openntpd-openbsd/src/etc/daily

#
#	$OpenBSD: daily,v 1.80 2014/04/24 19:04:54 tedu Exp $
#	From: @(#)daily	8.2 (Berkeley) 1/25/94
#
# For local additions, create the file /etc/daily.local.
# To get section headers, use the function next_part in daily.local.
#
umask 022

PARTOUT=/var/log/daily.part
MAINOUT=/var/log/daily.out
install -o 0 -g 0 -m 600    /dev/null $PARTOUT
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT

start_part() {
	TITLE=$1
	exec > $PARTOUT 2>&1
}

end_part() {
	exec >> $MAINOUT 2>&1
	test -s $PARTOUT || return
	echo ""
	echo "$TITLE"
	cat $PARTOUT
}

next_part() {
	end_part
	start_part "$1"
}

run_script() {
	f=/etc/$1
	test -e $f || return
	if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then
		echo "$f has insecure permissions, skipping:"
		ls -l $f
		return
	fi
	. $f
}

start_part "Running daily.local:"
run_script "daily.local"

next_part "Removing scratch and junk files:"
if [ -d /tmp -a ! -L /tmp ]; then
	cd /tmp && {
	find -x . \
	    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
		-o -path ./portslocks \) \
	    -prune -o -type f -atime +3 -execdir rm -f -- {} \; 2>/dev/null
	find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
	    ! -path ./.ICE-unix ! -path ./portslocks ! -name . \
	    -execdir rmdir -- {} \; >/dev/null 2>&1; }
fi

if [ -d /var/tmp -a ! -L /var/tmp ]; then
	cd /var/tmp && {
	find -x . \
	    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
		-o -path ./portslocks \) \
	    -prune -o ! -type d -atime +7 -execdir rm -f -- {} \; 2>/dev/null
	find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
	    ! -path ./.ICE-unix ! -path ./portslocks ! -name . \
	    -execdir rmdir -- {} \; >/dev/null 2>&1; }
fi

# Additional junk directory cleanup would go like this:
#if [ -d /scratch -a ! -L /scratch ]; then
#	cd /scratch && {
#	find . ! -name . -atime +1 -execdir rm -f -- {} \;
#	find . ! -name . -type d -mtime +1 -execdir rmdir -- {} \; \
#	    >/dev/null 2>&1; }
#fi

next_part "Purging accounting records:"
if [ -f /var/account/acct ]; then
	mv -f /var/account/acct.2 /var/account/acct.3
	mv -f /var/account/acct.1 /var/account/acct.2
	mv -f /var/account/acct.0 /var/account/acct.1
	cp -f /var/account/acct /var/account/acct.0
	sa -sq
fi

# If ROOTBACKUP is set to 1 in the environment, and
# if filesystem named /altroot is type ffs and mounted "xx",
# use it as a backup root filesystem to be updated daily.
next_part "Backing up root filesystem:"
while [ "X$ROOTBACKUP" = X1 ]; do
	rootbak=`awk '$1 !~ /^#/ && $2 == "/altroot" && $3 == "ffs" && \
		$4 ~ /xx/ { print $1 }' < /etc/fstab`
	if [ -z "$rootbak" ]; then
		echo "No xx ffs /altroot device found in the fstab(5)."
		break
	fi
	rootbak=${rootbak#/dev/}
	bakdisk=${rootbak%%?(.)[a-p]}
	sysctl -n hw.disknames | grep -Fqw $bakdisk || break
	bakpart=${rootbak##$bakdisk?(.)}
	OLDIFS=$IFS
	IFS=,
	for d in `sysctl -n hw.disknames`; do
		# If the provided disk name is a duid, substitute the device.
		if [ X$bakdisk = X${d#*:} ]; then
			bakdisk=${d%:*}
			rootbak=$bakdisk$bakpart
		fi
	done
	IFS=$OLDIFS
	baksize=`disklabel $bakdisk 2>/dev/null | \
		awk -v "part=$bakpart:" '$1 == part { print $2 }'`
	rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
		{ print substr($1, 6) }'`
	if [ -z "$rootdev" ]; then
		echo "The root filesystem is not local or not ffs."
		break
	fi
	if [ X$rootdev = X$rootbak ]; then
		echo "The device $rootdev holds both root and /altroot."
		break
	fi
	rootdisk=${rootdev%[a-p]}
	rootpart=${rootdev#$rootdisk}
	rootsize=`disklabel $rootdisk 2>/dev/null | \
		awk -v "part=$rootpart:" '$1 == part { print $2 }'`
	if [ $rootsize -gt $baksize ]; then
		echo "Root ($rootsize) is larger than /altroot ($baksize)."
		break
	fi
	next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
	sync
	dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
		conv=noerror
	fsck -y /dev/r$rootbak
	break
done

next_part "Checking subsystem status:"
if [ "X$VERBOSESTATUS" != X0 ]; then
	echo ""
	echo "disks:"
	df -ikl
	echo ""
	dump W
fi

# The first two regular expressions handle sendmail, the third postfix.
# When the queue is empty, smtpd(8) and exim -bp keep silent.
next_part "mail:"
mailq | grep -v -e "^/var/spool/mqueue is empty$" \
		-e "^[[:blank:]]*Total requests: 0$" \
		-e "^Mail queue is empty$"

next_part "network:"
if [ "X$VERBOSESTATUS" != X0 ]; then
	netstat -ivn
fi

next_part "Running calendar in the background:"
if [ "X$CALENDAR" != X0 -a \
     \( -d /var/yp/`domainname` -o ! -d /var/yp/binding \) ]; then
	calendar -a &
fi

# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck
# with the no-write flag.
next_part "Checking filesystems:"
[ "X$CHECKFILESYSTEMS" = X1 ] && {
	fsck -n | grep -v '^\*\* Phase'
}

next_part "Running rdist:"
if [ -f /etc/Distfile ]; then
	if [ -d /var/log/rdist ]; then
		rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/`date +%F`
	else
		rdist -f /etc/Distfile
	fi
fi

end_part
[ -s $MAINOUT ] && {
	sysctl -n kern.version
	uptime
	cat $MAINOUT
} 2>&1 | mail -s "`hostname` daily output" root


MAINOUT=/var/log/security.out
install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT

start_part "Running security(8):"
export SUIDSKIP
/usr/libexec/security
end_part
rm -f $PARTOUT

[ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT