Implement periodic hammer2 snapshots.
[dragonfly.git] / share / man / man5 / periodic.conf.5
CommitLineData
984263bc
MD
1.\"-
2.\" Copyright (c) 2000 Brian Somers <brian@Awfulhak.org>
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\" notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\" notice, this list of conditions and the following disclaimer in the
12.\" documentation and/or other materials provided with the distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
c451e5e9 26.\" $FreeBSD: head/share/man/man5/periodic.conf.5 323550 2017-09-13 16:35:16Z gordon $
984263bc 27.\"
52d59648 28.Dd June 8, 2020
984263bc
MD
29.Dt PERIODIC.CONF 5
30.Os
31.Sh NAME
32.Nm periodic.conf
33.Nd periodic job configuration information
34.Sh DESCRIPTION
35The file
36.Nm
3f5e28f4 37contains a description of how daily, weekly and monthly system maintenance
984263bc
MD
38jobs should run.
39It resides in the
40.Pa /etc/defaults
41directory and parts may be overridden by a file of the same name in
42.Pa /etc ,
43which itself may be overridden by the
44.Pa /etc/periodic.conf.local
45file.
46.Pp
c451e5e9 47The
984263bc 48.Nm
c451e5e9 49file
984263bc
MD
50is actually sourced as a shell script from each of the periodic scripts
51and is intended to simply provide default configuration variables.
52.Pp
53The following variables are used by
54.Xr periodic 8
55itself:
56.Bl -tag -offset 4n -width 2n
57.It Va local_periodic
58.Pq Vt str
59List of directories to search for periodic scripts.
60This list is always prefixed with
61.Pa /etc/periodic ,
62and is only used when an argument to
63.Xr periodic 8
64is not an absolute directory name.
c451e5e9 65.It Ao Ar dir Ac Ns Va _output
984263bc 66.Pq Vt path No or Vt list
c451e5e9 67What to do with the output of the scripts executed from
984263bc
MD
68the directory
69.Ar dir .
70If this variable is set to an absolute path name, output is logged to
71that file, otherwise it is taken as one or more space separated email
72addresses and mailed to those users.
73If this variable is not set or is empty, output is sent to standard output.
74.Pp
75For an unattended machine, suitable values for
76.Va daily_output ,
77.Va weekly_output ,
78and
79.Va monthly_output
80might be
c451e5e9
AL
81.Dq Li /var/log/daily.log ,
82.Dq Li /var/log/weekly.log ,
984263bc 83and
c451e5e9 84.Dq Li /var/log/monthly.log
984263bc
MD
85respectively, as
86.Xr newsyslog 8
87will rotate these files (if they exists) at the appropriate times.
c451e5e9
AL
88.It Ao Ar dir Ac Ns Va _show_success
89.It Ao Ar dir Ac Ns Va _show_info
90.It Ao Ar dir Ac Ns Va _show_badconfig
984263bc
MD
91.Pq Vt bool
92These variables control whether
93.Xr periodic 8
c451e5e9 94will mask the output of the executed scripts based on their return code
984263bc
MD
95(where
96.Ar dir
97is the base directory name in which each script resides).
98If the return code of a script is
99.Sq 0
100and
c451e5e9 101.Ao Ar dir Ac Ns Va _show_success
984263bc 102is set to
c451e5e9 103.Dq Li NO ,
984263bc
MD
104.Xr periodic 8
105will mask the script's output.
106If the return code of a script is
107.Sq 1
108and
c451e5e9 109.Ao Ar dir Ac Ns Va _show_info
984263bc 110is set to
c451e5e9 111.Dq Li NO ,
984263bc
MD
112.Xr periodic 8
113will mask the script's output.
114If the return code of a script is
115.Sq 2
116and
c451e5e9 117.Ao Ar dir Ac Ns Va _show_badconfig
984263bc 118is set to
c451e5e9 119.Dq Li NO ,
984263bc
MD
120.Xr periodic 8
121will mask the script's output.
