xref: /freebsd/usr.sbin/periodic/periodic.conf (revision b64c5a0ace59af62eff52bfe110a521dc73c937b)
1#!/bin/sh
2#
3# This is defaults/periodic.conf - a file full of useful variables that
4# you can set to change the default behaviour of periodic jobs on your
5# system.  You should not edit this file!  Put any overrides into one of the
6# $periodic_conf_files instead and you will be able to update these defaults
7# later without spamming your local configuration information.
8#
9# The $periodic_conf_files files should only contain values which override
10# values set in this file.  This eases the upgrade path when defaults
11# are changed and new features are added.
12#
13# For a more detailed explanation of all the periodic.conf variables, please
14# refer to the periodic.conf(5) manual page.
15#
16#
17
18# What files override these defaults ?
19periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local ${_localbase}/etc/periodic.conf"
20
21# periodic script dirs. _localbase is being set in /usr/sbin/periodic
22local_periodic="${_localbase}/etc/periodic"
23
24# Max time to sleep to avoid causing congestion on download servers
25anticongestion_sleeptime=3600
26
27# Daily options
28
29# These options are used by periodic(8) itself to determine what to do
30# with the output of the sub-programs that are run, and where to send
31# that output.  $daily_output might be set to /var/log/daily.log if you
32# wish to log the daily output and have the files rotated by newsyslog(8)
33#
34daily_diff_flags="-b -U 0"				# flags for diff output
35daily_output="root"					# user or /file
36daily_show_success="YES"				# scripts returning 0
37daily_show_info="YES"					# scripts returning 1
38daily_show_badconfig="NO"				# scripts returning 2
39
40# 100.clean-disks
41daily_clean_disks_enable="NO"				# Delete files daily
42daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*"
43daily_clean_disks_days=3				# If older than this
44daily_clean_disks_verbose="YES"				# Mention files deleted
45
46# 110.clean-tmps
47daily_clean_tmps_enable="NO"				# Delete stuff daily
48daily_clean_tmps_dirs="/tmp"				# Delete under here
49daily_clean_tmps_days="3"				# If not accessed for
50daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix"
51daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap"
52daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal"
53							# Don't delete these
54daily_clean_tmps_verbose="YES"				# Mention files deleted
55
56# 120.clean-preserve
57daily_clean_preserve_enable="YES"			# Delete files daily
58daily_clean_preserve_days=7				# If not modified for
59daily_clean_preserve_verbose="YES"			# Mention files deleted
60
61# 130.clean-msgs
62daily_clean_msgs_enable="YES"				# Delete msgs daily
63daily_clean_msgs_days=					# If not modified for
64
65# 140.clean-rwho
66daily_clean_rwho_enable="YES"				# Delete rwho daily
67daily_clean_rwho_days=7					# If not modified for
68daily_clean_rwho_verbose="YES"				# Mention files deleted
69
70# 150.clean-hoststat
71daily_clean_hoststat_enable="YES"			# Purge sendmail host
72							# status cache daily
73
74# 200.backup-passwd
75daily_backup_passwd_enable="YES"			# Backup passwd & group
76
77# 210.backup-aliases
78daily_backup_aliases_enable="YES"			# Backup mail aliases
79
80# 221.backup-gpart
81if [ $(sysctl -n security.jail.jailed) = 0 ]; then
82        # Backup partition table/boot partition/MBR
83        daily_backup_gpart_enable="YES"
84else
85        daily_backup_gpart_enable="NO"
86fi
87daily_backup_gpart_verbose="NO"             		# Be verbose if new backup differs from the old one
88daily_backup_efi_enable="NO"                		# Backup EFI system partition (ESP)
89
90# 222.backup-gmirror
91daily_backup_gmirror_enable="NO"			# Backup of gmirror info (i.e., output of `gmirror list`)
92daily_backup_gmirror_verbose="NO"			# Log diff if new backup differs from the old one
93
94# 223.backup-zfs
95daily_backup_zfs_enable="NO"				# Backup output from zpool/zfs list
96daily_backup_zfs_props_enable="NO"			# Backup zpool/zfs filesystem properties
97daily_backup_zfs_get_flags="all"			# flags passed to `zfs get`
98daily_backup_zfs_list_flags=""				# flags passed to `zfs list`
99daily_backup_zpool_get_flags="all"			# flags passed to `zpool get`
100daily_backup_zpool_list_flags="-v"			# flags passed to `zpool list`
101daily_backup_zfs_verbose="NO"				# Report diff between the old and new backups.
