d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2b519b1707
freebsd-dev/usr.sbin/periodic/periodic.conf

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

429 lines
13 KiB
Plaintext
Raw Normal View History

Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
#!/bin/sh
#
# This is defaults/periodic.conf - a file full of useful variables that
# you can set to change the default behaviour of periodic jobs on your
# system. You should not edit this file! Put any overrides into one of the
# $periodic_conf_files instead and you will be able to update these defaults
# later without spamming your local configuration information.
#
# The $periodic_conf_files files should only contain values which override
# values set in this file. This eases the upgrade path when defaults
# are changed and new features are added.
#
Add a reference to the periodic.conf(5) manual page. Suggested by: simon
2005-01-24 22:21:13 +00:00
# For a more detailed explanation of all the periodic.conf variables, please
# refer to the periodic.conf(5) manual page.
#
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# $FreeBSD$
#
# What files override these defaults ?
periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local"
# periodic script dirs
Now that a separate /usr/X11R6 directory is no longer in fashion, stop looking there for things like rc.d and periodic. This avoids duplicating effort when /usr/X11R6 is a symlink to /usr/local, which it is by default now. It is not anticipated at this time that we will MFC this change, since we'd like to avoid breaking legacy systems. However, there is a fix for /etc/rc.subr in the works to avoid running any rc.d scripts twice which we should be able to MFC.
2007-05-29 06:22:14 +00:00
local_periodic="/usr/local/etc/periodic"
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
Consolidate random sleeps in periodic scripts Multiple periodic scripts sleep for a random amount of time in order to mitigate the thundering herd problem. This is bad, because the sum of multiple uniformly distributed random variables approaches a normal distribution, so the problem isn't mitigated as effectively as it would be with a single sleep. This change creates a single configurable anticongestion sleep. periodic will only sleep if at least one script requires it, and it will never sleep more than once per invocation. It also won't sleep if periodic was run interactively, fixing an unrelated longstanding bug. PR: 217055 PR: 210188 Reviewed by: cy MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D10211
2017-04-01 04:42:35 +00:00
# Max time to sleep to avoid causing congestion on download servers
anticongestion_sleeptime=3600
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# Daily options
Another overhaul of the periodic stuff. All periodic sub-scripts <larf> now have their return codes interpreted by periodic(8). Output may be masked based on variable values in periodic.conf. It's also now possible to email periodic output to arbitrary addresses, or to send it to a log file, examples of which can be found in newsyslog.conf. The upshot of it all should be no discernable changes to the default behaviour of periodic(8). PR: 21250
2000-09-14 17:19:15 +00:00
# These options are used by periodic(8) itself to determine what to do
# with the output of the sub-programs that are run, and where to send
# that output. $daily_output might be set to /var/log/daily.log if you
# wish to log the daily output and have the files rotated by newsyslog(8)
#
daily_output="root" # user or /file
daily_show_success="YES" # scripts returning 0
daily_show_info="YES" # scripts returning 1
daily_show_badconfig="NO" # scripts returning 2
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 100.clean-disks
daily_clean_disks_enable="NO" # Delete files daily
daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*"
daily_clean_disks_days=3 # If older than this
daily_clean_disks_verbose="YES" # Mention files deleted
# 110.clean-tmps
daily_clean_tmps_enable="NO" # Delete stuff daily
daily_clean_tmps_dirs="/tmp" # Delete under here
daily_clean_tmps_days="3" # If not accessed for
Don't delete files in the X11 socket directories under /tmp (.X11-unix, .ICE-unix, .font-unix, .XIM-unix) when purging files from /tmp via the daily 100.clean-tmps job. If you are logged into an X session longer than the timeout period (default of 3 days), then this job can delete the X11 sockets out from under the session without this fix. MFC after: 3 days
2007-11-28 17:31:11 +00:00
daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix"
Add .snap to daily_clean_tmps_ignore; /tmp/.snap ist not supposed to be auto-removed (and /tmp is a filesystem of its own now by default). MFC after: 3 days
2010-03-23 06:19:44 +00:00
daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap"