122If these variables are set to neither
c451e5e9 123.Dq Li YES
984263bc 124nor
c451e5e9 125.Dq Li NO ,
984263bc 126they default to
c451e5e9
AL
127.Dq Li YES ,
128.Dq Li YES
984263bc 129and
c451e5e9 130.Dq Li NO
984263bc
MD
131respectively.
132.Pp
133Refer to the
134.Xr periodic 8
c451e5e9
AL
135manual page for how script return codes are interpreted.
136.It Va anticongestion_sleeptime
137.Pq Vt int
138The maximum number of seconds to randomly sleep in order to smooth bursty loads
139on a shared resource, such as a download mirror.
984263bc
MD
140.El
141.Pp
142The following variables are used by the standard scripts that reside in
143.Pa /etc/periodic/daily :
144.Bl -tag -offset 4n -width 2n
145.It Va daily_clean_disks_enable
146.Pq Vt bool
147Set to
c451e5e9 148.Dq Li YES
984263bc
MD
149if you want to remove all files matching
150.Va daily_clean_disks_files
151daily.
152.It Va daily_clean_disks_files
153.Pq Vt str
154Set to a list of file names to match.
155Wild cards are permitted.
156.It Va daily_clean_disks_days
157.Pq Vt num
158When
159.Va daily_clean_disks_enable
160is set to
c451e5e9 161.Dq Li YES ,
984263bc 162this must also be set to the number of days old that a file's access
c451e5e9 163and modification times must be before it is deleted.
984263bc
MD
164.It Va daily_clean_disks_verbose
165.Pq Vt bool
166Set to
c451e5e9 167.Dq Li YES
984263bc
MD
168if you want the removed files to be reported in your daily output.
169.It Va daily_clean_tmps_enable
170.Pq Vt bool
171Set to
c451e5e9 172.Dq Li YES
984263bc
MD
173if you want to clear temporary directories daily.
174.It Va daily_clean_tmps_dirs
175.Pq Vt str
176Set to the list of directories to clear if
177.Va daily_clean_tmps_enable
178is set to
c451e5e9 179.Dq Li YES .
984263bc
MD
180.It Va daily_clean_tmps_days
181.Pq Vt num
182When
183.Va daily_clean_tmps_enable
184is set, this must also be set to the number of days old that a file's access
c451e5e9 185and modification times must be before it is deleted.
984263bc
MD
186.It Va daily_clean_tmps_ignore
187.Pq Vt str
188Set to the list of files that should not be deleted when
189.Va daily_clean_tmps_enable
190is set to
c451e5e9 191.Dq Li YES .
984263bc
MD
192Wild card characters are permitted.
193.It Va daily_clean_tmps_verbose
194.Pq Vt bool
195Set to
c451e5e9 196.Dq Li YES
984263bc
MD
197if you want the removed files to be reported in your daily output.
198.It Va daily_clean_preserve_enable
199.Pq Vt bool
200Set to
c451e5e9 201.Dq Li YES
984263bc
MD
202if you wish to remove old files from
203.Pa /var/preserve .
204.It Va daily_clean_preserve_days
205.Pq Vt num
206Set to the number of days that files must not have been modified before
207they are deleted.
208.It Va daily_clean_preserve_verbose
209.Pq Vt bool
210Set to
c451e5e9 211.Dq Li YES
984263bc
MD
212if you want the removed files to be reported in your daily output.
213.It Va daily_clean_msgs_enable
214.Pq Vt bool
215Set to
c451e5e9 216.Dq Li YES
984263bc
MD
217if you wish old system messages to be purged.
218.It Va daily_clean_msgs_days
219.Pq Vt num
220Set to the number of days that files must not have been modified before
221they are deleted.
222If this variable is left blank, the
223.Xr msgs 1
224default is used.
225.It Va daily_clean_rwho_enable
226.Pq Vt bool
227Set to
c451e5e9 228.Dq Li YES
984263bc
MD
229if you wish old files in
230.Pa /var/who
231to be purged.
232.It Va daily_clean_rwho_days
233.Pq Vt num
234Set to the number of days that files must not have been modified before
235they are deleted.
236.It Va daily_clean_rwho_verbose
237.Pq Vt bool
238Set to
c451e5e9 239.Dq Li YES
984263bc
MD
240if you want the removed files to be reported in your daily output.
