Edit

IABSD.fr/src/etc/daily

Branch :

  • Show log

    Commit

  • Author : bluhm
    Date : 2019-09-09 20:02:26
    Hash : dd06cfbc
    Message : Inform about system call memory write protection and stack mapping violations in system accounting. This will help to find missbehaving programs and possible attacks. The flags bit field is full, so recycle the PDP-11 compatibility on VAX. lastcomm(1) prints the AMAP flag as 'M'. daily(8) prints a list of affected processes. OK deraadt@

  • etc/daily
  • #
    #	$OpenBSD: daily,v 1.93 2019/09/09 20:02:26 bluhm Exp $
    #	From: @(#)daily	8.2 (Berkeley) 1/25/94
    #
    # For local additions, create the file /etc/daily.local.
    # To get section headers, use the function next_part in daily.local.
    #
    umask 022
    
    PARTOUT=/var/log/daily.part
    MAINOUT=/var/log/daily.out
    install -o 0 -g 0 -m 600    /dev/null $PARTOUT
    install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
    
    start_part() {
    	TITLE=$1
    	exec > $PARTOUT 2>&1
    }
    
    end_part() {
    	exec >> $MAINOUT 2>&1
    	test -s $PARTOUT || return
    	echo ""
    	echo "$TITLE"
    	cat $PARTOUT
    }
    
    next_part() {
    	end_part
    	start_part "$1"
    }
    
    run_script() {
    	f=/etc/$1
    	test -e $f || return
    	if [ `stat -f '%Sp%u' $f | cut -b1,6,9,11-` != '---0' ]; then
    		echo "$f has insecure permissions, skipping:"
    		ls -l $f
    		return
    	fi
    	. $f
    }
    
    start_part "Running daily.local:"
    run_script "daily.local"
    
    next_part "Removing scratch and junk files:"
    if [ -d /tmp -a ! -L /tmp ]; then
    	cd /tmp && {
    	find -x . \
    	    \( -path './ssh-*' -o -path ./.X11-unix -o -path ./.ICE-unix \
    		-o -path './tmux-*' \) \
    	    -prune -o -type f -atime +7 -execdir rm -f -- {} \; 2>/dev/null
    	find -x . -type d -mtime +1 ! -path ./vi.recover ! -path ./.X11-unix \
    	    ! -path ./.ICE-unix ! -name . \
    	    -execdir rmdir -- {} \; >/dev/null 2>&1; }
    fi
    
    # Additional junk directory cleanup would go like this:
    #if [ -d /scratch -a ! -L /scratch ]; then
    #	cd /scratch && {
    #	find . ! -name . -atime +1 -execdir rm -f -- {} \;
    #	find . ! -name . -type d -mtime +1 -execdir rmdir -- {} \; \
    #	    >/dev/null 2>&1; }
    #fi
    
    next_part "Purging accounting records:"
    if [ -f /var/account/acct ]; then
    	test -f /var/account/acct.2 && \
    		mv -f /var/account/acct.2 /var/account/acct.3
    	test -f /var/account/acct.1 && \
    		mv -f /var/account/acct.1 /var/account/acct.2
    	test -f /var/account/acct.0 && \
    		mv -f /var/account/acct.0 /var/account/acct.1
    	cp -f /var/account/acct /var/account/acct.0
    	sa -sq
    	lastcomm -f /var/account/acct.0 | grep -e ' -[A-Z]*[MPTU]'
    fi
    