Don't attempt to delete .sujournal in /tmp PR: conf/163828 Submitted by: Tatsuki Makino <tatsuki_makino@hotmail.com> Approved by: cperciva MFC after: 1 week
2012-05-30 03:51:46 +00:00
daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal"
Don't delete files in the X11 socket directories under /tmp (.X11-unix, .ICE-unix, .font-unix, .XIM-unix) when purging files from /tmp via the daily 100.clean-tmps job. If you are logged into an X session longer than the timeout period (default of 3 days), then this job can delete the X11 sockets out from under the session without this fix. MFC after: 3 days
2007-11-28 17:31:11 +00:00
# Don't delete these
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
daily_clean_tmps_verbose="YES" # Mention files deleted
# 120.clean-preserve
daily_clean_preserve_enable="YES" # Delete files daily
daily_clean_preserve_days=7 # If not modified for
daily_clean_preserve_verbose="YES" # Mention files deleted
# 130.clean-msgs
daily_clean_msgs_enable="YES" # Delete msgs daily
daily_clean_msgs_days= # If not modified for
# 140.clean-rwho
daily_clean_rwho_enable="YES" # Delete rwho daily
daily_clean_rwho_days=7 # If not modified for
daily_clean_rwho_verbose="YES" # Mention files deleted
# 150.clean-hoststat
Tighten wording of comment. Suggested by: gshapiro
2003-01-08 18:52:32 +00:00
daily_clean_hoststat_enable="YES" # Purge sendmail host
# status cache daily
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 200.backup-passwd
daily_backup_passwd_enable="YES" # Backup passwd & group
# 210.backup-aliases
daily_backup_aliases_enable="YES" # Backup mail aliases
Add a periodic script to backup the partition table and boot code Optionally, alert you if the contents change from the previous backup PR: 86388 Submitted by: Rob Fairbanks <rob.fx907@gmail.com>, Miroslav Lachman <000.fbsd@quip.cz> (Original Version) MFC after: 4 weeks Relnotes: yes Sponsored by: Klara Inc. Event: July 2020 Bugathon Differential Revision: https://reviews.freebsd.org/D25628
2020-07-11 20:53:31 +00:00
# 221.backup-gpart
periodic: by default, skip 221.backup-gpart in jails It can still be enabled as usual in /etc/periodic.conf PR: 256253 Reported by: delphij Submitted by: Miroslav Lachman <000.fbsd@quip.cz> MFC after: 2 weeks
2021-06-18 14:33:08 +00:00
if [ $(sysctl -n security.jail.jailed) = 0 ]; then
# Backup partition table/boot partition/MBR
daily_backup_gpart_enable="YES"
else
daily_backup_gpart_enable="NO"
fi
Add a periodic script to backup output generated from `gmirror list`. Disabled by default. PR: 86388 Submitted by: Miroslav Lachman <000.fbsd@quip.cz> Reviewed by: allanjude, gbe Approved by: allanjude (mentor) MFC after: 4 weeks Event: July 2020 Bugathon Differential Revision: https://reviews.freebsd.org/D25631
2020-11-07 04:15:24 +00:00
daily_backup_gpart_verbose="NO" # Be verbose if new backup differs from the old one
Add a periodic script to backup the partition table and boot code Optionally, alert you if the contents change from the previous backup PR: 86388 Submitted by: Rob Fairbanks <rob.fx907@gmail.com>, Miroslav Lachman <000.fbsd@quip.cz> (Original Version) MFC after: 4 weeks Relnotes: yes Sponsored by: Klara Inc. Event: July 2020 Bugathon Differential Revision: https://reviews.freebsd.org/D25628
2020-07-11 20:53:31 +00:00
daily_backup_efi_enable="NO" # Backup EFI system partition (ESP)
Add a periodic script to backup output generated from `gmirror list`. Disabled by default. PR: 86388 Submitted by: Miroslav Lachman <000.fbsd@quip.cz> Reviewed by: allanjude, gbe Approved by: allanjude (mentor) MFC after: 4 weeks Event: July 2020 Bugathon Differential Revision: https://reviews.freebsd.org/D25631
2020-11-07 04:15:24 +00:00
# 222.backup-gmirror
daily_backup_gmirror_enable="NO" # Backup of gmirror info (i.e., output of `gmirror list`)
daily_backup_gmirror_verbose="NO" # Log diff if new backup differs from the old one
Add a periodic script to backup output generated from `zfs list`, `zfs get`, `zpool list`, and `zpool get` commands. Disabled by default. PR: 86388 Submitted by: Miroslav Lachman <000.fbsd@quip.cz> Reviewed by: allanjude, 0mp Approved by: allanjude (mentor) MFC after: 4 weeks Event: July 2020 Bugathon Differential Revision: https://reviews.freebsd.org/D25638
2020-11-06 22:58:31 +00:00
# 223.backup-zfs
daily_backup_zfs_enable="NO" # Backup output from zpool/zfs list
daily_backup_zfs_props_enable="NO" # Backup zpool/zfs filesystem properties
daily_backup_zfs_get_flags="all" # flags passed to `zfs get`
daily_backup_zfs_list_flags="" # flags passed to `zfs list`
daily_backup_zpool_get_flags="all" # flags passed to `zpool get`
daily_backup_zpool_list_flags="-v" # flags passed to `zpool list`
daily_backup_zfs_verbose="NO" # Report diff between the old and new backups.