241.It Va daily_clean_hoststat_enable
242.Pq Vt bool
243Set to
c451e5e9 244.Dq Li YES
3181538d
GNS
245to run
246.Nm sendmail Fl bH
247to automatically purge stale entries from
248.Xr sendmail 8 Ns 's
249host status cache.
250Files will be deleted using the same criteria as
251.Xr sendmail 8
252would normally use when determining whether to believe the cached information,
253as configured in
254.Pa /etc/mail/sendmail.cf .
e0331f4f
SW
255.It Va daily_clean_hammer_enable
256.Pq Vt bool
257Set to
c451e5e9 258.Dq Li YES
e0331f4f
SW
259if you want
260.Xr HAMMER 5
261file systems to be snapshot, pruned and reblocked.
262.It Va daily_clean_hammer_verbose
263.Pq Vt bool
264Set to
c451e5e9 265.Dq Li YES
e0331f4f 266if you wish more verbose output.
3ea362ca
CT
267.It Va daily_clean_hammer_pfslist
268.Pq Vt str
269Set to a list of
270.Xr HAMMER 5
1760c796 271filesystems and pseudo-filesystems to clean.
3ea362ca
CT
272If this variable is left blank, the default
273.Xr hammer 8
274.Ic cleanup
275actions occur.
7979f03d
TN
276.It Va daily_clean_hammer2_enable
277.Pq Vt bool
278Set to
c451e5e9 279.Dq Li YES
7979f03d
TN
280if you want
281to run
282.Xr hammer2 8
283.Cm cleanup .
284This will e.g.\&
285.Ic bulkfree
286.Xr hammer2 8
287file systems.
288.It Va daily_clean_hammer2_verbose
289.Pq Vt bool
290Set to
c451e5e9 291.Dq Li YES
7979f03d
TN
292if you wish more verbose output.
293.It Va daily_clean_hammer2_pfslist
294.Pq Vt str
295Set to a list of
296.Xr hammer2 8
297filesystems and pseudo-filesystems to clean.
298If this variable is left blank, the default
299.Xr hammer2 8
300.Ic cleanup
301actions occur.
984263bc
MD
302.It Va daily_backup_passwd_enable
303.Pq Vt bool
304Set to
c451e5e9 305.Dq Li YES
984263bc
MD
306if you want the
307.Pa /etc/master.passwd
308and
309.Pa /etc/group
310files backed up and reported on.
311Reporting consists of checking both files for modifications and running
312.Xr chkgrp 8
313on the
314.Pa group
315file.
316.It Va daily_backup_aliases_enable
317.Pq Vt bool
318Set to
c451e5e9 319.Dq Li YES
984263bc
MD
320if you want the
321.Pa /etc/mail/aliases
322file backed up and modifications to be displayed in your daily output.
984263bc
MD
323.It Va daily_calendar_enable
324.Pq Vt bool
325Set to
c451e5e9 326.Dq Li YES
984263bc 327if you want to run
c451e5e9 328.Nm calendar Fl a
984263bc
MD
329daily.
330.It Va daily_accounting_enable
331.Pq Vt bool
332Set to
c451e5e9 333.Dq Li YES
984263bc
MD
334if you want to rotate your daily accounting files.
335No rotations are necessary unless
336.Va accounting_enable
337is enabled in
338.Xr rc.conf 5 .
339.It Va daily_accounting_compress
340.Pq Vt bool
341Set to
c451e5e9 342.Dq Li YES
984263bc
MD
343if you want your daily accounting files to be compressed using
344.Xr gzip 1 .
345.It Va daily_accounting_save
346.Pq Vt num
347When
348.Va daily_accounting_enable
349is set, this may also be set to the number of daily accounting files that are
350to be saved.
351The default is
c451e5e9 352.Dq Li 3 .
984263bc
MD
353.It Va daily_accounting_flags
354.Pq Vt str
355Set to the arguments to pass to the
356.Xr sa 8
357utility (in addition to
358.Fl s )
359when
360.Va daily_accounting_enable
361is set to
c451e5e9 362.Dq Li YES .