102
103# 300.calendar
104daily_calendar_enable="NO"				# Run calendar -a
105
106# 310.accounting
107daily_accounting_enable="YES"				# Rotate acct files
108daily_accounting_compress="NO"				# Gzip rotated files
109daily_accounting_flags=-q				# Flags to /usr/sbin/sa
110daily_accounting_save=3					# How many files to save
111
112# 400.status-disks
113daily_status_disks_enable="YES"				# Check disk status
114daily_status_disks_df_flags="-l -h"			# df(1) flags for check
115
116# 401.status-graid
117daily_status_graid_enable="NO"				# Check graid(8)
118
119# 404.status-zfs
120daily_status_zfs_enable="NO"				# Check ZFS
121daily_status_zfs_zpool_list_enable="YES"		# List ZFS pools
122
123# 406.status-gmirror
124daily_status_gmirror_enable="NO"			# Check gmirror(8)
125
126# 407.status-graid3
127daily_status_graid3_enable="NO" 			# Check graid3(8)
128
129# 408.status-gstripe
130daily_status_gstripe_enable="NO"			# Check gstripe(8)
131
132# 409.status-gconcat
133daily_status_gconcat_enable="NO"			# Check gconcat(8)
134
135# 410.status-mfi
136daily_status_mfi_enable="NO"				# Check mfiutil(8)
137
138# 420.status-network
139daily_status_network_enable="YES"			# Check network status
140daily_status_network_usedns="YES"			# DNS lookups are ok
141daily_status_network_netstat_flags="-d -W"		# netstat(1) flags
142
143# 430.status-uptime
144daily_status_uptime_enable="YES"			# Check system uptime
145
146# 440.status-mailq
147daily_status_mailq_enable="YES"				# Check mail status
148daily_status_mailq_shorten="NO"				# Shorten output
149daily_status_include_submit_mailq="YES"			# Also submit queue
150
151# 450.status-security
152daily_status_security_enable="YES"			# Security check
153# See also "Security options" below for more options
154daily_status_security_inline="NO"			# Run inline ?
155daily_status_security_output="root"			# user or /file
156
157# 460.status-mail-rejects
158daily_status_mail_rejects_enable="YES"			# Check mail rejects
159daily_status_mail_rejects_logs=3			# How many logs to check
160daily_status_mail_rejects_shorten="NO"			# Shorten output
161
162# 480.leapfile-ntpd
163daily_ntpd_leapfile_enable="YES"			# Fetch NTP leapfile
164
165# 480.status-ntpd
166daily_status_ntpd_enable="NO"				# Check NTP status
167
168# 500.queuerun
169daily_queuerun_enable="YES"				# Run mail queue
170daily_submit_queuerun="YES"				# Also submit queue
171
172# 510.status-world-kernel
173daily_status_world_kernel="YES"				# Check the running
174							# userland/kernel version
175
176# 800.scrub-zfs
177daily_scrub_zfs_enable="NO"
178daily_scrub_zfs_pools=""			# empty string selects all pools
179daily_scrub_zfs_default_threshold="35"		# days between scrubs
180#daily_scrub_zfs_${poolname}_threshold="35"	# pool specific threshold
181
182# 801.trim-zfs
183daily_trim_zfs_enable="NO"
184daily_trim_zfs_pools=""				# empty string selects all pools
185daily_trim_zfs_flags=""				# zpool-trim(8) flags
186
187# 999.local
188daily_local="/etc/daily.local"				# Local scripts
189
190
191# Weekly options
192
193# These options are used by periodic(8) itself to determine what to do
194# with the output of the sub-programs that are run, and where to send
195# that output.  $weekly_output might be set to /var/log/weekly.log if you
196# wish to log the weekly output and have the files rotated by newsyslog(8)
197#
198weekly_output="root"					# user or /file
199weekly_show_success="YES"				# scripts returning 0
200weekly_show_info="YES"					# scripts returning 1
201weekly_show_badconfig="NO"				# scripts returning 2
202
203# 310.locate
204weekly_locate_enable="YES"				# Update locate weekly
205
206# 320.whatis
207weekly_whatis_enable="YES"				# Update whatis weekly
208
209# 340.noid
210weekly_noid_enable="NO"					# Find unowned files
211weekly_noid_dirs="/"					# Look here
212
213# 450.status-security
214weekly_status_security_enable="YES"			# Security check
215# See also "Security options" above for more options
216weekly_status_security_inline="NO"			# Run inline ?
217weekly_status_security_output="root"			# user or /file
218
219# 999.local
220weekly_local="/etc/weekly.local"			# Local scripts
221
222
223# Monthly options
224
225# These options are used by periodic(8) itself to determine what to do
226# with the output of the sub-programs that are run, and where to send
227# that output.  $monthly_output might be set to /var/log/monthly.log if you
228# wish to log the monthly output and have the files rotated by newsyslog(8)
229#
230monthly_output="root"					# user or /file
231monthly_show_success="YES"				# scripts returning 0
232monthly_show_info="YES"					# scripts returning 1
233monthly_show_badconfig="NO"				# scripts returning 2
234
235# 200.accounting
236monthly_accounting_enable="YES"				# Login accounting
237
238# 450.status-security
239monthly_status_security_enable="YES"			# Security check
240# See also "Security options" above for more options
241monthly_status_security_inline="NO"			# Run inline ?
