etc/daily
author jmmv <jmmv@NetBSD.org>
Tue, 19 Jan 2010 22:08:11 +0000
branchtrunk
changeset 187278 d62d0c2b4476
parent 179146 c9b58a4f6479
child 187325 3865bd7585cd
permissions -rw-r--r--
Add the fetch_pkg_vulnerabilities option to the daily script to keep the package vulnerability database up to date. The file is only fetched from the server if it has changed since the last run. Add the check_pkg_vulnerabilities and check_pkg_signatures options to the security script to check that the installed packages are sane (known vulnerabilities and package signatures). All of these options are enabled by default, but they only run if at least one package is installed.

#!/bin/sh -
#
#	$NetBSD: daily,v 1.73 2010/01/19 22:08:11 jmmv Exp $
#	@(#)daily	8.2 (Berkeley) 1/25/94
#

# Run with a fixed PATH and a private umask.  Nothing from the caller's
# environment can shadow a system binary, and every file this script
# creates (the scratch directory below, rotated accounting files, the
# security report) comes out readable by its owner only.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
umask 077

# Site configuration, see daily.conf(5).  It is sourced into this shell,
# so whatever it contains executes with the same privileges as the script.
[ -s /etc/daily.conf ] && . /etc/daily.conf

# Everything written to stdout from here on is the report mailed by cron;
# the first three lines form its mail header.
host=$(hostname)
date=$(date)
# Man page named by rc.subr's checkyesno() when a daily.conf variable is
# not a recognised yes/no value.
rcvar_manpage='daily.conf(5)'

{
	echo "To: ${MAILTO:-root}"
	echo "Subject: $host daily output for $date"
	echo ""
}

# rc.subr supplies checkyesno(), which every option test below relies on;
# without it there is no point in continuing.
if [ ! -f /etc/rc.subr ]; then
	echo "Can't read /etc/rc.subr; aborting."
	exit 1
fi
. /etc/rc.subr

# Deliver to root unless a recipient is configured and we are running as
# root.  NOTE(review): this trusts $USER from the environment rather than
# id(1); a caller with USER unset, or set to anything but "root", has the
# report silently redirected to root regardless of MAILTO in daily.conf.
# Confirm that is intended before relying on MAILTO outside root's cron.
if [ -z "$MAILTO" ] || [ "$USER" != "root" ]; then
	MAILTO=root
fi

# $(uptime) is left unquoted on purpose: word splitting collapses the runs
# of blanks in its output.
echo ""
echo "Uptime: " $(uptime)

# Uncommenting any of the finds below would open up a symlink race: between
# find(1) examining an entry and rm(1)/rmdir(1) acting on it, a local user
# can swap a parent directory on that path for a symlink, so the path the
# -exec command receives resolves somewhere else entirely -- potentially
# allowing removal of any file on the system.  The '! -h' tests guard only
# the top-level directory, not the components found beneath it.
#
#echo ""
#echo "Removing scratch and junk files:"
#if [ -d /tmp -a ! -h /tmp ]; then
#	cd /tmp && {
#	find . -type f -atime +3 -exec rm -f -- {} \;
#	find . ! -name . -type d -mtime +1 -exec rmdir -- {} \; \
#	    >/dev/null 2>&1; }
#fi

#if [ -d /var/tmp -a ! -h /var/tmp ]; then
#	cd /var/tmp && {
#	find . ! -name . -atime +7 -exec rm -f -- {} \;
#	find . ! \( -name . -o -name vi.recover \) -type d \
#		-mtime +1 -exec rmdir -- {} \; \
#	    >/dev/null 2>&1; }
#fi

# Additional junk directory cleanup would go like this:
#if [ -d /scratch -a ! -h /scratch ]; then
#	cd /scratch && {
#	find . ! -name . -atime +1 -exec rm -f -- {} \;
#	find . ! -name . -type d -mtime +1 -exec rmdir -- {} \; \
#	    >/dev/null 2>&1; }
#fi

#if [ -d /var/rwho -a ! -h /var/rwho ] ; then
#	cd /var/rwho && {
#	find . ! -name . -mtime +7 -exec rm -f -- {} \; ; }
#fi

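# Private scratch directory for this run.  mktemp(1) gives it an
# unpredictable name and owner-only permissions, and the umask above keeps
# every file written inside it 0600, so partial reports are never exposed
# in a shared /tmp.  The relative $TMP/$TMP2 names below are safe only
# because we cd here first and never leave.
DAILYDIR=$(mktemp -d -t _daily) || exit 1

# Remove the directory on every exit path.  The exit status is captured
# before the cleanup runs so that an 'exit 1' further down is not turned
# into a successful exit by the trap itself (the historic trap ended in
# 'exit 0' and masked every failure).  Single quotes defer the expansion of
# $DAILYDIR until the trap fires; the quoted expansion copes with a TMPDIR
# containing whitespace.
trap 'rv=$?; /bin/rm -rf "$DAILYDIR"; exit $rv' EXIT INT QUIT

if ! cd "$DAILYDIR"; then
	echo "Can not cd to $DAILYDIR."
	exit 1
fi

# Per-run scratch file names, relative to $DAILYDIR.
TMP=daily.$$
TMP2=daily2.$$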

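if checkyesno find_core; then
	# Turn "foo !bar bax" into "-fstype foo -o ! -fstype bar -o -fstype bax".
	# $ignfstypes is then expanded unquoted on purpose so that find(1) sees
	# each token as a separate argument.  An empty find_core_ignore_fstypes
	# leaves the '\( \)' group empty, which find rejects as a syntax error;
	# daily.conf(5) is expected to provide a value.
	ignfstypes=$(echo $find_core_ignore_fstypes | \
		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' \
		    -e's/^-o //')
	find / \( $ignfstypes \) -prune -o \
		-name 'lost+found' -prune -o \
		\( -name '*.core' -o -name 'core' \) -type f -print > $TMP
#		\( -name '[#,]*' -o -name '.#*' -o -name a.out \
#		   -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
#			-a -atime +3 -exec rm -f -- {} \; -a -print > $TMP

	# 'find /' prints absolute paths, so a file named exactly "core" shows
	# up as ".../core", never as a bare "core" line.  Match it on "/core$";
	# the historic "^core$" alternative could never fire on this output and
	# silently dropped every plain "core" file find had found.
	egrep '\.core$|/core$' $TMP > $TMP2
	if [ -s $TMP2 ]; then
		echo ""
		echo "Possible core dumps:"
		cat $TMP2
	fi

#	egrep -v '\.core' $TMP > $TMP2
#	if [ -s $TMP2 ]; then
#		echo ""
#		echo "Deleted files:"
#		cat $TMP2
#	fi

	rm -f $TMP $TMP2
fi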

# Report new system messages with msgs(1).
checkyesno run_msgs && msgs -c

# Expire old news, but only if a site-provided expiry script is installed.
if checkyesno expire_news; then
	[ -f /etc/news.expire ] && /etc/news.expire
fi

if checkyesno purge_accounting && [ -f /var/account/acct ]; then
	echo ""
	echo "Purging accounting records:"
	# Keep three generations.  Whether the chain is compressed is decided
	# by the presence of acct.0.gz, and the same suffix is applied to every
	# generation so this step never produces a mixed chain.
	acctdir=/var/account
	if [ -f $acctdir/acct.0.gz ]; then
		sfx=.gz
	else
		sfx=
	fi
	for gen in 2 1 0; do
		mv $acctdir/acct.$gen$sfx $acctdir/acct.$((gen + 1))$sfx 2>/dev/null
	done
	# Snapshot the live file (a newly created copy is 0600 under the umask
	# above), summarise with sa(8), then compress the snapshot when the
	# rest of the chain is compressed.
	cp $acctdir/acct $acctdir/acct.0
	sa -sq
	[ -f $acctdir/acct.1.gz ] && gzip $acctdir/acct.0
fi

if checkyesno run_calendar; then
	# calendar -a covers all users' calendar files.  A section is printed
	# only when there was any output at all; stderr is captured too so
	# that errors are reported rather than lost.
	calendar -a > $TMP 2>&1
	if [ -s $TMP ]; then
		printf '\nRunning calendar:\n'
		cat $TMP
	fi
	rm -f $TMP
fi

if checkyesno check_disks; then
	# Local filesystems only unless show_remote_fs asks for all of them;
	# the pseudo filesystems named after -t are left out of the listing.
	dfopts=-hi
	checkyesno show_remote_fs || dfopts=-hil
	df $dfopts -t nokernfs,procfs,ptyfs,null,fdesc > $TMP
	# dump -W lists filesystems that are due for a backup; it is only
	# consulted once dump(8) has recorded something in /etc/dumpdates.
	[ -s /etc/dumpdates ] && dump -W > $TMP2
	if [ -s $TMP ] || [ -s $TMP2 ]; then
		printf '\nChecking subsystem status:\n\ndisks:\n'
		if [ -s $TMP ]; then
			sed 's/Mounted on/Mount/' $TMP
			echo ""
		fi
		if [ -s $TMP2 ]; then
			cat $TMP2
			echo ""
		fi
		echo ""
	fi
	rm -f $TMP $TMP2

	# Collect the "...: failed" component lines of every RAIDframe device
	# iostat knows about and report them under a single heading.
	touch $TMP2
	for rdev in $(iostat -x | awk '/^raid/ { print $1 }'); do
		raidctl -s $rdev | awk '/^.*: failed$/ {print $0}' > $TMP
		if [ -s $TMP ]; then
			echo "$rdev:" >> $TMP2
			cat $TMP >> $TMP2
		fi
		rm -f $TMP
	done
	if [ -s $TMP2 ]; then
		echo "failed RAIDframe component(s):"
		cat $TMP2
	fi
	rm -f $TMP2
fi

if checkyesno check_mailq; then
	# Draw attention to the mail queue only when mailq(1) does not report
	# it as empty; a stuck queue is otherwise easy to miss.
	mailq > $TMP
	grep -q "queue is empty$" $TMP || {
		echo ""
		echo "mail:"
		cat $TMP
	}
fi

rm -f $TMP

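if checkyesno check_network; then
	echo ""
	echo "network:"
	if checkyesno full_netstat; then
		netstat -inv
	else
		# Condensed view: keep the first row for each interface name
		# (netstat repeats the interface once per address), skip rows whose
		# name carries netstat's '*' down marker, and print only the
		# packet/error/collision columns that end every row.
		netstat -inv | awk 'BEGIN {
			ifs[""] = 0;
		}
		/^[^\*]* / {
			if (NR == 1) {
				printf("%-8s %12s %6s %12s %6s %6s\n",
				  $1, $(NF-4), $(NF-3), $(NF-2), $(NF-1), $NF);
				next;
			}
			if (!($1 in ifs)) {
				printf("%-8s %12s %6s %12s %6s %6s\n",
				  $1, $(NF-4), $(NF-3), $(NF-2), $(NF-1), $NF);
				ifs[$1] = 1;
			}
		}'
	fi
	echo ""
	# Run ruptime(1) only when rwhod(8) has left host files in /var/rwho.
	# Pathname expansion does not happen inside a variable assignment, so
	# the historic  t=/var/rwho/*; [ "$t" != '/var/rwho/*' ]  test always
	# compared the literal pattern with itself and never ran ruptime.  The
	# glob has to be expanded in a command position to be tested.
	if ls /var/rwho/* >/dev/null 2>&1; then
		ruptime
	fi
fi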

if checkyesno run_fsck; then
	# fsck -n answers "no" to every repair prompt, so this is a read-only
	# consistency check.  The per-phase banners are noise in a mail report
	# and are filtered out.  run_fsck_flags is expanded unquoted so several
	# flags can be configured.
	printf '\nChecking filesystems:\n'
	fsck -n -f ${run_fsck_flags} | grep -v '^\*\* Phase'
fi

echo ""
if checkyesno run_rdist && [ -f /etc/Distfile ]; then
	echo "Running rdist:"
	# Keep a dated copy of the transcript when the log directory exists;
	# otherwise the output just goes into the report.
	if [ ! -d /var/log/rdist ]; then
		rdist -f /etc/Distfile
	else
		rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/$(date +%Y.%b.%d)
	fi
fi

: ${pkgdb_dir:=/var/db/pkg}

# Keep the package vulnerability database current so that the package
# checks in /etc/security run against fresh data.  The step is skipped
# altogether on a system with no installed packages (pkg_info -E '*' is
# true only when at least one package is installed), and with -u
# pkg_admin(1) only downloads when the server copy has changed since the
# last run.
# NOTE(review): the download runs with this script's privileges (root,
# under cron) and nothing here asks pkg_admin to verify the file it fetched.
# If this pkg_install supports signature verification for
# fetch-pkg-vulnerabilities (the -s flag of newer pkg_admin(1)), consider
# exposing it through daily.conf rather than trusting the transport alone.
if pkg_info -K ${pkgdb_dir} -q -E '*' && checkyesno fetch_pkg_vulnerabilities; then
	printf '\nFetching package vulnerabilities database:\n'
	pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -u
fi

if checkyesno run_security; then
	# /etc/security writes into the private scratch directory (0700 from
	# mktemp, files 0600 from the umask), so the insecurity report is not
	# readable by other users while it is being assembled.  It is sent as
	# a separate message rather than folded into the daily mail.
	SECOUT="$DAILYDIR/sec"
	sh /etc/security > "$SECOUT" 2>&1
	if [ -s "$SECOUT" ]; then
		:
	elif checkyesno send_empty_security; then
		echo "Nothing to report on $date" > "$SECOUT"
	else
		echo ""
		echo "Suppressing empty security report."
	fi
	if [ -s "$SECOUT" ]; then
		mail -s "$host daily insecurity output for $date" "$MAILTO" < "$SECOUT"
	fi
fi

# Warn users whose S/Key one-time-password sequence is running low.  Only
# meaningful when the S/Key database exists and is non-empty.
if checkyesno run_skeyaudit && [ -s /etc/skeykeys ]; then
	printf '\nChecking remaining s/key OTPs:\n'
	skeyaudit
fi

# Site hook.  It is sourced in a subshell, so it can neither change this
# script's variables nor abort the run, but it still executes with the
# script's privileges -- keep /etc/daily.local root-owned and not writable
# by anyone else.
if [ -f /etc/daily.local ]; then
	( . /etc/daily.local ) > $TMP 2>&1
	[ -s $TMP ] && {
		printf "\nRunning /etc/daily.local:\n"
		cat $TMP
	}
	rm -f $TMP
fi