xref: /openbsd-src/etc/daily (revision ec5358abcddafaed3741ece5f6f35eb7b747ce16)
#
#	$OpenBSD: daily,v 1.100 2024/07/04 05:06:58 bket Exp $
#	From: @(#)daily	8.2 (Berkeley) 1/25/94
#
# For local additions, create the file /etc/daily.local.
# To get section headers, use the function next_part in daily.local.
# The file is sourced into this script only if it is owned by uid 0 and
# is not writable by group or others (see run_script below).
#
# Anything this script creates implicitly is not group/world-writable.
umask 022

# PARTOUT holds the output of the section that is currently running;
# MAINOUT accumulates the finished report that is mailed at the end.
PARTOUT=/var/log/daily.part
MAINOUT=/var/log/daily.out

# Start both files empty, owned by uid 0 / gid 0 and with mode 600, so the
# report is readable by its owner only.  The -b flag on the second call
# asks install(1) to keep a backup of the previous report.
install -o 0 -g 0 -m 600 /dev/null "$PARTOUT"
install -o 0 -g 0 -m 600 -b /dev/null "$MAINOUT"
1403446679Sschwarze
# start_part title
# Begin a report section: remember its title in the global TITLE (read
# later by end_part) and send all further stdout and stderr of this shell
# to $PARTOUT, truncating whatever the file held before.
start_part() {
	TITLE="$1"
	exec >"$PARTOUT" 2>&1
}
19ee34f0e1Smillert
# end_part
# Close the current report section: switch stdout and stderr to append to
# $MAINOUT and, if the section wrote anything to $PARTOUT, emit a blank
# line, the section title and the collected output.  A section that
# produced no output leaves no trace in the report.
end_part() {
	exec >>"$MAINOUT" 2>&1
	# Nothing collected: return early with the status of the failed test.
	[ -s "$PARTOUT" ] || return
	echo ""
	echo "$TITLE"
	cat "$PARTOUT"
}
2703446679Sschwarze
# next_part title
# Finish the section in progress and open a new one named by the first
# argument.  This is the function /etc/daily.local is told to use for its
# own section headers.
next_part() {
	end_part
	start_part "$1"
}
3203446679Sschwarze
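# run_script name
# Source /etc/<name> into this shell, but only when it is a regular file
# owned by uid 0 that neither group nor others may write to.  A missing
# file is skipped silently; a file that fails the check is reported with
# its ls -l listing and not sourced.
run_script() {
	f=/etc/$1
	test -e "$f" || return
	# stat prints the symbolic mode followed by the numeric owner (for
	# example "-rw-r--r--0"); cut keeps the file type (byte 1), the group
	# and other write bits (bytes 6 and 9) and the uid (byte 11 onwards),
	# so the only accepted result is '---0'.
	# The substitution is quoted so that empty output from a failing stat
	# counts as a mismatch.  Unquoted, an empty result left a malformed
	# test whose error status was treated as "check passed" and the file
	# was sourced anyway.
	if [ "$(stat -f '%Sp%u' "$f" | cut -b1,6,9,11-)" != '---0' ]; then
		echo "$f has insecure permissions, skipping:"
		ls -l "$f"
		return
	fi
	# NOTE(review): the file is checked and then opened again by name, and
	# the permissions of /etc itself are not examined here.
	. "$f"
}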
4303446679Sschwarze
# Local additions run first, in their own report section.  run_script
# sources /etc/daily.local only after its ownership and mode check.
start_part 'Running daily.local:'
run_script 'daily.local'
4603446679Sschwarze
# Clean out /tmp.  Nothing is done unless /tmp is a real directory (not a
# symbolic link) and the cd into it succeeds, so the deletions below can
# only act relative to /tmp.  find -x keeps both passes on that filesystem.
next_part "Removing scratch and junk files:"
if [ -d /tmp ] && [ ! -L /tmp ] && cd /tmp; then
	# Pass 1: regular files not accessed for more than 7 days, except
	# paths matching ./*.s[eh]m.  The ssh-*, tmux-*, .X11-unix and
	# .ICE-unix trees are pruned and never entered.
	find -x . \
	    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
		-o -path './tmux-*' \) -prune -o \
	    -type f -and ! -path './*.s[eh]m' -atime +7 -delete 2>/dev/null
	# Pass 2: directories not modified for more than a day, except
	# vi.recover, .X11-unix, .ICE-unix and /tmp itself.  All output is
	# discarded; presumably that hides the failures for directories
	# that still have contents.
	find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
	    ! -path ./.ICE-unix ! -name . \
	    -delete >/dev/null 2>&1
fi
58df930be7Sderaadt
# Additional junk directory cleanup would go like this:
#if [ -d /scratch -a ! -L /scratch ]; then
#	cd /scratch && {
#	find . ! -name . -atime +1 -delete
#	find . ! -name . -type d -mtime +1 -delete \
#	    >/dev/null 2>&1; }
#fi
66df930be7Sderaadt
# Rotate the process accounting file, keeping the generations acct.0 to
# acct.3, then summarise it and report flagged commands from the new copy.
next_part "Purging accounting records:"
if [ -f /var/account/acct ]; then
	# Shift the older generations up by one, oldest first, so that no
	# copy is overwritten before it has been moved.
	if [ -f /var/account/acct.2 ]; then
		mv -f /var/account/acct.2 /var/account/acct.3
	fi
	if [ -f /var/account/acct.1 ]; then
		mv -f /var/account/acct.1 /var/account/acct.2
	fi
	if [ -f /var/account/acct.0 ]; then
		mv -f /var/account/acct.0 /var/account/acct.1
	fi
	cp -f /var/account/acct /var/account/acct.0
	sa -sq
	# Only records whose flag field ends in one of E, M, P, T or U reach
	# the report.  NOTE(review): these look like the flags set for
	# abnormal or policy-violating terminations; confirm the meaning of
	# each letter against lastcomm(1).
	lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[EMPTU]'
fi
79df930be7Sderaadt
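# If ROOTBACKUP is set to 1 in the environment, and
# if filesystem named /altroot is type ffs and mounted "xx",
# use it as a backup root filesystem to be updated daily.
#
# The loop below runs at most once; it is a loop only so that "break" can
# abandon the backup from any of the checks.  Every check that fails
# prints its reason into the report and leaves the target untouched.
next_part "Backing up root filesystem:"
while [ "X$ROOTBACKUP" = X1 ]; do
	# First field of the uncommented fstab(5) entry for an ffs /altroot
	# whose options contain "xx".
	rootbak=`awk '$1 !~ /^#/ && $2 == "/altroot" && $3 == "ffs" && \
		$4 ~ /xx/ { print $1 }' < /etc/fstab`
	if [ -z "$rootbak" ]; then
		echo "No xx ffs /altroot device found in the fstab(5)."
		break
	fi
	# Split the entry into disk and partition: drop a leading /dev/, then
	# take off the trailing partition letter (a-p) and an optional "."
	# in front of it.
	rootbak=${rootbak#/dev/}
	bakdisk=${rootbak%%?(.)[a-p]}
	if ! sysctl -n hw.disknames | grep -Fqw $bakdisk; then
		echo "Backup disk '$bakdisk' not present in hw.disknames."
		break
	fi
	bakpart=${rootbak##$bakdisk?(.)}
	# hw.disknames is a comma-separated list of name:duid pairs.
	OLDIFS=$IFS
	IFS=,
	for d in `sysctl -n hw.disknames`; do
		# If the provided disk name is a duid, substitute the device.
		if [ X$bakdisk = X${d#*:} ]; then
			bakdisk=${d%:*}
			rootbak=$bakdisk$bakpart
		fi
	done
	IFS=$OLDIFS
	# Second column of the partition's disklabel(8) line, used below as
	# the partition size.
	baksize=`disklabel $bakdisk 2>/dev/null | \
		awk -v "part=$bakpart:" '$1 == part { print $2 }'`
	# The device mounted on / when it is a local ffs filesystem, with the
	# /dev/ prefix removed.
	rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
		{ print substr($1, 6) }'`
	if [ -z "$rootdev" ]; then
		echo "The root filesystem is not local or not ffs."
		break
	fi
	# Never copy the root partition onto itself.
	if [ X$rootdev = X$rootbak ]; then
		echo "The device $rootdev holds both root and /altroot."
		break
	fi
	rootdisk=${rootdev%[a-p]}
	rootpart=${rootdev#$rootdisk}
	rootsize=`disklabel $rootdisk 2>/dev/null | \
		awk -v "part=$rootpart:" '$1 == part { print $2 }'`
	# Refuse to continue when either size is unknown (disklabel failed or
	# the partition is not in the label).  With an empty operand the -gt
	# test below is malformed; its error status counts as "not larger"
	# and the copy would go ahead without any size check.
	if [ -z "$rootsize" ] || [ -z "$baksize" ]; then
		echo "Cannot determine the size of root or /altroot."
		break
	fi
	if [ $rootsize -gt $baksize ]; then
		echo "Root ($rootsize) is larger than /altroot ($baksize)."
		break
	fi
	next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
	sync
	# Raw-device copy that skips the first 16-sector block on both sides
	# (seek=1 skip=1) and keeps going after read errors (conv=noerror).
	# NOTE(review): presumably the skipped block protects the start of
	# the target partition; confirm.
	dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
		conv=noerror
	# Repair the copy, answering yes to every fsck question.
	fsck -y /dev/r$rootbak
	break
done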
1355da8c588Smillert
# Whatever "rcctl ls failed" prints becomes this section of the report.
next_part "Services that should be running but aren't:"
rcctl ls failed

# Output of "dump w" with the lines starting with "Dump" removed; each
# remaining line is shown with one line of leading context.
next_part "Filesystems which need to be dumped:"
dump w | grep -v -B 1 '^Dump'
141df930be7Sderaadt
# Start "calendar -a" in the background unless CALENDAR is set to 0.  It
# is also skipped when /var/yp/binding exists but there is no /var/yp
# directory for the current domain name.
# NOTE(review): that presumably singles out YP clients so the run happens
# on one host only; confirm.
next_part "Running calendar in the background:"
if [ "X$CALENDAR" != X0 ] &&
    { [ -d "/var/yp/$(domainname)" ] || [ ! -d /var/yp/binding ]; }; then
	calendar -a &
fi
14719ca049bSmillert
# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck
# with the no-write flag.  The "** Phase" progress lines are dropped from
# the report; everything else fsck prints is kept.
next_part "Checking filesystems:"
if [ "X$CHECKFILESYSTEMS" = X1 ]; then
	fsck -n | grep -v '^\*\* Phase'
fi
154df930be7Sderaadt
# Run rdist(1) when /etc/Distfile exists.  If /var/log/rdist is a
# directory, stdout and stderr are additionally copied to a file there
# named after today's date (date +%F); otherwise the output goes to the
# report only.
next_part "Running rdist:"
if [ -f /etc/Distfile ] && [ -d /var/log/rdist ]; then
	rdist -f /etc/Distfile 2>&1 | tee "/var/log/rdist/$(date +%F)"
elif [ -f /etc/Distfile ]; then
	rdist -f /etc/Distfile
fi
163df930be7Sderaadt
# Close the last section and, if the daily report is not empty, mail it to
# root with the kernel version and uptime in front of it.
end_part
if [ -s "$MAINOUT" ]; then
	{
		sysctl -n kern.version
		uptime
		cat "$MAINOUT"
	} 2>&1 | mail -s "$(hostname) daily output" root
fi
17003446679Sschwarze
17103446679Sschwarze
# Second report: the output of security(8), collected the same way as the
# daily report but in its own file, which is again created empty with
# owner 0:0 and mode 600 (the previous one is kept as a backup by -b).
MAINOUT=/var/log/security.out
install -o 0 -g 0 -m 600 -b /dev/null "$MAINOUT"

start_part "Running security(8):"
# Put SUIDSKIP into the environment of the security script.
export SUIDSKIP
/usr/libexec/security
end_part
# The per-section scratch file is no longer needed.
rm -f "$PARTOUT"

# Mail the security report to root only if it has any content.
if [ -s "$MAINOUT" ]; then
	mail -s "$(hostname) daily insecurity output" root <"$MAINOUT"
fi
182