984263bc
MD
363The default is
364.Fl q .
984263bc
MD
365.It Va daily_news_expire_enable
366.Pq Vt bool
367Set to
c451e5e9 368.Dq Li YES
984263bc
MD
369if you want to run
370.Pa /etc/news.expire .
52d59648
DF
371.It Va daily_snapshot_hammer2_capacity
372.Pq Vt num
373Storage usage threshold, in percents. Snapshots won't be created once
374used capacity exceeds this limit. Default is 90.
375.It Va daily_snapshot_hammer2_dirs
376.Pq Vt str
377Space-separated list of directories on HAMMER2 filesystem(s) to snapshot.
378Default is (a special keyword) "auto" which means snapshots will be created
379for all currently mounted HAMMER2 volumes.
380.It Va daily_snapshot_hammer2_enable
381.Pq Vt bool
382Set to
383.Dq Li YES
384if you want to create daily snapshots of directories on HAMMER2 filesystem(s).
385.It Va daily_snapshot_hammer2_keep
386.Pq Vt num or "auto"
387Maximum number of daily snapshots to keep for each configured HAMMER2 directory.
388If set to "auto", 15 is used as the initial value, but more snapshots can be
389kept actually, according to free storage capacity.
390.It Va daily_snapshot_hammer2_tag
391.Pq Vt str
392Tag to be used for daily snapshots labels. Default is "daily".
393The actual label is then composed adhering to this pattern:
394<path>.<flag>.<year><month><day>.<hour>:<minute>
984263bc
MD
395.It Va daily_status_disks_enable
396.Pq Vt bool
397Set to
c451e5e9 398.Dq Li YES
984263bc
MD
399if you want to run
400.Xr df 1
401(with the arguments supplied in
402.Va daily_status_disks_df_flags )
403and
c451e5e9 404.Nm dump Fl W .
984263bc
MD
405.It Va daily_status_disks_df_flags
406.Pq Vt str
407Set to the arguments for the
408.Xr df 1
409utility when
410.Va daily_status_disks_enable
411is set to
c451e5e9 412.Dq Li YES .
f904d9d6
SW
413.It Va daily_status_mfi_enable
414.Pq Vt bool
415Set to
416.Dq Li YES
417if you want to run
418.Nm mfiutil Cm status
419on your
420.Xr mfi 4
421devices.
984263bc
MD
422.It Va daily_status_network_enable
423.Pq Vt bool
424Set to
c451e5e9 425.Dq Li YES
984263bc 426if you want to run
c451e5e9
AL
427.Nm netstat Fl i .
428.It Va daily_status_network_netstat_flags
429.Pq Vt str
430Set to additional arguments for the
431.Xr netstat 1
432utility when
433.Va daily_status_network_enable
434is set to
435.Dq Li YES .
436The default is
437.Fl d .
984263bc
MD
438.It Va daily_status_network_usedns
439.Pq Vt bool
440Set to
c451e5e9 441.Dq Li YES
984263bc
MD
442if you want to run
443.Xr netstat 1
444without the
445.Fl n
446option (to do DNS lookups).
c451e5e9 447.It Va daily_status_uptime_enable
984263bc
MD
448.Pq Vt bool
449Set to
c451e5e9 450.Dq Li YES
984263bc
MD
451if you want to run
452.Xr uptime 1
453(or
454.Xr ruptime 1
455if
456.Va rwhod_enable
457is set to
c451e5e9 458.Dq Li YES
984263bc
MD
459in
460.Pa /etc/rc.conf ) .
461.It Va daily_status_mailq_enable
462.Pq Vt bool
463Set to
c451e5e9 464.Dq Li YES
984263bc
MD
465if you want to run
466.Xr mailq 1 .
467.It Va daily_status_mailq_shorten
468.Pq Vt bool
469Set to
c451e5e9 470.Dq Li YES
984263bc 471if you want to shorten the
c451e5e9 472.Xr mailq 1
984263bc
MD
473output when
474.Va daily_status_mailq_enable
475is set to
c451e5e9 476.Dq Li YES .
