clean-preserve -daily_clean_preserve_enable="YES" # Delete files daily -daily_clean_preserve_days=7 # If not modified for -daily_clean_preserve_verbose="YES" # Mention files deleted - -# 130.clean-msgs -daily_clean_msgs_enable="YES" # Delete msgs daily -daily_clean_msgs_days= # If not modified for - -# 140.clean-rwho -daily_clean_rwho_enable="YES" # Delete rwho daily -daily_clean_rwho_days=7 # If not modified for -daily_clean_rwho_verbose="YES" # Mention files deleted - -# 150.clean-hoststat -daily_clean_hoststat_enable="YES" # Purge sendmail host - # status cache daily - -# 200.backup-passwd -daily_backup_passwd_enable="YES" # Backup passwd & group - -# 210.backup-aliases -daily_backup_aliases_enable="YES" # Backup mail aliases - -# 300.calendar -daily_calendar_enable="NO" # Run calendar -a - -# 310.accounting -daily_accounting_enable="YES" # Rotate acct files -daily_accounting_compress="NO" # Gzip rotated files -daily_accounting_flags=-q # 
Flags to /usr/sbin/sa -daily_accounting_save=3 # How many files to save - -# 330.news -daily_news_expire_enable="YES" # Run news.expire - -# 400.status-disks -daily_status_disks_enable="YES" # Check disk status -daily_status_disks_df_flags="-l -h" # df(1) flags for check - -# 401.status-graid -daily_status_graid_enable="NO" # Check graid(8) - -# 404.status-zfs -daily_status_zfs_enable="NO" # Check ZFS -daily_status_zfs_zpool_list_enable="YES" # List ZFS pools - -# 406.status-gmirror -daily_status_gmirror_enable="NO" # Check gmirror(8) - -# 407.status-graid3 -daily_status_graid3_enable="NO" # Check graid3(8) - -# 408.status-gstripe -daily_status_gstripe_enable="NO" # Check gstripe(8) - -# 409.status-gconcat -daily_status_gconcat_enable="NO" # Check gconcat(8) - -# 410.status-mfi -daily_status_mfi_enable="NO" # Check mfiutil(8) - -# 420.status-network -daily_status_network_enable="YES" # Check network status -daily_status_network_usedns="YES" # DNS lookups are ok -daily_status_network_netstat_flags="-d" # netstat(1) flags - -# 430.status-uptime -daily_status_uptime_enable="YES" # Check system uptime - -# 440.status-mailq -daily_status_mailq_enable="YES" # Check mail status -daily_status_mailq_shorten="NO" # Shorten output -daily_status_include_submit_mailq="YES" # Also submit queue - -# 450.status-security -daily_status_security_enable="YES" # Security check -# See also "Security options" below for more options -daily_status_security_inline="NO" # Run inline ? 
-daily_status_security_output="root" # user or /file - -# 460.status-mail-rejects -daily_status_mail_rejects_enable="YES" # Check mail rejects -daily_status_mail_rejects_logs=3 # How many logs to check -daily_status_mail_rejects_shorten="NO" # Shorten output - -# 480.leapfile-ntpd -daily_ntpd_leapfile_enable="YES" # Fetch NTP leapfile - -# 480.status-ntpd -daily_status_ntpd_enable="NO" # Check NTP status - -# 500.queuerun -daily_queuerun_enable="YES" # Run mail queue -daily_submit_queuerun="YES" # Also submit queue - -# 510.status-world-kernel -daily_status_world_kernel="YES" # Check the running - # userland/kernel version - -# 800.scrub-zfs -daily_scrub_zfs_enable="NO" -daily_scrub_zfs_pools="" # empty string selects all pools -daily_scrub_zfs_default_threshold="35" # days between scrubs -#daily_scrub_zfs_${poolname}_threshold="35" # pool specific threshold - -# 999.local -daily_local="/etc/daily.local" # Local scripts - - -# Weekly options - -# These options are used by periodic(8) itself to determine what to do -# with the output of the sub-programs that are run, and where to send -# that output. $weekly_output might be set to /var/log/weekly.log if you -# wish to log the weekly output and have the files rotated by newsyslog(8) -# -weekly_output="root" # user or /file -weekly_show_success="YES" # scripts returning 0 -weekly_show_info="YES" # scripts returning 1 -weekly_show_badconfig="NO" # scripts returning 2 - -# 310.locate -weekly_locate_enable="YES" # Update locate weekly - -# 320.whatis -weekly_whatis_enable="YES" # Update whatis weekly - -# 340.noid -weekly_noid_enable="NO" # Find unowned files -weekly_noid_dirs="/" # Look here - -# 450.status-security -weekly_status_security_enable="YES" # Security check -# See also "Security options" above for more options -weekly_status_security_inline="NO" # Run inline ? 
-weekly_status_security_output="root" # user or /file - -# 999.local -weekly_local="/etc/weekly.local" # Local scripts - - -# Monthly options - -# These options are used by periodic(8) itself to determine what to do -# with the output of the sub-programs that are run, and where to send -# that output. $monthly_output might be set to /var/log/monthly.log if you -# wish to log the monthly output and have the files rotated by newsyslog(8) -# -monthly_output="root" # user or /file -monthly_show_success="YES" # scripts returning 0 -monthly_show_info="YES" # scripts returning 1 -monthly_show_badconfig="NO" # scripts returning 2 - -# 200.accounting -monthly_accounting_enable="YES" # Login accounting - -# 450.status-security -monthly_status_security_enable="YES" # Security check -# See also "Security options" above for more options -monthly_status_security_inline="NO" # Run inline ? -monthly_status_security_output="root" # user or /file - -# 999.local -monthly_local="/etc/monthly.local" # Local scripts - - -# Security options - -security_show_success="YES" # scripts returning 0 -security_show_info="YES" # scripts returning 1 -security_show_badconfig="NO" # scripts returning 2 - -# These options are used by the security periodic(8) scripts spawned in -# daily and weekly 450.status-security. -security_status_logdir="/var/log" # Directory for logs -security_status_diff_flags="-b -u" # flags for diff output - -# Each of the security_status_*_period options below can have one of the -# following values: -# - NO: do not run at all -# - daily: only run during the daily security status -# - weekly: only run during the weekly security status -# - monthly: only run during the monthly security status -# Note that if periodic security scripts are run from crontab(5) directly, -# they will be run unless _enable or _period is set to "NO". 
- -# 100.chksetuid -security_status_chksetuid_enable="YES" -security_status_chksetuid_period="daily" - -# 110.neggrpperm -security_status_neggrpperm_enable="YES" -security_status_neggrpperm_period="daily" - -# 200.chkmounts -security_status_chkmounts_enable="YES" -security_status_chkmounts_period="daily" -#security_status_chkmounts_ignore="^amd:" # Don't check matching - # FS types -security_status_noamd="NO" # Don't check amd mounts - -# 300.chkuid0 -security_status_chkuid0_enable="YES" -security_status_chkuid0_period="daily" - -# 400.passwdless -security_status_passwdless_enable="YES" -security_status_passwdless_period="daily" - -# 410.logincheck -security_status_logincheck_enable="YES" -security_status_logincheck_period="daily" - -# 500.ipfwdenied -security_status_ipfwdenied_enable="YES" -security_status_ipfwdenied_period="daily" - -# 510.ipfdenied -security_status_ipfdenied_enable="YES" -security_status_ipfdenied_period="daily" - -# 520.pfdenied -security_status_pfdenied_enable="YES" -security_status_pfdenied_period="daily" - -# 550.ipfwlimit -security_status_ipfwlimit_enable="YES" -security_status_ipfwlimit_period="daily" - -# 610.ipf6denied -security_status_ipf6denied_enable="YES" -security_status_ipf6denied_period="daily" - -# 700.kernelmsg -security_status_kernelmsg_enable="YES" -security_status_kernelmsg_period="daily" - -# 800.loginfail -security_status_loginfail_enable="YES" -security_status_loginfail_period="daily" - -# 900.tcpwrap -security_status_tcpwrap_enable="YES" -security_status_tcpwrap_period="daily" - - - -# Define source_periodic_confs, the mechanism used by /etc/periodic/*/* -# scripts to source defaults/periodic.conf overrides safely. - -if [ -z "${source_periodic_confs_defined}" ]; then - source_periodic_confs_defined=yes - - # Sleep for a random amount of time in order to mitigate the thundering - # herd problem of multiple hosts running periodic simultaneously. - # Will not sleep when used interactively. 
- # Will sleep at most once per invocation of periodic - anticongestion() { - [ -n "$PERIODIC_IS_INTERACTIVE" ] && return - if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then - rm -f $PERIODIC_ANTICONGESTION_FILE - sleep `jot -r 1 0 ${anticongestion_sleeptime}` - fi - } - - # Compatibility with old daily variable names. - # They can be removed in stable/11. - security_daily_compat_var() { - local var=$1 dailyvar value - - dailyvar=daily_status_security${var#security_status} - periodvar=${var%enable}period - eval value=\"\$$dailyvar\" - [ -z "$value" ] && return - echo "Warning: Variable \$$dailyvar is deprecated," \ - "use \$$var instead." >&2 - case "$value" in - [Yy][Ee][Ss]) - eval $var=YES - eval $periodvar=daily - ;; - *) - eval $var=\"$value\" - ;; - esac - } - - check_yesno_period() { - local var="$1" periodvar value period - - eval value=\"\$$var\" - case "$value" in - [Yy][Ee][Ss]) ;; - *) return 1 ;; - esac - - periodvar=${var%enable}period - eval period=\"\$$periodvar\" - case "$PERIODIC" in - "security daily") - case "$period" in - [Dd][Aa][Ii][Ll][Yy]) return 0 ;; - *) return 1 ;; - esac - ;; - "security weekly") - case "$period" in - [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;; - *) return 1 ;; - esac - ;; - "security monthly") - case "$period" in - [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;; - *) return 1 ;; - esac - ;; - security) - # Run directly from crontab(5). - case "$period" in - [Nn][Oo]) return 1 ;; - *) return 0 ;; - esac - ;; - '') - # Script run manually. - return 0 - ;; - *) - echo "ASSERTION FAILED: Unexpected value for" \ - "\$PERIODIC: '$PERIODIC'" >&2 - exit 127 - ;; - esac - } - - source_periodic_confs() { - local i sourced_files - - for i in ${periodic_conf_files}; do - case ${sourced_files} in - *:$i:*) - ;; - *) - sourced_files="${sourced_files}:$i:" - [ -r $i ] && . 
$i - ;; - esac - done - } -fi Index: head/etc/periodic/Makefile =================================================================== --- head/etc/periodic/Makefile +++ head/etc/periodic/Makefile @@ -1,6 +0,0 @@ -# $FreeBSD$ - -SUBDIR= daily security weekly monthly -SUBDIR_PARALLEL= - -.include Index: head/etc/periodic/Makefile.inc =================================================================== --- head/etc/periodic/Makefile.inc +++ head/etc/periodic/Makefile.inc @@ -1,5 +0,0 @@ -# $FreeBSD$ - -BINDIR= /etc/periodic/${.CURDIR:T} -NO_OBJ= -FILESMODE= 755 Index: head/etc/periodic/daily/100.clean-disks =================================================================== --- head/etc/periodic/daily/100.clean-disks +++ head/etc/periodic/daily/100.clean-disks 
@@ -1,55 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Remove garbage files more than $daily_clean_disks_days days old -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_clean_disks_enable" in - [Yy][Ee][Ss]) - if [ -z "$daily_clean_disks_days" ] - then - echo '$daily_clean_disks_enable is set but' \ - '$daily_clean_disks_days is not' - rc=2 - elif [ -z "$daily_clean_disks_files" ] - then - echo '$daily_clean_disks_enable is set but' \ - '$daily_clean_disks_files is not' - rc=2 - else - echo "" - echo "Cleaning disks:" - set -f noglob - args="-name "`echo "$daily_clean_disks_files" | - sed -e 's/^[ ]*//' \ - -e 's/[ ]*$//' \ - -e 's/[ ][ ]*/ -o -name /g'` - - case "$daily_clean_disks_verbose" in - [Yy][Ee][Ss]) - print=-print;; - *) - print=;; - esac - - rc=$(find / \( ! -fstype local -o -fstype rdonly \) -prune -o \ - \( $args \) -atime +$daily_clean_disks_days \ - -execdir rm -df {} \; $print | tee /dev/stderr | wc -l) - [ -z "$print" ] && rc=0 - [ $rc -gt 1 ] && rc=1 - set -f glob - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/110.clean-tmps =================================================================== --- head/etc/periodic/daily/110.clean-tmps +++ head/etc/periodic/daily/110.clean-tmps 
@@ -1,60 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Perform temporary directory cleaning so that long-lived systems -# don't end up with excessively old files there. -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_clean_tmps_enable" in - [Yy][Ee][Ss]) - if [ -z "$daily_clean_tmps_days" ] - then - echo '$daily_clean_tmps_enable is set but' \ - '$daily_clean_tmps_days is not' - rc=2 - else - echo "" - echo "Removing old temporary files:" - - set -f noglob - args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days" - args="${args} -ctime +$daily_clean_tmps_days" - dargs="-empty -mtime +$daily_clean_tmps_days" - [ -n "$daily_clean_tmps_ignore" ] && { - args="$args "`echo " ${daily_clean_tmps_ignore% }" | - sed 's/[ ][ ]*/ ! -name /g'` - dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" | - sed 's/[ ][ ]*/ ! -name /g'` - } - case "$daily_clean_tmps_verbose" in - [Yy][Ee][Ss]) - print=-print;; - *) - print=;; - esac - - rc=$(for dir in $daily_clean_tmps_dirs - do - [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && { - find -x -d . -type f $args -delete $print - find -x -d . ! -name . -type d $dargs -delete $print - } | sed "s,^\\., $dir," - done | tee /dev/stderr | wc -l) - [ -z "$print" ] && rc=0 - [ $rc -gt 1 ] && rc=1 - set -f glob - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/120.clean-preserve =================================================================== --- head/etc/periodic/daily/120.clean-preserve +++ head/etc/periodic/daily/120.clean-preserve 
@@ -1,53 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Remove stale files in /var/preserve -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_clean_preserve_enable" in - [Yy][Ee][Ss]) - if [ -z "$daily_clean_preserve_days" ] - then - echo '$daily_clean_preserve_enable is set but' \ - '$daily_clean_preserve_days is not' - rc=2 - elif [ ! -d /var/preserve ] - then - echo '$daily_clean_preserve_enable is set but /var/preserve' \ - "doesn't exist" - rc=2 - else - echo "" - echo "Removing stale files from /var/preserve:" - - if cd /var/preserve - then - case "$daily_clean_preserve_verbose" in - [Yy][Ee][Ss]) - print=-print;; - *) - print=;; - esac - - rc=$(find . ! -name . -mtime +$daily_clean_preserve_days \ - -delete $print | tee /dev/stderr | wc -l) - [ -z "$print" ] && rc=0 - [ $rc -gt 1 ] && rc=1 - else - rc=3 - fi - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/130.clean-msgs =================================================================== --- head/etc/periodic/daily/130.clean-msgs +++ head/etc/periodic/daily/130.clean-msgs 
@@ -1,35 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Remove system messages -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_clean_msgs_enable" in - [Yy][Ee][Ss]) - if [ ! -d /var/msgs ] - then - echo '$daily_clean_msgs_enable is set but /var/msgs' \ - "doesn't exist" - rc=2 - else - echo "" - echo "Cleaning out old system announcements:" - - [ -n "$daily_clean_msgs_days" ] && - arg=-${daily_clean_msgs_days#-} || arg= - msgs -c $arg && rc=0 || rc=3 - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/140.clean-rwho =================================================================== --- head/etc/periodic/daily/140.clean-rwho +++ head/etc/periodic/daily/140.clean-rwho 
@@ -1,53 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Remove stale files in /var/rwho -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_clean_rwho_enable" in - [Yy][Ee][Ss]) - if [ -z "$daily_clean_rwho_days" ] - then - echo '$daily_clean_rwho_enable is enabled but' \ - '$daily_clean_rwho_days is not set' - rc=2 - elif [ ! -d /var/rwho ] - then - echo '$daily_clean_rwho_enable is enabled but /var/rwho' \ - "doesn't exist" - rc=2 - else - echo "" - echo "Removing stale files from /var/rwho:" - - case "$daily_clean_rwho_verbose" in - [Yy][Ee][Ss]) - print=-print;; - *) - print=;; - esac - - if cd /var/rwho - then - rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \ - -delete $print | tee /dev/stderr | wc -l) - [ -z "$print" ] && rc=0 - [ $rc -gt 1 ] && rc=1 - else - rc=3 - fi - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/150.clean-hoststat =================================================================== --- head/etc/periodic/daily/150.clean-hoststat +++ head/etc/periodic/daily/150.clean-hoststat @@ -1,29 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Remove stale persistent host status files -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ]; then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_clean_hoststat_enable" in - [Yy][Ee][Ss]) - if [ -z "$(hoststat 2>&1)" ]; then - rc=2 - else - echo "" - echo "Removing stale entries from sendmail host status cache:" - rc=0 - purgestat || rc=1 - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/200.backup-passwd =================================================================== --- head/etc/periodic/daily/200.backup-passwd +++ head/etc/periodic/daily/200.backup-passwd 
@@ -1,77 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_backup_passwd_enable" in - [Yy][Ee][Ss]) - if [ ! -f /etc/master.passwd ] - then - echo '$daily_backup_passwd_enable" is set but /etc/master.passwd' \ - "doesn't exist" - rc=2 - elif [ ! -f /etc/group ] - then - echo '$daily_backup_passwd_enable" is set but /etc/group' \ - "doesn't exist" - rc=2 - else - bak=/var/backups - rc=0 - - echo "" - echo "Backup passwd and group files:" - - if [ ! -f $bak/master.passwd.bak ] - then - rc=1 - echo "no $bak/master.passwd.bak" - cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3 - fi - - if ! cmp -s $bak/master.passwd.bak /etc/master.passwd - then - [ $rc -lt 1 ] && rc=1 - echo "$host passwd diffs:" - diff -uI '^#' $bak/master.passwd.bak /etc/master.passwd |\ - sed 's/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/' - mv $bak/master.passwd.bak $bak/master.passwd.bak2 - cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3 - fi - - if [ ! -f $bak/group.bak ] - then - [ $rc -lt 1 ] && rc=1 - echo "no $bak/group.bak" - cp -p /etc/group $bak/group.bak || rc=3 - fi - - if ! cmp -s $bak/group.bak /etc/group - then - [ $rc -lt 1 ] && rc=1 - echo "$host group diffs:" - diff -u $bak/group.bak /etc/group - mv $bak/group.bak $bak/group.bak2 - cp -p /etc/group $bak/group.bak || rc=3 - fi - - if [ -f /etc/group ] - then - echo "" - echo "Verifying group file syntax:" - chkgrp /etc/group || rc=3 - fi - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/210.backup-aliases =================================================================== --- head/etc/periodic/daily/210.backup-aliases +++ head/etc/periodic/daily/210.backup-aliases 
@@ -1,47 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_backup_aliases_enable" in - [Yy][Ee][Ss]) - if [ ! -f /etc/mail/aliases ] - then - echo '$daily_backup_aliases_enable is enabled but' \ - "/etc/mail/aliases doesn't exist" - rc=2 - else - bak=/var/backups - rc=0 - - echo "" - echo "Backing up mail aliases:" - - if [ ! -f $bak/aliases.bak ] - then - echo "no $bak/aliases.bak" - cp -p /etc/mail/aliases $bak/aliases.bak || rc=3 - fi - - if ! cmp -s $bak/aliases.bak /etc/mail/aliases - then - [ $rc -lt 1 ] && rc=1 - echo "$host aliases diffs:" - diff -u $bak/aliases.bak /etc/mail/aliases - mv $bak/aliases.bak $bak/aliases.bak2 - cp -p /etc/mail/aliases $bak/aliases.bak || rc=3 - fi - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/300.calendar =================================================================== --- head/etc/periodic/daily/300.calendar +++ head/etc/periodic/daily/300.calendar @@ -1,29 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# `calendar -a' needs to die. Why? Because it's a bad idea, particular -# with networked home directories, but also in general. If you want the -# output of `calendar' mailed to you, set up a cron job to do it, -# or run it from your ~/.profile or ~/.login. -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_calendar_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Running calendar:" - - calendar -a && rc=0 || rc=3;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/310.accounting =================================================================== --- head/etc/periodic/daily/310.accounting +++ head/etc/periodic/daily/310.accounting 
@@ -1,65 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_accounting_enable" in - [Yy][Ee][Ss]) - if [ ! -f /var/account/acct ] - then - echo '$daily_accounting_enable is set but /var/account/acct' \ - "doesn't exist" - rc=2 - elif [ -z "$daily_accounting_save" ] - then - echo '$daily_accounting_enable is set but ' \ - '$daily_accounting_save is not' - rc=2 - else - echo "" - echo "Rotating accounting logs and gathering statistics:" - - cd /var/account - rc=0 - - n=$(( $daily_accounting_save - 1 )) - for f in acct.*; do - case "$f" in acct.\*) continue ;; esac # No files match - m=${f%.gz} ; m=${m#acct.} - [ $m -ge $n ] && { rm $f || rc=3; } - done - - m=$n - n=$(($n - 1)) - while [ $n -ge 0 ] - do - [ -f acct.$n.gz ] && { mv -f acct.$n.gz acct.$m.gz || rc=3; } - [ -f acct.$n ] && { mv -f acct.$n acct.$m || rc=3; } - m=$n - n=$(($n - 1)) - done - - /etc/rc.d/accounting rotate_log || rc=3 - - rm -f acct.merge && cp acct.0 acct.merge || rc=3 - sa -s $daily_accounting_flags /var/account/acct.merge || rc=3 - rm acct.merge - - case "$daily_accounting_compress" in - [Yy][Ee][Ss]) - gzip -f acct.0 || rc=3;; - esac - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/330.news =================================================================== --- head/etc/periodic/daily/330.news +++ head/etc/periodic/daily/330.news 
@@ -1,34 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Expire news articles -# (This is present only for backwards compatibility, usually the news -# system handles this on its own). - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_news_expire_enable" in - [Yy][Ee][Ss]) - if [ ! -f /etc/news.expire ] - then - echo '$daily_news_expire_enable is set but /etc/news.expire' \ - "doesn't exist" - rc=2 - else - echo "" - echo "Running news.expire:" - - /etc/news.expire && rc=0 || rc=3 - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/400.status-disks =================================================================== --- head/etc/periodic/daily/400.status-disks +++ head/etc/periodic/daily/400.status-disks @@ -1,40 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_disks_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Disk status:" - - if [ -n "${daily_status_disks_ignore}" ] ; then - ignore="egrep -v ${daily_status_disks_ignore}" - else - ignore="cat" - fi - (df $daily_status_disks_df_flags | ${ignore}) && rc=1 || rc=3 - - # display which filesystems need backing up - if [ -s /etc/dumpdates ]; then - if ! [ -f /etc/fstab ]; then - export PATH_FSTAB=/dev/null - fi - - echo "" - dump W || rc=3 - fi - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/401.status-graid =================================================================== --- head/etc/periodic/daily/401.status-graid +++ head/etc/periodic/daily/401.status-graid 
@@ -1,34 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_graid_enable" in - [Yy][Ee][Ss]) - echo - echo 'Checking status of graid(8) devices:' - - if graid status; then - components="$(graid status -s | fgrep -v OPTIMAL)" - if [ "${components}" ]; then - rc=3 - else - rc=0 - fi - else - rc=2 - fi - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/404.status-zfs =================================================================== --- head/etc/periodic/daily/404.status-zfs +++ head/etc/periodic/daily/404.status-zfs @@ -1,45 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_zfs_enable" in - [Yy][Ee][Ss]) - echo - echo 'Checking status of zfs pools:' - - case "$daily_status_zfs_zpool_list_enable" in - [Yy][Ee][Ss]) - lout=`zpool list` - echo "$lout" - echo - ;; - *) - ;; - esac - sout=`zpool status -x` - echo "$sout" - # zpool status -x always exits with 0, so we have to interpret its - # output to see what's going on. - if [ "$sout" = "all pools are healthy" \ - -o "$sout" = "no pools available" ]; then - rc=0 - else - rc=1 - fi - ;; - - *) - rc=0 - ;; -esac - -exit $rc Index: head/etc/periodic/daily/406.status-gmirror =================================================================== --- head/etc/periodic/daily/406.status-gmirror +++ head/etc/periodic/daily/406.status-gmirror 
@@ -1,34 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_gmirror_enable" in - [Yy][Ee][Ss]) - echo - echo 'Checking status of gmirror(8) devices:' - - if gmirror status; then - components="$(gmirror status -s | fgrep -v COMPLETE)" - if [ "${components}" ]; then - rc=3 - else - rc=0 - fi - else - rc=2 - fi - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/407.status-graid3 =================================================================== --- head/etc/periodic/daily/407.status-graid3 +++ head/etc/periodic/daily/407.status-graid3 @@ -1,34 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_graid3_enable" in - [Yy][Ee][Ss]) - echo - echo 'Checking status of graid3(8) devices:' - - if graid3 status; then - components="$(graid3 status -s | fgrep -v COMPLETE)" - if [ "${components}" ]; then - rc=3 - else - rc=0 - fi - else - rc=2 - fi - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/408.status-gstripe =================================================================== --- head/etc/periodic/daily/408.status-gstripe +++ head/etc/periodic/daily/408.status-gstripe 
@@ -1,34 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_gstripe_enable" in - [Yy][Ee][Ss]) - echo - echo 'Checking status of gstripe(8) devices:' - - if gstripe status; then - components="$(gstripe status -s | fgrep -v UP)" - if [ "${components}" ]; then - rc=3 - else - rc=0 - fi - else - rc=2 - fi - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/409.status-gconcat =================================================================== --- head/etc/periodic/daily/409.status-gconcat +++ head/etc/periodic/daily/409.status-gconcat @@ -1,34 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_gconcat_enable" in - [Yy][Ee][Ss]) - echo - echo 'Checking status of gconcat(8) devices:' - - if gconcat status; then - components="$(gconcat status -s | fgrep -v UP)" - if [ "${components}" ]; then - rc=3 - else - rc=0 - fi - else - rc=2 - fi - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/410.status-mfi =================================================================== --- head/etc/periodic/daily/410.status-mfi +++ head/etc/periodic/daily/410.status-mfi 
@@ -1,33 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_mfi_enable" in - [Yy][Ee][Ss]) - echo - echo 'Checking status of mfi(4) devices:' - - if mfiutil show volumes; then - if mfiutil show volumes | grep -q DEGRADED; then - rc=3 - else - rc=0 - fi - else - rc=2 - fi - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/420.status-network =================================================================== --- head/etc/periodic/daily/420.status-network +++ head/etc/periodic/daily/420.status-network @@ -1,31 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_network_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Network interface status:" - - flags="${daily_status_network_netstat_flags}" - case "$daily_status_network_usedns" in - [Yy][Ee][Ss]) - ;; - *) - flags="${flags} -n";; - esac - netstat -i ${flags} && rc=0 || rc=3;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/430.status-uptime =================================================================== --- head/etc/periodic/daily/430.status-uptime +++ head/etc/periodic/daily/430.status-uptime 
@@ -1,38 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_uptime_enable" in - [Yy][Ee][Ss]) - rwho=$(echo /var/rwho/*) - if [ -f "${rwho%% *}" ] - then - echo "" - echo "Local network system status:" - prog=ruptime - else - echo "" - echo "Local system status:" - prog=uptime - fi - rc=$($prog | tee /dev/stderr | wc -l) - if [ $? -eq 0 ] - then - [ $rc -gt 1 ] && rc=1 - else - rc=3 - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/440.status-mailq =================================================================== --- head/etc/periodic/daily/440.status-mailq +++ head/etc/periodic/daily/440.status-mailq 
@@ -1,66 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_mailq_enable" in - [Yy][Ee][Ss]) - if [ ! -x /usr/bin/mailq ] - then - echo '$daily_status_mailq_enable is set but /usr/bin/mailq' \ - "isn't executable" - rc=2 - else - echo "" - echo "Mail in local queue:" - - rc=$(case "$daily_status_mailq_shorten" in - [Yy][Ee][Ss]) - mailq | - egrep -e '^[[:space:]]+[^[:space:]]+@' | - sort | - uniq -c | - sort -nr | - awk '$1 >= 1 {print $1, $2}';; - *) - mailq;; - esac | tee /dev/stderr | - egrep -v '(mqueue is empty|Total requests)' | wc -l) - [ $rc -gt 0 ] && rc=1 || rc=0 - - case "$daily_status_include_submit_mailq" in - [Yy][Ee][Ss]) - if [ -f /etc/mail/submit.cf ] - then - echo "" - echo "Mail in submit queue:" - - rc_submit=$(case "$daily_status_mailq_shorten" in - [Yy][Ee][Ss]) - mailq -Ac | - egrep -e '^[[:space:]]+[^[:space:]]+@' | - sort | - uniq -c | - sort -nr | - awk '$1 >= 1 {print $1, $2}';; - *) - mailq -Ac;; - esac | tee /dev/stderr | - egrep -v '(mqueue is empty|Total requests)' | wc -l) - [ $rc_submit -gt 0 ] && rc=1 - fi;; - esac - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/450.status-security =================================================================== --- head/etc/periodic/daily/450.status-security +++ head/etc/periodic/daily/450.status-security 
@@ -1,47 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_security_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Security check:" - - case "$daily_status_security_inline" in - [Yy][Ee][Ss]) - daily_status_security_output="";; - esac - - export security_output="${daily_status_security_output}" - rc=0 - case "${daily_status_security_output}" in - "") - if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` - then - periodic security > $tempfile || rc=3 - if [ -s "$tempfile" ]; then - cat "$tempfile" - rc=3 - fi - rm -f "$tempfile" - fi;; - /*) - echo " (output logged separately)" - periodic security || rc=3;; - *) - echo " (output mailed separately)" - periodic security || rc=3;; - esac;; - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/460.status-mail-rejects =================================================================== --- head/etc/periodic/daily/460.status-mail-rejects +++ head/etc/periodic/daily/460.status-mail-rejects 
@@ -1,73 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_mail_rejects_shorten" in -[Yy][Ee][Ss]) shorten='cut -d" " -f2,3';; -*) shorten=cat;; -esac - -case "$daily_status_mail_rejects_enable" in - [Yy][Ee][Ss]) - if [ ! -d /etc/mail ] - then - echo '$daily_status_mail_rejects_enable is set but /etc/mail' \ - "doesn't exist" - rc=2 - elif [ ! -f /var/log/maillog ] - then - echo '$daily_status_mail_rejects_enable is set but ' \ - "/var/log/maillog doesn't exist" - rc=2 - elif [ "$daily_status_mail_rejects_logs" -le 0 ] - then - echo '$daily_status_mail_rejects_enable is set but ' \ - '$daily_status_mail_rejects_logs is not greater than zero' - rc=2 - else - echo - echo Checking for rejected mail hosts: - - yesterday=$(date -v-1d '+%b %e') - today=$(date '+%b %e') - n=$(($daily_status_mail_rejects_logs - 2)) - rc=$({ - while [ $n -ge 0 ] - do - if [ -f /var/log/maillog.$n ] - then - cat /var/log/maillog.$n - elif [ -f /var/log/maillog.$n.gz ] - then - zcat -fc /var/log/maillog.$n.gz - elif [ -f /var/log/maillog.$n.bz2 ] - then - bzcat -fc /var/log/maillog.$n.bz2 - fi - n=$(($n - 1)) - done - cat /var/log/maillog - } | sed -Ene "/^$today/q" -e "/^$yesterday/{"' - s/.*ruleset=check_relay,.* relay=([^,]+), reject=([^ ]*).*/\2 check_relay \1/p - t end - s/.*ruleset=check_rcpt,.* arg1=,]+).* reject=([^ ]+) .* ([^ ]+)/\2 check_rcpt \1 \3/p - t end - s/.*ruleset=check_([^,]+),.* arg1=,]+).* reject=([^ ]+) .* ([^ ]+)/\4 check_\1 \3 \5/p - :end - }' | eval $shorten | sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l) - [ $rc -gt 0 ] && rc=1 - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/480.leapfile-ntpd =================================================================== --- head/etc/periodic/daily/480.leapfile-ntpd +++ head/etc/periodic/daily/480.leapfile-ntpd 
@@ -1,23 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_ntpd_leapfile_enable" in - [Yy][Ee][Ss]) - if service ntpd oneneedfetch; then - anticongestion - service ntpd onefetch - fi - ;; -esac - -exit $rc Index: head/etc/periodic/daily/480.status-ntpd =================================================================== --- head/etc/periodic/daily/480.status-ntpd +++ head/etc/periodic/daily/480.status-ntpd @@ -1,28 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -rc=0 - -case "$daily_status_ntpd_enable" in - [Yy][Ee][Ss]) - echo "" - echo "NTP status:" - - synchronized=$(ntpq -pn | tee /dev/stderr | grep '^\*') - if [ -z "$synchronized" ]; then - rc=1 - fi - ;; -esac - -exit $rc Index: head/etc/periodic/daily/500.queuerun =================================================================== --- head/etc/periodic/daily/500.queuerun +++ head/etc/periodic/daily/500.queuerun 
@@ -1,36 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_queuerun_enable" in - [Yy][Ee][Ss]) - if [ ! -x /usr/sbin/sendmail ] - then - echo '$daily_queuerun_enable is set but /usr/sbin/sendmail' \ - "isn't executable" - rc=2 - else - /usr/sbin/sendmail -q >/dev/null 2>&1 & - case "$daily_submit_queuerun" in - [Yy][Ee][Ss]) - if [ -f /etc/mail/submit.cf ] - then - /usr/sbin/sendmail -q -Ac >/dev/null 2>&1 & - fi;; - esac - rc=0 - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/510.status-world-kernel =================================================================== --- head/etc/periodic/daily/510.status-world-kernel +++ head/etc/periodic/daily/510.status-world-kernel @@ -1,36 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Check that the running userland and kernel versions are in sync. - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$daily_status_world_kernel" in - [Yy][Ee][Ss]) - rc=0 - _U=$(/usr/bin/uname -U 2>/dev/null) - _K=$(/usr/bin/uname -K 2>/dev/null) - [ -z "${_U}" -o -z "${_K}" ] && exit 0 - echo "" - echo "Checking userland and kernel versions:" - if [ "${_U}" != "${_K}" ]; then - echo "Userland and kernel are not in sync" - echo "Userland version: ${_U}" - echo "Kernel version: ${_K}" - rc=1 - else - echo "Userland and kernel are in sync." - fi - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/daily/800.scrub-zfs =================================================================== --- head/etc/periodic/daily/800.scrub-zfs +++ head/etc/periodic/daily/800.scrub-zfs 
@@ -1,110 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# - -newline=" -" # A single newline - -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -: ${daily_scrub_zfs_default_threshold=35} - -case "$daily_scrub_zfs_enable" in - [Yy][Ee][Ss]) - echo - echo 'Scrubbing of zfs pools:' - - if [ -z "${daily_scrub_zfs_pools}" ]; then - daily_scrub_zfs_pools="$(zpool list -H -o name)" - fi - - rc=0 - for pool in ${daily_scrub_zfs_pools}; do - # sanity check - _status=$(zpool list "${pool}" 2> /dev/null) - if [ $? -ne 0 ]; then - rc=2 - echo " WARNING: pool '${pool}' specified in" - echo " '/etc/periodic.conf:daily_scrub_zfs_pools'" - echo " does not exist" - continue - fi - _status=${_status##*$newline} - case ${_status} in - *FAULTED*) - rc=3 - echo "Skipping faulted pool: ${pool}" - continue ;; - *UNAVAIL*) - rc=4 - echo "Skipping unavailable pool: ${pool}" - continue ;; - esac - - # determine how many days shall be between scrubs - eval _pool_threshold=\${daily_scrub_zfs_$(echo "${pool}"|tr ".:-" "_")_threshold} - if [ -z "${_pool_threshold}" ];then - _pool_threshold=${daily_scrub_zfs_default_threshold} - fi - - _last_scrub=$(zpool history ${pool} | \ - egrep "^[0-9\.\:\-]{19} zpool scrub ${pool}\$" | tail -1 |\ - cut -d ' ' -f 1) - if [ -z "${_last_scrub}" ]; then - # creation time of the pool if no scrub was done - _last_scrub=$(zpool history ${pool} | \ - sed -ne '2s/ .*$//p') - fi - if [ -z "${_last_scrub}" ]; then - echo " skipping scrubbing of pool '${pool}':" - echo " can't get last scrubbing date" - continue - fi - - # Now minus last scrub (both in seconds) converted to days. 
- _scrub_diff=$(expr -e \( $(date +%s) - \ - $(date -j -v -70M -f %F.%T ${_last_scrub} +%s) \) / 60 / 60 / 24) - if [ ${_scrub_diff} -lt ${_pool_threshold} ]; then - echo " skipping scrubbing of pool '${pool}':" - echo " last scrubbing is ${_scrub_diff} days ago, threshold is set to ${_pool_threshold} days" - continue - fi - - _status="$(zpool status ${pool} | grep scan:)" - case "${_status}" in - *"scrub in progress"*) - echo " scrubbing of pool '${pool}' already in progress, skipping:" - ;; - *"resilver in progress"*) - echo " resilvering of pool '${pool}' is in progress, skipping:" - ;; - *"none requested"*) - echo " starting first scrub (since reboot) of pool '${pool}':" - zpool scrub ${pool} - [ $rc -eq 0 ] && rc=1 - ;; - *) - echo " starting scrub of pool '${pool}':" - zpool scrub ${pool} - [ $rc -eq 0 ] && rc=1 - ;; - esac - - echo " consult 'zpool status ${pool}' for the result" - done - ;; - - *) - rc=0 - ;; -esac - -exit $rc Index: head/etc/periodic/daily/999.local =================================================================== --- head/etc/periodic/daily/999.local +++ head/etc/periodic/daily/999.local 
@@ -1,43 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# -# Run the old /etc/daily.local script. This is really for backwards -# compatibility more than anything else. -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -rc=0 -for script in $daily_local -do - echo '' - case "$script" in - /*) - if [ -x "$script" ] - then - echo "Running $script:" - - $script || rc=3 - elif [ -f "$script" ] - then - echo "Running $script:" - - sh $script || rc=3 - else - echo "$script: No such file" - [ $rc -lt 2 ] && rc=2 - fi;; - *) - echo "$script: Not an absolute path" - [ $rc -lt 2 ] && rc=2;; - esac -done - -exit $rc Index: head/etc/periodic/daily/Makefile =================================================================== --- head/etc/periodic/daily/Makefile +++ head/etc/periodic/daily/Makefile 
@@ -1,62 +0,0 @@
-# $FreeBSD$
-
-.include
-
-FILESGROUPS=FILES
-
-FILES= 100.clean-disks \
- 110.clean-tmps \
- 120.clean-preserve \
- 140.clean-rwho \
- 200.backup-passwd \
- 210.backup-aliases \
- 330.news \
- 400.status-disks \
- 401.status-graid \
- 406.status-gmirror \
- 407.status-graid3 \
- 408.status-gstripe \
- 409.status-gconcat \
- 410.status-mfi \
- 420.status-network \
- 430.status-uptime \
- 450.status-security \
- 510.status-world-kernel \
- 999.local
-
-# NB: keep these sorted by MK_* knobs
-
-.if ${MK_ACCT} != "no"
-FILESGROUPS+= ACCT
-ACCT+= 310.accounting
-.endif
-ACCTDIR= /etc/periodic/daily
-ACCTMODE= ${BINMODE}
-ACCTPACKAGE= acct
-
-.if ${MK_CALENDAR} != "no"
-FILES+= 300.calendar
-.endif
-
-.if ${MK_MAIL} != "no"
-FILES+= 130.clean-msgs
-.endif
-
-.if ${MK_NTP} != "no"
-FILES+= 480.status-ntpd \
- 480.leapfile-ntpd
-.endif
-
-.if ${MK_SENDMAIL} != "no"
-FILES+= 150.clean-hoststat \
- 440.status-mailq \
- 460.status-mail-rejects \
- 500.queuerun
-.endif
-
-.if ${MK_ZFS} != "no"
-FILES+= 404.status-zfs \
- 800.scrub-zfs
-.endif
-
-.include
Index: head/etc/periodic/monthly/200.accounting
===================================================================
--- head/etc/periodic/monthly/200.accounting
+++ head/etc/periodic/monthly/200.accounting
@@ -1,51 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -oldmask=$(umask) -umask 066 -case "$monthly_accounting_enable" in - [Yy][Ee][Ss]) - W=/var/log/utx.log - rc=0 - remove=NO - if [ ! -f $W.0 ] - then - if [ -f $W.0.gz ] - then - remove=YES - zcat $W.0.gz > $W.0 || rc=1 - elif [ -f $W.0.bz2 ] - then - remove=YES - bzcat $W.0.bz2 > $W.0 || rc=1 - else - echo '$monthly_accounting_enable is set but' \ - "$W.0 doesn't exist" - rc=2 - fi - fi - if [ $rc -eq 0 ] - then - echo "" - echo "Doing login accounting:" - - rc=$(ac -p -w $W.0 | sort -nr -k 2 | tee /dev/stderr | wc -l) - [ $rc -gt 0 ] && rc=1 - fi - [ $remove = YES ] && rm -f $W.0;; - - *) rc=0;; -esac - -umask $oldmask -exit $rc Index: head/etc/periodic/monthly/450.status-security =================================================================== --- head/etc/periodic/monthly/450.status-security +++ head/etc/periodic/monthly/450.status-security 
@@ -1,47 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$monthly_status_security_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Security check:" - - case "$monthly_status_security_inline" in - [Yy][Ee][Ss]) - monthly_status_security_output="";; - esac - - export security_output="${monthly_status_security_output}" - rc=0 - case "${monthly_status_security_output}" in - "") - if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` - then - periodic security > $tempfile || rc=3 - if [ -s "$tempfile" ]; then - cat "$tempfile" - rc=3 - fi - rm -f "$tempfile" - fi;; - /*) - echo " (output logged separately)" - periodic security || rc=3;; - *) - echo " (output mailed separately)" - periodic security || rc=3;; - esac;; - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/monthly/999.local =================================================================== --- head/etc/periodic/monthly/999.local +++ head/etc/periodic/monthly/999.local @@ -1,40 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -rc=0 -for script in $monthly_local -do - echo '' - case "$script" in - /*) - if [ -x "$script" ] - then - echo "Running $script:" - - $script || rc=3 - elif [ -f "$script" ] - then - echo "Running $script:" - - sh $script || rc=3 - else - echo "$script: No such file" - [ $rc -lt 2 ] && rc=2 - fi;; - *) - echo "$script: Not an absolute path" - [ $rc -lt 2 ] && rc=2;; - esac -done - -exit $rc Index: head/etc/periodic/monthly/Makefile =================================================================== --- head/etc/periodic/monthly/Makefile +++ head/etc/periodic/monthly/Makefile 
@@ -1,20 +0,0 @@
-# $FreeBSD$
-
-.include
-
-FILESGROUPS=FILES
-
-FILES= 450.status-security \
- 999.local
-
-# NB: keep these sorted by MK_* knobs
-
-.if ${MK_UTMPX} != "no"
-FILESGROUPS+= ACCT
-ACCT+= 200.accounting
-.endif
-ACCTDIR= /etc/periodic/monthly
-ACCTMODE= ${BINMODE}
-ACCTPACKAGE= acct
-
-.include
Index: head/etc/periodic/security/100.chksetuid
===================================================================
--- head/etc/periodic/security/100.chksetuid
+++ head/etc/periodic/security/100.chksetuid
@@ -1,62 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. 
/etc/periodic/security/security.functions - -security_daily_compat_var security_status_chksetuid_enable - -rc=0 - -if check_yesno_period security_status_chksetuid_enable -then - echo "" - echo 'Checking setuid files and devices:' - IFS=$'\n' # Don't split mount points with spaces or tabs - MP=`mount -t ufs,zfs | awk ' - $0 !~ /no(suid|exec)/ { - sub(/^.* on \//, "/"); - sub(/ \(.*\)/, ""); - print $0 - }'` - find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \ - \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \ - \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ | - check_diff setuid - "${host} setuid diffs:" - rc=$? -fi - -exit $rc Index: head/etc/periodic/security/110.neggrpperm =================================================================== --- head/etc/periodic/security/110.neggrpperm +++ head/etc/periodic/security/110.neggrpperm 
@@ -1,61 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_neggrpperm_enable - -rc=0 - -if check_yesno_period security_status_neggrpperm_enable -then - echo "" - echo 'Checking negative group permissions:' - IFS=$'\n' # Don't split mount points with spaces or tabs - MP=`mount -t ufs,zfs | awk ' - $0 !~ /no(suid|exec)/ { - sub(/^.* on \//, "/"); - sub(/ \(.*\)/, ""); - print $0 - }'` - n=$(find -sx $MP /dev/null \( ! 
-fstype local \) -prune -o -type f \ - \( \( ! -perm +010 -and -perm +001 \) -or \ - \( ! -perm +020 -and -perm +002 \) -or \ - \( ! -perm +040 -and -perm +004 \) \) \ - -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0 -fi - -exit $rc Index: head/etc/periodic/security/200.chkmounts =================================================================== --- head/etc/periodic/security/200.chkmounts +++ head/etc/periodic/security/200.chkmounts 
@@ -1,65 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show changes in the way filesystems are mounted -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. 
/etc/periodic/security/security.functions - -security_daily_compat_var security_status_chkmounts_enable -security_daily_compat_var security_status_chkmounts_ignore -security_daily_compat_var security_status_noamd - -ignore="${security_status_chkmounts_ignore}" -rc=0 - -if check_yesno_period security_status_chkmounts_enable -then - case "$security_status_noamd" in - [Yy][Ee][Ss]) - ignore="${ignore}|^amd:" - esac - [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat - if ! [ -f /etc/fstab ]; then - export PATH_FSTAB=/dev/null - fi - mount -p | sort | ${cmd} | - check_diff mount - "${host} changes in mounted filesystems:" - rc=$? -fi - -exit "$rc" Index: head/etc/periodic/security/300.chkuid0 =================================================================== --- head/etc/periodic/security/300.chkuid0 +++ head/etc/periodic/security/300.chkuid0 
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . 
/etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_chkuid0_enable - -rc=0 - -if check_yesno_period security_status_chkuid0_enable -then - echo "" - echo 'Checking for uids of 0:' - n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd | - tee /dev/stderr | - sed -e '/^root 0$/d' -e '/^toor 0$/d' | - wc -l) - [ $n -gt 0 ] && rc=1 || rc=0 -fi - -exit "$rc" Index: head/etc/periodic/security/400.passwdless =================================================================== --- head/etc/periodic/security/400.passwdless +++ head/etc/periodic/security/400.passwdless 
@@ -1,51 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . 
/etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_passwdless_enable - -rc=0 - -if check_yesno_period security_status_passwdless_enable -then - echo "" - echo 'Checking for passwordless accounts:' - n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd | - tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0 -fi - -exit "$rc" Index: head/etc/periodic/security/410.logincheck =================================================================== --- head/etc/periodic/security/410.logincheck +++ head/etc/periodic/security/410.logincheck 
@@ -1,55 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2006 Tom Rhodes -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . 
/etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_logincheck_enable - -rc=0 - -if check_yesno_period security_status_logincheck_enable -then - echo "" - echo 'Checking login.conf permissions:' - if [ -G /etc/login.conf -a -O /etc/login.conf ]; then - n=0 - else - echo "Bad ownership of /etc/login.conf" - n=1 - fi - [ $n -gt 0 ] && rc=1 || rc=0 -fi - -exit "$rc" Index: head/etc/periodic/security/500.ipfwdenied =================================================================== --- head/etc/periodic/security/500.ipfwdenied +++ head/etc/periodic/security/500.ipfwdenied 
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. /etc/periodic/security/security.functions - -security_daily_compat_var security_status_ipfwdenied_enable - -rc=0 - -if check_yesno_period security_status_ipfwdenied_enable -then - TMP=`mktemp -t security` - if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then - check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" - fi - rc=$? 
- rm -f ${TMP} -fi - -exit $rc Index: head/etc/periodic/security/510.ipfdenied =================================================================== --- head/etc/periodic/security/510.ipfdenied +++ head/etc/periodic/security/510.ipfdenied 
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. /etc/periodic/security/security.functions - -security_daily_compat_var security_status_ipfdenied_enable - -rc=0 - -if check_yesno_period security_status_ipfdenied_enable -then - TMP=`mktemp -t security` - if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then - check_diff new_only ipf ${TMP} "${host} ipf denied packets:" - fi - rc=$? 
- rm -f ${TMP} -fi - -exit $rc Index: head/etc/periodic/security/520.pfdenied =================================================================== --- head/etc/periodic/security/520.pfdenied +++ head/etc/periodic/security/520.pfdenied 
@@ -1,59 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2004 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. 
/etc/periodic/security/security.functions - -security_daily_compat_var security_status_pfdenied_enable - -rc=0 - -if check_yesno_period security_status_pfdenied_enable -then - TMP=`mktemp -t security` - for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) - do - pfctl -a ${_a} -sr -v -z 2>/dev/null | \ - nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} - done - if [ -s ${TMP} ]; then - check_diff new_only pf ${TMP} "${host} pf denied packets:" - fi - rc=$? - rm -f ${TMP} -fi - -exit $rc Index: head/etc/periodic/security/550.ipfwlimit =================================================================== --- head/etc/periodic/security/550.ipfwlimit +++ head/etc/periodic/security/550.ipfwlimit 
@@ -1,69 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show ipfw rules which have reached the log limit -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_ipfwlimit_enable - -rc=0 - -if check_yesno_period security_status_ipfwlimit_enable -then - IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` - if [ $? 
-ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then - exit 0 - fi - TMP=`mktemp -t security` - ipfw -a list | grep " log " | \ - grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ - awk \ - '{if ($6 == "logamount") { - if ($2 > $7) - {print $0}} - }' > ${TMP} - - if [ -s "${TMP}" ]; then - rc=1 - echo "" - echo 'ipfw log limit reached:' - cat ${TMP} - fi - rm -f ${TMP} -fi - -exit $rc Index: head/etc/periodic/security/610.ipf6denied =================================================================== --- head/etc/periodic/security/610.ipf6denied +++ head/etc/periodic/security/610.ipf6denied 
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. /etc/periodic/security/security.functions - -security_daily_compat_var security_status_ipf6denied_enable - -rc=0 - -if check_yesno_period security_status_ipf6denied_enable -then - TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` - if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then - check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" - fi - rc=$? 
- rm -f ${TMP} -fi - -exit $rc Index: head/etc/periodic/security/700.kernelmsg =================================================================== --- head/etc/periodic/security/700.kernelmsg +++ head/etc/periodic/security/700.kernelmsg 
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show kernel log messages -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. /etc/periodic/security/security.functions - -security_daily_compat_var security_status_kernelmsg_enable - -rc=0 - -if check_yesno_period security_status_kernelmsg_enable -then - dmesg 2>/dev/null | - check_diff new_only dmesg - "${host} kernel log messages:" - rc=$? 
-fi - -exit $rc Index: head/etc/periodic/security/800.loginfail =================================================================== --- head/etc/periodic/security/800.loginfail +++ head/etc/periodic/security/800.loginfail 
@@ -1,72 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show login failures -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_loginfail_enable - -LOG="${security_status_logdir}" - -yesterday=`date -v-1d "+%b %e "` - -catmsgs() { - find ${LOG} -name 'auth.log.*' -mtime -2 | - sort -t. 
-r -n -k 2,2 | - while read f - do - case $f in - *.gz) zcat -f $f;; - *.bz2) bzcat -f $f;; - esac - done - [ -f ${LOG}/auth.log ] && cat $LOG/auth.log -} - -rc=0 - -if check_yesno_period security_status_loginfail_enable -then - echo "" - echo "${host} login failures:" - n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | - tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0 -fi - -exit $rc Index: head/etc/periodic/security/900.tcpwrap =================================================================== --- head/etc/periodic/security/900.tcpwrap +++ head/etc/periodic/security/900.tcpwrap 
@@ -1,72 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show tcp_wrapper warning messages -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_tcpwrap_enable - -LOG="${security_status_logdir}" - -yesterday=`date -v-1d "+%b %e "` - -catmsgs() { - find ${LOG} -name 'messages.*' -mtime -2 | - sort -t. 
-r -n -k 2,2 | - while read f - do - case $f in - *.gz) zcat -f $f;; - *.bz2) bzcat -f $f;; - esac - done - [ -f ${LOG}/messages ] && cat $LOG/messages -} - -rc=0 - -if check_yesno_period security_status_tcpwrap_enable -then - echo "" - echo "${host} refused connections:" - n=$(catmsgs | grep -i "^$yesterday.*refused connect" | - tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0 -fi - -exit $rc Index: head/etc/periodic/security/Makefile =================================================================== --- head/etc/periodic/security/Makefile +++ head/etc/periodic/security/Makefile @@ -1,37 +0,0 @@ -# $FreeBSD$ - -.include - -FILESGROUPS= FILES DATA - -FILES= 100.chksetuid \ - 110.neggrpperm \ - 200.chkmounts \ - 300.chkuid0 \ - 400.passwdless \ - 410.logincheck \ - 700.kernelmsg \ - 800.loginfail -DATA= security.functions - -# NB: keep these sorted by MK_* knobs - -.if ${MK_IPFILTER} != "no" -FILES+= 510.ipfdenied -FILES+= 610.ipf6denied -.endif - -.if ${MK_IPFW} != "no" -FILES+= 500.ipfwdenied \ - 550.ipfwlimit -.endif - -.if ${MK_PF} != "no" -FILES+= 520.pfdenied -.endif - -.if ${MK_INETD} != "no" && ${MK_TCP_WRAPPERS} != "no" -FILES+= 900.tcpwrap -.endif - -.include Index: head/etc/periodic/security/security.functions =================================================================== --- head/etc/periodic/security/security.functions +++ head/etc/periodic/security/security.functions 
@@ -1,87 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This is a library file, so we only try to do something when sourced. -case "$0" in -*/security.functions) exit 0 ;; -esac - -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_diff_flags - -# -# Show differences in the output of an audit command -# - -LOG="${security_status_logdir}" -rc=0 - -# Usage: COMMAND | check_diff [new_only] LABEL - MSG -# COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG -# if $1 is new_only, show only the 'new' part of the diff. -# LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files. 
- -check_diff() { - unset IFS - rc=0 - if [ "$1" = "new_only" ]; then - shift - filter="grep '^[>+][^+]'" - else - filter="cat" - fi - label="$1"; shift - tmpf="$1"; shift - msg="$1"; shift - - if [ "${tmpf}" = "-" ]; then - tmpf=`mktemp -t security` - cat > ${tmpf} - fi - - if [ ! -f ${LOG}/${label}.today ]; then - rc=1 - echo "" - echo "No ${LOG}/${label}.today" - cp ${tmpf} ${LOG}/${label}.today || rc=3 - fi - - if ! cmp -s ${LOG}/${label}.today ${tmpf} >/dev/null; then - [ $rc -lt 1 ] && rc=1 - echo "" - echo "${msg}" - diff ${security_status_diff_flags} ${LOG}/${label}.today \ - ${tmpf} | eval "${filter}" - mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 - mv ${tmpf} ${LOG}/${label}.today || rc=3 - fi - - rm -f ${tmpf} - exit ${rc} -} Index: head/etc/periodic/weekly/310.locate =================================================================== --- head/etc/periodic/weekly/310.locate +++ head/etc/periodic/weekly/310.locate @@ -1,32 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$weekly_locate_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Rebuilding locate database:" - - locdb=/var/db/locate.database - - touch $locdb && rc=0 || rc=3 - chown nobody $locdb || rc=3 - chmod 644 $locdb || rc=3 - - cd / - echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3 - chmod 444 $locdb || rc=3;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/weekly/320.whatis =================================================================== --- head/etc/periodic/weekly/320.whatis +++ head/etc/periodic/weekly/320.whatis 
@@ -1,51 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$weekly_whatis_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Rebuilding whatis database:" - - MANPATH=`/usr/bin/manpath -q` - if [ $? = 0 ] - then - if [ -z "${MANPATH}" ] - then - echo "manpath failed to find any manpage directories" - rc=3 - else - man_locales=`/usr/bin/manpath -qL` - rc=0 - - # Build whatis(1) database(s) for original, non-localized - # manpages. - /usr/libexec/makewhatis.local "${MANPATH}" || rc=3 - - # Build whatis(1) database(s) for localized manpages. - if [ X"${man_locales}" != X ] - then - for i in ${man_locales} - do - LC_ALL=$i /usr/libexec/makewhatis.local -a \ - -L "${MANPATH}" || rc=3 - done - fi - fi - else - rc=3 - fi;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/weekly/340.noid =================================================================== --- head/etc/periodic/weekly/340.noid +++ head/etc/periodic/weekly/340.noid @@ -1,29 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$weekly_noid_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Check for files with an unknown user or group:" - - rc=$(find -H ${weekly_noid_dirs:-/} \ - \( ! -fstype local -prune -or -name \* \) -and \ - \( -nogroup -o -nouser \) -print | sed 's/^/ /' | - tee /dev/stderr | wc -l) - [ $rc -gt 1 ] && rc=1 - ;; - - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/weekly/450.status-security =================================================================== --- head/etc/periodic/weekly/450.status-security +++ head/etc/periodic/weekly/450.status-security 
@@ -1,47 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$weekly_status_security_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Security check:" - - case "$weekly_status_security_inline" in - [Yy][Ee][Ss]) - weekly_status_security_output="";; - esac - - export security_output="${weekly_status_security_output}" - rc=0 - case "${weekly_status_security_output}" in - "") - if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` - then - periodic security > $tempfile || rc=3 - if [ -s "$tempfile" ]; then - cat "$tempfile" - rc=3 - fi - rm -f "$tempfile" - fi;; - /*) - echo " (output logged separately)" - periodic security || rc=3;; - *) - echo " (output mailed separately)" - periodic security || rc=3;; - esac;; - *) rc=0;; -esac - -exit $rc Index: head/etc/periodic/weekly/999.local =================================================================== --- head/etc/periodic/weekly/999.local +++ head/etc/periodic/weekly/999.local @@ -1,40 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -rc=0 -for script in $weekly_local -do - echo '' - case "$script" in - /*) - if [ -x "$script" ] - then - echo "Running $script:" - - $script || rc=3 - elif [ -f "$script" ] - then - echo "Running $script:" - - sh $script || rc=3 - else - echo "$script: No such file" - [ $rc -lt 2 ] && rc=2 - fi;; - *) - echo "$script: Not an absolute path" - [ $rc -lt 2 ] && rc=2;; - esac -done - -exit $rc Index: head/etc/periodic/weekly/Makefile =================================================================== --- head/etc/periodic/weekly/Makefile +++ head/etc/periodic/weekly/Makefile 
@@ -1,19 +0,0 @@ -# $FreeBSD$ - -.include - -FILES= 340.noid \ - 450.status-security \ - 999.local - -# NB: keep these sorted by MK_* knobs - -.if ${MK_LOCATE} != "no" -FILES+= 310.locate -.endif - -.if ${MK_MAN_UTILS} != "no" -FILES+= 320.whatis -.endif - -.include Index: head/usr.sbin/periodic/Makefile =================================================================== --- head/usr.sbin/periodic/Makefile +++ head/usr.sbin/periodic/Makefile @@ -1,6 +1,10 @@ # $FreeBSD$ +FILES= periodic.conf +FILESDIR= /etc/defaults SCRIPTS=periodic.sh MAN= periodic.8 + +SUBDIR= etc .include Index: head/usr.sbin/periodic/etc/Makefile =================================================================== --- head/usr.sbin/periodic/etc/Makefile +++ head/usr.sbin/periodic/etc/Makefile @@ -0,0 +1,6 @@ +# $FreeBSD$ + +SUBDIR= daily security weekly monthly +SUBDIR_PARALLEL= + +.include Index: head/usr.sbin/periodic/etc/Makefile.inc =================================================================== --- head/usr.sbin/periodic/etc/Makefile.inc +++ head/usr.sbin/periodic/etc/Makefile.inc @@ -0,0 +1,6 @@ +# $FreeBSD$ + +CONFMODE= 755 +CONFDIR= ETC_PERIODIC_${.CURDIR:T:U} +ETC_PERIODIC_${.CURDIR:T:U}= /etc/periodic/${.CURDIR:T} +NO_OBJ= Index: head/usr.sbin/periodic/etc/daily/100.clean-disks =================================================================== --- head/usr.sbin/periodic/etc/daily/100.clean-disks +++ head/usr.sbin/periodic/etc/daily/100.clean-disks 
@@ -0,0 +1,55 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove garbage files more than $daily_clean_disks_days days old +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_disks_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_disks_days" ] + then + echo '$daily_clean_disks_enable is set but' \ + '$daily_clean_disks_days is not' + rc=2 + elif [ -z "$daily_clean_disks_files" ] + then + echo '$daily_clean_disks_enable is set but' \ + '$daily_clean_disks_files is not' + rc=2 + else + echo "" + echo "Cleaning disks:" + set -f noglob + args="-name "`echo "$daily_clean_disks_files" | + sed -e 's/^[ ]*//' \ + -e 's/[ ]*$//' \ + -e 's/[ ][ ]*/ -o -name /g'` + + case "$daily_clean_disks_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(find / \( ! -fstype local -o -fstype rdonly \) -prune -o \ + \( $args \) -atime +$daily_clean_disks_days \ + -execdir rm -df {} \; $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + set -f glob + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/110.clean-tmps =================================================================== --- head/usr.sbin/periodic/etc/daily/110.clean-tmps +++ head/usr.sbin/periodic/etc/daily/110.clean-tmps 
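Review bot: `set -f glob` at the end of the `else` branch in 100.clean-disks does not turn pathname expansion back on: `set -f` sets the noglob option a second time and the word `glob` becomes the new `$1`, so the script finishes with globbing still disabled (the earlier `set -f noglob` likewise leaves `$1` set to `noglob`). The intended pair is `set -f` to disable and `set +f` to re-enable. It is harmless here only because nothing after that line expands a pattern. Since the `find / ... -execdir rm -df {} \;` runs as root across every local read-write filesystem, including home directories, a comment next to `args=` such as `# patterns apply to user files too; a broad pattern in $daily_clean_disks_files deletes user data` would be worth adding for the operator.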
@@ -0,0 +1,60 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Perform temporary directory cleaning so that long-lived systems +# don't end up with excessively old files there. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_tmps_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_tmps_days" ] + then + echo '$daily_clean_tmps_enable is set but' \ + '$daily_clean_tmps_days is not' + rc=2 + else + echo "" + echo "Removing old temporary files:" + + set -f noglob + args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days" + args="${args} -ctime +$daily_clean_tmps_days" + dargs="-empty -mtime +$daily_clean_tmps_days" + [ -n "$daily_clean_tmps_ignore" ] && { + args="$args "`echo " ${daily_clean_tmps_ignore% }" | + sed 's/[ ][ ]*/ ! -name /g'` + dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" | + sed 's/[ ][ ]*/ ! -name /g'` + } + case "$daily_clean_tmps_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(for dir in $daily_clean_tmps_dirs + do + [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && { + find -x -d . -type f $args -delete $print + find -x -d . ! -name . -type d $dargs -delete $print + } | sed "s,^\\., $dir," + done | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + set -f glob + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/120.clean-preserve =================================================================== --- head/usr.sbin/periodic/etc/daily/120.clean-preserve +++ head/usr.sbin/periodic/etc/daily/120.clean-preserve 
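Review bot: In the `rc=$(for dir in $daily_clean_tmps_dirs ...)` loop of 110.clean-tmps, `$dir` is expanded unquoted in `-d $dir`, `cd $dir` and the `sed "s,^\\., $dir,"` replacement, so a directory name containing whitespace is split into several words and the `cd` may fail or, given sh(1)'s two-argument `cd` form, may change to an unintended directory before `find -x -d . -type f $args -delete` runs there; `[ ."${dir#/}" != ."$dir" -a -d "$dir" ] && cd "$dir" && {` keeps the value intact. The directories come from `daily_clean_tmps_dirs` in periodic.conf, so this is an operator footgun rather than an injection path, but deleting under the wrong directory as root is costly enough to guard against. `set -f glob` at the end also does not re-enable globbing (it sets -f again and assigns `glob` to `$1`); `set +f` is the intended inverse.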
@@ -0,0 +1,53 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove stale files in /var/preserve +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_preserve_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_preserve_days" ] + then + echo '$daily_clean_preserve_enable is set but' \ + '$daily_clean_preserve_days is not' + rc=2 + elif [ ! -d /var/preserve ] + then + echo '$daily_clean_preserve_enable is set but /var/preserve' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Removing stale files from /var/preserve:" + + if cd /var/preserve + then + case "$daily_clean_preserve_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + rc=$(find . ! -name . -mtime +$daily_clean_preserve_days \ + -delete $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + else + rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/130.clean-msgs =================================================================== --- head/usr.sbin/periodic/etc/daily/130.clean-msgs +++ head/usr.sbin/periodic/etc/daily/130.clean-msgs 
@@ -0,0 +1,35 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove system messages +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_msgs_enable" in + [Yy][Ee][Ss]) + if [ ! -d /var/msgs ] + then + echo '$daily_clean_msgs_enable is set but /var/msgs' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Cleaning out old system announcements:" + + [ -n "$daily_clean_msgs_days" ] && + arg=-${daily_clean_msgs_days#-} || arg= + msgs -c $arg && rc=0 || rc=3 + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/140.clean-rwho =================================================================== --- head/usr.sbin/periodic/etc/daily/140.clean-rwho +++ head/usr.sbin/periodic/etc/daily/140.clean-rwho 
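Review bot: The line `[ -n "$daily_clean_msgs_days" ] && arg=-${daily_clean_msgs_days#-} || arg=` uses `A && B || C` as an if/else; it is correct here only because `B` is an assignment that cannot fail, which deserves either a comment or a plain `if`/`else` since the idiom is a well-known trap. Nothing checks that `msgs` is available before it is run (500.queuerun in this change tests `-x` on its binary first), and `daily_clean_msgs_days` is word-split unquoted into `msgs -c $arg`, so a value containing whitespace becomes extra arguments; a `case "$daily_clean_msgs_days" in *[!0-9]*) rc=2;; esac` guard would close that.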
@@ -0,0 +1,53 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove stale files in /var/rwho +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_rwho_enable" in + [Yy][Ee][Ss]) + if [ -z "$daily_clean_rwho_days" ] + then + echo '$daily_clean_rwho_enable is enabled but' \ + '$daily_clean_rwho_days is not set' + rc=2 + elif [ ! -d /var/rwho ] + then + echo '$daily_clean_rwho_enable is enabled but /var/rwho' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Removing stale files from /var/rwho:" + + case "$daily_clean_rwho_verbose" in + [Yy][Ee][Ss]) + print=-print;; + *) + print=;; + esac + + if cd /var/rwho + then + rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \ + -delete $print | tee /dev/stderr | wc -l) + [ -z "$print" ] && rc=0 + [ $rc -gt 1 ] && rc=1 + else + rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/150.clean-hoststat =================================================================== --- head/usr.sbin/periodic/etc/daily/150.clean-hoststat +++ head/usr.sbin/periodic/etc/daily/150.clean-hoststat @@ -0,0 +1,29 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Remove stale persistent host status files +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ]; then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_hoststat_enable" in + [Yy][Ee][Ss]) + if [ -z "$(hoststat 2>&1)" ]; then + rc=2 + else + echo "" + echo "Removing stale entries from sendmail host status cache:" + rc=0 + purgestat || rc=1 + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/200.backup-passwd =================================================================== --- head/usr.sbin/periodic/etc/daily/200.backup-passwd +++ head/usr.sbin/periodic/etc/daily/200.backup-passwd 
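Review bot: `rc` is only the `wc -l` count of what `find` printed, so a `find` failure (unreadable entry, bad `-mtime` argument) is invisible and the job reports success; `daily_clean_rwho_days` is likewise checked only for emptiness before being spliced unquoted into `-mtime +$daily_clean_rwho_days`. Replace the `-z` test with `case "$daily_clean_rwho_days" in ''|*[!0-9]*) echo '$daily_clean_rwho_days must be a non-negative integer'; rc=2;; esac` and make a failing `find` visible instead of silently counting zero lines.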
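Review bot: `purgestat || rc=1` in 150.clean-hoststat reports a failed purge as rc=1, which elsewhere in this set means "informational output" (compare `calendar -a && rc=0 || rc=3` and the `|| rc=3` pattern in the other scripts), so a broken sendmail host-status cache shows up as success-with-output rather than an error; `purgestat || rc=3` follows the convention. The `rc=2` branch taken when `hoststat` prints nothing also emits no diagnostic, unlike every other rc=2 path in these files, so the bad-config report would be empty; an `echo '$daily_clean_hoststat_enable is set but hoststat reports nothing'` makes it actionable.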
@@ -0,0 +1,77 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_backup_passwd_enable" in + [Yy][Ee][Ss]) + if [ ! -f /etc/master.passwd ] + then + echo '$daily_backup_passwd_enable" is set but /etc/master.passwd' \ + "doesn't exist" + rc=2 + elif [ ! -f /etc/group ] + then + echo '$daily_backup_passwd_enable" is set but /etc/group' \ + "doesn't exist" + rc=2 + else + bak=/var/backups + rc=0 + + echo "" + echo "Backup passwd and group files:" + + if [ ! -f $bak/master.passwd.bak ] + then + rc=1 + echo "no $bak/master.passwd.bak" + cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3 + fi + + if ! cmp -s $bak/master.passwd.bak /etc/master.passwd + then + [ $rc -lt 1 ] && rc=1 + echo "$host passwd diffs:" + diff -uI '^#' $bak/master.passwd.bak /etc/master.passwd |\ + sed 's/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/' + mv $bak/master.passwd.bak $bak/master.passwd.bak2 + cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3 + fi + + if [ ! -f $bak/group.bak ] + then + [ $rc -lt 1 ] && rc=1 + echo "no $bak/group.bak" + cp -p /etc/group $bak/group.bak || rc=3 + fi + + if ! cmp -s $bak/group.bak /etc/group + then + [ $rc -lt 1 ] && rc=1 + echo "$host group diffs:" + diff -u $bak/group.bak /etc/group + mv $bak/group.bak $bak/group.bak2 + cp -p /etc/group $bak/group.bak || rc=3 + fi + + if [ -f /etc/group ] + then + echo "" + echo "Verifying group file syntax:" + chkgrp /etc/group || rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/210.backup-aliases =================================================================== --- head/usr.sbin/periodic/etc/daily/210.backup-aliases +++ head/usr.sbin/periodic/etc/daily/210.backup-aliases 
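Review bot: The hash-masking `sed` on the master.passwd diff, `s/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/`, only matches when the user name contains no `-` or `+`; for a hyphenated account name (if any exist on the host) the substitution fails and the `+`/`-` line goes into the daily report mail with the password hash unmasked. The exclusion of `-`/`+` is presumably there so the `---`/`+++` diff headers are not mangled; restricting it to the first character of the name keeps that and covers hyphenated names: `sed 's/^\([-+ ][^-+:][^:]*\):[^:]*:/\1:(password):/'`. Separately, both `echo '$daily_backup_passwd_enable" is set but ...'` messages carry a stray `"` inside the single quotes.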
@@ -0,0 +1,47 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_backup_aliases_enable" in + [Yy][Ee][Ss]) + if [ ! -f /etc/mail/aliases ] + then + echo '$daily_backup_aliases_enable is enabled but' \ + "/etc/mail/aliases doesn't exist" + rc=2 + else + bak=/var/backups + rc=0 + + echo "" + echo "Backing up mail aliases:" + + if [ ! -f $bak/aliases.bak ] + then + echo "no $bak/aliases.bak" + cp -p /etc/mail/aliases $bak/aliases.bak || rc=3 + fi + + if ! cmp -s $bak/aliases.bak /etc/mail/aliases + then + [ $rc -lt 1 ] && rc=1 + echo "$host aliases diffs:" + diff -u $bak/aliases.bak /etc/mail/aliases + mv $bak/aliases.bak $bak/aliases.bak2 + cp -p /etc/mail/aliases $bak/aliases.bak || rc=3 + fi + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/300.calendar =================================================================== --- head/usr.sbin/periodic/etc/daily/300.calendar +++ head/usr.sbin/periodic/etc/daily/300.calendar @@ -0,0 +1,29 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# `calendar -a' needs to die. Why? Because it's a bad idea, particular +# with networked home directories, but also in general. If you want the +# output of `calendar' mailed to you, set up a cron job to do it, +# or run it from your ~/.profile or ~/.login. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_calendar_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Running calendar:" + + calendar -a && rc=0 || rc=3;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/310.accounting =================================================================== --- head/usr.sbin/periodic/etc/daily/310.accounting +++ head/usr.sbin/periodic/etc/daily/310.accounting 
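Review bot: The first-run branch (`! -f $bak/aliases.bak`) prints `no $bak/aliases.bak` but leaves `rc=0`, whereas the equivalent branch of 200.backup-passwd in this change sets `rc=1`; since periodic(8) decides from the exit code whether a script's output is shown, this message is probably only visible when success output is enabled. Adding `[ $rc -lt 1 ] && rc=1` there, as the `cmp` branch below it already does, makes the two backup scripts consistent.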
@@ -0,0 +1,65 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_accounting_enable" in + [Yy][Ee][Ss]) + if [ ! -f /var/account/acct ] + then + echo '$daily_accounting_enable is set but /var/account/acct' \ + "doesn't exist" + rc=2 + elif [ -z "$daily_accounting_save" ] + then + echo '$daily_accounting_enable is set but ' \ + '$daily_accounting_save is not' + rc=2 + else + echo "" + echo "Rotating accounting logs and gathering statistics:" + + cd /var/account + rc=0 + + n=$(( $daily_accounting_save - 1 )) + for f in acct.*; do + case "$f" in acct.\*) continue ;; esac # No files match + m=${f%.gz} ; m=${m#acct.} + [ $m -ge $n ] && { rm $f || rc=3; } + done + + m=$n + n=$(($n - 1)) + while [ $n -ge 0 ] + do + [ -f acct.$n.gz ] && { mv -f acct.$n.gz acct.$m.gz || rc=3; } + [ -f acct.$n ] && { mv -f acct.$n acct.$m || rc=3; } + m=$n + n=$(($n - 1)) + done + + /etc/rc.d/accounting rotate_log || rc=3 + + rm -f acct.merge && cp acct.0 acct.merge || rc=3 + sa -s $daily_accounting_flags /var/account/acct.merge || rc=3 + rm acct.merge + + case "$daily_accounting_compress" in + [Yy][Ee][Ss]) + gzip -f acct.0 || rc=3;; + esac + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/330.news =================================================================== --- head/usr.sbin/periodic/etc/daily/330.news +++ head/usr.sbin/periodic/etc/daily/330.news 
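Review bot: `cd /var/account` is unchecked, so if it fails every following `rm`, `mv -f` and `cp` runs against whatever the current directory happens to be; 120.clean-preserve and 140.clean-rwho in this same change guard their `cd` with `if cd ... then ... else rc=3; fi` and this script should do the same. `daily_accounting_save` is also used directly inside `$(( ... ))` after only an emptiness check, so a non-numeric value aborts the shell with an arithmetic error instead of producing the rc=2 bad-config report, and the trailing `rm acct.merge` should be `rm -f acct.merge` so a failed `cp` does not add a second error.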
@@ -0,0 +1,34 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Expire news articles +# (This is present only for backwards compatibility, usually the news +# system handles this on its own). + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_news_expire_enable" in + [Yy][Ee][Ss]) + if [ ! -f /etc/news.expire ] + then + echo '$daily_news_expire_enable is set but /etc/news.expire' \ + "doesn't exist" + rc=2 + else + echo "" + echo "Running news.expire:" + + /etc/news.expire && rc=0 || rc=3 + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/400.status-disks =================================================================== --- head/usr.sbin/periodic/etc/daily/400.status-disks +++ head/usr.sbin/periodic/etc/daily/400.status-disks @@ -0,0 +1,40 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_disks_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Disk status:" + + if [ -n "${daily_status_disks_ignore}" ] ; then + ignore="egrep -v ${daily_status_disks_ignore}" + else + ignore="cat" + fi + (df $daily_status_disks_df_flags | ${ignore}) && rc=1 || rc=3 + + # display which filesystems need backing up + if [ -s /etc/dumpdates ]; then + if ! [ -f /etc/fstab ]; then + export PATH_FSTAB=/dev/null + fi + + echo "" + dump W || rc=3 + fi + ;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/401.status-graid =================================================================== --- head/usr.sbin/periodic/etc/daily/401.status-graid +++ head/usr.sbin/periodic/etc/daily/401.status-graid 
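Review bot: The precondition is `! -f /etc/news.expire` but the file is then executed directly, so a present-but-non-executable file produces a failed exec and rc=3 with a misleading message; 500.queuerun in this change tests `-x` for exactly this case, and `[ ! -x /etc/news.expire ]` with a matching `isn't executable` message would align the two.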
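Review bot: In 400.status-disks, `(df $daily_status_disks_df_flags | ${ignore}) && rc=1 || rc=3` keys the result off the last command of the pipeline: `egrep -v` exits 1 when it filters out every line, so an ignore pattern that matches all filesystems yields rc=3 (error), while a failing `df` is masked whenever `egrep` still emits something. Capturing `df` first, `out=$(df $daily_status_disks_df_flags) || rc=3`, and then filtering `$out` separates the two outcomes. The `ignore="egrep -v ${daily_status_disks_ignore}"` string is re-split on use, so a pattern containing whitespace becomes several arguments; if that is intended it deserves a comment.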
@@ -0,0 +1,34 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_graid_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of graid(8) devices:' + + if graid status; then + components="$(graid status -s | fgrep -v OPTIMAL)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/404.status-zfs =================================================================== --- head/usr.sbin/periodic/etc/daily/404.status-zfs +++ head/usr.sbin/periodic/etc/daily/404.status-zfs @@ -0,0 +1,45 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_zfs_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of zfs pools:' + + case "$daily_status_zfs_zpool_list_enable" in + [Yy][Ee][Ss]) + lout=`zpool list` + echo "$lout" + echo + ;; + *) + ;; + esac + sout=`zpool status -x` + echo "$sout" + # zpool status -x always exits with 0, so we have to interpret its + # output to see what's going on. + if [ "$sout" = "all pools are healthy" \ + -o "$sout" = "no pools available" ]; then + rc=0 + else + rc=1 + fi + ;; + + *) + rc=0 + ;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/406.status-gmirror =================================================================== --- head/usr.sbin/periodic/etc/daily/406.status-gmirror +++ head/usr.sbin/periodic/etc/daily/406.status-gmirror 
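Review bot: In 404.status-zfs the health decision compares the `zpool status -x` text against two fixed English strings, so any change in the tool's wording (or a localised message) makes every run return rc=1; that direction is fail-safe, but the comment above the `if` should say so, e.g. `# Unknown wording is deliberately treated as unhealthy: a noisy report beats a missed degraded pool.` The `lout=\`zpool list\`` call is also unchecked, so if it fails the report just contains an empty line; `lout=$(zpool list) || echo "zpool list failed"` keeps the failure in the output.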
@@ -0,0 +1,34 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_gmirror_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of gmirror(8) devices:' + + if gmirror status; then + components="$(gmirror status -s | fgrep -v COMPLETE)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/407.status-graid3 =================================================================== --- head/usr.sbin/periodic/etc/daily/407.status-graid3 +++ head/usr.sbin/periodic/etc/daily/407.status-graid3 @@ -0,0 +1,34 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_graid3_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of graid3(8) devices:' + + if graid3 status; then + components="$(graid3 status -s | fgrep -v COMPLETE)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/408.status-gstripe =================================================================== --- head/usr.sbin/periodic/etc/daily/408.status-gstripe +++ head/usr.sbin/periodic/etc/daily/408.status-gstripe 
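Review bot: `gmirror status -s | fgrep -v COMPLETE` tests for the status word as a substring of the whole line, so a mirror or provider whose name contains `COMPLETE` is filtered out regardless of its real state and a degraded mirror could report rc=0. If `status -s` prints `name status component` per line (verify against gmirror(8)), testing the status field, `awk '$2 != "COMPLETE"'`, removes the false negative; the same template is copied into 407, 408 and 409 below, which argues for one shared snippet rather than four copies to fix.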
@@ -0,0 +1,34 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_gstripe_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of gstripe(8) devices:' + + if gstripe status; then + components="$(gstripe status -s | fgrep -v UP)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/409.status-gconcat =================================================================== --- head/usr.sbin/periodic/etc/daily/409.status-gconcat +++ head/usr.sbin/periodic/etc/daily/409.status-gconcat @@ -0,0 +1,34 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_gconcat_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of gconcat(8) devices:' + + if gconcat status; then + components="$(gconcat status -s | fgrep -v UP)" + if [ "${components}" ]; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/410.status-mfi =================================================================== --- head/usr.sbin/periodic/etc/daily/410.status-mfi +++ head/usr.sbin/periodic/etc/daily/410.status-mfi 
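Review bot: `fgrep -v UP` in 408.status-gstripe is a much riskier form of the substring check used by the gmirror/graid3 scripts: two letters that can easily occur inside a provider name (a stripe named after a `BACKUP` volume, say), in which case every line of `gstripe status -s` is discarded and a broken stripe yields rc=0. Match on the status field instead of the whole line, `awk '$2 != "UP"'` if `status -s` prints `name status component` per line (confirm with gstripe(8)), or at least anchor the word with `grep -vw UP`.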
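Review bot: 409.status-gconcat has the same weakness as 408.status-gstripe: `fgrep -v UP` drops any line containing the letters `UP` anywhere, so a gconcat device or component whose name contains them is treated as healthy whatever its state. Use a field test such as `awk '$2 != "UP"'` (after confirming the `gconcat status -s` column layout) or `grep -vw UP`.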
@@ -0,0 +1,33 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_mfi_enable" in + [Yy][Ee][Ss]) + echo + echo 'Checking status of mfi(4) devices:' + + if mfiutil show volumes; then + if mfiutil show volumes | grep -q DEGRADED; then + rc=3 + else + rc=0 + fi + else + rc=2 + fi + ;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/420.status-network =================================================================== --- head/usr.sbin/periodic/etc/daily/420.status-network +++ head/usr.sbin/periodic/etc/daily/420.status-network @@ -0,0 +1,31 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_network_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Network interface status:" + + flags="${daily_status_network_netstat_flags}" + case "$daily_status_network_usedns" in + [Yy][Ee][Ss]) + ;; + *) + flags="${flags} -n";; + esac + netstat -i ${flags} && rc=0 || rc=3;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/430.status-uptime =================================================================== --- head/usr.sbin/periodic/etc/daily/430.status-uptime +++ head/usr.sbin/periodic/etc/daily/430.status-uptime 
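Review bot: `mfiutil show volumes` is invoked twice and only the first invocation's exit status is checked; if the second fails, `grep -q DEGRADED` sees no output and the script reports rc=0 (healthy). Run it once and reuse the text: `if vols=$(mfiutil show volumes); then echo "$vols"; case "$vols" in *DEGRADED*) rc=3;; *) rc=0;; esac; else rc=2; fi`. Only the word `DEGRADED` is treated as unhealthy; whether mfiutil reports other non-optimal states is not visible here and is worth confirming against mfiutil(8).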
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_uptime_enable" in
+ [Yy][Ee][Ss])
+ rwho=$(echo /var/rwho/*)
+ if [ -f "${rwho%% *}" ]
+ then
+ echo ""
+ echo "Local network system status:"
+ prog=ruptime
+ else
+ echo ""
+ echo "Local system status:"
+ prog=uptime
+ fi
+ rc=$($prog | tee /dev/stderr | wc -l)
+ if [ $? -eq 0 ]
+ then
+ [ $rc -gt 1 ] && rc=1
+ else
+ rc=3
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
Index: head/usr.sbin/periodic/etc/daily/440.status-mailq
===================================================================
--- head/usr.sbin/periodic/etc/daily/440.status-mailq
+++ head/usr.sbin/periodic/etc/daily/440.status-mailq
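Review bot: The `if [ $? -eq 0 ]` after `rc=$($prog | tee /dev/stderr | wc -l)` tests the exit status of the command substitution, which is that of `wc -l`, not of `$prog`; a failing `ruptime`/`uptime` therefore never reaches the `rc=3` branch. Run the program first so its status is observable: `if out=$($prog); then rc=$(printf '%s\n' "$out" | tee /dev/stderr | wc -l); [ $rc -gt 1 ] && rc=1; else rc=3; fi`.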
@@ -0,0 +1,66 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_mailq_enable" in + [Yy][Ee][Ss]) + if [ ! -x /usr/bin/mailq ] + then + echo '$daily_status_mailq_enable is set but /usr/bin/mailq' \ + "isn't executable" + rc=2 + else + echo "" + echo "Mail in local queue:" + + rc=$(case "$daily_status_mailq_shorten" in + [Yy][Ee][Ss]) + mailq | + egrep -e '^[[:space:]]+[^[:space:]]+@' | + sort | + uniq -c | + sort -nr | + awk '$1 >= 1 {print $1, $2}';; + *) + mailq;; + esac | tee /dev/stderr | + egrep -v '(mqueue is empty|Total requests)' | wc -l) + [ $rc -gt 0 ] && rc=1 || rc=0 + + case "$daily_status_include_submit_mailq" in + [Yy][Ee][Ss]) + if [ -f /etc/mail/submit.cf ] + then + echo "" + echo "Mail in submit queue:" + + rc_submit=$(case "$daily_status_mailq_shorten" in + [Yy][Ee][Ss]) + mailq -Ac | + egrep -e '^[[:space:]]+[^[:space:]]+@' | + sort | + uniq -c | + sort -nr | + awk '$1 >= 1 {print $1, $2}';; + *) + mailq -Ac;; + esac | tee /dev/stderr | + egrep -v '(mqueue is empty|Total requests)' | wc -l) + [ $rc_submit -gt 0 ] && rc=1 + fi;; + esac + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/450.status-security =================================================================== --- head/usr.sbin/periodic/etc/daily/450.status-security +++ head/usr.sbin/periodic/etc/daily/450.status-security 
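Review bot: The `mailq` and `mailq -Ac` pipelines are two near-identical twelve-line copies differing only in the flag, and in both the exit status of `mailq` is lost inside `$( ... | wc -l)`, so a failing `mailq` reads as an empty queue (rc=0). A small function taking the extra flags as `"$@"` removes the duplication and gives one place to add a check of `mailq` itself; the `awk '$1 >= 1 {print $1, $2}'` filter is also a no-op, since `uniq -c` never emits a count below 1, and can be `awk '{print $1, $2}'`.
```shell
# Print the queue (summarised per address when shortening is on) and emit
# the number of queue lines; extra arguments are passed through to mailq(1).
queue_lines() {
	case "$daily_status_mailq_shorten" in
	[Yy][Ee][Ss])
		mailq "$@" |
		    egrep -e '^[[:space:]]+[^[:space:]]+@' |
		    sort | uniq -c | sort -nr |
		    awk '{print $1, $2}';;
	*)
		mailq "$@";;
	esac | tee /dev/stderr |
	    egrep -v '(mqueue is empty|Total requests)' | wc -l
}

# … unchanged: enable/-x checks and section headings …
rc=$(queue_lines)
[ $rc -gt 0 ] && rc=1 || rc=0
# … unchanged: daily_status_include_submit_mailq / submit.cf checks …
rc_submit=$(queue_lines -Ac)
[ $rc_submit -gt 0 ] && rc=1
```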
@@ -0,0 +1,47 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$daily_status_security_inline" in + [Yy][Ee][Ss]) + daily_status_security_output="";; + esac + + export security_output="${daily_status_security_output}" + rc=0 + case "${daily_status_security_output}" in + "") + if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` + then + periodic security > $tempfile || rc=3 + if [ -s "$tempfile" ]; then + cat "$tempfile" + rc=3 + fi + rm -f "$tempfile" + fi;; + /*) + echo " (output logged separately)" + periodic security || rc=3;; + *) + echo " (output mailed separately)" + periodic security || rc=3;; + esac;; + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/460.status-mail-rejects =================================================================== --- head/usr.sbin/periodic/etc/daily/460.status-mail-rejects +++ head/usr.sbin/periodic/etc/daily/460.status-mail-rejects 
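Review bot: The inline branch writes the whole security report to `mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` and removes it only on the normal path; an interrupted or killed `periodic security` leaves a file with setuid diffs, login failures and the like behind in `$TMPDIR`. Register the cleanup as soon as `mktemp` succeeds: `trap 'rm -f "$tempfile"' EXIT HUP INT TERM`. `$tempfile` is also unquoted in the `periodic security > $tempfile` redirect, so a `TMPDIR` containing whitespace breaks it; quote it as the later `-s "$tempfile"` test does.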
@@ -0,0 +1,73 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_mail_rejects_shorten" in +[Yy][Ee][Ss]) shorten='cut -d" " -f2,3';; +*) shorten=cat;; +esac + +case "$daily_status_mail_rejects_enable" in + [Yy][Ee][Ss]) + if [ ! -d /etc/mail ] + then + echo '$daily_status_mail_rejects_enable is set but /etc/mail' \ + "doesn't exist" + rc=2 + elif [ ! -f /var/log/maillog ] + then + echo '$daily_status_mail_rejects_enable is set but ' \ + "/var/log/maillog doesn't exist" + rc=2 + elif [ "$daily_status_mail_rejects_logs" -le 0 ] + then + echo '$daily_status_mail_rejects_enable is set but ' \ + '$daily_status_mail_rejects_logs is not greater than zero' + rc=2 + else + echo + echo Checking for rejected mail hosts: + + yesterday=$(date -v-1d '+%b %e') + today=$(date '+%b %e') + n=$(($daily_status_mail_rejects_logs - 2)) + rc=$({ + while [ $n -ge 0 ] + do + if [ -f /var/log/maillog.$n ] + then + cat /var/log/maillog.$n + elif [ -f /var/log/maillog.$n.gz ] + then + zcat -fc /var/log/maillog.$n.gz + elif [ -f /var/log/maillog.$n.bz2 ] + then + bzcat -fc /var/log/maillog.$n.bz2 + fi + n=$(($n - 1)) + done + cat /var/log/maillog + } | sed -Ene "/^$today/q" -e "/^$yesterday/{"' + s/.*ruleset=check_relay,.* relay=([^,]+), reject=([^ ]*).*/\2 check_relay \1/p + t end + s/.*ruleset=check_rcpt,.* arg1=,]+).* reject=([^ ]+) .* ([^ ]+)/\2 check_rcpt \1 \3/p + t end + s/.*ruleset=check_([^,]+),.* arg1=,]+).* reject=([^ ]+) .* ([^ ]+)/\4 check_\1 \3 \5/p + :end + }' | eval $shorten | sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l) + [ $rc -gt 0 ] && rc=1 + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/480.leapfile-ntpd =================================================================== --- head/usr.sbin/periodic/etc/daily/480.leapfile-ntpd +++ 
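Review bot: `[ "$daily_status_mail_rejects_logs" -le 0 ]` only rejects zero and negative numbers; when the knob is empty or non-numeric I believe `test` prints a diagnostic and returns false, so the script falls through into the main branch where `n=$(($daily_status_mail_rejects_logs - 2))` is evaluated with an empty operand. A `case "$daily_status_mail_rejects_logs" in ''|*[!0-9]*|0) ... rc=2;; esac` guard in place of the `-le 0` test is the robust form. As rendered here the `sed` script also contains `arg1=,]+)`, which is not a valid ERE fragment and looks like an angle-bracketed capture group lost in the page's HTML conversion; check it against the repository copy rather than this listing.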
head/usr.sbin/periodic/etc/daily/480.leapfile-ntpd
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_ntpd_leapfile_enable" in
+ [Yy][Ee][Ss])
+ if service ntpd oneneedfetch; then
+ anticongestion
+ service ntpd onefetch
+ fi
+ ;;
+esac
+
+exit $rc
Index: head/usr.sbin/periodic/etc/daily/480.status-ntpd
===================================================================
--- head/usr.sbin/periodic/etc/daily/480.status-ntpd
+++ head/usr.sbin/periodic/etc/daily/480.status-ntpd
@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+rc=0
+
+case "$daily_status_ntpd_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "NTP status:"
+
+ synchronized=$(ntpq -pn | tee /dev/stderr | grep '^\*')
+ if [ -z "$synchronized" ]; then
+ rc=1
+ fi
+ ;;
+esac
+
+exit $rc
Index: head/usr.sbin/periodic/etc/daily/500.queuerun
===================================================================
--- head/usr.sbin/periodic/etc/daily/500.queuerun
+++ head/usr.sbin/periodic/etc/daily/500.queuerun
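Review bot: `rc` is never assigned in 480.leapfile-ntpd, so `exit $rc` expands to a bare `exit` and the script's status is whatever the last command returned: 0 when the knob is off, but the raw exit code of `service ntpd onefetch` when a leapfile fetch fails, which periodic(8) would then read under its own 0/1/2/3 conventions. Initialise `rc=0` before the `case` and record the fetch result explicitly, `service ntpd onefetch || rc=3`. `anticongestion` is presumably a helper provided by the sourced periodic.conf; nothing in this file defines it, and a one-line comment naming where it comes from would help.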
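Review bot: In 480.status-ntpd, `ntpq -pn | tee /dev/stderr | grep '^\*'` makes an unreachable or stopped `ntpd` (no `ntpq` output at all) indistinguishable from a running-but-unsynchronised one: both end as rc=1 informational. If that distinction matters to operators, test `ntpq` separately, `out=$(ntpq -pn) || rc=3`, before grepping `$out`, and a comment on the `grep '^\*'` line saying that `*` marks the selected system peer would make the check self-explanatory.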
@@ -0,0 +1,36 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_queuerun_enable" in + [Yy][Ee][Ss]) + if [ ! -x /usr/sbin/sendmail ] + then + echo '$daily_queuerun_enable is set but /usr/sbin/sendmail' \ + "isn't executable" + rc=2 + else + /usr/sbin/sendmail -q >/dev/null 2>&1 & + case "$daily_submit_queuerun" in + [Yy][Ee][Ss]) + if [ -f /etc/mail/submit.cf ] + then + /usr/sbin/sendmail -q -Ac >/dev/null 2>&1 & + fi;; + esac + rc=0 + fi;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/510.status-world-kernel =================================================================== --- head/usr.sbin/periodic/etc/daily/510.status-world-kernel +++ head/usr.sbin/periodic/etc/daily/510.status-world-kernel @@ -0,0 +1,36 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Check that the running userland and kernel versions are in sync. + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_status_world_kernel" in + [Yy][Ee][Ss]) + rc=0 + _U=$(/usr/bin/uname -U 2>/dev/null) + _K=$(/usr/bin/uname -K 2>/dev/null) + [ -z "${_U}" -o -z "${_K}" ] && exit 0 + echo "" + echo "Checking userland and kernel versions:" + if [ "${_U}" != "${_K}" ]; then + echo "Userland and kernel are not in sync" + echo "Userland version: ${_U}" + echo "Kernel version: ${_K}" + rc=1 + else + echo "Userland and kernel are in sync." + fi + ;; + + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/800.scrub-zfs =================================================================== --- head/usr.sbin/periodic/etc/daily/800.scrub-zfs +++ head/usr.sbin/periodic/etc/daily/800.scrub-zfs 
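Review bot: Both `sendmail -q` invocations in 500.queuerun are backgrounded with all output discarded and `rc=0` is set unconditionally, so a queue run that fails can never be reported; that looks intentional (the queue run should not hold up the rest of the daily run) but nothing says so. A one-line comment above the first invocation, `# Queue runs can take a long time: detach them and deliberately ignore the result.`, would keep the next reader from "fixing" it.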
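Review bot: The enabling knob in 510.status-world-kernel is `daily_status_world_kernel`, the only one in this set without the `_enable` suffix every other script uses (`daily_status_disks_enable`, `daily_status_ntpd_enable`, …), which is easy to misspell in periodic.conf and silently disables the check; renaming would break existing configurations, so the least disruptive option is to accept both, `case "${daily_status_world_kernel_enable:-$daily_status_world_kernel}" in`, and document the new name. The silent `exit 0` when `uname -U`/`uname -K` print nothing is also uncommented; if it is deliberate support for a uname without those flags, a comment saying so belongs on that line.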
@@ -0,0 +1,110 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# + +newline=" +" # A single newline + +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +: ${daily_scrub_zfs_default_threshold=35} + +case "$daily_scrub_zfs_enable" in + [Yy][Ee][Ss]) + echo + echo 'Scrubbing of zfs pools:' + + if [ -z "${daily_scrub_zfs_pools}" ]; then + daily_scrub_zfs_pools="$(zpool list -H -o name)" + fi + + rc=0 + for pool in ${daily_scrub_zfs_pools}; do + # sanity check + _status=$(zpool list "${pool}" 2> /dev/null) + if [ $? -ne 0 ]; then + rc=2 + echo " WARNING: pool '${pool}' specified in" + echo " '/etc/periodic.conf:daily_scrub_zfs_pools'" + echo " does not exist" + continue + fi + _status=${_status##*$newline} + case ${_status} in + *FAULTED*) + rc=3 + echo "Skipping faulted pool: ${pool}" + continue ;; + *UNAVAIL*) + rc=4 + echo "Skipping unavailable pool: ${pool}" + continue ;; + esac + + # determine how many days shall be between scrubs + eval _pool_threshold=\${daily_scrub_zfs_$(echo "${pool}"|tr ".:-" "_")_threshold} + if [ -z "${_pool_threshold}" ];then + _pool_threshold=${daily_scrub_zfs_default_threshold} + fi + + _last_scrub=$(zpool history ${pool} | \ + egrep "^[0-9\.\:\-]{19} zpool scrub ${pool}\$" | tail -1 |\ + cut -d ' ' -f 1) + if [ -z "${_last_scrub}" ]; then + # creation time of the pool if no scrub was done + _last_scrub=$(zpool history ${pool} | \ + sed -ne '2s/ .*$//p') + fi + if [ -z "${_last_scrub}" ]; then + echo " skipping scrubbing of pool '${pool}':" + echo " can't get last scrubbing date" + continue + fi + + # Now minus last scrub (both in seconds) converted to days. 
+ _scrub_diff=$(expr -e \( $(date +%s) - \ + $(date -j -v -70M -f %F.%T ${_last_scrub} +%s) \) / 60 / 60 / 24) + if [ ${_scrub_diff} -lt ${_pool_threshold} ]; then + echo " skipping scrubbing of pool '${pool}':" + echo " last scrubbing is ${_scrub_diff} days ago, threshold is set to ${_pool_threshold} days" + continue + fi + + _status="$(zpool status ${pool} | grep scan:)" + case "${_status}" in + *"scrub in progress"*) + echo " scrubbing of pool '${pool}' already in progress, skipping:" + ;; + *"resilver in progress"*) + echo " resilvering of pool '${pool}' is in progress, skipping:" + ;; + *"none requested"*) + echo " starting first scrub (since reboot) of pool '${pool}':" + zpool scrub ${pool} + [ $rc -eq 0 ] && rc=1 + ;; + *) + echo " starting scrub of pool '${pool}':" + zpool scrub ${pool} + [ $rc -eq 0 ] && rc=1 + ;; + esac + + echo " consult 'zpool status ${pool}' for the result" + done + ;; + + *) + rc=0 + ;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/daily/999.local =================================================================== --- head/usr.sbin/periodic/etc/daily/999.local +++ head/usr.sbin/periodic/etc/daily/999.local 
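Review bot: `eval _pool_threshold=\${daily_scrub_zfs_$(echo "${pool}"|tr ".:-" "_")_threshold}` builds shell code from a pool name after translating only `.`, `:` and `-`; any other character zpool(8) accepts in a name but sh does not in a variable name (I have not checked the exact set) turns this into a syntax error or, worse, arbitrary code run as root from whatever named the pool. Whitelist before the `eval`: `case "${pool}" in *[!A-Za-z0-9_.:-]*) echo " skipping pool '${pool}': unsupported characters in name"; continue;; esac`. `zpool scrub ${pool}` is also unchecked, so a refused scrub still sets rc=1 under a "starting scrub" message; `zpool scrub "${pool}" || rc=3` would report it. The `-v -70M` adjustment applied to the last-scrub timestamp carries no comment; if it exists to keep a daily run from landing just short of the threshold, say so inline.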
@@ -0,0 +1,43 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Run the old /etc/daily.local script. This is really for backwards +# compatibility more than anything else. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 +for script in $daily_local +do + echo '' + case "$script" in + /*) + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] + then + echo "Running $script:" + + sh $script || rc=3 + else + echo "$script: No such file" + [ $rc -lt 2 ] && rc=2 + fi;; + *) + echo "$script: Not an absolute path" + [ $rc -lt 2 ] && rc=2;; + esac +done + +exit $rc Index: head/usr.sbin/periodic/etc/daily/Makefile =================================================================== --- head/usr.sbin/periodic/etc/daily/Makefile +++ head/usr.sbin/periodic/etc/daily/Makefile 
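Review bot: Every path in `$daily_local` is executed with root privileges on the strength of `-x`/`-f` alone; nothing checks that the file is owned by root or that it is not group/world-writable, so a writable `/etc/daily.local` is a direct privilege-escalation path. Refuse unsafe files before the `Running $script:` echo, e.g. `if [ -n "$(find "$script" -prune \( ! -user root -o -perm +022 \))" ]; then echo "$script: not root-owned or writable by others, skipping"; rc=3; continue; fi` (find(1)'s `+mode` form is assumed here; confirm it is supported). The `$script` and `sh $script` invocations are also unquoted while the tests use `"$script"`; quoting both keeps a path with whitespace from splitting.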
@@ -0,0 +1,61 @@ +# $FreeBSD$ + +.include + +CONFGROUPS= CONFS + +CONFS= 100.clean-disks \ + 110.clean-tmps \ + 120.clean-preserve \ + 140.clean-rwho \ + 200.backup-passwd \ + 210.backup-aliases \ + 330.news \ + 400.status-disks \ + 401.status-graid \ + 406.status-gmirror \ + 407.status-graid3 \ + 408.status-gstripe \ + 409.status-gconcat \ + 410.status-mfi \ + 420.status-network \ + 430.status-uptime \ + 450.status-security \ + 510.status-world-kernel \ + 999.local + +# NB: keep these sorted by MK_* knobs + +.if ${MK_ACCT} != "no" +CONFGROUPS+= ACCT +ACCT+= 310.accounting +ACCTMODE= ${BINMODE} +ACCTPACKAGE= acct +.endif + +.if ${MK_CALENDAR} != "no" +CONFS+= 300.calendar +.endif + +.if ${MK_MAIL} != "no" +CONFS+= 130.clean-msgs +.endif + +.if ${MK_NTP} != "no" +CONFS+= 480.status-ntpd \ + 480.leapfile-ntpd +.endif + +.if ${MK_SENDMAIL} != "no" +CONFS+= 150.clean-hoststat \ + 440.status-mailq \ + 460.status-mail-rejects \ + 500.queuerun +.endif + +.if ${MK_ZFS} != "no" +CONFS+= 404.status-zfs \ + 800.scrub-zfs +.endif + +.include Index: head/usr.sbin/periodic/etc/monthly/200.accounting =================================================================== --- head/usr.sbin/periodic/etc/monthly/200.accounting +++ head/usr.sbin/periodic/etc/monthly/200.accounting 
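Review bot: The `ACCT` group sets `ACCTMODE` and `ACCTPACKAGE` but, unlike the monthly Makefile in this same change which also sets `ACCTDIR= /etc/periodic/monthly`, no `ACCTDIR`; unless a Makefile.inc above this directory supplies a default (not visible here), `310.accounting` is installed somewhere other than the `CONFS` files. Either add `ACCTDIR= /etc/periodic/daily` for symmetry or add a comment stating where the default comes from. The two `.include` lines have lost their file names in this rendering, so that part should be checked against the repository.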
@@ -0,0 +1,51 @@ +#!/bin/sh - +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +oldmask=$(umask) +umask 066 +case "$monthly_accounting_enable" in + [Yy][Ee][Ss]) + W=/var/log/utx.log + rc=0 + remove=NO + if [ ! -f $W.0 ] + then + if [ -f $W.0.gz ] + then + remove=YES + zcat $W.0.gz > $W.0 || rc=1 + elif [ -f $W.0.bz2 ] + then + remove=YES + bzcat $W.0.bz2 > $W.0 || rc=1 + else + echo '$monthly_accounting_enable is set but' \ + "$W.0 doesn't exist" + rc=2 + fi + fi + if [ $rc -eq 0 ] + then + echo "" + echo "Doing login accounting:" + + rc=$(ac -p -w $W.0 | sort -nr -k 2 | tee /dev/stderr | wc -l) + [ $rc -gt 0 ] && rc=1 + fi + [ $remove = YES ] && rm -f $W.0;; + + *) rc=0;; +esac + +umask $oldmask +exit $rc Index: head/usr.sbin/periodic/etc/monthly/450.status-security =================================================================== --- head/usr.sbin/periodic/etc/monthly/450.status-security +++ head/usr.sbin/periodic/etc/monthly/450.status-security 
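Review bot: When the rotated log is only available compressed, the script expands it to `$W.0` and removes that copy at the end, but an interrupted run leaves the decompressed login-accounting data in `/var/log`; a `trap '[ "$remove" = YES ] && rm -f "$W.0"' EXIT` set right after `remove=YES` covers that. The `umask 066` is the right idea for the temporary copy and deserves a comment, `# keep the temporary $W.0 unreadable by other users`. As in the other status scripts, `rc=$(ac -p -w $W.0 | ... | wc -l)` drops `ac`'s own exit status, so a failing `ac` reports rc=0 with an empty section.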
@@ -0,0 +1,47 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$monthly_status_security_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Security check:" + + case "$monthly_status_security_inline" in + [Yy][Ee][Ss]) + monthly_status_security_output="";; + esac + + export security_output="${monthly_status_security_output}" + rc=0 + case "${monthly_status_security_output}" in + "") + if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` + then + periodic security > $tempfile || rc=3 + if [ -s "$tempfile" ]; then + cat "$tempfile" + rc=3 + fi + rm -f "$tempfile" + fi;; + /*) + echo " (output logged separately)" + periodic security || rc=3;; + *) + echo " (output mailed separately)" + periodic security || rc=3;; + esac;; + *) rc=0;; +esac + +exit $rc Index: head/usr.sbin/periodic/etc/monthly/999.local =================================================================== --- head/usr.sbin/periodic/etc/monthly/999.local +++ head/usr.sbin/periodic/etc/monthly/999.local @@ -0,0 +1,40 @@ +#!/bin/sh - +# +# $FreeBSD$ +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +rc=0 +for script in $monthly_local +do + echo '' + case "$script" in + /*) + if [ -x "$script" ] + then + echo "Running $script:" + + $script || rc=3 + elif [ -f "$script" ] + then + echo "Running $script:" + + sh $script || rc=3 + else + echo "$script: No such file" + [ $rc -lt 2 ] && rc=2 + fi;; + *) + echo "$script: Not an absolute path" + [ $rc -lt 2 ] && rc=2;; + esac +done + +exit $rc Index: head/usr.sbin/periodic/etc/monthly/Makefile =================================================================== --- head/usr.sbin/periodic/etc/monthly/Makefile +++ head/usr.sbin/periodic/etc/monthly/Makefile 
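Review bot: monthly/450.status-security is a copy of daily/450.status-security with `daily_` renamed to `monthly_`, including the `mktemp` temp file that is removed only on the success path; the same `trap 'rm -f "$tempfile"' EXIT HUP INT TERM` belongs right after `mktemp` here, and `$tempfile` should be quoted in the `periodic security > $tempfile` redirect. Longer term the shared body could live in one sourced helper parameterised by period, so a fix to one copy cannot be missed in the other.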
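Review bot: As in daily/999.local, each `$monthly_local` entry is run as root after only an `-x`/`-f` test; there is no ownership or writability check, so a group/world-writable script in that list is a privilege-escalation vector. A `find "$script" -prune \( ! -user root -o -perm +022 \)` refusal before `Running $script:` (find's `+mode` form assumed; confirm) closes it, and `$script`/`sh $script` should be quoted like the tests above them.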
@@ -0,0 +1,20 @@
+# $FreeBSD$
+
+.include
+
+CONFGROUPS= CONFS
+
+CONFS= 450.status-security \
+ 999.local
+
+# NB: keep these sorted by MK_* knobs
+
+.if ${MK_UTMPX} != "no"
+CONFGROUPS+= ACCT
+ACCT+= 200.accounting
+ACCTDIR= /etc/periodic/monthly
+ACCTMODE= ${BINMODE}
+ACCTPACKAGE= acct
+.endif
+
+.include
Index: head/usr.sbin/periodic/etc/security/100.chksetuid
===================================================================
--- head/usr.sbin/periodic/etc/security/100.chksetuid
+++ head/usr.sbin/periodic/etc/security/100.chksetuid
@@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. /etc/periodic/security/security.functions
+
+security_daily_compat_var security_status_chksetuid_enable
+
+rc=0
+
+if check_yesno_period security_status_chksetuid_enable
+then
+ echo ""
+ echo 'Checking setuid files and devices:'
+ IFS=$'\n' # Don't split mount points with spaces or tabs
+ MP=`mount -t ufs,zfs | awk '
+ $0 !~ /no(suid|exec)/ {
+ sub(/^.* on \//, "/");
+ sub(/ \(.*\)/, "");
+ print $0
+ }'`
+ find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \
+ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
+ \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
+ check_diff setuid - "${host} setuid diffs:"
+ rc=$?
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/110.neggrpperm
===================================================================
--- head/usr.sbin/periodic/etc/security/110.neggrpperm
+++ head/usr.sbin/periodic/etc/security/110.neggrpperm
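Review bot: The awk filter `$0 !~ /no(suid|exec)/` that builds `$MP` is applied to the whole mount(8) line, so a filesystem whose device or mount point merely contains the text "nosuid" or "noexec" (a ZFS dataset name, for example) is dropped from the setuid scan even though its option list does not carry that flag, and nothing in the report indicates the omission. Restricting the test to the parenthesised option list, e.g. `$0 !~ /\([^)]*no(suid|exec)/ {`, keeps path names from steering which filesystems are audited. The identical filter is repeated in 110.neggrpperm in the next hunk, so the two should change together.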
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+security_daily_compat_var security_status_neggrpperm_enable
+
+rc=0
+
+if check_yesno_period security_status_neggrpperm_enable
+then
+ echo ""
+ echo 'Checking negative group permissions:'
+ IFS=$'\n' # Don't split mount points with spaces or tabs
+ MP=`mount -t ufs,zfs | awk '
+ $0 !~ /no(suid|exec)/ {
+ sub(/^.* on \//, "/");
+ sub(/ \(.*\)/, "");
+ print $0
+ }'`
+ n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \
+ \( \( ! -perm +010 -and -perm +001 \) -or \
+ \( ! -perm +020 -and -perm +002 \) -or \
+ \( ! -perm +040 -and -perm +004 \) \) \
+ -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/200.chkmounts
===================================================================
--- head/usr.sbin/periodic/etc/security/200.chkmounts
+++ head/usr.sbin/periodic/etc/security/200.chkmounts
@@ -0,0 +1,65 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show changes in the way filesystems are mounted
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. /etc/periodic/security/security.functions
+
+security_daily_compat_var security_status_chkmounts_enable
+security_daily_compat_var security_status_chkmounts_ignore
+security_daily_compat_var security_status_noamd
+
+ignore="${security_status_chkmounts_ignore}"
+rc=0
+
+if check_yesno_period security_status_chkmounts_enable
+then
+ case "$security_status_noamd" in
+ [Yy][Ee][Ss])
+ ignore="${ignore}|^amd:"
+ esac
+ [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+ if ! [ -f /etc/fstab ]; then
+ export PATH_FSTAB=/dev/null
+ fi
+ mount -p | sort | ${cmd} |
+ check_diff mount - "${host} changes in mounted filesystems:"
+ rc=$?
+fi
+
+exit "$rc"
Index: head/usr.sbin/periodic/etc/security/300.chkuid0
===================================================================
--- head/usr.sbin/periodic/etc/security/300.chkuid0
+++ head/usr.sbin/periodic/etc/security/300.chkuid0
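Review bot: `cmd="egrep -v ${ignore#|}"` followed by the unquoted `${cmd}` in `mount -p | sort | ${cmd} |` relies on word splitting to separate the command from its pattern, so a `security_status_chkmounts_ignore` value containing whitespace is split into several egrep arguments (the surplus pieces become file names and egrep stops reading the pipe), and characters such as `*` in the pattern are also exposed to pathname expansion; the check would then compare against the wrong input without any error in the report. Keeping the pattern in its own quoted variable avoids both, for example replacing the `${cmd}` stage with `if [ -n "$ignore" ]; then egrep -v "${ignore#|}"; else cat; fi |`, which is a legal pipeline element in sh. The value comes from periodic.conf and so is administrator-supplied rather than fixed, which is why the quoting matters here.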
@@ -0,0 +1,54 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+security_daily_compat_var security_status_chkuid0_enable
+
+rc=0
+
+if check_yesno_period security_status_chkuid0_enable
+then
+ echo ""
+ echo 'Checking for uids of 0:'
+ n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
+ tee /dev/stderr |
+ sed -e '/^root 0$/d' -e '/^toor 0$/d' |
+ wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
+
+exit "$rc"
Index: head/usr.sbin/periodic/etc/security/400.passwdless
===================================================================
--- head/usr.sbin/periodic/etc/security/400.passwdless
+++ head/usr.sbin/periodic/etc/security/400.passwdless
@@ -0,0 +1,51 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+security_daily_compat_var security_status_passwdless_enable
+
+rc=0
+
+if check_yesno_period security_status_passwdless_enable
+then
+ echo ""
+ echo 'Checking for passwordless accounts:'
+ n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
+
+exit "$rc"
Index: head/usr.sbin/periodic/etc/security/410.logincheck
===================================================================
--- head/usr.sbin/periodic/etc/security/410.logincheck
+++ head/usr.sbin/periodic/etc/security/410.logincheck
@@ -0,0 +1,55 @@
+#!/bin/sh -
+#
+# Copyright (c) 2006 Tom Rhodes
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+security_daily_compat_var security_status_logincheck_enable
+
+rc=0
+
+if check_yesno_period security_status_logincheck_enable
+then
+ echo ""
+ echo 'Checking login.conf permissions:'
+ if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
+ n=0
+ else
+ echo "Bad ownership of /etc/login.conf"
+ n=1
+ fi
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
+
+exit "$rc"
Index: head/usr.sbin/periodic/etc/security/500.ipfwdenied
===================================================================
--- head/usr.sbin/periodic/etc/security/500.ipfwdenied
+++ head/usr.sbin/periodic/etc/security/500.ipfwdenied
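Review bot: `[ -G /etc/login.conf -a -O /etc/login.conf ]` only confirms that the file's owner and group equal the effective uid and gid of the process running the check, so a login.conf that is group- or world-writable still passes and is never reported, although the script announces itself as checking "permissions" and its failure message speaks of ownership alone. A mode test alongside the ownership one would cover the case that matters for a file consulted at every login, e.g. `[ -n "$(find /etc/login.conf -perm +022)" ] && n=1` with a matching message, using the same `+mode` find syntax that 110.neggrpperm in this commit already relies on. Note also that because `-O`/`-G` are relative to the caller, running the script as a non-root user reports "Bad ownership" for a correctly owned file; comparing against uid 0 explicitly (for instance via `stat -f %u`) would make the check independent of who invokes it.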
@@ -0,0 +1,54 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. /etc/periodic/security/security.functions
+
+security_daily_compat_var security_status_ipfwdenied_enable
+
+rc=0
+
+if check_yesno_period security_status_ipfwdenied_enable
+then
+ TMP=`mktemp -t security`
+ if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+ check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
+ fi
+ rc=$?
+ rm -f ${TMP}
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/510.ipfdenied
===================================================================
--- head/usr.sbin/periodic/etc/security/510.ipfdenied
+++ head/usr.sbin/periodic/etc/security/510.ipfdenied
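Review bot: `TMP=\`mktemp -t security\`` is never checked, so when mktemp fails TMP is empty, the `> ${TMP}` redirect cannot open its target, the `if` condition fails and the compound `if` then exits 0, leaving `rc=$?` at 0 and the ipfw output silently lost. 450.status-security in this same commit already guards its temporary file with `if tempfile=\`mktemp ...\``; the same discipline here would be `TMP=\`mktemp -t security\` || exit 3`, 3 being the value the other scripts in this commit use for a failed step. The identical unchecked call appears in 510.ipfdenied, 520.pfdenied and 550.ipfwlimit, while 610.ipf6denied spells the template out as `${TMPDIR:-/tmp}/security.XXXXXXXXXX`; a single helper in security.functions would let all five share one checked form.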
@@ -0,0 +1,54 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. /etc/periodic/security/security.functions
+
+security_daily_compat_var security_status_ipfdenied_enable
+
+rc=0
+
+if check_yesno_period security_status_ipfdenied_enable
+then
+ TMP=`mktemp -t security`
+ if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then
+ check_diff new_only ipf ${TMP} "${host} ipf denied packets:"
+ fi
+ rc=$?
+ rm -f ${TMP}
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/520.pfdenied
===================================================================
--- head/usr.sbin/periodic/etc/security/520.pfdenied
+++ head/usr.sbin/periodic/etc/security/520.pfdenied
@@ -0,0 +1,59 @@
+#!/bin/sh -
+#
+# Copyright (c) 2004 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. /etc/periodic/security/security.functions
+
+security_daily_compat_var security_status_pfdenied_enable
+
+rc=0
+
+if check_yesno_period security_status_pfdenied_enable
+then
+ TMP=`mktemp -t security`
+ for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null)
+ do
+ pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
+ done
+ if [ -s ${TMP} ]; then
+ check_diff new_only pf ${TMP} "${host} pf denied packets:"
+ fi
+ rc=$?
+ rm -f ${TMP}
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/550.ipfwlimit
===================================================================
--- head/usr.sbin/periodic/etc/security/550.ipfwlimit
+++ head/usr.sbin/periodic/etc/security/550.ipfwlimit
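Review bot: `pfctl -a ${_a} -sr -v -z` expands `${_a}` unquoted, and for the `""` entry the for loop deliberately puts first that word vanishes entirely, so pfctl receives `-a -sr -v -z`; since `-a` takes an argument, `-sr` is consumed as the anchor name and the main ruleset's block rules are never listed (and `-z` then zeroes counters under that bogus anchor name) unless pfctl special-cases this, which the hunk gives no reason to assume. Quoting the expansion is the whole fix: `pfctl -a "${_a}" -sr -v -z 2>/dev/null | \`. The anchors returned by `pfctl -a "blacklistd" -sA` are non-empty words and are unaffected either way.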
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ipfw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+security_daily_compat_var security_status_ipfwlimit_enable
+
+rc=0
+
+if check_yesno_period security_status_ipfwlimit_enable
+then
+ IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
+ if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
+ exit 0
+ fi
+ TMP=`mktemp -t security`
+ ipfw -a list | grep " log " | \
+ grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
+ awk \
+ '{if ($6 == "logamount") {
+ if ($2 > $7)
+ {print $0}}
+ }' > ${TMP}
+
+ if [ -s "${TMP}" ]; then
+ rc=1
+ echo ""
+ echo 'ipfw log limit reached:'
+ cat ${TMP}
+ fi
+ rm -f ${TMP}
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/610.ipf6denied
===================================================================
--- head/usr.sbin/periodic/etc/security/610.ipf6denied
+++ head/usr.sbin/periodic/etc/security/610.ipf6denied
@@ -0,0 +1,54 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. /etc/periodic/security/security.functions
+
+security_daily_compat_var security_status_ipf6denied_enable
+
+rc=0
+
+if check_yesno_period security_status_ipf6denied_enable
+then
+ TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
+ if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then
+ check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:"
+ fi
+ rc=$?
+ rm -f ${TMP}
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/700.kernelmsg
===================================================================
--- head/usr.sbin/periodic/etc/security/700.kernelmsg
+++ head/usr.sbin/periodic/etc/security/700.kernelmsg
@@ -0,0 +1,54 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show kernel log messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. /etc/periodic/security/security.functions
+
+security_daily_compat_var security_status_kernelmsg_enable
+
+rc=0
+
+if check_yesno_period security_status_kernelmsg_enable
+then
+ dmesg 2>/dev/null |
+ check_diff new_only dmesg - "${host} kernel log messages:"
+ rc=$?
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/800.loginfail
===================================================================
--- head/usr.sbin/periodic/etc/security/800.loginfail
+++ head/usr.sbin/periodic/etc/security/800.loginfail
@@ -0,0 +1,72 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show login failures
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_loginfail_enable
+
+LOG="${security_status_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+ find ${LOG} -name 'auth.log.*' -mtime -2 |
+ sort -t. -r -n -k 2,2 |
+ while read f
+ do
+ case $f in
+ *.gz) zcat -f $f;;
+ *.bz2) bzcat -f $f;;
+ esac
+ done
+ [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
+}
+
+rc=0
+
+if check_yesno_period security_status_loginfail_enable
+then
+ echo ""
+ echo "${host} login failures:"
+ n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/900.tcpwrap
===================================================================
--- head/usr.sbin/periodic/etc/security/900.tcpwrap
+++ head/usr.sbin/periodic/etc/security/900.tcpwrap
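Review bot: catmsgs() only handles `*.gz` and `*.bz2` rotations: any other file matched by `find ${LOG} -name 'auth.log.*'`, such as an uncompressed `auth.log.0` or one compressed with a method newsyslog supports other than these two, falls through the `case` with no default arm and is silently skipped, so failures logged into such a file are never counted even though the report claims to cover yesterday. A default arm `*) cat "$f";;` covers the uncompressed case, and the `find ${LOG}` / `[ -f ${LOG}/auth.log ]` / `cat $LOG/auth.log` uses should quote `$LOG`, which comes from `security_status_logdir` in the configuration. The same loop is duplicated in 900.tcpwrap's catmsgs() in the next hunk; moving it into security.functions would keep the two from drifting apart.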
@@ -0,0 +1,72 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show tcp_wrapper warning messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_tcpwrap_enable
+
+LOG="${security_status_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+ find ${LOG} -name 'messages.*' -mtime -2 |
+ sort -t. -r -n -k 2,2 |
+ while read f
+ do
+ case $f in
+ *.gz) zcat -f $f;;
+ *.bz2) bzcat -f $f;;
+ esac
+ done
+ [ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+rc=0
+
+if check_yesno_period security_status_tcpwrap_enable
+then
+ echo ""
+ echo "${host} refused connections:"
+ n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0
+fi
+
+exit $rc
Index: head/usr.sbin/periodic/etc/security/Makefile
===================================================================
--- head/usr.sbin/periodic/etc/security/Makefile
+++ head/usr.sbin/periodic/etc/security/Makefile
@@ -0,0 +1,38 @@
+# $FreeBSD$
+
+.include
+
+CONFGROUPS= CONFS DATA
+
+CONFS= 100.chksetuid \
+ 110.neggrpperm \
+ 200.chkmounts \
+ 300.chkuid0 \
+ 400.passwdless \
+ 410.logincheck \
+ 700.kernelmsg \
+ 800.loginfail
+DATA= security.functions
+DATAMODE= 444
+
+# NB: keep these sorted by MK_* knobs
+
+.if ${MK_IPFILTER} != "no"
+CONFS+= 510.ipfdenied
+CONFS+= 610.ipf6denied
+.endif
+
+.if ${MK_IPFW} != "no"
+CONFS+= 500.ipfwdenied \
+ 550.ipfwlimit
+.endif
+
+.if ${MK_PF} != "no"
+CONFS+= 520.pfdenied
+.endif
+
+.if ${MK_INETD} != "no" && ${MK_TCP_WRAPPERS} != "no"
+CONFS+= 900.tcpwrap
+.endif
+
+.include
Index: head/usr.sbin/periodic/etc/security/security.functions
===================================================================
--- head/usr.sbin/periodic/etc/security/security.functions
+++ head/usr.sbin/periodic/etc/security/security.functions
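Review bot: The counting pipeline `n=$(catmsgs | grep -i "^$yesterday.*refused connect" |` uses `grep -i` where the sibling 800.loginfail uses `egrep -ia`; without `-a`, a messages file containing NUL bytes (which an unclean shutdown can leave behind in /var/log) makes grep emit a single `Binary file (standard input) matches` line instead of the matching entries, so the report claims one refused connection and hides the actual peers. Changing it to `grep -ia "^$yesterday.*refused connect"` makes the two security scripts consistent and keeps the evidence visible. The catmsgs() helper also carries the same no-default `case` as 800.loginfail, so non-gz/bz2 rotated files are silently skipped here too.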
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a library file, so we only try to do something when sourced.
+case "$0" in
+*/security.functions) exit 0 ;;
+esac
+
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_diff_flags
+
+#
+# Show differences in the output of an audit command
+#
+
+LOG="${security_status_logdir}"
+rc=0
+
+# Usage: COMMAND | check_diff [new_only] LABEL - MSG
+# COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG
+# if $1 is new_only, show only the 'new' part of the diff.
+# LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files.
+
+check_diff() {
+ unset IFS
+ rc=0
+ if [ "$1" = "new_only" ]; then
+ shift
+ filter="grep '^[>+][^+]'"
+ else
+ filter="cat"
+ fi
+ label="$1"; shift
+ tmpf="$1"; shift
+ msg="$1"; shift
+
+ if [ "${tmpf}" = "-" ]; then
+ tmpf=`mktemp -t security`
+ cat > ${tmpf}
+ fi
+
+ if [ ! -f ${LOG}/${label}.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/${label}.today"
+ cp ${tmpf} ${LOG}/${label}.today || rc=3
+ fi
+
+ if ! cmp -s ${LOG}/${label}.today ${tmpf} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${msg}"
+ diff ${security_status_diff_flags} ${LOG}/${label}.today \
+ ${tmpf} | eval "${filter}"
+ mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
+ mv ${tmpf} ${LOG}/${label}.today || rc=3
+ fi
+
+ rm -f ${tmpf}
+ exit ${rc}
+}
Index: head/usr.sbin/periodic/etc/weekly/310.locate
===================================================================
--- head/usr.sbin/periodic/etc/weekly/310.locate
+++ head/usr.sbin/periodic/etc/weekly/310.locate
@@ -0,0 +1,32 @@
+#!/bin/sh -
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$weekly_locate_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Rebuilding locate database:"
+
+ locdb=/var/db/locate.database
+
+ touch $locdb && rc=0 || rc=3
+ chown nobody $locdb || rc=3
+ chmod 644 $locdb || rc=3
+
+ cd /
+ echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3
+ chmod 444 $locdb || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
Index: head/usr.sbin/periodic/etc/weekly/320.whatis
===================================================================
--- head/usr.sbin/periodic/etc/weekly/320.whatis
+++ head/usr.sbin/periodic/etc/weekly/320.whatis
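Review bot: In check_diff() the line `tmpf=\`mktemp -t security\`` is unchecked; if mktemp fails (full or unwritable /tmp) tmpf is empty, `cat > ${tmpf}` errors, and the later `cp`/`cmp`/`mv` calls run against an empty path, so the audit snapshot for that day is lost and the only evidence is stray cp/mv noise rather than a clear message. Replace it with `tmpf=$(mktemp -t security) || { echo "mktemp failed"; exit 3; }`. The function also ends with `exit ${rc}` and `rm -f ${tmpf}`, which terminates the calling script and deletes a caller-supplied TMPFILE; that is surprising for a sourced library, so a comment above the definition such as `# NOTE: check_diff removes TMPFILE and exits the calling script with rc (0 unchanged, 1 changed or first run, 3 error).` would save the next maintainer from a hard-to-find early exit. The hunk's enclosing file header is above this chunk.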
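Review bot: The `echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3` line is the security-relevant part of 310.locate: the database is rebuilt as an unprivileged user, presumably so that locate(1) only lists paths nobody can traverse rather than everything root can see, and the preceding `chown nobody $locdb` is what makes that write possible. Nothing in the hunk says this, so a comment before the `touch` such as `# Build the database as nobody so locate(1) cannot reveal paths hidden from unprivileged users.` would stop someone from "simplifying" it to run as root. A failed `touch`, `chown` or `chmod` only sets rc=3 and the script still proceeds to run updatedb, so the eventual exit status is the sole diagnostic; hedged, but an `echo` on each failure would make the periodic mail self-explanatory.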
@@ -0,0 +1,51 @@
+#!/bin/sh -
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$weekly_whatis_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Rebuilding whatis database:"
+
+ MANPATH=`/usr/bin/manpath -q`
+ if [ $? = 0 ]
+ then
+ if [ -z "${MANPATH}" ]
+ then
+ echo "manpath failed to find any manpage directories"
+ rc=3
+ else
+ man_locales=`/usr/bin/manpath -qL`
+ rc=0
+
+ # Build whatis(1) database(s) for original, non-localized
+ # manpages.
+ /usr/libexec/makewhatis.local "${MANPATH}" || rc=3
+
+ # Build whatis(1) database(s) for localized manpages.
+ if [ X"${man_locales}" != X ]
+ then
+ for i in ${man_locales}
+ do
+ LC_ALL=$i /usr/libexec/makewhatis.local -a \
+ -L "${MANPATH}" || rc=3
+ done
+ fi
+ fi
+ else
+ rc=3
+ fi;;
+
+ *) rc=0;;
+esac
+
+exit $rc
Index: head/usr.sbin/periodic/etc/weekly/340.noid
===================================================================
--- head/usr.sbin/periodic/etc/weekly/340.noid
+++ head/usr.sbin/periodic/etc/weekly/340.noid
@@ -0,0 +1,29 @@
+#!/bin/sh -
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$weekly_noid_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Check for files with an unknown user or group:"
+
+ rc=$(find -H ${weekly_noid_dirs:-/} \
+ \( ! -fstype local -prune -or -name \* \) -and \
+ \( -nogroup -o -nouser \) -print | sed 's/^/ /' |
+ tee /dev/stderr | wc -l)
+ [ $rc -gt 1 ] && rc=1
+ ;;
+
+ *) rc=0;;
+esac
+
+exit $rc
Index: head/usr.sbin/periodic/etc/weekly/450.status-security
===================================================================
--- head/usr.sbin/periodic/etc/weekly/450.status-security
+++ head/usr.sbin/periodic/etc/weekly/450.status-security
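Review bot: The outer `else` branch that handles a failing `/usr/bin/manpath -q` only does `rc=3` and prints nothing, unlike the inner branch which explains "manpath failed to find any manpage directories", so the weekly mail shows a bare exit status 3 with no hint which step broke. A one-line `echo "manpath failed"` before that `rc=3` brings it in line with the sibling branch. The two-level `if` could also be collapsed into a single `if [ $? != 0 ] || [ -z "${MANPATH}" ]` guard with an early `rc=3`, which would make the happy path easier to read, but that is a style choice.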
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$weekly_status_security_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Security check:"
+
+ case "$weekly_status_security_inline" in
+ [Yy][Ee][Ss])
+ weekly_status_security_output="";;
+ esac
+
+ export security_output="${weekly_status_security_output}"
+ rc=0
+ case "${weekly_status_security_output}" in
+ "")
+ if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
+ then
+ periodic security > $tempfile || rc=3
+ if [ -s "$tempfile" ]; then
+ cat "$tempfile"
+ rc=3
+ fi
+ rm -f "$tempfile"
+ fi;;
+ /*)
+ echo " (output logged separately)"
+ periodic security || rc=3;;
+ *)
+ echo " (output mailed separately)"
+ periodic security || rc=3;;
+ esac;;
+ *) rc=0;;
+esac
+
+exit $rc
Index: head/usr.sbin/periodic/etc/weekly/999.local
===================================================================
--- head/usr.sbin/periodic/etc/weekly/999.local
+++ head/usr.sbin/periodic/etc/weekly/999.local
@@ -0,0 +1,40 @@
+#!/bin/sh -
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+rc=0
+for script in $weekly_local
+do
+ echo ''
+ case "$script" in
+ /*)
+ if [ -x "$script" ]
+ then
+ echo "Running $script:"
+
+ $script || rc=3
+ elif [ -f "$script" ]
+ then
+ echo "Running $script:"
+
+ sh $script || rc=3
+ else
+ echo "$script: No such file"
+ [ $rc -lt 2 ] && rc=2
+ fi;;
+ *)
+ echo "$script: Not an absolute path"
+ [ $rc -lt 2 ] && rc=2;;
+ esac
+done
+
+exit $rc
Index: head/usr.sbin/periodic/etc/weekly/Makefile
===================================================================
--- head/usr.sbin/periodic/etc/weekly/Makefile
+++ head/usr.sbin/periodic/etc/weekly/Makefile
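Review bot: In the inline-output branch, `if tempfile=\`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX\`` has no `else`, so when mktemp fails (full /tmp, bad TMPDIR) `periodic security` is never run, rc stays 0, and the weekly report says "Security check:" with nothing under it and a success status — a silent skip of the whole security audit. Add `else echo "mktemp failed, security check skipped"; rc=3` before that `fi;;` so the failure is visible and non-zero. The `> $tempfile` redirection is also the one unquoted use of the variable in the branch; `> "$tempfile"` matches the surrounding lines and costs nothing.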
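Review bot: 999.local runs every path in `$weekly_local` as root, either directly (`$script || rc=3`) or via `sh $script || rc=3`, and the only gate is that the name is absolute and exists; there is no check that the file is owned by root or is not group/world writable, so a writable `/etc/weekly.local` becomes a weekly root execution for whoever can write it. A guard before the `-x` test, for instance `[ -z "$(find "$script" -prune ! -user root -o -perm +022 -print 2>/dev/null)" ] || { echo "$script: not owned by root or writable by others, skipped"; rc=2; continue; }`, would refuse such files and report them with the existing bad-config status. This is hedged — the upstream daily and monthly 999.local scripts are not in this chunk and may or may not apply the same policy — but whichever choice is made should be noted in a comment above the loop so the trust assumption is explicit.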
@@ -0,0 +1,19 @@
+# $FreeBSD$
+
+.include
+
+CONFS= 340.noid \
+ 450.status-security \
+ 999.local
+
+# NB: keep these sorted by MK_* knobs
+
+.if ${MK_LOCATE} != "no"
+CONFS+= 310.locate
+.endif
+
+.if ${MK_MAN_UTILS} != "no"
+CONFS+= 320.whatis
+.endif
+
+.include
Index: head/usr.sbin/periodic/periodic.conf
===================================================================
--- head/usr.sbin/periodic/periodic.conf
+++ head/usr.sbin/periodic/periodic.conf
@@ -0,0 +1,407 @@
+#!/bin/sh
+#
+# This is defaults/periodic.conf - a file full of useful variables that
+# you can set to change the default behaviour of periodic jobs on your
+# system. You should not edit this file! Put any overrides into one of the
+# $periodic_conf_files instead and you will be able to update these defaults
+# later without spamming your local configuration information.
+#
+# The $periodic_conf_files files should only contain values which override
+# values set in this file. This eases the upgrade path when defaults
+# are changed and new features are added.
+#
+# For a more detailed explanation of all the periodic.conf variables, please
+# refer to the periodic.conf(5) manual page.
+#
+# $FreeBSD$
+#
+
+# What files override these defaults ?
+periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local"
+
+# periodic script dirs
+local_periodic="/usr/local/etc/periodic"
+
+# Max time to sleep to avoid causing congestion on download servers
+anticongestion_sleeptime=3600
+
+# Daily options
+
+# These options are used by periodic(8) itself to determine what to do
+# with the output of the sub-programs that are run, and where to send
+# that output. $daily_output might be set to /var/log/daily.log if you
+# wish to log the daily output and have the files rotated by newsyslog(8)
+#
+daily_output="root" # user or /file
+daily_show_success="YES" # scripts returning 0
+daily_show_info="YES" # scripts returning 1
+daily_show_badconfig="NO" # scripts returning 2
+
+# 100.clean-disks
+daily_clean_disks_enable="NO" # Delete files daily
+daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*"
+daily_clean_disks_days=3 # If older than this
+daily_clean_disks_verbose="YES" # Mention files deleted
+
+# 110.clean-tmps
+daily_clean_tmps_enable="NO" # Delete stuff daily
+daily_clean_tmps_dirs="/tmp" # Delete under here
+daily_clean_tmps_days="3" # If not accessed for
+daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix"
+daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap"
+daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal"
+ # Don't delete these
+daily_clean_tmps_verbose="YES" # Mention files deleted
+
+# 120.clean-preserve
+daily_clean_preserve_enable="YES" # Delete files daily
+daily_clean_preserve_days=7 # If not modified for
+daily_clean_preserve_verbose="YES" # Mention files deleted
+
+# 130.clean-msgs
+daily_clean_msgs_enable="YES" # Delete msgs daily
+daily_clean_msgs_days= # If not modified for
+
+# 140.clean-rwho
+daily_clean_rwho_enable="YES" # Delete rwho daily
+daily_clean_rwho_days=7 # If not modified for
+daily_clean_rwho_verbose="YES" # Mention files deleted
+
+# 150.clean-hoststat
+daily_clean_hoststat_enable="YES" # Purge sendmail host
+ # status cache daily
+
+# 200.backup-passwd
+daily_backup_passwd_enable="YES" # Backup passwd & group
+
+# 210.backup-aliases
+daily_backup_aliases_enable="YES" # Backup mail aliases
+
+# 300.calendar
+daily_calendar_enable="NO" # Run calendar -a
+
+# 310.accounting
+daily_accounting_enable="YES" # Rotate acct files
+daily_accounting_compress="NO" # Gzip rotated files
+daily_accounting_flags=-q # Flags to /usr/sbin/sa
+daily_accounting_save=3 # How many files to save
+
+# 330.news
+daily_news_expire_enable="YES" # Run news.expire
+
+# 400.status-disks
+daily_status_disks_enable="YES" # Check disk status
+daily_status_disks_df_flags="-l -h" # df(1) flags for check
+
+# 401.status-graid
+daily_status_graid_enable="NO" # Check graid(8)
+
+# 404.status-zfs
+daily_status_zfs_enable="NO" # Check ZFS
+daily_status_zfs_zpool_list_enable="YES" # List ZFS pools
+
+# 406.status-gmirror
+daily_status_gmirror_enable="NO" # Check gmirror(8)
+
+# 407.status-graid3
+daily_status_graid3_enable="NO" # Check graid3(8)
+
+# 408.status-gstripe
+daily_status_gstripe_enable="NO" # Check gstripe(8)
+
+# 409.status-gconcat
+daily_status_gconcat_enable="NO" # Check gconcat(8)
+
+# 410.status-mfi
+daily_status_mfi_enable="NO" # Check mfiutil(8)
+
+# 420.status-network
+daily_status_network_enable="YES" # Check network status
+daily_status_network_usedns="YES" # DNS lookups are ok
+daily_status_network_netstat_flags="-d" # netstat(1) flags
+
+# 430.status-uptime
+daily_status_uptime_enable="YES" # Check system uptime
+
+# 440.status-mailq
+daily_status_mailq_enable="YES" # Check mail status
+daily_status_mailq_shorten="NO" # Shorten output
+daily_status_include_submit_mailq="YES" # Also submit queue
+
+# 450.status-security
+daily_status_security_enable="YES" # Security check
+# See also "Security options" below for more options
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
+
+# 460.status-mail-rejects
+daily_status_mail_rejects_enable="YES" # Check mail rejects
+daily_status_mail_rejects_logs=3 # How many logs to check
+daily_status_mail_rejects_shorten="NO" # Shorten output
+
+# 480.leapfile-ntpd
+daily_ntpd_leapfile_enable="YES" # Fetch NTP leapfile
+
+# 480.status-ntpd
+daily_status_ntpd_enable="NO" # Check NTP status
+
+# 500.queuerun
+daily_queuerun_enable="YES" # Run mail queue
+daily_submit_queuerun="YES" # Also submit queue
+
+# 510.status-world-kernel
+daily_status_world_kernel="YES" # Check the running
+ # userland/kernel version
+
+# 800.scrub-zfs
+daily_scrub_zfs_enable="NO"
+daily_scrub_zfs_pools="" # empty string selects all pools
+daily_scrub_zfs_default_threshold="35" # days between scrubs
+#daily_scrub_zfs_${poolname}_threshold="35" # pool specific threshold
+
+# 999.local
+daily_local="/etc/daily.local" # Local scripts
+
+
+# Weekly options
+
+# These options are used by periodic(8) itself to determine what to do
+# with the output of the sub-programs that are run, and where to send
+# that output. $weekly_output might be set to /var/log/weekly.log if you
+# wish to log the weekly output and have the files rotated by newsyslog(8)
+#
+weekly_output="root" # user or /file
+weekly_show_success="YES" # scripts returning 0
+weekly_show_info="YES" # scripts returning 1
+weekly_show_badconfig="NO" # scripts returning 2
+
+# 310.locate
+weekly_locate_enable="YES" # Update locate weekly
+
+# 320.whatis
+weekly_whatis_enable="YES" # Update whatis weekly
+
+# 340.noid
+weekly_noid_enable="NO" # Find unowned files
+weekly_noid_dirs="/" # Look here
+
+# 450.status-security
+weekly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO" # Run inline ?
+weekly_status_security_output="root" # user or /file
+
+# 999.local
+weekly_local="/etc/weekly.local" # Local scripts
+
+
+# Monthly options
+
+# These options are used by periodic(8) itself to determine what to do
+# with the output of the sub-programs that are run, and where to send
+# that output. $monthly_output might be set to /var/log/monthly.log if you
+# wish to log the monthly output and have the files rotated by newsyslog(8)
+#
+monthly_output="root" # user or /file
+monthly_show_success="YES" # scripts returning 0
+monthly_show_info="YES" # scripts returning 1
+monthly_show_badconfig="NO" # scripts returning 2
+
+# 200.accounting
+monthly_accounting_enable="YES" # Login accounting
+
+# 450.status-security
+monthly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO" # Run inline ?
+monthly_status_security_output="root" # user or /file
+
+# 999.local
+monthly_local="/etc/monthly.local" # Local scripts
+
+
+# Security options
+
+security_show_success="YES" # scripts returning 0
+security_show_info="YES" # scripts returning 1
+security_show_badconfig="NO" # scripts returning 2
+
+# These options are used by the security periodic(8) scripts spawned in
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log" # Directory for logs
+security_status_diff_flags="-b -u" # flags for diff output
+
+# Each of the security_status_*_period options below can have one of the
+# following values:
+# - NO: do not run at all
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
+# - monthly: only run during the monthly security status
+# Note that if periodic security scripts are run from crontab(5) directly,
+# they will be run unless _enable or _period is set to "NO".
+
+# 100.chksetuid
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
+
+# 110.neggrpperm
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
+
+# 200.chkmounts
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:" # Don't check matching
+ # FS types
+security_status_noamd="NO" # Don't check amd mounts
+
+# 300.chkuid0
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
+
+# 400.passwdless
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
+
+# 410.logincheck
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
+
+# 500.ipfwdenied
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
+
+# 510.ipfdenied
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
+
+# 520.pfdenied
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
+
+# 550.ipfwlimit
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
+
+# 610.ipf6denied
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
+
+# 700.kernelmsg
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
+
+# 800.loginfail
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
+
+# 900.tcpwrap
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
+
+
+
+# Define source_periodic_confs, the mechanism used by /etc/periodic/*/*
+# scripts to source defaults/periodic.conf overrides safely.
+
+if [ -z "${source_periodic_confs_defined}" ]; then
+ source_periodic_confs_defined=yes
+
+ # Sleep for a random amount of time in order to mitigate the thundering
+ # herd problem of multiple hosts running periodic simultaneously.
+ # Will not sleep when used interactively.
+ # Will sleep at most once per invocation of periodic
+ anticongestion() {
+ [ -n "$PERIODIC_IS_INTERACTIVE" ] && return
+ if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then
+ rm -f $PERIODIC_ANTICONGESTION_FILE
+ sleep `jot -r 1 0 ${anticongestion_sleeptime}`
+ fi
+ }
+
+ # Compatibility with old daily variable names.
+ # They can be removed in stable/11.
+ security_daily_compat_var() {
+ local var=$1 dailyvar value
+
+ dailyvar=daily_status_security${var#security_status}
+ periodvar=${var%enable}period
+ eval value=\"\$$dailyvar\"
+ [ -z "$value" ] && return
+ echo "Warning: Variable \$$dailyvar is deprecated," \
+ "use \$$var instead." >&2
+ case "$value" in
+ [Yy][Ee][Ss])
+ eval $var=YES
+ eval $periodvar=daily
+ ;;
+ *)
+ eval $var=\"$value\"
+ ;;
+ esac
+ }
+
+ check_yesno_period() {
+ local var="$1" periodvar value period
+
+ eval value=\"\$$var\"
+ case "$value" in
+ [Yy][Ee][Ss]) ;;
+ *) return 1 ;;
+ esac
+
+ periodvar=${var%enable}period
+ eval period=\"\$$periodvar\"
+ case "$PERIODIC" in
+ "security daily")
+ case "$period" in
+ [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security weekly")
+ case "$period" in
+ [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security monthly")
+ case "$period" in
+ [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ security)
+ # Run directly from crontab(5).
+ case "$period" in
+ [Nn][Oo]) return 1 ;;
+ *) return 0 ;;
+ esac
+ ;;
+ '')
+ # Script run manually.
+ return 0
+ ;;
+ *)
+ echo "ASSERTION FAILED: Unexpected value for" \
+ "\$PERIODIC: '$PERIODIC'" >&2
+ exit 127
+ ;;
+ esac
+ }
+
+ source_periodic_confs() {
+ local i sourced_files
+
+ for i in ${periodic_conf_files}; do
+ case ${sourced_files} in
+ *:$i:*)
+ ;;
+ *)
+ sourced_files="${sourced_files}:$i:"
+ [ -r $i ] && . $i
+ ;;
+ esac
+ done
+ }
+fi
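Review bot: In security_daily_compat_var() the declaration `local var=$1 dailyvar value` omits `periodvar`, yet the function assigns `periodvar=${var%enable}period` and later does `eval $periodvar=daily`, so `periodvar` leaks into the sourcing script's global scope; the sibling check_yesno_period() declares it local, so this looks like an oversight rather than intent. Change the line to `local var=$1 dailyvar periodvar value`. Both functions also `eval` names and values taken from the periodic.conf overrides, which source_periodic_confs() reads with `[ -r $i ] && . $i` and no ownership check; that is the same trust model as rc.conf and fine as long as /etc/periodic.conf stays root-owned, but a one-line comment above `source_periodic_confs()` stating that these files are executed as root would make the assumption explicit.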