    # If ROOTBACKUP is set to 1 in the environment, and
    # if filesystem named /altroot is type ffs and mounted "xx",
    # use it as a backup root filesystem to be updated daily.
    next_part "Backing up root filesystem:"
    while [ "X$ROOTBACKUP" = X1 ]; do
    	rootbak=`awk '$1 !~ /^#/ && $2 == "/altroot" && $3 == "ffs" && \
    		$4 ~ /xx/ { print $1 }' < /etc/fstab`
    	if [ -z "$rootbak" ]; then
    		echo "No xx ffs /altroot device found in the fstab(5)."
    		break
    	fi
    	rootbak=${rootbak#/dev/}
    	bakdisk=${rootbak%%?(.)[a-p]}
    	if ! sysctl -n hw.disknames | grep -Fqw $bakdisk; then
    		echo "Backup disk '$bakdisk' not present in hw.disknames."
    		break
    	fi
    	bakpart=${rootbak##$bakdisk?(.)}
    	OLDIFS=$IFS
    	IFS=,
    	for d in `sysctl -n hw.disknames`; do
    		# If the provided disk name is a duid, substitute the device.
    		if [ X$bakdisk = X${d#*:} ]; then
    			bakdisk=${d%:*}
    			rootbak=$bakdisk$bakpart
    		fi
    	done
    	IFS=$OLDIFS
    	baksize=`disklabel $bakdisk 2>/dev/null | \
    		awk -v "part=$bakpart:" '$1 == part { print $2 }'`
    	rootdev=`mount | awk '$3 == "/" && $1 ~ /^\/dev\// && $5 == "ffs" \
    		{ print substr($1, 6) }'`
    	if [ -z "$rootdev" ]; then
    		echo "The root filesystem is not local or not ffs."
    		break
    	fi
    	if [ X$rootdev = X$rootbak ]; then
    		echo "The device $rootdev holds both root and /altroot."
    		break
    	fi
    	rootdisk=${rootdev%[a-p]}
    	rootpart=${rootdev#$rootdisk}
    	rootsize=`disklabel $rootdisk 2>/dev/null | \
    		awk -v "part=$rootpart:" '$1 == part { print $2 }'`
    	if [ $rootsize -gt $baksize ]; then
    		echo "Root ($rootsize) is larger than /altroot ($baksize)."
    		break
    	fi
    	next_part "Backing up root=/dev/r$rootdev to /dev/r$rootbak:"
    	sync
    	dd if=/dev/r$rootdev of=/dev/r$rootbak bs=16b seek=1 skip=1 \
    		conv=noerror
    	fsck -y /dev/r$rootbak
    	break
    done
    
    next_part "Services that should be running but aren't:"
    rcctl ls failed
    
    next_part "Checking subsystem status:"
    if [ "X$VERBOSESTATUS" != X0 ]; then
    	echo ""
    	echo "disks:"
    	df -ikl
    	echo ""
    	dump W
    else
    	dump w | grep -vB1 ^Dump
    fi
    
    next_part "network:"
    if [ "X$VERBOSESTATUS" != X0 ]; then
    	netstat -ivn
    fi
    
    next_part "Running calendar in the background:"
    if [ "X$CALENDAR" != X0 -a \
         \( -d /var/yp/`domainname` -o ! -d /var/yp/binding \) ]; then
    	calendar -a &
    fi
    
    # If CHECKFILESYSTEMS is set to 1 in the environment, run fsck
    # with the no-write flag.
    next_part "Checking filesystems:"
    [ "X$CHECKFILESYSTEMS" = X1 ] && {
    	fsck -n | grep -v '^\*\* Phase'
    }
    
    next_part "Running rdist:"
    if [ -f /etc/Distfile ]; then
    	if [ -d /var/log/rdist ]; then
    		rdist -f /etc/Distfile 2>&1 | tee /var/log/rdist/`date +%F`
    	else
    		rdist -f /etc/Distfile
    	fi
    fi
    
    end_part
    [ -s $MAINOUT ] && {
    	sysctl -n kern.version
    	uptime
    	cat $MAINOUT
    } 2>&1 | mail -s "`hostname` daily output" root
    
    
    MAINOUT=/var/log/security.out
    install -o 0 -g 0 -m 600 -b /dev/null $MAINOUT
    
    start_part "Running security(8):"
    export SUIDSKIP
    /usr/libexec/security
    end_part
    rm -f $PARTOUT
    
    [ -s $MAINOUT ] && mail -s "`hostname` daily insecurity output" root < $MAINOUT