984263bc
MD
477.It Va daily_status_include_submit_mailq
478.Pq Vt bool
479Set to
c451e5e9 480.Dq Li YES
984263bc
MD
481if you also want to run
482.Xr mailq 1
483on the submit mail queue when
484.Va daily_status_mailq_enable
485is set to
c451e5e9 486.Dq Li YES .
984263bc
MD
487This may not work with MTAs other than
488.Xr sendmail 8 .
489.It Va daily_status_security_enable
490.Pq Vt bool
491Set to
c451e5e9 492.Dq Li YES
984263bc
MD
493if you want to run the security check.
494The security check is another set of
495.Xr periodic 8
496scripts.
497The system defaults are in
498.Pa /etc/periodic/security .
499Local scripts should be placed in
500.Pa /usr/local/etc/periodic/security .
501See the
502.Xr periodic 8
503manual page for more information.
504.It Va daily_status_security_inline
505.Pq Vt bool
506Set to
c451e5e9 507.Dq Li YES
984263bc
MD
508if you want the security check output inline.
509The default is to either mail or log the output according to the value of
510.Va daily_status_security_output .
511.It Va daily_status_security_output
512.Pq Vt str
513Where to send the output of the security check if
514.Va daily_status_security_inline
515is set to
c451e5e9 516.Dq Li NO .
984263bc
MD
517This variable behaves in the same way as the
518.Va *_output
519variables above, namely it can be set either to one or more email addresses
520or to an absolute file name.
984263bc
MD
521.It Va daily_status_mail_rejects_enable
522.Pq Vt bool
523Set to
c451e5e9 524.Dq Li YES
984263bc
MD
525if you want to summarise mail rejections logged to
526.Pa /var/log/maillog
527for the previous day.
528.It Va daily_status_mail_rejects_logs
529.Pq Vt num
530Set to the number of maillog files that should be checked
531for yesterday's mail rejects.
f904d9d6 532.It Va daily_status_mail_rejects_shorten
ebc73b4b 533.Pq Vt bool
f904d9d6
SW
534Set to
535.Dq Li YES
536if you want to shorten the mail rejections output.
984263bc
MD
537.It Va daily_queuerun_enable
538.Pq Vt bool
539Set to
c451e5e9 540.Dq Li YES
984263bc
MD
541if you want to manually run the mail queue at least once a day.
542.It Va daily_submit_queuerun
543.Pq Vt bool
544Set to
c451e5e9 545.Dq Li YES
984263bc
MD
546if you also want to manually run the submit mail queue at least once a day
547when
548.Va daily_queuerun_enable
549is set to
c451e5e9 550.Dq Li YES .
984263bc
MD
551.It Va daily_local
552.Pq Vt str
553Set to a list of extra scripts that should be run after all other
554daily scripts.
555All scripts must be absolute path names.
556.El
557.Pp
558The following variables are used by the standard scripts that reside in
559.Pa /etc/periodic/weekly :
560.Bl -tag -offset 4n -width 2n
984263bc
MD
561.It Va weekly_locate_enable
562.Pq Vt bool
563Set to
c451e5e9 564.Dq Li YES
984263bc
MD
565if you want to run
566.Pa /usr/libexec/locate.updatedb .
567This script is run using
c451e5e9 568.Nm nice Fl 5
984263bc 569as user
c451e5e9 570.Dq Li nobody ,
984263bc
MD
571and generates the table used by the
572.Xr locate 1
573command.
574.It Va weekly_whatis_enable
575.Pq Vt bool
576Set to
c451e5e9 577.Dq Li YES
984263bc
MD
578if you want to run
579.Pa /usr/libexec/makewhatis.local .
580This script regenerates the database used by the
581.Xr apropos 1
582command.
984263bc
MD
583.It Va weekly_noid_enable
584.Pq Vt bool
585Set to
c451e5e9 586.Dq Li YES
984263bc
MD
587if you want to locate orphaned files on the system.
588An orphaned file is one with an invalid owner or group.
589.It Va weekly_noid_dirs
590.Pq Vt str
591A list of directories under which orphaned files are searched for.
592This would usually be set to
593.Pa / .