Add extremely useful calendar(1) application to FreeBSD It does extremely useful things like execute sendmail and spew dubiously accurate factoids. From the feedback, it seems like it is an essential utility in a modern unix and not at all a useless bikeshed. How do those Linux people live without it? Reverts r358561.
2020-03-03 00:20:08 +00:00
# 300.calendar
daily_calendar_enable="NO" # Run calendar -a
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 310.accounting
daily_accounting_enable="YES" # Rotate acct files
Allow compressed acct files PR: 19483 Submitted by: Ben Smithurst <ben@scientia.demon.co.uk>
2000-06-25 08:59:26 +00:00
daily_accounting_compress="NO" # Gzip rotated files
Default daily_accounting_flags to -q. I thought this was a typo in the originally submitted patch (oops!). Also check for an empty $daily_accounting_save. Submitted by: Udo Schweigert <Udo.Schweigert@cert.siemens.de>
2001-05-30 20:23:43 +00:00
daily_accounting_flags=-q # Flags to /usr/sbin/sa
Add $daily_accounting_save and $daily_accounting_flags Submitted by: Udo Schweigert <Udo.Schweigert@cert.siemens.de> MFC after: 2 weeks
2001-05-30 16:46:53 +00:00
daily_accounting_save=3 # How many files to save
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 400.status-disks
daily_status_disks_enable="YES" # Check disk status
- Align comment for df flags variable in periodic.conf. - Note default value of df flags variable in periodoc.conf(5). MFC after: 1 week
2015-03-13 09:50:29 +00:00
daily_status_disks_df_flags="-l -h" # df(1) flags for check
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
Remove periodic script for ataraid(4) and add instead script for graid(8).
2013-04-04 15:03:12 +00:00
# 401.status-graid
daily_status_graid_enable="NO" # Check graid(8)
Add ZFS periodic scripts that monitors status of ZFS pools. Submitted by: des
2007-04-06 02:33:06 +00:00
# 404.status-zfs
daily_status_zfs_enable="NO" # Check ZFS
Add an option to 404.status-zfs (enabled by default) to list all zfs pools on the system. While here, document daily_status_zfs_enable in periodic.conf(5). Discussed on: -fs [1] Reviewed by: netchild [1] Approved by: jhb MFC after: 1 week [1] - http://lists.freebsd.org/pipermail/freebsd-fs/2011-June/011869.html
2012-02-08 00:08:21 +00:00
daily_status_zfs_zpool_list_enable="YES" # List ZFS pools
Add ZFS periodic scripts that monitors status of ZFS pools. Submitted by: des
2007-04-06 02:33:06 +00:00
Add a daily script to show the status of gmirror(8) devices.
2006-01-13 18:07:52 +00:00
# 406.status-gmirror
daily_status_gmirror_enable="NO" # Check gmirror(8)
Add the graid3(8), gstripe(8) and gconcat(8) status scripts, default is "off". Approved by: rwatson (mentor)
2006-03-02 14:46:00 +00:00
# 407.status-graid3
daily_status_graid3_enable="NO" # Check graid3(8)
# 408.status-gstripe
daily_status_gstripe_enable="NO" # Check gstripe(8)
# 409.status-gconcat
daily_status_gconcat_enable="NO" # Check gconcat(8)
Add 410.status-mfi, a periodic script for mfi(4) arrays PR: 176049 Submitted by: doconnor@gsoft.com.au Reviewed by: scottl, Larry Rosenman <ler@lerctr.org> MFC after: 3 weeks Relnotes: yes
2017-04-14 22:59:14 +00:00
# 410.status-mfi
daily_status_mfi_enable="NO" # Check mfiutil(8)
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 420.status-network
daily_status_network_enable="YES" # Check network status
daily_status_network_usedns="YES" # DNS lookups are ok
periodic.conf(5): don't truncate interface names reported by 420.status-network. The daily periodic script, 420.status-network uses netstat(1) to report interface status. By default, netstat(1) truncates interface names. Add the '-W' flag (avoid truncating interface names) as the default for 'daily_status_network_netstat_flags' in periodic.conf(5). The default 420.status-network command is now 'netstat -i -d -W -n'. PR: 163572 Reported by: kes-kes@yandex.ru Reviewed by: allanjude (mentor) bcr (manpages) Approved by: allanjude (mentor) MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D26023
2020-09-09 19:07:34 +00:00
daily_status_network_netstat_flags="-d -W" # netstat(1) flags
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
Rename etc/periodic/daily/430.status-rwho to periodic/daily/430.status-uptime The command was checking local/remote system uptime, so rename the script to match its function and to avoid confusion The controlling variable in /etc/periodic.conf has been renamed from daily_status_rwho_enable to daily_status_uptime_enable. MFC after: 3 days Reported by: Peter Jeremy <peter@rulingia.com> Relnotes: yes Sponsored by: EMC / Isilon Storage Division
2015-11-02 01:05:34 +00:00
# 430.status-uptime
daily_status_uptime_enable="YES" # Check system uptime
