mirror of
https://github.com/openbsd/src.git
synced 2025-01-10 06:47:55 -08:00
693dc5e1c0
of pinsyscall(2) policy. Report such findings in daily mail like other security violations. User has to turn on accounting=YES in rc.conf.local to utilize this feature. OK deraadt@
182 lines
4.6 KiB
Plaintext
182 lines
4.6 KiB
Plaintext
#
|
|
# $OpenBSD: daily,v 1.97 2023/03/03 16:22:57 bluhm Exp $
|
|
# From: @(#)daily 8.2 (Berkeley) 1/25/94
|
|
#
|
|
# For local additions, create the file /etc/daily.local.
|
|
# To get section headers, use the function next_part in daily.local.
|
|
#
|
|
umask 022
|
|
|
|
PARTOUT=/var/log/daily.part
|
|
MAINOUT=/var/log/daily.out
|
|
install -o 0 -g 0 -m 600 /dev/null $PARTOUT
|
|
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
|
|
|
|
start_part() {
|
|
TITLE=$1
|
|
exec > $PARTOUT 2>&1
|
|
}
|
|
|
|
end_part() {
|
|
exec >> $MAINOUT 2>&1
|
|
test -s $PARTOUT || return
|
|
echo ""
|
|
echo "$TITLE"
|
|
cat $PARTOUT
|
|
}
|
|
|
|
next_part() {
|
|
end_part
|
|
start_part "$1"
|
|
}
|
|
|
|
run_script() {
|
|
f=/etc/$1
|
|
test -e $f || return
|
|
if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then
|
|
echo "$f has insecure permissions, skipping:"
|
|
ls -l $f
|
|
return
|
|
fi
|
|
. $f
|
|
}
|
|
|
|
start_part "Running daily.local:"
|
|
run_script "daily.local"
|
|
|
|
next_part "Removing scratch and junk files:"
|
|
if [ -d /tmp -a ! -L /tmp ]; then
|
|
cd /tmp && {
|
|
find -x . \
|
|
\( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
|
|
-o -path './tmux-*' \) -prune -o \
|
|
-type f -and ! -path './*.shm' -atime +7 -delete 2>/dev/null
|
|
find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
|
|
! -path ./.ICE-unix ! -name . \
|
|
-delete >/dev/null 2>&1; }
|
|
fi
|
|
|
|
# Additional junk directory cleanup would go like this:
|
|
#if [ -d /scratch -a ! -L /scratch ]; then
|
|
# cd /scratch && {
|
|
# find . ! -name . -atime +1 -delete
|
|
# find . ! -name . -type d -mtime +1 -delete \
|
|
# >/dev/null 2>&1; }
|
|
#fi
|
|
|
|
next_part "Purging accounting records:"
|
|
if [ -f /var/account/acct ]; then
|
|
test -f /var/account/acct.2 && \
|
|
mv -f /var/account/acct.2 /var/account/acct.3
|
|
test -f /var/account/acct.1 && \
|
|
mv -f /var/account/acct.1 /var/account/acct.2
|
|
test -f /var/account/acct.0 && \
|
|
mv -f /var/account/acct.0 /var/account/acct.1
|
|
cp -f /var/account/acct /var/account/acct.0
|
|
sa -sq
|
|
lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[EMPTU]'
|
|
fi
|
|
|
|
# If ROOTBACKUP is set to 1 in the environment, and
|
|
# if filesystem named /altroot is type ffs and mounted "xx",
|
|
# use it as a backup root filesystem to be updated daily.
|
|
next_part "Backing up root filesystem:"
|
|
while [ "X$ROOTBACKUP" = X1 ]; do
|
|
rootbak=`awk '$1 !~ /^#/ && $2 == "/altroot" && $3 == "ffs" && \
|
|
$4 ~ /xx/ { print $1 }' < /etc/fstab`
|
|
if [ -z "$rootbak" ]; then
|
|
echo "No xx ffs /altroot device found in the fstab(5)."
|
|
break
|
|
fi
|
|
rootbak=${rootbak#/dev/}
|
|
bakdisk=${rootbak%%?(.)[a-p]}
|
|
if ! sysctl -n hw.disknames | grep -Fqw $bakdisk; then
|
|
echo "Backup disk '$bakdisk' not present in hw.disknames."
|
|
break
|
|
fi
|
|
bakpart=${rootbak##$bakdisk?(.)}
|
|
OLDIFS=$IFS
|
|
IFS=,
|
|
for d in `sysctl -n hw.disknames`; do
|
|
# If the provided disk name is a duid, substitute the device.
|
|
if [ X$bakdisk = X${d#*:} ]; then
|
|
bakdisk=${d%:*}
|
|
rootbak=$bakdisk$bakpart
|
|
fi
|
|
done
|
|
IFS=$OLDIFS
|
|
baksize=`disklabel $bakdisk 2>/dev/null | \
|
|
awk -v "part=$bakpart:" '$1 == part { print $2 }'`
|
|
rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
|
|
{ print substr($1, 6) }'`
|
|
if [ -z "$rootdev" ]; then
|
|
echo "The root filesystem is not local or not ffs."
|
|
break
|
|
fi
|
|
if [ X$rootdev = X$rootbak ]; then
|
|
echo "The device $rootdev holds both root and /altroot."
|
|
break
|
|
fi
|
|
rootdisk=${rootdev%[a-p]}
|
|
rootpart=${rootdev#$rootdisk}
|
|
rootsize=`disklabel $rootdisk 2>/dev/null | \
|
|
awk -v "part=$rootpart:" '$1 == part { print $2 }'`
|
|
if [ $rootsize -gt $baksize ]; then
|
|
echo "Root ($rootsize) is larger than /altroot ($baksize)."
|
|
break
|
|
fi
|
|
next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
|
|
sync
|
|
dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
|
|
conv=noerror
|
|
fsck -y /dev/r$rootbak
|
|
break
|
|
done
|
|
|
|
next_part "Services that should be running but aren't:"
|
|
rcctl ls failed
|
|
|
|
next_part "Filesystems which need to be dumped:"
|
|
dump w | grep -vB1 ^Dump
|
|
|
|
next_part "Running calendar in the background:"
|
|
if [ "X$CALENDAR" != X0 -a \
|
|
\( -d /var/yp/`domainname` -o ! -d /var/yp/binding \) ]; then
|
|
calendar -a &
|
|
fi
|
|
|
|
# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck
|
|
# with the no-write flag.
|
|
next_part "Checking filesystems:"
|
|
[ "X$CHECKFILESYSTEMS" = X1 ] && {
|
|
fsck -n | grep -v '^\*\* Phase'
|
|
}
|
|
|
|
next_part "Running rdist:"
|
|
if [ -f /etc/Distfile ]; then
|
|
if [ -d /var/log/rdist ]; then
|
|
rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/`date +%F`
|
|
else
|
|
rdist -f /etc/Distfile
|
|
fi
|
|
fi
|
|
|
|
end_part
|
|
[ -s $MAINOUT ] && {
|
|
sysctl -n kern.version
|
|
uptime
|
|
cat $MAINOUT
|
|
} 2>&1 | mail -s "`hostname` daily output" root
|
|
|
|
|
|
MAINOUT=/var/log/security.out
|
|
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
|
|
|
|
start_part "Running security(8):"
|
|
export SUIDSKIP
|
|
/usr/libexec/security
|
|
end_part
|
|
rm -f $PARTOUT
|
|
|
|
[ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT
|