52d59648
DF
594.It Va weekly_snapshot_hammer2_capacity
595.Pq Vt num
596Weekly counterpart of
597.Va daily_snapshot_hammer2_capacity .
598.It Va weekly_snapshot_hammer2_dirs
599.Pq Vt str
600Weekly counterpart of
601.Va daily_snapshot_hammer2_dirs .
602.It Va weekly_snapshot_hammer2_enable
603.Pq Vt bool
604Set to
605.Dq Li YES
606if you want to create weekly snapshots of directories on HAMMER2 filesystem(s).
607.It Va weekly_snapshot_hammer2_keep
608.Pq Vt num or "auto"
609Weekly counterpart of
610.Va daily_snapshot_hammer2_keep .
611If set to "auto", 6 is used as the initial value.
612.It Va weekly_snapshot_hammer2_tag
613.Pq Vt str
614Weekly counterpart of
615.Va daily_snapshot_hammer2_tag .
616Default is "weekly".
c451e5e9
AL
617.It Va weekly_status_security_enable
618.Pq Vt bool
619Weekly counterpart of
620.Va daily_status_security_enable .
621.It Va weekly_status_security_inline
622.Pq Vt bool
623Weekly counterpart of
624.Va daily_status_security_inline .
625.It Va weekly_status_security_output
626.Pq Vt str
627Weekly counterpart of
628.Va daily_status_security_output .
984263bc
MD
629.It Va weekly_local
630.Pq Vt str
631Set to a list of extra scripts that should be run after all other
632weekly scripts.
633All scripts must be absolute path names.
634.El
635.Pp
636The following variables are used by the standard scripts that reside in
637.Pa /etc/periodic/monthly :
638.Bl -tag -offset 4n -width 2n
639.It Va monthly_accounting_enable
640.Pq Vt bool
641Set to
c451e5e9 642.Dq Li YES
984263bc
MD
643if you want to do login accounting using the
644.Xr ac 8
645command.
52d59648
DF
646.It Va monthly_snapshot_hammer2_capacity
647.Pq Vt num
648Monthly counterpart of
649.Va daily_snapshot_hammer2_capacity .
650.It Va monthly_snapshot_hammer2_dirs
651.Pq Vt str
652Monthly counterpart of
653.Va daily_snapshot_hammer2_dirs .
654.It Va monthly_snapshot_hammer2_enable
655.Pq Vt bool
656Set to
657.Dq Li YES
658if you want to create monthly snapshots of directories on HAMMER2 filesystem(s).
659.It Va monthly_snapshot_hammer2_keep
660.Pq Vt num or "auto"
661Monthly counterpart of
662.Va daily_snapshot_hammer2_keep .
663If set to "auto", 12 is used as the initial value.
664.It Va monthly_snapshot_hammer2_tag
665.Pq Vt str
666Monthly counterpart of
667.Va daily_snapshot_hammer2_tag .
668Default is "monthly".
c451e5e9 669.It Va monthly_status_security_enable
3b4d8a54 670.Pq Vt bool
c451e5e9
AL
671Monthly counterpart of
672.Va daily_status_security_enable .
673.It Va monthly_status_security_inline
3b4d8a54 674.Pq Vt bool
c451e5e9
AL
675Monthly counterpart of
676.Va daily_status_security_inline .
677.It Va monthly_status_security_output
678.Pq Vt str
679Monthly counterpart of
680.Va daily_status_security_output .
984263bc
MD
681.It Va monthly_local
682.Pq Vt str
683Set to a list of extra scripts that should be run after all other
684monthly scripts.
685All scripts must be absolute path names.
686.El
c451e5e9
AL
687.Pp
688The following variables are used by the standard scripts that reside in
689.Pa /etc/periodic/security .
690Those scripts are usually run from daily
691.Pq Va daily_status_security_enable ,
692weekly
693.Pq Va weekly_status_security_enable ,
694and monthly
695.Pq Va monthly_status_security_enable
696periodic hooks.
697The
698.Va ..._period
699of each script can be configured as
700.Dq daily ,
701.Dq weekly ,
702.Dq monthly
703or
704.Dq NO .
