xref: /openbsd/etc/daily (revision 8932bfb7)
1#
2#	$OpenBSD: daily,v 1.71 2011/04/23 19:35:53 schwarze Exp $
3#	From: @(#)daily	8.2 (Berkeley) 1/25/94
4#
5# For local additions, create the file /etc/daily.local.
6# To get section headers, use the function next_part in daily.local.
7#
# Default creation mask for anything this script creates later on.
umask 022

# Report files: PARTOUT collects the output of the section currently
# running, MAINOUT accumulates the finished report that is mailed to root.
# Both are (re)created empty from /dev/null with owner 0, group 0 and
# mode 600 before anything is written to them, so the report contents are
# not world-readable despite the umask above.  The -b flag keeps a backup
# of the previous daily.out.
PARTOUT=/var/log/daily.part
MAINOUT=/var/log/daily.out
install -o 0 -g 0 -m 600 /dev/null "$PARTOUT"
install -o 0 -g 0 -m 600 -b /dev/null "$MAINOUT"
14
# start_part title
#
# Open a new report section: remember its title in the global TITLE and
# point stdout and stderr of the whole script at a freshly truncated
# $PARTOUT.  The section is only copied into the report by end_part.
start_part() {
	TITLE="$1"
	exec >"$PARTOUT" 2>&1
}
19
# end_part
#
# Close the current report section: switch stdout and stderr to append to
# $MAINOUT, then copy the section (blank line, $TITLE, body) into it.
# A section that produced no output is dropped without a header; in that
# case the function returns non-zero.
end_part() {
	exec >>"$MAINOUT" 2>&1
	if [ ! -s "$PARTOUT" ]; then
		return 1
	fi
	echo
	echo "$TITLE"
	cat "$PARTOUT"
}
27
# next_part title
#
# Section separator: flush the section that just ran into the report and
# start collecting output for the next one under the given title.
# daily.local may call this to get its own section headers.
next_part() {
	end_part
	start_part "$1"
}
32
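# run_script name
#
# Source /etc/<name> into this shell, which runs it with the privileges of
# this script, but only if the file passes an ownership/mode check.
# A missing file is skipped silently (non-zero return).
#
# The check takes the symbolic mode and owner uid from stat(1) and keeps
# byte 1 (file type), byte 6 (group write), byte 9 (other write) and
# everything from byte 11 on (the uid).  The result must be exactly
# "---0": a regular file, not writable by group or other, owned by uid 0.
# Anything else, including a symlink or a directory, is reported and
# skipped.
#
# The command substitution is quoted so that the check fails closed: if
# stat prints nothing, the comparison is against an empty string and the
# file is rejected.  Unquoted, an empty result made test(1) fail with a
# syntax error, the `if` fell through and the file was sourced unchecked.
#
# NOTE(review): the check and the `.` are separate steps, so this relies
# on /etc itself being writable by root only; that is not verified here.
run_script() {
	f=/etc/$1
	test -e "$f" || return
	if [ "$(stat -f '%Sp%u' "$f" | cut -b1,6,9,11-)" != '---0' ]; then
		echo "$f has insecure permissions, skipping:"
		ls -l "$f"
		return
	fi
	. "$f"
}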
43
# Site-specific additions run first, in their own report section.
# run_script sources the file only after its ownership/mode check.
start_part "Running daily.local:"
run_script daily.local
46
next_part "Removing scratch and junk files:"

# Safety properties shared by the cleanups below, which delete files that
# other users may have created:
#  - the directory must be a real directory and not a symlink;
#  - nothing runs unless the cd succeeded, and every path is relative;
#  - -execdir runs rm/rmdir from the directory holding the entry, and
#    "--" stops a name starting with "-" from being read as an option;
#  - find -x does not descend into other file systems.

# /tmp: remove regular files not accessed for more than 3 days, leaving
# ssh-*, .X11-unix, .ICE-unix and portslocks alone; then try to rmdir
# directories not modified for more than a day (rmdir only succeeds on
# empty ones, hence the discarded output).
if [ -d /tmp ] && [ ! -L /tmp ]; then
	if cd /tmp; then
		find -x . \
		    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
		    -o -path ./portslocks \) \
		    -prune -o -type f -atime +3 -execdir rm -f -- {} \; 2>&-
		find -x . -type d -mtime +1 ! -path ./vi.recover \
		    ! -path ./.X11-unix ! -path ./.ICE-unix ! -path ./portslocks \
		    ! -name . \
		    -execdir rmdir -- {} \; >/dev/null 2>&1
	fi
fi

# /var/tmp: same scheme, but everything that is not a directory is removed
# once it has not been accessed for more than 7 days.
if [ -d /var/tmp ] && [ ! -L /var/tmp ]; then
	if cd /var/tmp; then
		find -x . \
		    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
		    -o -path ./portslocks \) \
		    -prune -o ! -type d -atime +7 -execdir rm -f -- {} \; 2>&-
		find -x . -type d -mtime +1 ! -path ./vi.recover \
		    ! -path ./.X11-unix ! -path ./.ICE-unix ! -path ./portslocks \
		    ! -name . \
		    -execdir rmdir -- {} \; >/dev/null 2>&1
	fi
fi

# Additional junk directory cleanup would go like this:
#if [ -d /scratch -a ! -L /scratch ]; then
#	cd /scratch && {
#	find . ! -name . -atime +1 -execdir rm -f -- {} \;
#	find . ! -name . -type d -mtime +1 -execdir rmdir -- {} \; \
#	    >/dev/null 2>&1; }
#fi

# /var/rwho: drop entries not modified for more than 7 days.
if [ -d /var/rwho ] && [ ! -L /var/rwho ]; then
	if cd /var/rwho; then
		find . ! -name . -mtime +7 -execdir rm -f -- {} \;
	fi
fi
82
next_part "Purging accounting records:"
# Rotate the process accounting copies (acct.2 -> acct.3, acct.1 -> acct.2,
# acct.0 -> acct.1), oldest first so nothing is overwritten before it has
# been moved, then snapshot the live file as acct.0 and run sa -sq on it.
# A missing generation makes mv print an error into this report section.
if [ -f /var/account/acct ]; then
	for n in 2 1 0; do
		mv -f /var/account/acct.$n /var/account/acct.$((n + 1))
	done
	cp -f /var/account/acct /var/account/acct.0
	sa -sq
fi
91
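# If ROOTBACKUP is set to 1 in the environment, and
# if filesystem named /altroot is type ffs, on /dev/* and mounted "xx",
# use it as a backup root filesystem to be updated daily.
#
# The while loop runs at most once; it is used so that `break` can abandon
# the backup at the first precondition that does not hold.  Every
# precondition must fail closed, because the final step overwrites a raw
# device as root.
next_part "Backing up root filesystem:"
while [ "X$ROOTBACKUP" = X1 ]; do
	# Device name (without the /dev/ prefix) of the /altroot entry.
	rootbak=$(awk '$2 == "/altroot" && $1 ~ /^\/dev\// && $3 == "ffs" && \
	    $4 ~ /xx/ \
		{ print substr($1, 6) }' < /etc/fstab)
	if [ -z "$rootbak" ]; then
		echo "No xx ffs /altroot device found in the fstab(5)."
		break
	fi
	# Split e.g. "sd1a" into disk "sd1" and partition "a"; give up
	# silently when the disk is not currently attached.
	bakdisk=${rootbak%[a-p]}
	sysctl -n hw.disknames | grep -Fqw "$bakdisk" || break
	bakpart=${rootbak#"$bakdisk"}
	baksize=$(disklabel "$bakdisk" 2>/dev/null | \
		awk -v "part=$bakpart:" '$1 == part { print $2 }')
	rootdev=$(mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
		{ print substr($1, 6) }')
	if [ -z "$rootdev" ]; then
		echo "The root filesystem is not local or not ffs."
		break
	fi
	if [ "X$rootdev" = "X$rootbak" ]; then
		echo "The device $rootdev holds both root and /altroot."
		break
	fi
	rootdisk=${rootdev%[a-p]}
	rootpart=${rootdev#"$rootdisk"}
	rootsize=$(disklabel "$rootdisk" 2>/dev/null | \
		awk -v "part=$rootpart:" '$1 == part { print $2 }')
	# If either disklabel lookup produced nothing, the numeric test below
	# would fail with a syntax error, count as "not larger" and let the
	# copy proceed with unverified sizes.  Stop instead.
	if [ -z "$rootsize" ] || [ -z "$baksize" ]; then
		echo "Cannot determine the size of $rootdev or $rootbak."
		break
	fi
	if [ "$rootsize" -gt "$baksize" ]; then
		echo "Root ($rootsize) is larger than /altroot ($baksize)."
		break
	fi
	next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
	sync
	# Raw copy that skips the first 16 512-byte blocks on both sides
	# (skip=1 seek=1 with bs=16b), then a forced check of the copy.
	dd if="/dev/r$rootdev" of="/dev/r$rootbak" bs=16b seek=1 skip=1 \
		conv=noerror
	fsck -y "/dev/r$rootbak"
	break
done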
134
next_part "Checking subsystem status:"
# Disk usage and dump status are reported unless VERBOSESTATUS is
# exactly 0.
case "$VERBOSESTATUS" in
0)
	;;
*)
	printf '\ndisks:\n'
	df -kl
	echo ""
	dump W
	;;
esac

# The first two regular expressions handle sendmail, the third postfix.
# When the queue is empty, smtpd(8) and exim -bp keep silent.
# Filtering out the "queue is empty" lines leaves the section empty, and
# an empty section is dropped from the report.
next_part "mail:"
mailq | grep -v \
	-e "^/var/spool/mqueue is empty$" \
	-e "^[[:blank:]]*Total requests: 0$" \
	-e "^Mail queue is empty$"
150
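next_part "network:"
# Interface statistics, plus ruptime when /var/rwho holds any entries.
# Skipped entirely when VERBOSESTATUS is exactly 0.
if [ "X$VERBOSESTATUS" != X0 ]; then
	netstat -ivn

	# A glob is not expanded in a variable assignment, so the previous
	# form (t=/var/rwho/* compared as a quoted string) was never true
	# and ruptime never ran.  The word list of a for loop is expanded;
	# when nothing matches, the pattern stays literal and -e rejects it.
	for t in /var/rwho/*; do
		if [ -e "$t" ]; then
			echo ""
			ruptime
		fi
		break
	done
fi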
161
next_part "Running calendar in the background:"
# calendar -a is started in the background unless CALENDAR is exactly 0.
# It is also skipped when /var/yp/binding exists but there is no directory
# /var/yp/<domainname>.
if [ "X$CALENDAR" != X0 ] &&
    { [ -d "/var/yp/$(domainname)" ] || [ ! -d /var/yp/binding ]; }; then
	calendar -a &
fi

# If CHECKFILESYSTEMS is set to 1 in the environment, run fsck
# with the no-write flag.
# The "** Phase" progress lines are filtered out of the report.
next_part "Checking filesystems:"
if [ "X$CHECKFILESYSTEMS" = X1 ]; then
	fsck -n | grep -v '^\*\* Phase'
fi

next_part "Running rdist:"
# With /var/log/rdist present, the rdist output is also kept in a file
# named after today's date.
# NOTE(review): tee creates that file under the script's umask of 022,
# so it is world-readable unless the directory restricts access; confirm
# that is intended.
if [ -f /etc/Distfile ]; then
	if [ -d /var/log/rdist ]; then
		rdist -f /etc/Distfile 2>&1 | tee "/var/log/rdist/$(date +%F)"
	else
		rdist -f /etc/Distfile
	fi
fi
183
# Flush the last section, then mail the daily report to root, prefixed
# with the kernel version and uptime.  Nothing is mailed when the report
# is empty.
end_part
if [ -s "$MAINOUT" ]; then
	{
		sysctl -n kern.version
		uptime
		cat "$MAINOUT"
	} 2>&1 | mail -s "$(hostname) daily output" root
fi
190
191
# Second report: output of security(8), collected separately and mailed
# under its own subject.  The file is created owner 0, group 0, mode 600
# (with a backup of the previous one) before anything is written to it.
MAINOUT=/var/log/security.out
install -o 0 -g 0 -m 600 -b /dev/null "$MAINOUT"

start_part "Running security(8):"
# Exported so that the security script, which runs as a separate process,
# can see a SUIDSKIP value set in the environment or by daily.local.
export SUIDSKIP
/usr/libexec/security
end_part
rm -f "$PARTOUT"

# Mail the security report only when there is something in it.  This stays
# the last command, so the script's exit status is unchanged.
[ -s "$MAINOUT" ] && mail -s "$(hostname) daily insecurity output" root < "$MAINOUT"
202