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 440.status-mailq
daily_status_mailq_enable="YES" # Check mail status
daily_status_mailq_shorten="NO" # Shorten output
Update mail queue related periodic scripts to account for sendmail 8.12's clientmqueue (submit mail queue). The new mailq display is only active if both the old daily_status_mailq_enable is set to "YES" and the new daily_status_include_submit_mailq is set to "YES" so people who disabled 440.status-mailq won't have any surprises. Likewise, the new queue run is only active if both the old daily_queuerun_enable is set to "YES" and the new daily_submit_queuerun is set to "YES" so people who disabled 500.queuerun won't have any surprises. While I am here, remove the [ ! -d /var/spool/mqueue ] checks from both scripts as the queue directory isn't always /var/spool/mqueue for the main daemon -- it can be set to anything in the sendmail.cf file. MFC after: 1 week
2002-04-10 03:58:40 +00:00
daily_status_include_submit_mailq="YES" # Also submit queue
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 450.status-security
daily_status_security_enable="YES" # Security check
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
# See also "Security options" below for more options
daily_status_security_inline="NO" # Run inline ?
daily_status_security_output="root" # user or /file
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 460.status-mail-rejects
daily_status_mail_rejects_enable="YES" # Check mail rejects
Add $daily_status_mail_rejects_logs, defaulting to 3 to control how many /var/log/maillog* files to check PR: 19587
2000-06-30 09:41:16 +00:00
daily_status_mail_rejects_logs=3 # How many logs to check
A new configuration variable, daily_status_mail_rejects_shorten, allows the rejected mail reports to tally the rejects per blacklist without providing details about individual sender hosts. The default configuration keeps the reports in their original form. MFC after: 1 week
2008-01-08 07:22:43 +00:00
daily_status_mail_rejects_shorten="NO" # Shorten output
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
Add support for automatic leap-second file updates. The working copy of leapfile resides in /var/dbntpd.leap-seconds.list. /etc/ntp/leap-seconds (periodically updated from ftp://time.nist.gov/pub/ or ftp://tycho.usno.navy.mil/pub/ntp/) contains the master copy should automatic leapfile updates be disabled (default). Automatic leapfile updates are fetched from $ntp_leapfile_sources, defaulting to https://www.ietf.org/timezones/data/leap-seconds.list, within $ntp_leapfile_expiry_days (default 30 days) from leap-seconds file expiry. Automatic updates can be enabled by setting $daily_ntpd_leapfile_enable="YES" in periodic.conf. To avoid congesting the ntp leapfile source the automatic update randomized by default but can be disabled through daily_ntpd_avoid_congestion="NO" in periodic.conf. Suggested by: des Reviewed by: des, roberto, dwmalone, ian, cperciva, glebius, gjb MFC after: 1 week X-MFC with: r289421, r293037
2016-01-26 07:06:44 +00:00
# 480.leapfile-ntpd
Enable daily_ntpd_leapfile_enable by default. Otherwise an expired leapfile will be ignored and ntpd will behave as if it has no leapfile. While here, remove an extraneous blank line. Suggested by: ache MFC after: 1 week
2016-06-04 01:01:46 +00:00
daily_ntpd_leapfile_enable="YES" # Fetch NTP leapfile
Add support for automatic leap-second file updates. The working copy of leapfile resides in /var/dbntpd.leap-seconds.list. /etc/ntp/leap-seconds (periodically updated from ftp://time.nist.gov/pub/ or ftp://tycho.usno.navy.mil/pub/ntp/) contains the master copy should automatic leapfile updates be disabled (default). Automatic leapfile updates are fetched from $ntp_leapfile_sources, defaulting to https://www.ietf.org/timezones/data/leap-seconds.list, within $ntp_leapfile_expiry_days (default 30 days) from leap-seconds file expiry. Automatic updates can be enabled by setting $daily_ntpd_leapfile_enable="YES" in periodic.conf. To avoid congesting the ntp leapfile source the automatic update randomized by default but can be disabled through daily_ntpd_avoid_congestion="NO" in periodic.conf. Suggested by: des Reviewed by: des, roberto, dwmalone, ian, cperciva, glebius, gjb MFC after: 1 week X-MFC with: r289421, r293037
2016-01-26 07:06:44 +00:00
o Add a script to check ntpd(8) state. Default is off. PR: conf/112604 Submitted by: Oliver Fromme MFC after: 1 month
2007-05-13 09:33:35 +00:00
# 480.status-ntpd
daily_status_ntpd_enable="NO" # Check NTP status
Move the sendmail -q from cron to periodic, as suggested by a few people. This has the benefit of adding a random start time element as daily processing takes a different amount of time on different machines.