705Note that when periodic security scripts are run from
706.Xr crontab 5 ,
707they will be always run unless their
708.Va ..._enable
709or
710.Va ..._period
711variable is set to
712.Dq NO .
713.Bl -tag -offset 4n -width 2n
714.It Va security_status_logdir
715.Pq Vt str
716The directory where the security scripts expect the system's log files.
717The default is
718.Pa /var/log .
719.It Va security_status_diff_flags
720.Pq Vt str
721Set to the arguments to pass to the
722.Xr diff 1
723utility when generating differences.
724The default is
725.Fl b u .
726.It Va security_status_chksetuid_enable
727.Pq Vt bool
728Set to
729.Dq Li YES
730to compare the modes and modification times of setuid executables with
731the previous day's values.
732.It Va security_status_chksetuid_period
733.Pq Vt str
734Set to either
735.Dq Li daily ,
736.Dq Li weekly ,
737.Dq Li monthly
738or
739.Dq Li NO .
740.It Va security_status_neggrpperm_enable
741.Pq Vt bool
742Set to
743.Dq Li YES
744to check for files where the group of a file has less permissions than
745the world at large.
746When users are in more than 14 supplemental groups these negative
747permissions may not be enforced via NFS shares.
748.It Va security_status_neggrpperm_period
749.Pq Vt str
750Set to either
751.Dq Li daily ,
752.Dq Li weekly ,
753.Dq Li monthly
754or
755.Dq Li NO .
756.It Va security_status_chkmounts_enable
757.Pq Vt bool
758Set to
759.Dq Li YES
760to check for changes mounted file systems to the previous day's values.
761.It Va security_status_chkmounts_period
762.Pq Vt str
763Set to either
764.Dq Li daily ,
765.Dq Li weekly ,
766.Dq Li monthly
767or
768.Dq Li NO .
769.It Va security_status_nomfs
770.Pq Vt bool
771Set to
772.Dq Li YES
773if you want to ignore
774.Xr mfs 8
775mounts when comparing against yesterday's file system mounts in the
776.Va security_status_chkmounts_enable
777check.
778.It Va security_status_chkuid0_enable
779.Pq Vt bool
780Set to
781.Dq Li YES
782to check
783.Pa /etc/master.passwd
784for accounts with UID 0.
785.It Va security_status_chkuid0_period
786.Pq Vt str
787Set to either
788.Dq Li daily ,
789.Dq Li weekly ,
790.Dq Li monthly
791or
792.Dq Li NO .
793.It Va security_status_passwdless_enable
794.Pq Vt bool
795Set to
796.Dq Li YES
797to check
798.Pa /etc/master.passwd
799for accounts with empty passwords.
800.It Va security_status_passwdless_period
801.Pq Vt str
802Set to either
803.Dq Li daily ,
804.Dq Li weekly ,
805.Dq Li monthly
806or
807.Dq Li NO .
808.It Va security_status_logincheck_enable
809.Pq Vt bool
810Set to
811.Dq Li YES
812to check
813.Pa /etc/login.conf
814ownership, see
815.Xr login.conf 5
816for more information.
817.It Va security_status_logincheck_period
818.Pq Vt str
819Set to either
820.Dq Li daily ,
821.Dq Li weekly ,
822.Dq Li monthly
823or
824.Dq Li NO .
825.It Va security_status_ipfwdenied_enable
826.Pq Vt bool
827Set to
828.Dq Li YES
829to show log entries for packets denied by
830.Xr ipfw 8
831since yesterday's check.
832.It Va security_status_ipfwdenied_period
833.Pq Vt str
834Set to either
835.Dq Li daily ,
836.Dq Li weekly ,
837.Dq Li monthly
838or
839.Dq Li NO .
840.It Va security_status_pfdenied_enable
841.Pq Vt bool
842Set to
843.Dq Li YES
844to show log entries for packets denied by
845.Xr pf 4
846since yesterday's check.
847.It Va security_status_pfdenied_period
848.Pq Vt str
849Set to either
850.Dq Li daily ,
851.Dq Li weekly ,
852.Dq Li monthly
853or
854.Dq Li NO .
