diff output, and replace them with "(password)". The diffs get mailed to root, which in many cases is forwarded across the Internet. A patient sniffer could acquire the entire "master.passwd" file by saving all the diffs. With this fix, you still see that the password changed, but you don't see the details. Unless somebody talks me out of it, I am going to merge this into -2.2 in 48 hours.
#!/bin/sh -
#
# @(#)daily 5.12 (Berkeley) 5/24/91
#
# Nightly housekeeping script.  Its output is delivered as mail (the
# passwd/group diffs below are sent to root), so the very first line
# printed is the "Subject:" header and nothing may be echoed before it.
# The lone "-" after the interpreter ends option processing for sh.
#

# cron hands us a minimal environment; pin PATH so every command below
# resolves to the system binaries and not to something inherited.
PATH=/bin:/usr/bin:/sbin:/usr/sbin

host=$(hostname -s)
echo "Subject: $host daily run output"

# Where the rotated copies of passwd, group, aliases, ... are kept.
bak=/var/backups

echo ""
echo "Removing scratch and junk files:"
# Expire files not modified for more than a week under /var/preserve
# (presumably the editors' recovery area) and /var/rwho (rwhod status
# files, see the ruptime call further down).  Each directory is entered
# first so find's paths stay relative to it; "! -name ." keeps the
# directory itself off the rm list and "--" protects against names
# that begin with "-".
#
# NOTE(review): this is the same "find ... -exec rm -f" pattern the
# comment below warns about.  It is only safe while these directories
# are not writable by unprivileged users: anyone who can rename a path
# component between find's lookup and rm's unlink can point the rm at
# an arbitrary file.  Check both directories' modes before relying on it.
for dir in /var/preserve /var/rwho; do
	[ -d "$dir" ] || continue
	cd "$dir" && find . ! -name . -mtime +7 -exec rm -f -- {} \;
done

cd /tmp

# This is a security hole: never use 'find' on a public directory (one
# that unprivileged users can write to) with -exec rm -f as root.
# Between find's lookup of a path and rm's unlink of it, a user can
# swap a directory component for a symbolic link, so the rm follows the
# link and deletes any file on the system.
#
#find / ! -fstype local -a -prune -o \
# \( -name '[#,]*' -o -name '.#*' -o -name a.out -o -name *.core \
# -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
# -a -atime +3 -exec rm -f -- {} \;
#
#
# The same security hole.  Purge the temp directories of unused stuff.
# Note that we must not accidentally clean the X11 lock files.
#
# Use at your own risk, but on a long-lived system this may be more
# useful than the boot-time cleaning of /tmp.  If /var/tmp and /tmp are
# symlinked together, only one of the two blocks below will actually
# run.
#
# if [ -d /tmp ]; then
# cd /tmp && {
# find . -type f -atime +3 -ctime +3 ! -name '.X*-lock' -exec rm -f -- {} \;
# find -d . ! -name . -type d -mtime +1 -exec rmdir -- {} \; \
# >/dev/null 2>&1; }
# fi
#
# if [ -d /var/tmp ]; then
# cd /var/tmp && {
# find . ! -name . -atime +7 -ctime +3 -exec rm -f -- {} \;
# find -d . ! -name . -type d -mtime +1 -exec rmdir -- {} \; \
# >/dev/null 2>&1; }
# fi
#
#

# Expire old entries in the system message spool (msgs(1)); no age is
# passed here, so the "older than 21 days" cutoff is whatever msgs -c
# applies on its own.
msgs -c

# Site-local news expiry hook.  It is executed directly, with this
# script's privileges, so it must be owned by root and writable by
# nobody else.
[ -f /etc/news.expire ] && /etc/news.expire

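# Rotate process accounting: keep four generations of the raw file
# (acct.0 is the newest) and then run sa(8), which is expected to merge
# the current data into its summary files and truncate acct.
if [ -f /var/account/acct ] ; then
	echo ""
	echo "Gathering accounting statistics:"
	# The cd is guarded: without it a failed cd would leave the
	# mv/cp below rotating acct.* files in whatever directory the
	# script happens to be in (an earlier section leaves us in /tmp).
	cd /var/account && {
		if [ -f acct.2 ] ; then mv -f acct.2 acct.3 ; fi
		if [ -f acct.1 ] ; then mv -f acct.1 acct.2 ; fi
		if [ -f acct.0 ] ; then mv -f acct.0 acct.1 ; fi
		cp -pf acct acct.0
		sa -s > /dev/null
	}
fi
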
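echo ""
echo "Backup passwd and group files:"

# snapshot_and_diff LIVE NAME LABEL [mask]
#   Keep $bak/NAME.bak as a copy of the file LIVE and report changes.
#   On the first run the copy is simply created.  Afterwards, whenever
#   LIVE differs from the copy, a diff is printed under the heading
#   "<host> LABEL diffs:", the old copy is kept as $bak/NAME.bak2 and a
#   fresh copy is taken.  cp -p carries the live file's owner and mode
#   over to the copy, so a mode-0600 master.passwd stays 0600 in $bak
#   (the $bak directory itself must still be unreadable to others).
#   With a fourth argument of "mask", the second colon-separated field
#   of every changed line -- the password hash -- is replaced by the
#   literal "(password)" before the diff is printed.  This report is
#   mailed to root and may cross the network in the clear, so hashes
#   must never appear in it; note the diff still shows which accounts
#   changed and all their other fields.
snapshot_and_diff() {
	live=$1
	copy=$bak/$2.bak
	prev=$bak/$2.bak2
	label=$3
	mask=$4
	if [ ! -f "$copy" ] ; then
		echo "no $copy"
		cp -p "$live" "$copy"
	fi
	if cmp -s "$copy" "$live"; then :; else
		echo "$host $label diffs:"
		if [ "$mask" = mask ]; then
			diff "$copy" "$live" |\
				sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
		else
			diff "$copy" "$live"
		fi
		mv "$copy" "$prev"
		cp -p "$live" "$copy"
	fi
}

snapshot_and_diff /etc/master.passwd master.passwd passwd mask
snapshot_and_diff /etc/group group group
snapshot_and_diff /etc/aliases aliases aliases

# The rdist(1) control file used later in this script: a changed copy
# is kept but no diff is reported.  Unlike the files above, the first
# copy was never created before comparing, so on a fresh system cmp
# failed and the mv complained about a missing file; create it
# explicitly instead.
if [ -f /etc/Distfile ]; then
	if [ ! -f $bak/Distfile.bak ]; then
		cp /etc/Distfile $bak/Distfile.bak
	elif cmp -s $bak/Distfile.bak /etc/Distfile; then :; else
		mv $bak/Distfile.bak $bak/Distfile.bak2
		cp /etc/Distfile $bak/Distfile.bak
	fi
fi

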
# `calendar -a' needs to die.  Why?  Because it is a bad idea,
# particularly with networked home directories, but also in general.
# If you want the output of `calendar' mailed to you, set up a cron job
# to do it, or run it from your ~/.profile or ~/.login.
#
# echo ""
# echo "Running calendar:"
# calendar -a


# Site UUCP cleanup, only when both a UUCP spool and the script exist.
# The command is fed on stdin to a shell started by "su daemon", so it
# runs under daemon's identity instead of ours.  /etc/uuclean.daily is
# read and executed by that shell, so it must not be writable by anyone
# who should not be able to act as daemon.
if [ -d /var/spool/uucp ] && [ -f /etc/uuclean.daily ]; then
	echo ""
	echo "Cleaning up UUCP:"
	echo /etc/uuclean.daily | su daemon
fi

# Status report section.  heading prints a blank line followed by a
# "name:" title, which is the layout every sub-report below uses.
heading() {
	echo ""
	echo "$1:"
}

echo ""
echo ""
echo "Checking subsystem status:"

heading disks
df -k -t local
echo ""
# dump W lists which file systems are due for a dump (see dump(8)).
dump W
echo ""

heading mail
mailq

if [ -d /var/spool/uucp ]; then
	heading uucp
	uustat -a
fi

heading network
netstat -i
echo ""
# ruptime only makes sense when rwhod is keeping /var/rwho up to date.
if [ -d /var/rwho ] ; then
	ruptime
fi

echo ""
# Push files to other hosts as described by /etc/Distfile (rdist(1)).
[ -f /etc/Distfile ] && {
	echo "Running rdist:"
	rdist -f /etc/Distfile
}

# Site-local additions.  This file and /etc/security are both run with
# an explicit "sh", so they need not be executable, but they execute
# with this script's privileges and must be writable by root only.
[ -f /etc/daily.local ] && {
	echo "Running daily.local:"
	sh /etc/daily.local
}

# The security checks go out as a separate message to root rather than
# into this report; stderr is folded into stdout so errors are mailed too.
sh /etc/security 2>&1 | sendmail root