Index: etc/Makefile
===================================================================
--- etc/Makefile
+++ etc/Makefile
@@ -213,7 +213,6 @@
 .if ${MK_NTP} != "no"
 ${_+_}cd ${.CURDIR}/ntp; ${MAKE} install
 .endif
- ${_+_}cd ${.CURDIR}/periodic; ${MAKE} install
 ${_+_}cd ${SRCTOP}/share/termcap; ${MAKE} etc-termcap
 ${_+_}cd ${.CURDIR}/syslog.d; ${MAKE} install
 ${_+_}cd ${SRCTOP}/usr.sbin/rmt; ${MAKE} etc-rmt
Index: etc/defaults/Makefile
===================================================================
--- etc/defaults/Makefile
+++ etc/defaults/Makefile
@@ -2,7 +2,7 @@
 .include
-FILES= devfs.rules periodic.conf
+FILES= devfs.rules
 FILESDIR= /etc/defaults
 .if ${MK_BLUETOOTH} != "no"
Index: etc/defaults/periodic.conf
===================================================================
--- etc/defaults/periodic.conf
+++ etc/defaults/periodic.conf
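Review bot: With `periodic.conf` dropped from `FILES` in etc/defaults/Makefile, nothing visible in this part of the patch installs `/etc/defaults/periodic.conf` any more, so its new install rule should be confirmed before this lands. The periodic scripts removed below only load their settings when `[ -r /etc/defaults/periodic.conf ]` succeeds and otherwise reach `*) rc=0;;`, so if they are relocated unchanged, a host that ends up without the defaults file would skip every job, including the security status checks that file enables, with no error reported. Please check that the new location installs the file into `/etc/defaults` under the same build conditions as the scripts, and consider a pointer comment above `FILES=` such as `# periodic.conf is now installed from <new location>`. The rest of this Makefile lies outside the hunk.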
@@ -1,407 +0,0 @@
-#!/bin/sh
-#
-# This is defaults/periodic.conf - a file full of useful variables that
-# you can set to change the default behaviour of periodic jobs on your
-# system. You should not edit this file! Put any overrides into one of the
-# $periodic_conf_files instead and you will be able to update these defaults
-# later without spamming your local configuration information.
-#
-# The $periodic_conf_files files should only contain values which override
-# values set in this file. This eases the upgrade path when defaults
-# are changed and new features are added.
-#
-# For a more detailed explanation of all the periodic.conf variables, please
-# refer to the periodic.conf(5) manual page.
-#
-# $FreeBSD$
-#
-
-# What files override these defaults ?
-periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local"
-
-# periodic script dirs
-local_periodic="/usr/local/etc/periodic"
-
-# Max time to sleep to avoid causing congestion on download servers
-anticongestion_sleeptime=3600
-
-# Daily options
-
-# These options are used by periodic(8) itself to determine what to do
-# with the output of the sub-programs that are run, and where to send
-# that output. $daily_output might be set to /var/log/daily.log if you
-# wish to log the daily output and have the files rotated by newsyslog(8)
-#
-daily_output="root" # user or /file
-daily_show_success="YES" # scripts returning 0
-daily_show_info="YES" # scripts returning 1
-daily_show_badconfig="NO" # scripts returning 2
-
-# 100.clean-disks
-daily_clean_disks_enable="NO" # Delete files daily
-daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*"
-daily_clean_disks_days=3 # If older than this
-daily_clean_disks_verbose="YES" # Mention files deleted
-
-# 110.clean-tmps
-daily_clean_tmps_enable="NO" # Delete stuff daily
-daily_clean_tmps_dirs="/tmp" # Delete under here
-daily_clean_tmps_days="3" # If not accessed for
-daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix"
-daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap"
-daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal"
- # Don't delete these
-daily_clean_tmps_verbose="YES" # Mention files deleted
-
-# 120.clean-preserve
-daily_clean_preserve_enable="YES" # Delete files daily
-daily_clean_preserve_days=7 # If not modified for
-daily_clean_preserve_verbose="YES" # Mention files deleted
-
-# 130.clean-msgs
-daily_clean_msgs_enable="YES" # Delete msgs daily
-daily_clean_msgs_days= # If not modified for
-
-# 140.clean-rwho
-daily_clean_rwho_enable="YES" # Delete rwho daily
-daily_clean_rwho_days=7 # If not modified for
-daily_clean_rwho_verbose="YES" # Mention files deleted
-
-# 150.clean-hoststat
-daily_clean_hoststat_enable="YES" # Purge sendmail host
- # status cache daily
-
-# 200.backup-passwd
-daily_backup_passwd_enable="YES" # Backup passwd & group
-
-# 210.backup-aliases
-daily_backup_aliases_enable="YES" # Backup mail aliases
-
-# 300.calendar
-daily_calendar_enable="NO" # Run calendar -a
-
-# 310.accounting
-daily_accounting_enable="YES" # Rotate acct files
-daily_accounting_compress="NO" # Gzip rotated files
-daily_accounting_flags=-q # Flags to /usr/sbin/sa
-daily_accounting_save=3 # How many files to save
-
-# 330.news
-daily_news_expire_enable="YES" # Run news.expire
-
-# 400.status-disks
-daily_status_disks_enable="YES" # Check disk status
-daily_status_disks_df_flags="-l -h" # df(1) flags for check
-
-# 401.status-graid
-daily_status_graid_enable="NO" # Check graid(8)
-
-# 404.status-zfs
-daily_status_zfs_enable="NO" # Check ZFS
-daily_status_zfs_zpool_list_enable="YES" # List ZFS pools
-
-# 406.status-gmirror
-daily_status_gmirror_enable="NO" # Check gmirror(8)
-
-# 407.status-graid3
-daily_status_graid3_enable="NO" # Check graid3(8)
-
-# 408.status-gstripe
-daily_status_gstripe_enable="NO" # Check gstripe(8)
-
-# 409.status-gconcat
-daily_status_gconcat_enable="NO" # Check gconcat(8)
-
-# 410.status-mfi
-daily_status_mfi_enable="NO" # Check mfiutil(8)
-
-# 420.status-network
-daily_status_network_enable="YES" # Check network status
-daily_status_network_usedns="YES" # DNS lookups are ok
-daily_status_network_netstat_flags="-d" # netstat(1) flags
-
-# 430.status-uptime
-daily_status_uptime_enable="YES" # Check system uptime
-
-# 440.status-mailq
-daily_status_mailq_enable="YES" # Check mail status
-daily_status_mailq_shorten="NO" # Shorten output
-daily_status_include_submit_mailq="YES" # Also submit queue
-
-# 450.status-security
-daily_status_security_enable="YES" # Security check
-# See also "Security options" below for more options
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-
-# 460.status-mail-rejects
-daily_status_mail_rejects_enable="YES" # Check mail rejects
-daily_status_mail_rejects_logs=3 # How many logs to check
-daily_status_mail_rejects_shorten="NO" # Shorten output
-
-# 480.leapfile-ntpd
-daily_ntpd_leapfile_enable="YES" # Fetch NTP leapfile
-
-# 480.status-ntpd
-daily_status_ntpd_enable="NO" # Check NTP status
-
-# 500.queuerun
-daily_queuerun_enable="YES" # Run mail queue
-daily_submit_queuerun="YES" # Also submit queue
-
-# 510.status-world-kernel
-daily_status_world_kernel="YES" # Check the running
- # userland/kernel version
-
-# 800.scrub-zfs
-daily_scrub_zfs_enable="NO"
-daily_scrub_zfs_pools="" # empty string selects all pools
-daily_scrub_zfs_default_threshold="35" # days between scrubs
-#daily_scrub_zfs_${poolname}_threshold="35" # pool specific threshold
-
-# 999.local
-daily_local="/etc/daily.local" # Local scripts
-
-
-# Weekly options
-
-# These options are used by periodic(8) itself to determine what to do
-# with the output of the sub-programs that are run, and where to send
-# that output. $weekly_output might be set to /var/log/weekly.log if you
-# wish to log the weekly output and have the files rotated by newsyslog(8)
-#
-weekly_output="root" # user or /file
-weekly_show_success="YES" # scripts returning 0
-weekly_show_info="YES" # scripts returning 1
-weekly_show_badconfig="NO" # scripts returning 2
-
-# 310.locate
-weekly_locate_enable="YES" # Update locate weekly
-
-# 320.whatis
-weekly_whatis_enable="YES" # Update whatis weekly
-
-# 340.noid
-weekly_noid_enable="NO" # Find unowned files
-weekly_noid_dirs="/" # Look here
-
-# 450.status-security
-weekly_status_security_enable="YES" # Security check
-# See also "Security options" above for more options
-weekly_status_security_inline="NO" # Run inline ?
-weekly_status_security_output="root" # user or /file
-
-# 999.local
-weekly_local="/etc/weekly.local" # Local scripts
-
-
-# Monthly options
-
-# These options are used by periodic(8) itself to determine what to do
-# with the output of the sub-programs that are run, and where to send
-# that output. $monthly_output might be set to /var/log/monthly.log if you
-# wish to log the monthly output and have the files rotated by newsyslog(8)
-#
-monthly_output="root" # user or /file
-monthly_show_success="YES" # scripts returning 0
-monthly_show_info="YES" # scripts returning 1
-monthly_show_badconfig="NO" # scripts returning 2
-
-# 200.accounting
-monthly_accounting_enable="YES" # Login accounting
-
-# 450.status-security
-monthly_status_security_enable="YES" # Security check
-# See also "Security options" above for more options
-monthly_status_security_inline="NO" # Run inline ?
-monthly_status_security_output="root" # user or /file
-
-# 999.local
-monthly_local="/etc/monthly.local" # Local scripts
-
-
-# Security options
-
-security_show_success="YES" # scripts returning 0
-security_show_info="YES" # scripts returning 1
-security_show_badconfig="NO" # scripts returning 2
-
-# These options are used by the security periodic(8) scripts spawned in
-# daily and weekly 450.status-security.
-security_status_logdir="/var/log" # Directory for logs
-security_status_diff_flags="-b -u" # flags for diff output
-
-# Each of the security_status_*_period options below can have one of the
-# following values:
-# - NO: do not run at all
-# - daily: only run during the daily security status
-# - weekly: only run during the weekly security status
-# - monthly: only run during the monthly security status
-# Note that if periodic security scripts are run from crontab(5) directly,
-# they will be run unless _enable or _period is set to "NO".
-
-# 100.chksetuid
-security_status_chksetuid_enable="YES"
-security_status_chksetuid_period="daily"
-
-# 110.neggrpperm
-security_status_neggrpperm_enable="YES"
-security_status_neggrpperm_period="daily"
-
-# 200.chkmounts
-security_status_chkmounts_enable="YES"
-security_status_chkmounts_period="daily"
-#security_status_chkmounts_ignore="^amd:" # Don't check matching
- # FS types
-security_status_noamd="NO" # Don't check amd mounts
-
-# 300.chkuid0
-security_status_chkuid0_enable="YES"
-security_status_chkuid0_period="daily"
-
-# 400.passwdless
-security_status_passwdless_enable="YES"
-security_status_passwdless_period="daily"
-
-# 410.logincheck
-security_status_logincheck_enable="YES"
-security_status_logincheck_period="daily"
-
-# 500.ipfwdenied
-security_status_ipfwdenied_enable="YES"
-security_status_ipfwdenied_period="daily"
-
-# 510.ipfdenied
-security_status_ipfdenied_enable="YES"
-security_status_ipfdenied_period="daily"
-
-# 520.pfdenied
-security_status_pfdenied_enable="YES"
-security_status_pfdenied_period="daily"
-
-# 550.ipfwlimit
-security_status_ipfwlimit_enable="YES"
-security_status_ipfwlimit_period="daily"
-
-# 610.ipf6denied
-security_status_ipf6denied_enable="YES"
-security_status_ipf6denied_period="daily"
-
-# 700.kernelmsg
-security_status_kernelmsg_enable="YES"
-security_status_kernelmsg_period="daily"
-
-# 800.loginfail
-security_status_loginfail_enable="YES"
-security_status_loginfail_period="daily"
-
-# 900.tcpwrap
-security_status_tcpwrap_enable="YES"
-security_status_tcpwrap_period="daily"
-
-
-
-# Define source_periodic_confs, the mechanism used by /etc/periodic/*/*
-# scripts to source defaults/periodic.conf overrides safely.
-
-if [ -z "${source_periodic_confs_defined}" ]; then
- source_periodic_confs_defined=yes
-
- # Sleep for a random amount of time in order to mitigate the thundering
- # herd problem of multiple hosts running periodic simultaneously.
- # Will not sleep when used interactively.
- # Will sleep at most once per invocation of periodic
- anticongestion() {
- [ -n "$PERIODIC_IS_INTERACTIVE" ] && return
- if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then
- rm -f $PERIODIC_ANTICONGESTION_FILE
- sleep `jot -r 1 0 ${anticongestion_sleeptime}`
- fi
- }
-
- # Compatibility with old daily variable names.
- # They can be removed in stable/11.
- security_daily_compat_var() {
- local var=$1 dailyvar value
-
- dailyvar=daily_status_security${var#security_status}
- periodvar=${var%enable}period
- eval value=\"\$$dailyvar\"
- [ -z "$value" ] && return
- echo "Warning: Variable \$$dailyvar is deprecated," \
- "use \$$var instead." >&2
- case "$value" in
- [Yy][Ee][Ss])
- eval $var=YES
- eval $periodvar=daily
- ;;
- *)
- eval $var=\"$value\"
- ;;
- esac
- }
-
- check_yesno_period() {
- local var="$1" periodvar value period
-
- eval value=\"\$$var\"
- case "$value" in
- [Yy][Ee][Ss]) ;;
- *) return 1 ;;
- esac
-
- periodvar=${var%enable}period
- eval period=\"\$$periodvar\"
- case "$PERIODIC" in
- "security daily")
- case "$period" in
- [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
- *) return 1 ;;
- esac
- ;;
- "security weekly")
- case "$period" in
- [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
- *) return 1 ;;
- esac
- ;;
- "security monthly")
- case "$period" in
- [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
- *) return 1 ;;
- esac
- ;;
- security)
- # Run directly from crontab(5).
- case "$period" in
- [Nn][Oo]) return 1 ;;
- *) return 0 ;;
- esac
- ;;
- '')
- # Script run manually.
- return 0
- ;;
- *)
- echo "ASSERTION FAILED: Unexpected value for" \
- "\$PERIODIC: '$PERIODIC'" >&2
- exit 127
- ;;
- esac
- }
-
- source_periodic_confs() {
- local i sourced_files
-
- for i in ${periodic_conf_files}; do
- case ${sourced_files} in
- *:$i:*)
- ;;
- *)
- sourced_files="${sourced_files}:$i:"
- [ -r $i ] && . $i
- ;;
- esac
- done
- }
-fi
Index: etc/periodic/Makefile
===================================================================
--- etc/periodic/Makefile
+++ etc/periodic/Makefile
@@ -1,6 +0,0 @@
-# $FreeBSD$
-
-SUBDIR= daily security weekly monthly
-SUBDIR_PARALLEL=
-
-.include
Index: etc/periodic/Makefile.inc
===================================================================
--- etc/periodic/Makefile.inc
+++ etc/periodic/Makefile.inc
@@ -1,5 +0,0 @@
-# $FreeBSD$
-
-BINDIR= /etc/periodic/${.CURDIR:T}
-NO_OBJ=
-FILESMODE= 755
Index: etc/periodic/daily/100.clean-disks
===================================================================
--- etc/periodic/daily/100.clean-disks
+++ etc/periodic/daily/100.clean-disks
@@ -1,55 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Remove garbage files more than $daily_clean_disks_days days old
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_clean_disks_enable" in
- [Yy][Ee][Ss])
- if [ -z "$daily_clean_disks_days" ]
- then
- echo '$daily_clean_disks_enable is set but' \
- '$daily_clean_disks_days is not'
- rc=2
- elif [ -z "$daily_clean_disks_files" ]
- then
- echo '$daily_clean_disks_enable is set but' \
- '$daily_clean_disks_files is not'
- rc=2
- else
- echo ""
- echo "Cleaning disks:"
- set -f noglob
- args="-name "`echo "$daily_clean_disks_files" |
- sed -e 's/^[ ]*//' \
- -e 's/[ ]*$//' \
- -e 's/[ ][ ]*/ -o -name /g'`
-
- case "$daily_clean_disks_verbose" in
- [Yy][Ee][Ss])
- print=-print;;
- *)
- print=;;
- esac
-
- rc=$(find / \( ! -fstype local -o -fstype rdonly \) -prune -o \
- \( $args \) -atime +$daily_clean_disks_days \
- -execdir rm -df {} \; $print | tee /dev/stderr | wc -l)
- [ -z "$print" ] && rc=0
- [ $rc -gt 1 ] && rc=1
- set -f glob
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/110.clean-tmps
===================================================================
--- etc/periodic/daily/110.clean-tmps
+++ etc/periodic/daily/110.clean-tmps
@@ -1,60 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Perform temporary directory cleaning so that long-lived systems
-# don't end up with excessively old files there.
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_clean_tmps_enable" in
- [Yy][Ee][Ss])
- if [ -z "$daily_clean_tmps_days" ]
- then
- echo '$daily_clean_tmps_enable is set but' \
- '$daily_clean_tmps_days is not'
- rc=2
- else
- echo ""
- echo "Removing old temporary files:"
-
- set -f noglob
- args="-atime +$daily_clean_tmps_days -mtime +$daily_clean_tmps_days"
- args="${args} -ctime +$daily_clean_tmps_days"
- dargs="-empty -mtime +$daily_clean_tmps_days"
- [ -n "$daily_clean_tmps_ignore" ] && {
- args="$args "`echo " ${daily_clean_tmps_ignore% }" |
- sed 's/[ ][ ]*/ ! -name /g'`
- dargs="$dargs "`echo " ${daily_clean_tmps_ignore% }" |
- sed 's/[ ][ ]*/ ! -name /g'`
- }
- case "$daily_clean_tmps_verbose" in
- [Yy][Ee][Ss])
- print=-print;;
- *)
- print=;;
- esac
-
- rc=$(for dir in $daily_clean_tmps_dirs
- do
- [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && {
- find -x -d . -type f $args -delete $print
- find -x -d . ! -name . -type d $dargs -delete $print
- } | sed "s,^\\., $dir,"
- done | tee /dev/stderr | wc -l)
- [ -z "$print" ] && rc=0
- [ $rc -gt 1 ] && rc=1
- set -f glob
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/120.clean-preserve
===================================================================
--- etc/periodic/daily/120.clean-preserve
+++ etc/periodic/daily/120.clean-preserve
@@ -1,53 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Remove stale files in /var/preserve
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_clean_preserve_enable" in
- [Yy][Ee][Ss])
- if [ -z "$daily_clean_preserve_days" ]
- then
- echo '$daily_clean_preserve_enable is set but' \
- '$daily_clean_preserve_days is not'
- rc=2
- elif [ ! -d /var/preserve ]
- then
- echo '$daily_clean_preserve_enable is set but /var/preserve' \
- "doesn't exist"
- rc=2
- else
- echo ""
- echo "Removing stale files from /var/preserve:"
-
- if cd /var/preserve
- then
- case "$daily_clean_preserve_verbose" in
- [Yy][Ee][Ss])
- print=-print;;
- *)
- print=;;
- esac
-
- rc=$(find . ! -name . -mtime +$daily_clean_preserve_days \
- -delete $print | tee /dev/stderr | wc -l)
- [ -z "$print" ] && rc=0
- [ $rc -gt 1 ] && rc=1
- else
- rc=3
- fi
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/130.clean-msgs
===================================================================
--- etc/periodic/daily/130.clean-msgs
+++ etc/periodic/daily/130.clean-msgs
@@ -1,35 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Remove system messages
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_clean_msgs_enable" in
- [Yy][Ee][Ss])
- if [ ! -d /var/msgs ]
- then
- echo '$daily_clean_msgs_enable is set but /var/msgs' \
- "doesn't exist"
- rc=2
- else
- echo ""
- echo "Cleaning out old system announcements:"
-
- [ -n "$daily_clean_msgs_days" ] &&
- arg=-${daily_clean_msgs_days#-} || arg=
- msgs -c $arg && rc=0 || rc=3
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/140.clean-rwho
===================================================================
--- etc/periodic/daily/140.clean-rwho
+++ etc/periodic/daily/140.clean-rwho
@@ -1,53 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Remove stale files in /var/rwho
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_clean_rwho_enable" in
- [Yy][Ee][Ss])
- if [ -z "$daily_clean_rwho_days" ]
- then
- echo '$daily_clean_rwho_enable is enabled but' \
- '$daily_clean_rwho_days is not set'
- rc=2
- elif [ ! -d /var/rwho ]
- then
- echo '$daily_clean_rwho_enable is enabled but /var/rwho' \
- "doesn't exist"
- rc=2
- else
- echo ""
- echo "Removing stale files from /var/rwho:"
-
- case "$daily_clean_rwho_verbose" in
- [Yy][Ee][Ss])
- print=-print;;
- *)
- print=;;
- esac
-
- if cd /var/rwho
- then
- rc=$(find . ! -name . -mtime +$daily_clean_rwho_days \
- -delete $print | tee /dev/stderr | wc -l)
- [ -z "$print" ] && rc=0
- [ $rc -gt 1 ] && rc=1
- else
- rc=3
- fi
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/150.clean-hoststat
===================================================================
--- etc/periodic/daily/150.clean-hoststat
+++ etc/periodic/daily/150.clean-hoststat
@@ -1,29 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Remove stale persistent host status files
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]; then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_clean_hoststat_enable" in
- [Yy][Ee][Ss])
- if [ -z "$(hoststat 2>&1)" ]; then
- rc=2
- else
- echo ""
- echo "Removing stale entries from sendmail host status cache:"
- rc=0
- purgestat || rc=1
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/200.backup-passwd
===================================================================
--- etc/periodic/daily/200.backup-passwd
+++ etc/periodic/daily/200.backup-passwd
@@ -1,77 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_backup_passwd_enable" in
- [Yy][Ee][Ss])
- if [ ! -f /etc/master.passwd ]
- then
- echo '$daily_backup_passwd_enable" is set but /etc/master.passwd' \
- "doesn't exist"
- rc=2
- elif [ ! -f /etc/group ]
- then
- echo '$daily_backup_passwd_enable" is set but /etc/group' \
- "doesn't exist"
- rc=2
- else
- bak=/var/backups
- rc=0
-
- echo ""
- echo "Backup passwd and group files:"
-
- if [ ! -f $bak/master.passwd.bak ]
- then
- rc=1
- echo "no $bak/master.passwd.bak"
- cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
- fi
-
- if ! cmp -s $bak/master.passwd.bak /etc/master.passwd
- then
- [ $rc -lt 1 ] && rc=1
- echo "$host passwd diffs:"
- diff -uI '^#' $bak/master.passwd.bak /etc/master.passwd |\
- sed 's/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/'
- mv $bak/master.passwd.bak $bak/master.passwd.bak2
- cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
- fi
-
- if [ ! -f $bak/group.bak ]
- then
- [ $rc -lt 1 ] && rc=1
- echo "no $bak/group.bak"
- cp -p /etc/group $bak/group.bak || rc=3
- fi
-
- if ! cmp -s $bak/group.bak /etc/group
- then
- [ $rc -lt 1 ] && rc=1
- echo "$host group diffs:"
- diff -u $bak/group.bak /etc/group
- mv $bak/group.bak $bak/group.bak2
- cp -p /etc/group $bak/group.bak || rc=3
- fi
-
- if [ -f /etc/group ]
- then
- echo ""
- echo "Verifying group file syntax:"
- chkgrp /etc/group || rc=3
- fi
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/210.backup-aliases
===================================================================
--- etc/periodic/daily/210.backup-aliases
+++ etc/periodic/daily/210.backup-aliases
@@ -1,47 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_backup_aliases_enable" in
- [Yy][Ee][Ss])
- if [ ! -f /etc/mail/aliases ]
- then
- echo '$daily_backup_aliases_enable is enabled but' \
- "/etc/mail/aliases doesn't exist"
- rc=2
- else
- bak=/var/backups
- rc=0
-
- echo ""
- echo "Backing up mail aliases:"
-
- if [ ! -f $bak/aliases.bak ]
- then
- echo "no $bak/aliases.bak"
- cp -p /etc/mail/aliases $bak/aliases.bak || rc=3
- fi
-
- if ! cmp -s $bak/aliases.bak /etc/mail/aliases
- then
- [ $rc -lt 1 ] && rc=1
- echo "$host aliases diffs:"
- diff -u $bak/aliases.bak /etc/mail/aliases
- mv $bak/aliases.bak $bak/aliases.bak2
- cp -p /etc/mail/aliases $bak/aliases.bak || rc=3
- fi
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/300.calendar
===================================================================
--- etc/periodic/daily/300.calendar
+++ etc/periodic/daily/300.calendar
@@ -1,29 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# `calendar -a' needs to die. Why? Because it's a bad idea, particular
-# with networked home directories, but also in general. If you want the
-# output of `calendar' mailed to you, set up a cron job to do it,
-# or run it from your ~/.profile or ~/.login.
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_calendar_enable" in
- [Yy][Ee][Ss])
- echo ""
- echo "Running calendar:"
-
- calendar -a && rc=0 || rc=3;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/310.accounting
===================================================================
--- etc/periodic/daily/310.accounting
+++ etc/periodic/daily/310.accounting
@@ -1,65 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_accounting_enable" in
- [Yy][Ee][Ss])
- if [ ! -f /var/account/acct ]
- then
- echo '$daily_accounting_enable is set but /var/account/acct' \
- "doesn't exist"
- rc=2
- elif [ -z "$daily_accounting_save" ]
- then
- echo '$daily_accounting_enable is set but ' \
- '$daily_accounting_save is not'
- rc=2
- else
- echo ""
- echo "Rotating accounting logs and gathering statistics:"
-
- cd /var/account
- rc=0
-
- n=$(( $daily_accounting_save - 1 ))
- for f in acct.*; do
- case "$f" in acct.\*) continue ;; esac # No files match
- m=${f%.gz} ; m=${m#acct.}
- [ $m -ge $n ] && { rm $f || rc=3; }
- done
-
- m=$n
- n=$(($n - 1))
- while [ $n -ge 0 ]
- do
- [ -f acct.$n.gz ] && { mv -f acct.$n.gz acct.$m.gz || rc=3; }
- [ -f acct.$n ] && { mv -f acct.$n acct.$m || rc=3; }
- m=$n
- n=$(($n - 1))
- done
-
- /etc/rc.d/accounting rotate_log || rc=3
-
- rm -f acct.merge && cp acct.0 acct.merge || rc=3
- sa -s $daily_accounting_flags /var/account/acct.merge || rc=3
- rm acct.merge
-
- case "$daily_accounting_compress" in
- [Yy][Ee][Ss])
- gzip -f acct.0 || rc=3;;
- esac
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/330.news
===================================================================
--- etc/periodic/daily/330.news
+++ etc/periodic/daily/330.news
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Expire news articles
-# (This is present only for backwards compatibility, usually the news
-# system handles this on its own).
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_news_expire_enable" in
- [Yy][Ee][Ss])
- if [ ! -f /etc/news.expire ]
- then
- echo '$daily_news_expire_enable is set but /etc/news.expire' \
- "doesn't exist"
- rc=2
- else
- echo ""
- echo "Running news.expire:"
-
- /etc/news.expire && rc=0 || rc=3
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/400.status-disks
===================================================================
--- etc/periodic/daily/400.status-disks
+++ etc/periodic/daily/400.status-disks
@@ -1,40 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_disks_enable" in
- [Yy][Ee][Ss])
- echo ""
- echo "Disk status:"
-
- if [ -n "${daily_status_disks_ignore}" ] ; then
- ignore="egrep -v ${daily_status_disks_ignore}"
- else
- ignore="cat"
- fi
- (df $daily_status_disks_df_flags | ${ignore}) && rc=1 || rc=3
-
- # display which filesystems need backing up
- if [ -s /etc/dumpdates ]; then
- if ! [ -f /etc/fstab ]; then
- export PATH_FSTAB=/dev/null
- fi
-
- echo ""
- dump W || rc=3
- fi
- ;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/401.status-graid
===================================================================
--- etc/periodic/daily/401.status-graid
+++ etc/periodic/daily/401.status-graid
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_graid_enable" in
- [Yy][Ee][Ss])
- echo
- echo 'Checking status of graid(8) devices:'
-
- if graid status; then
- components="$(graid status -s | fgrep -v OPTIMAL)"
- if [ "${components}" ]; then
- rc=3
- else
- rc=0
- fi
- else
- rc=2
- fi
- ;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/404.status-zfs
===================================================================
--- etc/periodic/daily/404.status-zfs
+++ etc/periodic/daily/404.status-zfs
@@ -1,45 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_zfs_enable" in
- [Yy][Ee][Ss])
- echo
- echo 'Checking status of zfs pools:'
-
- case "$daily_status_zfs_zpool_list_enable" in
- [Yy][Ee][Ss])
- lout=`zpool list`
- echo "$lout"
- echo
- ;;
- *)
- ;;
- esac
- sout=`zpool status -x`
- echo "$sout"
- # zpool status -x always exits with 0, so we have to interpret its
- # output to see what's going on.
- if [ "$sout" = "all pools are healthy" \
- -o "$sout" = "no pools available" ]; then
- rc=0
- else
- rc=1
- fi
- ;;
-
- *)
- rc=0
- ;;
-esac
-
-exit $rc
Index: etc/periodic/daily/406.status-gmirror
===================================================================
--- etc/periodic/daily/406.status-gmirror
+++ etc/periodic/daily/406.status-gmirror
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_gmirror_enable" in
- [Yy][Ee][Ss])
- echo
- echo 'Checking status of gmirror(8) devices:'
-
- if gmirror status; then
- components="$(gmirror status -s | fgrep -v COMPLETE)"
- if [ "${components}" ]; then
- rc=3
- else
- rc=0
- fi
- else
- rc=2
- fi
- ;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/407.status-graid3
===================================================================
--- etc/periodic/daily/407.status-graid3
+++ etc/periodic/daily/407.status-graid3
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_graid3_enable" in
- [Yy][Ee][Ss])
- echo
- echo 'Checking status of graid3(8) devices:'
-
- if graid3 status; then
- components="$(graid3 status -s | fgrep -v COMPLETE)"
- if [ "${components}" ]; then
- rc=3
- else
- rc=0
- fi
- else
- rc=2
- fi
- ;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/408.status-gstripe
===================================================================
--- etc/periodic/daily/408.status-gstripe
+++ etc/periodic/daily/408.status-gstripe
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_gstripe_enable" in
- [Yy][Ee][Ss])
- echo
- echo 'Checking status of gstripe(8) devices:'
-
- if gstripe status; then
- components="$(gstripe status -s | fgrep -v UP)"
- if [ "${components}" ]; then
- rc=3
- else
- rc=0
- fi
- else
- rc=2
- fi
- ;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/409.status-gconcat
===================================================================
--- etc/periodic/daily/409.status-gconcat
+++ etc/periodic/daily/409.status-gconcat
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_gconcat_enable" in
- [Yy][Ee][Ss])
- echo
- echo 'Checking status of gconcat(8) devices:'
-
- if gconcat status; then
- components="$(gconcat status -s | fgrep -v UP)"
- if [ "${components}" ]; then
- rc=3
- else
- rc=0
- fi
- else
- rc=2
- fi
- ;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/410.status-mfi
===================================================================
--- etc/periodic/daily/410.status-mfi
+++ etc/periodic/daily/410.status-mfi
@@ -1,33 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_mfi_enable" in
- [Yy][Ee][Ss])
- echo
- echo 'Checking status of mfi(4) devices:'
-
- if mfiutil show volumes; then
- if mfiutil show volumes | grep -q DEGRADED; then
- rc=3
- else
- rc=0
- fi
- else
- rc=2
- fi
- ;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/420.status-network
===================================================================
--- etc/periodic/daily/420.status-network
+++ etc/periodic/daily/420.status-network
@@ -1,31 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_network_enable" in
- [Yy][Ee][Ss])
- echo ""
- echo "Network interface status:"
-
- flags="${daily_status_network_netstat_flags}"
- case "$daily_status_network_usedns" in
- [Yy][Ee][Ss])
- ;;
- *)
- flags="${flags} -n";;
- esac
- netstat -i ${flags} && rc=0 || rc=3;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/430.status-uptime
===================================================================
--- etc/periodic/daily/430.status-uptime
+++ etc/periodic/daily/430.status-uptime
@@ -1,38 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_uptime_enable" in
- [Yy][Ee][Ss])
- rwho=$(echo /var/rwho/*)
- if [ -f "${rwho%% *}" ]
- then
- echo ""
- echo "Local network system status:"
- prog=ruptime
- else
- echo ""
- echo "Local system status:"
- prog=uptime
- fi
- rc=$($prog | tee /dev/stderr | wc -l)
- if [ $? -eq 0 ]
- then
- [ $rc -gt 1 ] && rc=1
- else
- rc=3
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/440.status-mailq
===================================================================
--- etc/periodic/daily/440.status-mailq
+++ etc/periodic/daily/440.status-mailq
@@ -1,66 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_mailq_enable" in
- [Yy][Ee][Ss])
- if [ ! -x /usr/bin/mailq ]
- then
- echo '$daily_status_mailq_enable is set but /usr/bin/mailq' \
- "isn't executable"
- rc=2
- else
- echo ""
- echo "Mail in local queue:"
-
- rc=$(case "$daily_status_mailq_shorten" in
- [Yy][Ee][Ss])
- mailq |
- egrep -e '^[[:space:]]+[^[:space:]]+@' |
- sort |
- uniq -c |
- sort -nr |
- awk '$1 >= 1 {print $1, $2}';;
- *)
- mailq;;
- esac | tee /dev/stderr |
- egrep -v '(mqueue is empty|Total requests)' | wc -l)
- [ $rc -gt 0 ] && rc=1 || rc=0
-
- case "$daily_status_include_submit_mailq" in
- [Yy][Ee][Ss])
- if [ -f /etc/mail/submit.cf ]
- then
- echo ""
- echo "Mail in submit queue:"
-
- rc_submit=$(case "$daily_status_mailq_shorten" in
- [Yy][Ee][Ss])
- mailq -Ac |
- egrep -e '^[[:space:]]+[^[:space:]]+@' |
- sort |
- uniq -c |
- sort -nr |
- awk '$1 >= 1 {print $1, $2}';;
- *)
- mailq -Ac;;
- esac | tee /dev/stderr |
- egrep -v '(mqueue is empty|Total requests)' | wc -l)
- [ $rc_submit -gt 0 ] && rc=1
- fi;;
- esac
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/450.status-security
===================================================================
--- etc/periodic/daily/450.status-security
+++ etc/periodic/daily/450.status-security
@@ -1,47 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_security_enable" in
- [Yy][Ee][Ss])
- echo ""
- echo "Security check:"
-
- case "$daily_status_security_inline" in
- [Yy][Ee][Ss])
- daily_status_security_output="";;
- esac
-
- export security_output="${daily_status_security_output}"
- rc=0
- case "${daily_status_security_output}" in
- "")
- if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
- then
- periodic security > $tempfile || rc=3
- if [ -s "$tempfile" ]; then
- cat "$tempfile"
- rc=3
- fi
- rm -f "$tempfile"
- fi;;
- /*)
- echo " (output logged separately)"
- periodic security || rc=3;;
- *)
- echo " (output mailed separately)"
- periodic security || rc=3;;
- esac;;
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/460.status-mail-rejects
===================================================================
--- etc/periodic/daily/460.status-mail-rejects
+++ etc/periodic/daily/460.status-mail-rejects
@@ -1,73 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_mail_rejects_shorten" in
-[Yy][Ee][Ss]) shorten='cut -d" " -f2,3';;
-*) shorten=cat;;
-esac
-
-case "$daily_status_mail_rejects_enable" in
- [Yy][Ee][Ss])
- if [ ! -d /etc/mail ]
- then
- echo '$daily_status_mail_rejects_enable is set but /etc/mail' \
- "doesn't exist"
- rc=2
- elif [ ! -f /var/log/maillog ]
- then
- echo '$daily_status_mail_rejects_enable is set but ' \
- "/var/log/maillog doesn't exist"
- rc=2
- elif [ "$daily_status_mail_rejects_logs" -le 0 ]
- then
- echo '$daily_status_mail_rejects_enable is set but ' \
- '$daily_status_mail_rejects_logs is not greater than zero'
- rc=2
- else
- echo
- echo Checking for rejected mail hosts:
-
- yesterday=$(date -v-1d '+%b %e')
- today=$(date '+%b %e')
- n=$(($daily_status_mail_rejects_logs - 2))
- rc=$({
- while [ $n -ge 0 ]
- do
- if [ -f /var/log/maillog.$n ]
- then
- cat /var/log/maillog.$n
- elif [ -f /var/log/maillog.$n.gz ]
- then
- zcat -fc /var/log/maillog.$n.gz
- elif [ -f /var/log/maillog.$n.bz2 ]
- then
- bzcat -fc /var/log/maillog.$n.bz2
- fi
- n=$(($n - 1))
- done
- cat /var/log/maillog
- } | sed -Ene "/^$today/q" -e "/^$yesterday/{"'
- s/.*ruleset=check_relay,.* relay=([^,]+), reject=([^ ]*).*/\2 check_relay \1/p
- t end
- s/.*ruleset=check_rcpt,.* arg1=,]+).* reject=([^ ]+) .* ([^ ]+)/\2 check_rcpt \1 \3/p
- t end
- s/.*ruleset=check_([^,]+),.* arg1=,]+).* reject=([^ ]+) .* ([^ ]+)/\4 check_\1 \3 \5/p
- :end
- }' | eval $shorten | sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l)
- [ $rc -gt 0 ] && rc=1
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/480.leapfile-ntpd
===================================================================
--- etc/periodic/daily/480.leapfile-ntpd
+++ etc/periodic/daily/480.leapfile-ntpd
@@ -1,23 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_ntpd_leapfile_enable" in
- [Yy][Ee][Ss])
- if service ntpd oneneedfetch; then
- anticongestion
- service ntpd onefetch
- fi
- ;;
-esac
-
-exit $rc
Index: etc/periodic/daily/480.status-ntpd
===================================================================
--- etc/periodic/daily/480.status-ntpd
+++ etc/periodic/daily/480.status-ntpd
@@ -1,28 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-rc=0
-
-case "$daily_status_ntpd_enable" in
- [Yy][Ee][Ss])
- echo ""
- echo "NTP status:"
-
- synchronized=$(ntpq -pn | tee /dev/stderr | grep '^\*')
- if [ -z "$synchronized" ]; then
- rc=1
- fi
- ;;
-esac
-
-exit $rc
Index: etc/periodic/daily/500.queuerun
===================================================================
--- etc/periodic/daily/500.queuerun
+++ etc/periodic/daily/500.queuerun
@@ -1,36 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_queuerun_enable" in
- [Yy][Ee][Ss])
- if [ ! -x /usr/sbin/sendmail ]
- then
- echo '$daily_queuerun_enable is set but /usr/sbin/sendmail' \
- "isn't executable"
- rc=2
- else
- /usr/sbin/sendmail -q >/dev/null 2>&1 &
- case "$daily_submit_queuerun" in
- [Yy][Ee][Ss])
- if [ -f /etc/mail/submit.cf ]
- then
- /usr/sbin/sendmail -q -Ac >/dev/null 2>&1 &
- fi;;
- esac
- rc=0
- fi;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/510.status-world-kernel
===================================================================
--- etc/periodic/daily/510.status-world-kernel
+++ etc/periodic/daily/510.status-world-kernel
@@ -1,36 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Check that the running userland and kernel versions are in sync.
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_status_world_kernel" in
- [Yy][Ee][Ss])
- rc=0
- _U=$(/usr/bin/uname -U 2>/dev/null)
- _K=$(/usr/bin/uname -K 2>/dev/null)
- [ -z "${_U}" -o -z "${_K}" ] && exit 0
- echo ""
- echo "Checking userland and kernel versions:"
- if [ "${_U}" != "${_K}" ]; then
- echo "Userland and kernel are not in sync"
- echo "Userland version: ${_U}"
- echo "Kernel version: ${_K}"
- rc=1
- else
- echo "Userland and kernel are in sync."
- fi
- ;;
-
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/daily/800.scrub-zfs
===================================================================
--- etc/periodic/daily/800.scrub-zfs
+++ etc/periodic/daily/800.scrub-zfs
@@ -1,110 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-
-newline="
- " # A single newline
-
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-: ${daily_scrub_zfs_default_threshold=35}
-
-case "$daily_scrub_zfs_enable" in
- [Yy][Ee][Ss])
- echo
- echo 'Scrubbing of zfs pools:'
-
- if [ -z "${daily_scrub_zfs_pools}" ]; then
- daily_scrub_zfs_pools="$(zpool list -H -o name)"
- fi
-
- rc=0
- for pool in ${daily_scrub_zfs_pools}; do
- # sanity check
- _status=$(zpool list "${pool}" 2> /dev/null)
- if [ $? -ne 0 ]; then
- rc=2
- echo " WARNING: pool '${pool}' specified in"
- echo " '/etc/periodic.conf:daily_scrub_zfs_pools'"
- echo " does not exist"
- continue
- fi
- _status=${_status##*$newline}
- case ${_status} in
- *FAULTED*)
- rc=3
- echo "Skipping faulted pool: ${pool}"
- continue ;;
- *UNAVAIL*)
- rc=4
- echo "Skipping unavailable pool: ${pool}"
- continue ;;
- esac
-
- # determine how many days shall be between scrubs
- eval _pool_threshold=\${daily_scrub_zfs_$(echo "${pool}"|tr ".:-" "_")_threshold}
- if [ -z "${_pool_threshold}" ];then
- _pool_threshold=${daily_scrub_zfs_default_threshold}
- fi
-
- _last_scrub=$(zpool history ${pool} | \
- egrep "^[0-9\.\:\-]{19} zpool scrub ${pool}\$" | tail -1 |\
- cut -d ' ' -f 1)
- if [ -z "${_last_scrub}" ]; then
- # creation time of the pool if no scrub was done
- _last_scrub=$(zpool history ${pool} | \
- sed -ne '2s/ .*$//p')
- fi
- if [ -z "${_last_scrub}" ]; then
- echo " skipping scrubbing of pool '${pool}':"
- echo " can't get last scrubbing date"
- continue
- fi
-
- # Now minus last scrub (both in seconds) converted to days.
- _scrub_diff=$(expr -e \( $(date +%s) - \
- $(date -j -v -70M -f %F.%T ${_last_scrub} +%s) \) / 60 / 60 / 24)
- if [ ${_scrub_diff} -lt ${_pool_threshold} ]; then
- echo " skipping scrubbing of pool '${pool}':"
- echo " last scrubbing is ${_scrub_diff} days ago, threshold is set to ${_pool_threshold} days"
- continue
- fi
-
- _status="$(zpool status ${pool} | grep scan:)"
- case "${_status}" in
- *"scrub in progress"*)
- echo " scrubbing of pool '${pool}' already in progress, skipping:"
- ;;
- *"resilver in progress"*)
- echo " resilvering of pool '${pool}' is in progress, skipping:"
- ;;
- *"none requested"*)
- echo " starting first scrub (since reboot) of pool '${pool}':"
- zpool scrub ${pool}
- [ $rc -eq 0 ] && rc=1
- ;;
- *)
- echo " starting scrub of pool '${pool}':"
- zpool scrub ${pool}
- [ $rc -eq 0 ] && rc=1
- ;;
- esac
-
- echo " consult 'zpool status ${pool}' for the result"
- done
- ;;
-
- *)
- rc=0
- ;;
-esac
-
-exit $rc
Index: etc/periodic/daily/999.local
===================================================================
--- etc/periodic/daily/999.local
+++ etc/periodic/daily/999.local
@@ -1,43 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-# Run the old /etc/daily.local script. This is really for backwards
-# compatibility more than anything else.
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-rc=0
-for script in $daily_local
-do
- echo ''
- case "$script" in
- /*)
- if [ -x "$script" ]
- then
- echo "Running $script:"
-
- $script || rc=3
- elif [ -f "$script" ]
- then
- echo "Running $script:"
-
- sh $script || rc=3
- else
- echo "$script: No such file"
- [ $rc -lt 2 ] && rc=2
- fi;;
- *)
- echo "$script: Not an absolute path"
- [ $rc -lt 2 ] && rc=2;;
- esac
-done
-
-exit $rc
Index: etc/periodic/daily/Makefile
===================================================================
--- etc/periodic/daily/Makefile
+++ etc/periodic/daily/Makefile
@@ -1,62 +0,0 @@
-# $FreeBSD$
-
-.include
-
-FILESGROUPS=FILES
-
-FILES= 100.clean-disks \
- 110.clean-tmps \
- 120.clean-preserve \
- 140.clean-rwho \
- 200.backup-passwd \
- 210.backup-aliases \
- 330.news \
- 400.status-disks \
- 401.status-graid \
- 406.status-gmirror \
- 407.status-graid3 \
- 408.status-gstripe \
- 409.status-gconcat \
- 410.status-mfi \
- 420.status-network \
- 430.status-uptime \
- 450.status-security \
- 510.status-world-kernel \
- 999.local
-
-# NB: keep these sorted by MK_* knobs
-
-.if ${MK_ACCT} != "no"
-FILESGROUPS+= ACCT
-ACCT+= 310.accounting
-.endif
-ACCTDIR= /etc/periodic/daily
-ACCTMODE= ${BINMODE}
-ACCTPACKAGE= acct
-
-.if ${MK_CALENDAR} != "no"
-FILES+= 300.calendar
-.endif
-
-.if ${MK_MAIL} != "no"
-FILES+= 130.clean-msgs
-.endif
-
-.if ${MK_NTP} != "no"
-FILES+= 480.status-ntpd \
- 480.leapfile-ntpd
-.endif
-
-.if ${MK_SENDMAIL} != "no"
-FILES+= 150.clean-hoststat \
- 440.status-mailq \
- 460.status-mail-rejects \
- 500.queuerun
-.endif
-
-.if ${MK_ZFS} != "no"
-FILES+= 404.status-zfs \
- 800.scrub-zfs
-.endif
-
-.include
Index: etc/periodic/monthly/200.accounting
===================================================================
--- etc/periodic/monthly/200.accounting
+++ etc/periodic/monthly/200.accounting
@@ -1,51 +0,0 @@
-#!/bin/sh -
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-oldmask=$(umask)
-umask 066
-case "$monthly_accounting_enable" in
- [Yy][Ee][Ss])
- W=/var/log/utx.log
- rc=0
- remove=NO
- if [ ! -f $W.0 ]
- then
- if [ -f $W.0.gz ]
- then
- remove=YES
- zcat $W.0.gz > $W.0 || rc=1
- elif [ -f $W.0.bz2 ]
- then
- remove=YES
- bzcat $W.0.bz2 > $W.0 || rc=1
- else
- echo '$monthly_accounting_enable is set but' \
- "$W.0 doesn't exist"
- rc=2
- fi
- fi
- if [ $rc -eq 0 ]
- then
- echo ""
- echo "Doing login accounting:"
-
- rc=$(ac -p -w $W.0 | sort -nr -k 2 | tee /dev/stderr | wc -l)
- [ $rc -gt 0 ] && rc=1
- fi
- [ $remove = YES ] && rm -f $W.0;;
-
- *) rc=0;;
-esac
-
-umask $oldmask
-exit $rc
Index: etc/periodic/monthly/450.status-security
===================================================================
--- etc/periodic/monthly/450.status-security
+++ etc/periodic/monthly/450.status-security
@@ -1,47 +0,0 @@
-#!/bin/sh
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$monthly_status_security_enable" in
- [Yy][Ee][Ss])
- echo ""
- echo "Security check:"
-
- case "$monthly_status_security_inline" in
- [Yy][Ee][Ss])
- monthly_status_security_output="";;
- esac
-
- export security_output="${monthly_status_security_output}"
- rc=0
- case "${monthly_status_security_output}" in
- "")
- if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
- then
- periodic security > $tempfile || rc=3
- if [ -s "$tempfile" ]; then
- cat "$tempfile"
- rc=3
- fi
- rm -f "$tempfile"
- fi;;
- /*)
- echo " (output logged separately)"
- periodic security || rc=3;;
- *)
- echo " (output mailed separately)"
- periodic security || rc=3;;
- esac;;
- *) rc=0;;
-esac
-
-exit $rc
Index: etc/periodic/monthly/999.local
===================================================================
--- etc/periodic/monthly/999.local
+++ etc/periodic/monthly/999.local
@@ -1,40 +0,0 @@
-#!/bin/sh -
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-rc=0
-for script in $monthly_local
-do
- echo ''
- case "$script" in
- /*)
- if [ -x "$script" ]
- then
- echo "Running $script:"
-
- $script || rc=3
- elif [ -f "$script" ]
- then
- echo "Running $script:"
-
- sh $script || rc=3
- else
- echo "$script: No such file"
- [ $rc -lt 2 ] && rc=2
- fi;;
- *)
- echo "$script: Not an absolute path"
- [ $rc -lt 2 ] && rc=2;;
- esac
-done
-
-exit $rc
Index: etc/periodic/monthly/Makefile
===================================================================
--- etc/periodic/monthly/Makefile
+++ etc/periodic/monthly/Makefile
@@ -1,20 +0,0 @@
-# $FreeBSD$
-
-.include
-
-FILESGROUPS=FILES
-
-FILES= 450.status-security \
- 999.local
-
-# NB: keep these sorted by MK_* knobs
-
-.if ${MK_UTMPX} != "no"
-FILESGROUPS+= ACCT
-ACCT+= 200.accounting
-.endif
-ACCTDIR= /etc/periodic/monthly
-ACCTMODE= ${BINMODE}
-ACCTPACKAGE= acct
-
-.include
Index: etc/periodic/security/100.chksetuid
===================================================================
--- etc/periodic/security/100.chksetuid
+++ etc/periodic/security/100.chksetuid
@@ -1,62 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-. /etc/periodic/security/security.functions
-
-security_daily_compat_var security_status_chksetuid_enable
-
-rc=0
-
-if check_yesno_period security_status_chksetuid_enable
-then
- echo ""
- echo 'Checking setuid files and devices:'
- IFS=$'\n' # Don't split mount points with spaces or tabs
- MP=`mount -t ufs,zfs | awk '
- $0 !~ /no(suid|exec)/ {
- sub(/^.* on \//, "/");
- sub(/ \(.*\)/, "");
- print $0
- }'`
- find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \
- \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
- \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
- check_diff setuid - "${host} setuid diffs:"
- rc=$?
-fi
-
-exit $rc
Index: etc/periodic/security/110.neggrpperm
===================================================================
--- etc/periodic/security/110.neggrpperm
+++ etc/periodic/security/110.neggrpperm
@@ -1,61 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-security_daily_compat_var security_status_neggrpperm_enable
-
-rc=0
-
-if check_yesno_period security_status_neggrpperm_enable
-then
- echo ""
- echo 'Checking negative group permissions:'
- IFS=$'\n' # Don't split mount points with spaces or tabs
- MP=`mount -t ufs,zfs | awk '
- $0 !~ /no(suid|exec)/ {
- sub(/^.* on \//, "/");
- sub(/ \(.*\)/, "");
- print $0
- }'`
- n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \
- \( \( ! -perm +010 -and -perm +001 \) -or \
- \( ! -perm +020 -and -perm +002 \) -or \
- \( ! -perm +040 -and -perm +004 \) \) \
- -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0
-fi
-
-exit $rc
Index: etc/periodic/security/200.chkmounts
===================================================================
--- etc/periodic/security/200.chkmounts
+++ etc/periodic/security/200.chkmounts
@@ -1,65 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# Show changes in the way filesystems are mounted
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-. /etc/periodic/security/security.functions
-
-security_daily_compat_var security_status_chkmounts_enable
-security_daily_compat_var security_status_chkmounts_ignore
-security_daily_compat_var security_status_noamd
-
-ignore="${security_status_chkmounts_ignore}"
-rc=0
-
-if check_yesno_period security_status_chkmounts_enable
-then
- case "$security_status_noamd" in
- [Yy][Ee][Ss])
- ignore="${ignore}|^amd:"
- esac
- [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
- if ! [ -f /etc/fstab ]; then
- export PATH_FSTAB=/dev/null
- fi
- mount -p | sort | ${cmd} |
- check_diff mount - "${host} changes in mounted filesystems:"
- rc=$?
-fi
-
-exit "$rc"
Index: etc/periodic/security/300.chkuid0
===================================================================
--- etc/periodic/security/300.chkuid0
+++ etc/periodic/security/300.chkuid0
@@ -1,54 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-security_daily_compat_var security_status_chkuid0_enable
-
-rc=0
-
-if check_yesno_period security_status_chkuid0_enable
-then
- echo ""
- echo 'Checking for uids of 0:'
- n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
- tee /dev/stderr |
- sed -e '/^root 0$/d' -e '/^toor 0$/d' |
- wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0
-fi
-
-exit "$rc"
Index: etc/periodic/security/400.passwdless
===================================================================
--- etc/periodic/security/400.passwdless
+++ etc/periodic/security/400.passwdless
@@ -1,51 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2001 The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-security_daily_compat_var security_status_passwdless_enable
-
-rc=0
-
-if check_yesno_period security_status_passwdless_enable
-then
- echo ""
- echo 'Checking for passwordless accounts:'
- n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
- tee /dev/stderr | wc -l)
- [ $n -gt 0 ] && rc=1 || rc=0
-fi
-
-exit "$rc"
Index: etc/periodic/security/410.logincheck
===================================================================
--- etc/periodic/security/410.logincheck
+++ etc/periodic/security/410.logincheck
@@ -1,55 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2006 Tom Rhodes
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# If there is a global system configuration file, suck it in.
-#
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-security_daily_compat_var security_status_logincheck_enable
-
-rc=0
-
-if check_yesno_period security_status_logincheck_enable
-then
- echo ""
- echo 'Checking login.conf permissions:'
- if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
- n=0
- else
- echo "Bad ownership of /etc/login.conf"
- n=1
- fi
- [ $n -gt 0 ] && rc=1 || rc=0
-fi
-
-exit "$rc"
Index: etc/periodic/security/500.ipfwdenied
===================================================================
--- etc/periodic/security/500.ipfwdenied
+++ etc/periodic/security/500.ipfwdenied
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. /etc/periodic/security/security.functions - -security_daily_compat_var security_status_ipfwdenied_enable - -rc=0 - -if check_yesno_period security_status_ipfwdenied_enable -then - TMP=`mktemp -t security` - if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then - check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:" - fi - rc=$? 
- rm -f ${TMP} -fi - -exit $rc Index: etc/periodic/security/510.ipfdenied =================================================================== --- etc/periodic/security/510.ipfdenied +++ etc/periodic/security/510.ipfdenied 
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. /etc/periodic/security/security.functions - -security_daily_compat_var security_status_ipfdenied_enable - -rc=0 - -if check_yesno_period security_status_ipfdenied_enable -then - TMP=`mktemp -t security` - if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then - check_diff new_only ipf ${TMP} "${host} ipf denied packets:" - fi - rc=$? 
- rm -f ${TMP} -fi - -exit $rc Index: etc/periodic/security/520.pfdenied =================================================================== --- etc/periodic/security/520.pfdenied +++ etc/periodic/security/520.pfdenied 
@@ -1,59 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2004 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. 
/etc/periodic/security/security.functions - -security_daily_compat_var security_status_pfdenied_enable - -rc=0 - -if check_yesno_period security_status_pfdenied_enable -then - TMP=`mktemp -t security` - for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) - do - pfctl -a ${_a} -sr -v -z 2>/dev/null | \ - nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} - done - if [ -s ${TMP} ]; then - check_diff new_only pf ${TMP} "${host} pf denied packets:" - fi - rc=$? - rm -f ${TMP} -fi - -exit $rc Index: etc/periodic/security/550.ipfwlimit =================================================================== --- etc/periodic/security/550.ipfwlimit +++ etc/periodic/security/550.ipfwlimit 
@@ -1,69 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show ipfw rules which have reached the log limit -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_ipfwlimit_enable - -rc=0 - -if check_yesno_period security_status_ipfwlimit_enable -then - IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null` - if [ $? 
-ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then - exit 0 - fi - TMP=`mktemp -t security` - ipfw -a list | grep " log " | \ - grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \ - awk \ - '{if ($6 == "logamount") { - if ($2 > $7) - {print $0}} - }' > ${TMP} - - if [ -s "${TMP}" ]; then - rc=1 - echo "" - echo 'ipfw log limit reached:' - cat ${TMP} - fi - rm -f ${TMP} -fi - -exit $rc Index: etc/periodic/security/610.ipf6denied =================================================================== --- etc/periodic/security/610.ipf6denied +++ etc/periodic/security/610.ipf6denied 
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. /etc/periodic/security/security.functions - -security_daily_compat_var security_status_ipf6denied_enable - -rc=0 - -if check_yesno_period security_status_ipf6denied_enable -then - TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX` - if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then - check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:" - fi - rc=$? 
- rm -f ${TMP} -fi - -exit $rc Index: etc/periodic/security/700.kernelmsg =================================================================== --- etc/periodic/security/700.kernelmsg +++ etc/periodic/security/700.kernelmsg 
@@ -1,54 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show kernel log messages -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -. /etc/periodic/security/security.functions - -security_daily_compat_var security_status_kernelmsg_enable - -rc=0 - -if check_yesno_period security_status_kernelmsg_enable -then - dmesg 2>/dev/null | - check_diff new_only dmesg - "${host} kernel log messages:" - rc=$? 
-fi - -exit $rc Index: etc/periodic/security/800.loginfail =================================================================== --- etc/periodic/security/800.loginfail +++ etc/periodic/security/800.loginfail 
@@ -1,72 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show login failures -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_loginfail_enable - -LOG="${security_status_logdir}" - -yesterday=`date -v-1d "+%b %e "` - -catmsgs() { - find ${LOG} -name 'auth.log.*' -mtime -2 | - sort -t. 
-r -n -k 2,2 | - while read f - do - case $f in - *.gz) zcat -f $f;; - *.bz2) bzcat -f $f;; - esac - done - [ -f ${LOG}/auth.log ] && cat $LOG/auth.log -} - -rc=0 - -if check_yesno_period security_status_loginfail_enable -then - echo "" - echo "${host} login failures:" - n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" | - tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0 -fi - -exit $rc Index: etc/periodic/security/900.tcpwrap =================================================================== --- etc/periodic/security/900.tcpwrap +++ etc/periodic/security/900.tcpwrap 
@@ -1,72 +0,0 @@ -#!/bin/sh - -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# Show tcp_wrapper warning messages -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_tcpwrap_enable - -LOG="${security_status_logdir}" - -yesterday=`date -v-1d "+%b %e "` - -catmsgs() { - find ${LOG} -name 'messages.*' -mtime -2 | - sort -t. 
-r -n -k 2,2 | - while read f - do - case $f in - *.gz) zcat -f $f;; - *.bz2) bzcat -f $f;; - esac - done - [ -f ${LOG}/messages ] && cat $LOG/messages -} - -rc=0 - -if check_yesno_period security_status_tcpwrap_enable -then - echo "" - echo "${host} refused connections:" - n=$(catmsgs | grep -i "^$yesterday.*refused connect" | - tee /dev/stderr | wc -l) - [ $n -gt 0 ] && rc=1 || rc=0 -fi - -exit $rc Index: etc/periodic/security/Makefile =================================================================== --- etc/periodic/security/Makefile +++ etc/periodic/security/Makefile @@ -1,37 +0,0 @@ -# $FreeBSD$ - -.include - -FILESGROUPS= FILES DATA - -FILES= 100.chksetuid \ - 110.neggrpperm \ - 200.chkmounts \ - 300.chkuid0 \ - 400.passwdless \ - 410.logincheck \ - 700.kernelmsg \ - 800.loginfail -DATA= security.functions - -# NB: keep these sorted by MK_* knobs - -.if ${MK_IPFILTER} != "no" -FILES+= 510.ipfdenied -FILES+= 610.ipf6denied -.endif - -.if ${MK_IPFW} != "no" -FILES+= 500.ipfwdenied \ - 550.ipfwlimit -.endif - -.if ${MK_PF} != "no" -FILES+= 520.pfdenied -.endif - -.if ${MK_INETD} != "no" && ${MK_TCP_WRAPPERS} != "no" -FILES+= 900.tcpwrap -.endif - -.include Index: etc/periodic/security/security.functions =================================================================== --- etc/periodic/security/security.functions +++ etc/periodic/security/security.functions 
@@ -1,87 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2001 The FreeBSD Project -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This is a library file, so we only try to do something when sourced. -case "$0" in -*/security.functions) exit 0 ;; -esac - -security_daily_compat_var security_status_logdir -security_daily_compat_var security_status_diff_flags - -# -# Show differences in the output of an audit command -# - -LOG="${security_status_logdir}" -rc=0 - -# Usage: COMMAND | check_diff [new_only] LABEL - MSG -# COMMAND > TMPFILE; check_diff [new_only] LABEL TMPFILE MSG -# if $1 is new_only, show only the 'new' part of the diff. -# LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files. 
- -check_diff() { - unset IFS - rc=0 - if [ "$1" = "new_only" ]; then - shift - filter="grep '^[>+][^+]'" - else - filter="cat" - fi - label="$1"; shift - tmpf="$1"; shift - msg="$1"; shift - - if [ "${tmpf}" = "-" ]; then - tmpf=`mktemp -t security` - cat > ${tmpf} - fi - - if [ ! -f ${LOG}/${label}.today ]; then - rc=1 - echo "" - echo "No ${LOG}/${label}.today" - cp ${tmpf} ${LOG}/${label}.today || rc=3 - fi - - if ! cmp -s ${LOG}/${label}.today ${tmpf} >/dev/null; then - [ $rc -lt 1 ] && rc=1 - echo "" - echo "${msg}" - diff ${security_status_diff_flags} ${LOG}/${label}.today \ - ${tmpf} | eval "${filter}" - mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3 - mv ${tmpf} ${LOG}/${label}.today || rc=3 - fi - - rm -f ${tmpf} - exit ${rc} -} Index: etc/periodic/weekly/310.locate =================================================================== --- etc/periodic/weekly/310.locate +++ etc/periodic/weekly/310.locate @@ -1,32 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$weekly_locate_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Rebuilding locate database:" - - locdb=/var/db/locate.database - - touch $locdb && rc=0 || rc=3 - chown nobody $locdb || rc=3 - chmod 644 $locdb || rc=3 - - cd / - echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3 - chmod 444 $locdb || rc=3;; - - *) rc=0;; -esac - -exit $rc Index: etc/periodic/weekly/320.whatis =================================================================== --- etc/periodic/weekly/320.whatis +++ etc/periodic/weekly/320.whatis 
@@ -1,51 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$weekly_whatis_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Rebuilding whatis database:" - - MANPATH=`/usr/bin/manpath -q` - if [ $? = 0 ] - then - if [ -z "${MANPATH}" ] - then - echo "manpath failed to find any manpage directories" - rc=3 - else - man_locales=`/usr/bin/manpath -qL` - rc=0 - - # Build whatis(1) database(s) for original, non-localized - # manpages. - /usr/libexec/makewhatis.local "${MANPATH}" || rc=3 - - # Build whatis(1) database(s) for localized manpages. - if [ X"${man_locales}" != X ] - then - for i in ${man_locales} - do - LC_ALL=$i /usr/libexec/makewhatis.local -a \ - -L "${MANPATH}" || rc=3 - done - fi - fi - else - rc=3 - fi;; - - *) rc=0;; -esac - -exit $rc Index: etc/periodic/weekly/340.noid =================================================================== --- etc/periodic/weekly/340.noid +++ etc/periodic/weekly/340.noid @@ -1,29 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$weekly_noid_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Check for files with an unknown user or group:" - - rc=$(find -H ${weekly_noid_dirs:-/} \ - \( ! -fstype local -prune -or -name \* \) -and \ - \( -nogroup -o -nouser \) -print | sed 's/^/ /' | - tee /dev/stderr | wc -l) - [ $rc -gt 1 ] && rc=1 - ;; - - *) rc=0;; -esac - -exit $rc Index: etc/periodic/weekly/450.status-security =================================================================== --- etc/periodic/weekly/450.status-security +++ etc/periodic/weekly/450.status-security 
@@ -1,47 +0,0 @@ -#!/bin/sh -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -case "$weekly_status_security_enable" in - [Yy][Ee][Ss]) - echo "" - echo "Security check:" - - case "$weekly_status_security_inline" in - [Yy][Ee][Ss]) - weekly_status_security_output="";; - esac - - export security_output="${weekly_status_security_output}" - rc=0 - case "${weekly_status_security_output}" in - "") - if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX` - then - periodic security > $tempfile || rc=3 - if [ -s "$tempfile" ]; then - cat "$tempfile" - rc=3 - fi - rm -f "$tempfile" - fi;; - /*) - echo " (output logged separately)" - periodic security || rc=3;; - *) - echo " (output mailed separately)" - periodic security || rc=3;; - esac;; - *) rc=0;; -esac - -exit $rc Index: etc/periodic/weekly/999.local =================================================================== --- etc/periodic/weekly/999.local +++ etc/periodic/weekly/999.local @@ -1,40 +0,0 @@ -#!/bin/sh - -# -# $FreeBSD$ -# - -# If there is a global system configuration file, suck it in. -# -if [ -r /etc/defaults/periodic.conf ] -then - . /etc/defaults/periodic.conf - source_periodic_confs -fi - -rc=0 -for script in $weekly_local -do - echo '' - case "$script" in - /*) - if [ -x "$script" ] - then - echo "Running $script:" - - $script || rc=3 - elif [ -f "$script" ] - then - echo "Running $script:" - - sh $script || rc=3 - else - echo "$script: No such file" - [ $rc -lt 2 ] && rc=2 - fi;; - *) - echo "$script: Not an absolute path" - [ $rc -lt 2 ] && rc=2;; - esac -done - -exit $rc Index: etc/periodic/weekly/Makefile =================================================================== --- etc/periodic/weekly/Makefile +++ etc/periodic/weekly/Makefile 
@@ -1,19 +0,0 @@ -# $FreeBSD$ - -.include - -FILES= 340.noid \ - 450.status-security \ - 999.local - -# NB: keep these sorted by MK_* knobs - -.if ${MK_LOCATE} != "no" -FILES+= 310.locate -.endif - -.if ${MK_MAN_UTILS} != "no" -FILES+= 320.whatis -.endif - -.include Index: usr.sbin/periodic/Makefile =================================================================== --- usr.sbin/periodic/Makefile +++ usr.sbin/periodic/Makefile @@ -3,4 +3,9 @@ SCRIPTS=periodic.sh MAN= periodic.8 +CONFS= periodic.conf +CONFSDIR= /etc/defaults + +SUBDIR= etc + .include Index: usr.sbin/periodic/etc/Makefile.inc =================================================================== --- usr.sbin/periodic/etc/Makefile.inc +++ usr.sbin/periodic/etc/Makefile.inc @@ -1,5 +1,6 @@ # $FreeBSD$ -BINDIR= /etc/periodic/${.CURDIR:T} +CONFMODE= 755 +CONFDIR= ETC_PERIODIC_${.CURDIR:T:U} +ETC_PERIODIC_${.CURDIR:T:U}= /etc/periodic/${.CURDIR:T} NO_OBJ= -FILESMODE= 755 Index: usr.sbin/periodic/etc/daily/Makefile =================================================================== --- usr.sbin/periodic/etc/daily/Makefile +++ usr.sbin/periodic/etc/daily/Makefile @@ -2,9 +2,9 @@ .include -FILESGROUPS=FILES +CONFGROUPS=CONFS -FILES= 100.clean-disks \ +CONFS= 100.clean-disks \ 110.clean-tmps \ 120.clean-preserve \ 140.clean-rwho \ 
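Review bot: The added `CONFS= periodic.conf` / `CONFSDIR= /etc/defaults` pair in usr.sbin/periodic/Makefile sets no mode, so the permissions of /etc/defaults/periodic.conf are left to the build-wide default for config files. Every periodic script removed on this page sources that file (`. /etc/defaults/periodic.conf`) before running its checks, presumably as root. It is worth stating the mode next to the directory, e.g. `CONFSMODE= 444`, if read-only is what the old FILES install in etc/defaults produced.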
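Review bot: `CONFMODE= 755` in usr.sbin/periodic/etc/Makefile.inc looks like the fallback mode for every install group in the subdirectories rather than for the scripts alone, which would explain why the security Makefile later has to add `DATAMODE= 444` for security.functions. A group added later without its own mode would then be installed executable. Scoping it as `CONFSMODE= 755` would keep the meaning of the removed `FILESMODE= 755` (the ACCT group already sets `ACCTMODE`). `CONFDIR` now holds a variable name (`ETC_PERIODIC_${.CURDIR:T:U}`) instead of a path, so a one-line comment such as `# CONFDIR names the variable that holds the install path` would help the next reader.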
@@ -27,35 +27,34 @@ # NB: keep these sorted by MK_* knobs .if ${MK_ACCT} != "no" -FILESGROUPS+= ACCT +CONFGROUPS+= ACCT ACCT+= 310.accounting -.endif -ACCTDIR= /etc/periodic/daily ACCTMODE= ${BINMODE} ACCTPACKAGE= acct +.endif .if ${MK_CALENDAR} != "no" -FILES+= 300.calendar +CONFS+= 300.calendar .endif .if ${MK_MAIL} != "no" -FILES+= 130.clean-msgs +CONFS+= 130.clean-msgs .endif .if ${MK_NTP} != "no" -FILES+= 480.status-ntpd \ +CONFS+= 480.status-ntpd \ 480.leapfile-ntpd .endif .if ${MK_SENDMAIL} != "no" -FILES+= 150.clean-hoststat \ +CONFS+= 150.clean-hoststat \ 440.status-mailq \ 460.status-mail-rejects \ 500.queuerun .endif .if ${MK_ZFS} != "no" -FILES+= 404.status-zfs \ +CONFS+= 404.status-zfs \ 800.scrub-zfs .endif Index: usr.sbin/periodic/etc/monthly/Makefile =================================================================== --- usr.sbin/periodic/etc/monthly/Makefile +++ usr.sbin/periodic/etc/monthly/Makefile @@ -2,19 +2,18 @@ .include -FILESGROUPS=FILES +CONFGROUPS= CONFS -FILES= 450.status-security \ +CONFS= 450.status-security \ 999.local # NB: keep these sorted by MK_* knobs .if ${MK_UTMPX} != "no" -FILESGROUPS+= ACCT +CONFGROUPS+= ACCT ACCT+= 200.accounting -.endif -ACCTDIR= /etc/periodic/monthly ACCTMODE= ${BINMODE} ACCTPACKAGE= acct +.endif .include Index: usr.sbin/periodic/etc/security/Makefile =================================================================== --- usr.sbin/periodic/etc/security/Makefile +++ usr.sbin/periodic/etc/security/Makefile @@ -2,9 +2,9 @@ .include -FILESGROUPS= FILES DATA +CONFGROUPS= CONFS DATA -FILES= 100.chksetuid \ +CONFS= 100.chksetuid \ 110.neggrpperm \ 200.chkmounts \ 300.chkuid0 \ 
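Review bot: With `ACCTDIR= /etc/periodic/daily` removed, nothing in the daily Makefile says where `310.accounting` is installed; the ACCT group presumably falls back to the `CONFDIR` set in ../Makefile.inc, which now holds a variable name rather than a path. The same removal is made for `200.accounting` in the monthly Makefile hunk that follows. If the fallback is intended, say so beside the group, e.g. `# ACCTDIR defaults to CONFDIR from ../Makefile.inc`, and confirm with a staged install that both accounting scripts still land in /etc/periodic/daily and /etc/periodic/monthly. `ACCTMODE= ${BINMODE}` also gives these two scripts a different mode source than the `CONFMODE= 755` used for their neighbours, which deserves a comment if deliberate.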
@@ -13,25 +13,28 @@ 700.kernelmsg \ 800.loginfail DATA= security.functions +DATAMODE= 444 + +CONFDIR= /etc/periodic/security # NB: keep these sorted by MK_* knobs .if ${MK_IPFILTER} != "no" -FILES+= 510.ipfdenied -FILES+= 610.ipf6denied +CONFS+= 510.ipfdenied +CONFS+= 610.ipf6denied .endif .if ${MK_IPFW} != "no" -FILES+= 500.ipfwdenied \ +CONFS+= 500.ipfwdenied \ 550.ipfwlimit .endif .if ${MK_PF} != "no" -FILES+= 520.pfdenied +CONFS+= 520.pfdenied .endif .if ${MK_INETD} != "no" && ${MK_TCP_WRAPPERS} != "no" -FILES+= 900.tcpwrap +CONFS+= 900.tcpwrap .endif .include Index: usr.sbin/periodic/etc/weekly/Makefile =================================================================== --- usr.sbin/periodic/etc/weekly/Makefile +++ usr.sbin/periodic/etc/weekly/Makefile @@ -2,18 +2,18 @@ .include -FILES= 340.noid \ +CONFS= 340.noid \ 450.status-security \ 999.local # NB: keep these sorted by MK_* knobs .if ${MK_LOCATE} != "no" -FILES+= 310.locate +CONFS+= 310.locate .endif .if ${MK_MAN_UTILS} != "no" -FILES+= 320.whatis +CONFS+= 320.whatis .endif .include
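Review bot: `CONFDIR= /etc/periodic/security` in the security Makefile gives the directory as a literal path, while usr.sbin/periodic/etc/Makefile.inc in this same change assigns `CONFDIR` a variable name with a plain `=`. If Makefile.inc is read after this file's body (the usual case when it is pulled in by the trailing `.include`), the assignment here is overridden and has no effect. The scripts removed above source `/etc/periodic/security/security.functions` by absolute path, so the DATA group must end up in that directory. Setting only what is needed, `DATADIR= /etc/periodic/security` next to `DATAMODE= 444`, avoids depending on include order.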