855.It Va security_status_ipfwlimit_enable
856.Pq Vt bool
857Set to
858.Dq Li YES
859to display
860.Xr ipfw 8
861rules that have reached their verbosity limit.
862.It Va security_status_ipfwlimit_period
863.Pq Vt str
864Set to either
865.Dq Li daily ,
866.Dq Li weekly ,
867.Dq Li monthly
868or
869.Dq Li NO .
870.It Va security_status_ip6fwdenied_enable
871.Pq Vt bool
872Set to
873.Dq Li YES
874to show log entries for packets denied by
875.Xr ip6fw 8
876since yesterday's check.
877.It Va security_status_ip6fwdenied_period
878.Pq Vt str
879Set to either
880.Dq Li daily ,
881.Dq Li weekly ,
882.Dq Li monthly
883or
884.Dq Li NO .
885.It Va security_status_ip6fwlimit_enable
886.Pq Vt bool
887Set to
888.Dq Li YES
889to display
890.Xr ip6fw 8
891rules that have reached their verbosity limit.
892.It Va security_status_ip6fwlimit_period
893.Pq Vt str
894Set to either
895.Dq Li daily ,
896.Dq Li weekly ,
897.Dq Li monthly
898or
899.Dq Li NO .
900.It Va security_status_kernelmsg_enable
901.Pq Vt bool
902Set to
903.Dq Li YES
904to show new
905.Xr dmesg 8
906entries since yesterday's check.
907.It Va security_status_kernelmsg_period
908.Pq Vt str
909Set to either
910.Dq Li daily ,
911.Dq Li weekly ,
912.Dq Li monthly
913or
914.Dq Li NO .
915.It Va security_status_loginfail_enable
916.Pq Vt bool
917Set to
918.Dq Li YES
919to display failed logins from
920.Pa /var/log/messages
921in the previous day.
922.It Va security_status_loginfail_period
923.Pq Vt str
924Set to either
925.Dq Li daily ,
926.Dq Li weekly ,
927.Dq Li monthly
928or
929.Dq Li NO .
930.It Va security_status_tcpwrap_enable
931.Pq Vt bool
932Set to
933.Dq Li YES
934to display connections denied by tcpwrappers (see
935.Xr hosts_access 5 )
936from
937.Pa /var/log/messages
938during the previous day.
939.It Va security_status_tcpwrap_period
940.Pq Vt str
941Set to either
942.Dq Li daily ,
943.Dq Li weekly ,
944.Dq Li monthly
945or
946.Dq Li NO .
947.El
984263bc 948.Sh FILES
c451e5e9 949.Bl -tag -width ".Pa /etc/defaults/periodic.conf"
984263bc
MD
950.It Pa /etc/defaults/periodic.conf
951The default configuration file.
952This file contains all default variables and values.
953.It Pa /etc/periodic.conf
954The usual system specific variable override file.
955.It Pa /etc/periodic.conf.local
956An additional override file, useful when
957.Pa /etc/periodic.conf
958is shared or distributed.
959.El
960.Sh SEE ALSO
961.Xr apropos 1 ,
962.Xr calendar 1 ,
963.Xr df 1 ,
7714392d 964.Xr diff 1 ,
984263bc
MD
965.Xr gzip 1 ,
966.Xr locate 1 ,
967.Xr man 1 ,
968.Xr msgs 1 ,
969.Xr netstat 1 ,
970.Xr nice 1 ,
7979f03d 971.Xr HAMMER 5 ,
c451e5e9 972.Xr login.conf 5 ,
984263bc
MD
973.Xr rc.conf 5 ,
974.Xr ac 8 ,
984263bc
MD
975.Xr chkgrp 8 ,
976.Xr dump 8 ,
7979f03d
TN
977.Xr hammer 8 ,
978.Xr hammer2 8 ,
984263bc
MD
979.Xr mfs 8 ,
980.Xr newsyslog 8 ,
3181538d
GNS
981.Xr periodic 8 ,
982.Xr sendmail 8
984263bc
MD
983.Sh HISTORY
984The
985.Nm
986file appeared in
987.Fx 4.1 .
988.Sh AUTHORS
c451e5e9 989.An Brian Somers Aq Mt brian@Awfulhak.org