2001-02-19 02:47:42 +00:00
# 500.queuerun
daily_queuerun_enable="YES" # Run mail queue
Update mail queue related periodic scripts to account for sendmail 8.12's clientmqueue (submit mail queue). The new mailq display is only active if both the old daily_status_mailq_enable is set to "YES" and the new daily_status_include_submit_mailq is set to "YES" so people who disabled 440.status-mailq won't have any surprises. Likewise, the new queue run is only active if both the old daily_queuerun_enable is set to "YES" and the new daily_submit_queuerun is set to "YES" so people who disabled 500.queuerun won't have any surprises. While I am here, remove the [ ! -d /var/spool/mqueue ] checks from both scripts as the queue directory isn't always /var/spool/mqueue for the main daemon -- it can be set to anything in the sendmail.cf file. MFC after: 1 week
2002-04-10 03:58:40 +00:00
daily_submit_queuerun="YES" # Also submit queue
Move the sendmail -q from cron to periodic, as suggested by a few people. This has the benefit of adding a random start time element as daily processing takes a different amount of time on different machines.
2001-02-19 02:47:42 +00:00
Evaluate running userland/kernel version in daily periodic(8) run, taken from uname(1) '-U' and '-K' flags. Reviewed by: allanjude, dvl Differential Revision: https://reviews.freebsd.org/D1541 MFC after: 1 week Sponsored by: The FreeBSD Foundation
2015-01-15 19:52:19 +00:00
# 510.status-world-kernel
daily_status_world_kernel="YES" # Check the running
# userland/kernel version
Add missing default values for daily/800.scrub-zfs for documentation purposes. No functional change, since all parameters are set to their default values. MFC after: 1 week
2011-10-17 14:37:24 +00:00
# 800.scrub-zfs
daily_scrub_zfs_enable="NO"
daily_scrub_zfs_pools="" # empty string selects all pools
Increase default scrub threshold from 30 days to 5 weeks. Using whole weeks makes it easier to predicate when the scrub would happen. MFC after: 1 week
2011-10-27 21:25:41 +00:00
daily_scrub_zfs_default_threshold="35" # days between scrubs
#daily_scrub_zfs_${poolname}_threshold="35" # pool specific threshold
Add missing default values for daily/800.scrub-zfs for documentation purposes. No functional change, since all parameters are set to their default values. MFC after: 1 week
2011-10-17 14:37:24 +00:00
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# 999.local
daily_local="/etc/daily.local" # Local scripts
Since r254974, periodic scripts' period can be configured independently. There is no reason to leave their options with the daily ones, so move them to their own section. Move periodic scripts' options into their own section. Since r254974,
2013-09-03 07:47:53 +00:00
# Weekly options
# These options are used by periodic(8) itself to determine what to do
# with the output of the sub-programs that are run, and where to send
# that output. $weekly_output might be set to /var/log/weekly.log if you
# wish to log the weekly output and have the files rotated by newsyslog(8)
#
weekly_output="root" # user or /file
weekly_show_success="YES" # scripts returning 0
weekly_show_info="YES" # scripts returning 1
weekly_show_badconfig="NO" # scripts returning 2
# 310.locate
weekly_locate_enable="YES" # Update locate weekly
# 320.whatis
weekly_whatis_enable="YES" # Update whatis weekly
# 340.noid
weekly_noid_enable="NO" # Find unowned files
weekly_noid_dirs="/" # Look here
# 450.status-security
weekly_status_security_enable="YES" # Security check
# See also "Security options" above for more options
weekly_status_security_inline="NO" # Run inline ?