242monthly_status_security_output="root"			# user or /file
243
244# 999.local
245monthly_local="/etc/monthly.local"			# Local scripts
246
247
248# Security options
249
250security_show_success="YES"				# scripts returning 0
251security_show_info="YES"				# scripts returning 1
252security_show_badconfig="NO"				# scripts returning 2
253
254# These options are used by the security periodic(8) scripts spawned in
255# daily and weekly 450.status-security.
256security_status_logdir="/var/log"			# Directory for logs
257security_status_diff_flags="-b -U 0"			# flags for diff output
258
259# Each of the security_status_*_period options below can have one of the
260# following values:
261# - NO: do not run at all
262# - daily: only run during the daily security status
263# - weekly: only run during the weekly security status
264# - monthly: only run during the monthly security status
265# Note that if periodic security scripts are run from crontab(5) directly,
266# they will be run unless _enable or _period is set to "NO".
267
268# 100.chksetuid
269security_status_chksetuid_enable="YES"
270security_status_chksetuid_period="daily"
271
272# 110.neggrpperm
273security_status_neggrpperm_enable="YES"
274security_status_neggrpperm_period="daily"
275
276# 200.chkmounts
277security_status_chkmounts_enable="YES"
278security_status_chkmounts_period="daily"
279#security_status_chkmounts_ignore="^amd:"		# Don't check matching
280							# FS types
281security_status_noamd="NO"				# Don't check amd mounts
282
283# 300.chkuid0
284security_status_chkuid0_enable="YES"
285security_status_chkuid0_period="daily"
286
287# 400.passwdless
288security_status_passwdless_enable="YES"
289security_status_passwdless_period="daily"
290
291# 410.logincheck
292security_status_logincheck_enable="YES"
293security_status_logincheck_period="daily"
294
295# 500.ipfwdenied
296security_status_ipfwdenied_enable="YES"
297security_status_ipfwdenied_period="daily"
298
299# 510.ipfdenied
300security_status_ipfdenied_enable="YES"
301security_status_ipfdenied_period="daily"
302
303# 520.pfdenied
304security_status_pfdenied_enable="YES"
305security_status_pfdenied_period="daily"
306security_status_pfdenied_additionalanchors=""
307
308# 550.ipfwlimit
309security_status_ipfwlimit_enable="YES"
310security_status_ipfwlimit_period="daily"
311
312# 610.ipf6denied
313security_status_ipf6denied_enable="YES"
314security_status_ipf6denied_period="daily"
315
316# 700.kernelmsg
317security_status_kernelmsg_enable="YES"
318security_status_kernelmsg_period="daily"
319
320# 800.loginfail
321security_status_loginfail_enable="YES"
322security_status_loginfail_period="daily"
323
324# 900.tcpwrap
325security_status_tcpwrap_enable="YES"
326security_status_tcpwrap_period="daily"
327
328
329
330# Define source_periodic_confs, the mechanism used by /etc/periodic/*/*
331# scripts to source defaults/periodic.conf overrides safely.
332
333if [ -z "${source_periodic_confs_defined}" ]; then
334        source_periodic_confs_defined=yes
335
336	# Sleep for a random amount of time in order to mitigate the thundering
337	# herd problem of multiple hosts running periodic simultaneously.
338	# Will not sleep when used interactively.
339	# Will sleep at most once per invocation of periodic
340	anticongestion() {
341		[ -n "$PERIODIC_IS_INTERACTIVE" ] && return
342		if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then
343			rm -f $PERIODIC_ANTICONGESTION_FILE
344			sleep `jot -r 1 0 ${anticongestion_sleeptime}`
345		fi
346	}
347
348	check_yesno_period() {
349		local var="$1" periodvar value period
350
351		eval value=\"\$$var\"
352		case "$value" in
353		[Yy][Ee][Ss]) ;;
354		*) return 1 ;;
355		esac
356
357		periodvar=${var%enable}period
358		eval period=\"\$$periodvar\"
359		case "$PERIODIC" in
360		"security daily")
361			case "$period" in
362			[Dd][Aa][Ii][Ll][Yy]) return 0 ;;
363			*) return 1 ;;
364			esac
365			;;
366		"security weekly")
367			case "$period" in
368			[Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
369			*) return 1 ;;
370			esac
371			;;
372		"security monthly")
373			case "$period" in
374			[Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
375			*) return 1 ;;
376			esac
377			;;
378		security)
379			# Run directly from crontab(5).
380			case "$period" in
381			[Nn][Oo]) return 1 ;;
382			*) return 0 ;;
383			esac
384			;;
385                '')
386                        # Script run manually.
387                        return 0
388                        ;;
389		*)
390			echo "ASSERTION FAILED: Unexpected value for" \
391			    "\$PERIODIC: '$PERIODIC'" >&2
392			exit 127
393			;;
394		esac
395	}
396
397        source_periodic_confs() {
398                local i sourced_files
399
400                for i in ${periodic_conf_files}; do
401                        case ${sourced_files} in
402                        *:$i:*)
403                                ;;
404                        *)
405                                sourced_files="${sourced_files}:$i:"
406                                [ -r $i ] && . $i
407                                ;;
408                        esac
409                done
410        }
411fi
412