weekly_status_security_output="root" # user or /file
# 999.local
weekly_local="/etc/weekly.local" # Local scripts
# Monthly options
# These options are used by periodic(8) itself to determine what to do
# with the output of the sub-programs that are run, and where to send
# that output. $monthly_output might be set to /var/log/monthly.log if you
# wish to log the monthly output and have the files rotated by newsyslog(8)
#
monthly_output="root" # user or /file
monthly_show_success="YES" # scripts returning 0
monthly_show_info="YES" # scripts returning 1
monthly_show_badconfig="NO" # scripts returning 2
# 200.accounting
monthly_accounting_enable="YES" # Login accounting
# 450.status-security
monthly_status_security_enable="YES" # Security check
# See also "Security options" above for more options
monthly_status_security_inline="NO" # Run inline ?
monthly_status_security_output="root" # user or /file
# 999.local
monthly_local="/etc/monthly.local" # Local scripts
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# Security options
Better document security_show_{success,info,badconfig} in /etc/periodic.conf periodic(8) already handles the security_show_{success,info,badconfig} variables correctly. However, those variables aren't explicitly set in /etc/defaults/periodic.conf or anywhere else, which suggests to the user that they shouldn't be used. etc/defaults/periodic.conf Explicitly set defaults for security_show_{success,info,badconfig} usr.sbin/periodic/periodic.sh Update usage string usr.sbin/periodic/periodic.8 Minor man page updates One thing I'm _not_ doing is recommending setting security_output to /var/log/security.log or adding that file to /etc/newsyslog.conf, because periodic(8) would create it with default permissions, usually 644, and that's probably a bad idea. Reviewed by: brd MFC after: 4 weeks Sponsored by: Spectra Logic Corp Differential Revision: https://reviews.freebsd.org/D6477
2016-05-21 02:14:11 +00:00
security_show_success="YES" # scripts returning 0
security_show_info="YES" # scripts returning 1
security_show_badconfig="NO" # scripts returning 2
Remove trailing whitespace.
2002-08-09 20:58:54 +00:00
# These options are used by the security periodic(8) scripts spawned in
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
# daily and weekly 450.status-security.
security_status_logdir="/var/log" # Directory for logs
security_status_diff_flags="-b -u" # flags for diff output
Since r254974, periodic scripts' period can be configured independently. There is no reason to leave their options with the daily ones, so move them to their own section. Move periodic scripts' options into their own section. Since r254974,
2013-09-03 07:47:53 +00:00
# Each of the security_status_*_period options below can have one of the
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
# following values:
Since r254974, periodic scripts' period can be configured independently. There is no reason to leave their options with the daily ones, so move them to their own section. Move periodic scripts' options into their own section. Since r254974,
2013-09-03 07:47:53 +00:00
# - NO: do not run at all
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
# - daily: only run during the daily security status
# - weekly: only run during the weekly security status
Since r254974, periodic scripts' period can be configured independently. There is no reason to leave their options with the daily ones, so move them to their own section. Move periodic scripts' options into their own section. Since r254974,
2013-09-03 07:47:53 +00:00
# - monthly: only run during the monthly security status
# Note that if periodic security scripts are run from crontab(5) directly,
# they will be run unless _enable or _period is set to "NO".
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 100.chksetuid
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_chksetuid_enable="YES"
security_status_chksetuid_period="daily"
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
Add an (off by default) check for negative permissions (where the group on a object has less permissions that everyone). These permissions will not work reliably over NFS if you have more than 14 supplemental groups and are usually not what you mean. MFC after: 1 week
2010-11-13 00:40:43 +00:00
# 110.neggrpperm
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_neggrpperm_enable="YES"
security_status_neggrpperm_period="daily"
Add an (off by default) check for negative permissions (where the group on a object has less permissions that everyone). These permissions will not work reliably over NFS if you have more than 14 supplemental groups and are usually not what you mean. MFC after: 1 week
2010-11-13 00:40:43 +00:00
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 200.chkmounts
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_chkmounts_enable="YES"
security_status_chkmounts_period="daily"
#security_status_chkmounts_ignore="^amd:" # Don't check matching
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# FS types
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_noamd="NO" # Don't check amd mounts
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 300.chkuid0
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_chkuid0_enable="YES"
security_status_chkuid0_period="daily"
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 400.passwdless
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_passwdless_enable="YES"
security_status_passwdless_period="daily"
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
Add login.conf checking to periodic security scripts. If the login.conf file is not UID/GID 0, limits will be ignored and a strange error sent to auth.log. Head nod: ru, rwatson
2006-08-25 07:34:36 +00:00
# 410.logincheck
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_logincheck_enable="YES"
security_status_logincheck_period="daily"
Add login.conf checking to periodic security scripts. If the login.conf file is not UID/GID 0, limits will be ignored and a strange error sent to auth.log. Head nod: ru, rwatson
2006-08-25 07:34:36 +00:00
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 500.ipfwdenied
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_ipfwdenied_enable="YES"
security_status_ipfwdenied_period="daily"
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
Add a new /etc/periodic/security script to check for packets rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf knob (daily_status_security_ipfdenied_enable). Reviewed by: roberto Approved by: re@
2002-10-25 15:16:54 +00:00
# 510.ipfdenied
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_ipfdenied_enable="YES"
security_status_ipfdenied_period="daily"
Add a new /etc/periodic/security script to check for packets rejected by ipfilter (510.ipfdenied), and a corresponding periodic.conf knob (daily_status_security_ipfdenied_enable). Reviewed by: roberto Approved by: re@
2002-10-25 15:16:54 +00:00
Teach periodic(8) security output to display information about blocked packet counts by pf(4). This adds a ``daily_status_security_pfdenied_enable'' variable to periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions. The output will look like this (line wrapped): pf denied packets: > block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0 Bytes: 0 States: 0 ] > block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578 States: 0 ] Submitted by: clive (thanks a lot!) MFC after: 2 weeks
2004-11-24 18:41:53 +00:00
# 520.pfdenied
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_pfdenied_enable="YES"
security_status_pfdenied_period="daily"
pfdenied: support reporting on additional anchors The security/520-pfdenied script only reports blocked packets from the main ruleset or any blocklistd(8) anchor. Add an option to periodic.conf(5) to make it possible to specify additional anchors to report. PR: 262446 Reviewed by: kp
2022-03-09 14:02:11 +00:00
security_status_pfdenied_additionalanchors=""
Teach periodic(8) security output to display information about blocked packet counts by pf(4). This adds a ``daily_status_security_pfdenied_enable'' variable to periodic.conf, which defaults to ``YES'' as the matching IPF(W) versions. The output will look like this (line wrapped): pf denied packets: > block drop log on rl0 proto tcp all [ Evaluations: 504986 Packets: 0 Bytes: 0 States: 0 ] > block drop log on rl0 all [ Evaluations: 18559 Packets: 427 Bytes: 140578 States: 0 ] Submitted by: clive (thanks a lot!) MFC after: 2 weeks
2004-11-24 18:41:53 +00:00
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 550.ipfwlimit
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_ipfwlimit_enable="YES"
security_status_ipfwlimit_period="daily"
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
Add script for checking ipv6 blocked packets from PR. PR: misc/50154 Submitted by: Kimura Fuyuki <fuyuki@hadaly.org>
2004-04-20 13:44:57 +00:00
# 610.ipf6denied
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_ipf6denied_enable="YES"
security_status_ipf6denied_period="daily"
Add script for checking ipv6 blocked packets from PR. PR: misc/50154 Submitted by: Kimura Fuyuki <fuyuki@hadaly.org>
2004-04-20 13:44:57 +00:00
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 700.kernelmsg
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_kernelmsg_enable="YES"
security_status_kernelmsg_period="daily"
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 800.loginfail
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_loginfail_enable="YES"
security_status_loginfail_period="daily"
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
# 900.tcpwrap
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
security_status_tcpwrap_enable="YES"
security_status_tcpwrap_period="daily"
Long ago, there was just /etc/daily. Then /etc/security was split out of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
2001-12-07 23:57:39 +00:00
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
# Define source_periodic_confs, the mechanism used by /etc/periodic/*/*
# scripts to source defaults/periodic.conf overrides safely.
if [ -z "${source_periodic_confs_defined}" ]; then
source_periodic_confs_defined=yes
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
Consolidate random sleeps in periodic scripts Multiple periodic scripts sleep for a random amount of time in order to mitigate the thundering herd problem. This is bad, because the sum of multiple uniformly distributed random variables approaches a normal distribution, so the problem isn't mitigated as effectively as it would be with a single sleep. This change creates a single configurable anticongestion sleep. periodic will only sleep if at least one script requires it, and it will never sleep more than once per invocation. It also won't sleep if periodic was run interactively, fixing an unrelated longstanding bug. PR: 217055 PR: 210188 Reviewed by: cy MFC after: 3 weeks Differential Revision: https://reviews.freebsd.org/D10211
2017-04-01 04:42:35 +00:00
# Sleep for a random amount of time in order to mitigate the thundering
# herd problem of multiple hosts running periodic simultaneously.
# Will not sleep when used interactively.
# Will sleep at most once per invocation of periodic
anticongestion() {
[ -n "$PERIODIC_IS_INTERACTIVE" ] && return
if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then
rm -f $PERIODIC_ANTICONGESTION_FILE
sleep `jot -r 1 0 ${anticongestion_sleeptime}`
fi
}
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
# Compatibility with old daily variable names.
# They can be removed in stable/11.
security_daily_compat_var() {
local var=$1 dailyvar value
Fix compatibility function for old daily_status_security_${name}_enable variable PR: conf/183137 Reported by: Adam McDougall <mcdouga9 at egr msu edu> MFC after: 3 days
2013-10-29 20:35:35 +00:00
dailyvar=daily_status_security${var#security_status}
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
periodvar=${var%enable}period
eval value=\"\$$dailyvar\"
[ -z "$value" ] && return
echo "Warning: Variable \$$dailyvar is deprecated," \
"use \$$var instead." >&2
case "$value" in
[Yy][Ee][Ss])
periodic: Fix backwards compatibility for daily_status_security_* vars. Most daily_status_security_* variables in periodic.conf were changed to security_status_* in SVN r254974. The compatibility code for the old names did not work. PR: 204331 Submitted by: martin at lispworks.com MFC after: 1 week
2015-11-07 22:06:49 +00:00
eval $var=YES
eval $periodvar=daily
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
;;
*)
Fix indentation. MFC after: 4 days
2013-10-29 20:38:19 +00:00
eval $var=\"$value\"
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
;;
esac
}
check_yesno_period() {
local var="$1" periodvar value period
eval value=\"\$$var\"
case "$value" in
[Yy][Ee][Ss]) ;;
*) return 1 ;;
esac
periodvar=${var%enable}period
eval period=\"\$$periodvar\"
case "$PERIODIC" in
"security daily")
case "$period" in
[Dd][Aa][Ii][Ll][Yy]) return 0 ;;
*) return 1 ;;
esac
;;
"security weekly")
case "$period" in
[Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
*) return 1 ;;
esac
;;
"security monthly")
case "$period" in
[Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
*) return 1 ;;
esac
;;
security)
# Run directly from crontab(5).
case "$period" in
[Nn][Oo]) return 1 ;;
*) return 0 ;;
esac
;;
Allow again periodic scripts to be run from command-line. PR: 188109 Submitted by: Jason Unovitch MFC after: 1 week
2015-07-13 10:15:01 +00:00
'')
# Script run manually.
return 0
;;
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
*)
Allow again periodic scripts to be run from command-line. PR: 188109 Submitted by: Jason Unovitch MFC after: 1 week
2015-07-13 10:15:01 +00:00
echo "ASSERTION FAILED: Unexpected value for" \
Make the period of each periodic security script configurable. There are now six additional variables weekly_status_security_enable weekly_status_security_inline weekly_status_security_output monthly_status_security_enable monthly_status_security_inline monthly_status_security_output alongside their existing daily counterparts. They all have the same default values. All other "daily_status_security_${scriptname}_${whatever}" variables have been renamed to "security_status_${name}_${whatever}". A compatibility shim has been introduced for the old variable names, which we will be able to remove in 11.0-RELEASE. "security_status_${name}_enable" is still a boolean but a new "security_status_${name}_period" allows to define the period of each script. The value is one of "daily" (the default for backward compatibility), "weekly", "monthly" and "NO". Note that when the security periodic scripts are run directly from crontab(5) (as opposed to being called by daily or weekly periodic scripts), they will run unless the test is explicitely disabled with a "NO", either for in the "_enable" or the "_period" variable. When the security output is not inlined, the mail subject has been changed from "$host $arg run output" to "$host $arg $period run output". For instance: myfbsd security run output -> myfbsd security daily run output I don't think this is considered as a stable API, but feel free to correct me if I'm wrong. Finally, I will rearrange periodic.conf(5) and default/periodic.conf to put the security options in their own section. I left them in place for this commit to make reviewing easier. Reviewed by: hackers@
2013-08-27 21:20:28 +00:00
"\$PERIODIC: '$PERIODIC'" >&2
exit 127
;;
esac
}
Whitespace nit
2012-07-13 06:46:09 +00:00
source_periodic_confs() {
Introduce /etc/defaults/periodic.conf, similar in concept to rc.conf. The only change in the default functionality should be that the output reports are slightly more verbose WRT files deleted. Not objected to by: freebsd-arch
2000-06-23 01:18:31 +00:00
local i sourced_files
for i in ${periodic_conf_files}; do
case ${sourced_files} in
*:$i:*)
;;
*)
sourced_files="${sourced_files}:$i:"
[ -r $i ] && . $i
;;
esac
done
}
fi
Reference in New Issue Copy Permalink