Feb 25, 2020

2020-02-25 11:28:31 -08:00
commit f26cf87f5a
436 changed files with 67904 additions and 0 deletions
--- a/configs/etc/defaults/devfs.rules
+++ b/configs/etc/defaults/devfs.rules
@ -0,0 +1,112 @@
+#
+# The following are some default rules for devfs(5) mounts.
+# The format is very simple. Empty lines and lines beginning
+# with a hash '#' are ignored. If the hash mark occurs anywhere
+# other than the beginning of a line, it and any subsequent
+# characters will be ignored.  A line in between brackets '[]'
+# denotes the beginning of a ruleset. In the brackets should
+# be a name for the rule and its ruleset number. Any other lines
+# will be considered to be the 'action' part of a rule
+# passed to the devfs(8) command. These will be passed
+# "as-is" to the devfs(8) command with the exception that
+# any references to other rulesets will be expanded first. These
+# references must include a dollar sign '$' in front of the
+# name to be expanded properly.
+#
+# $FreeBSD: releng/12.1/sbin/devfs/devfs.rules 338204 2018-08-22 15:55:23Z brd $
+#
+
+# Very basic and secure ruleset: Hide everything.
+# Used as a basis for other rules.
+#
+[devfsrules_hide_all=1]
+add hide
+
+# Basic devices typically necessary.
+# Requires: devfsrules_hide_all
+#
+[devfsrules_unhide_basic=2]
+add path log unhide
+add path null unhide
+add path zero unhide
+add path crypto unhide
+add path random unhide
+add path urandom unhide
+
+# Devices typically needed to support logged-in users.
+# Requires: devfsrules_hide_all
+#
+[devfsrules_unhide_login=3]
+add path 'ptyp*' unhide
+add path 'ptyq*' unhide
+add path 'ptyr*' unhide
+add path 'ptys*' unhide
+add path 'ptyP*' unhide
+add path 'ptyQ*' unhide
+add path 'ptyR*' unhide
+add path 'ptyS*' unhide
+add path 'ptyl*' unhide
+add path 'ptym*' unhide
+add path 'ptyn*' unhide
+add path 'ptyo*' unhide
+add path 'ptyL*' unhide
+add path 'ptyM*' unhide
+add path 'ptyN*' unhide
+add path 'ptyO*' unhide
+add path 'ttyp*' unhide
+add path 'ttyq*' unhide
+add path 'ttyr*' unhide
+add path 'ttys*' unhide
+add path 'ttyP*' unhide
+add path 'ttyQ*' unhide
+add path 'ttyR*' unhide
+add path 'ttyS*' unhide
+add path 'ttyl*' unhide
+add path 'ttym*' unhide
+add path 'ttyn*' unhide
+add path 'ttyo*' unhide
+add path 'ttyL*' unhide
+add path 'ttyM*' unhide
+add path 'ttyN*' unhide
+add path 'ttyO*' unhide
+add path ptmx unhide
+add path pts unhide
+add path 'pts/*' unhide
+add path fd unhide
+add path 'fd/*' unhide
+add path stdin unhide
+add path stdout unhide
+add path stderr unhide
+
+# Devices usually found in a jail.
+#
+[devfsrules_jail=4]
+add include $devfsrules_hide_all
+add include $devfsrules_unhide_basic
+add include $devfsrules_unhide_login
+add path fuse unhide
+add path zfs unhide
+
+[usbrules=100]
+add path 'usbctl' mode 660 group uucp
+add path 'usb/*' mode 660 group uucp
+add path 'ttyU*' mode 660 group uucp
+
+[serial_usb_rules=1000]
+add include $devfsrules_jail
+add path 'cuau*' unhide
+add path 'cuaU*' unhide
+add path 'ttyu*' unhide
+add path 'ttyU*' unhide
+add path 'usb*' unhide
+add path 'usb/*' unhide
+
+[devfs_rules_bhyve_jail=2000]
+add include $devfsrules_jail
+add path vmm unhide
+add path vmm/* unhide
+add path vmm.io unhide
+add path vmm.io/* unhide
+add path tap* unhide
+add path zvol/ship/raw/* unhide
+add path nmdm* unhide
--- a/configs/etc/defaults/periodic.conf
+++ b/configs/etc/defaults/periodic.conf
@ -0,0 +1,407 @@
+#!/bin/sh
+#
+# This is defaults/periodic.conf - a file full of useful variables that
+# you can set to change the default behaviour of periodic jobs on your
+# system.  You should not edit this file!  Put any overrides into one of the
+# $periodic_conf_files instead and you will be able to update these defaults
+# later without spamming your local configuration information.
+#
+# The $periodic_conf_files files should only contain values which override
+# values set in this file.  This eases the upgrade path when defaults
+# are changed and new features are added.
+#
+# For a more detailed explanation of all the periodic.conf variables, please
+# refer to the periodic.conf(5) manual page.
+#
+# $FreeBSD: releng/12.1/usr.sbin/periodic/periodic.conf 337648 2018-08-11 17:11:08Z brd $
+#
+
+# What files override these defaults ?
+periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local"
+
+# periodic script dirs
+local_periodic="/usr/local/etc/periodic"
+
+# Max time to sleep to avoid causing congestion on download servers
+anticongestion_sleeptime=3600
+
+# Daily options
+
+# These options are used by periodic(8) itself to determine what to do
+# with the output of the sub-programs that are run, and where to send
+# that output.  $daily_output might be set to /var/log/daily.log if you
+# wish to log the daily output and have the files rotated by newsyslog(8)
+#
+daily_output="root"					# user or /file
+daily_show_success="YES"				# scripts returning 0
+daily_show_info="YES"					# scripts returning 1
+daily_show_badconfig="YES"				# scripts returning 2
+
+# 100.clean-disks
+daily_clean_disks_enable="NO"				# Delete files daily
+daily_clean_disks_files="[#,]* .#* a.out *.core *.CKP .emacs_[0-9]*"
+daily_clean_disks_days=3				# If older than this
+daily_clean_disks_verbose="YES"				# Mention files deleted
+
+# 110.clean-tmps
+daily_clean_tmps_enable="NO"				# Delete stuff daily
+daily_clean_tmps_dirs="/tmp"				# Delete under here
+daily_clean_tmps_days="3"				# If not accessed for
+daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix"
+daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap"
+daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal"
+							# Don't delete these
+daily_clean_tmps_verbose="YES"				# Mention files deleted
+
+# 120.clean-preserve
+daily_clean_preserve_enable="YES"			# Delete files daily
+daily_clean_preserve_days=7				# If not modified for
+daily_clean_preserve_verbose="YES"			# Mention files deleted
+
+# 130.clean-msgs
+daily_clean_msgs_enable="YES"				# Delete msgs daily
+daily_clean_msgs_days=					# If not modified for
+
+# 140.clean-rwho
+daily_clean_rwho_enable="YES"				# Delete rwho daily
+daily_clean_rwho_days=7					# If not modified for
+daily_clean_rwho_verbose="YES"				# Mention files deleted
+
+# 150.clean-hoststat
+daily_clean_hoststat_enable="YES"			# Purge sendmail host
+							# status cache daily
+
+# 200.backup-passwd
+daily_backup_passwd_enable="YES"			# Backup passwd & group
+
+# 210.backup-aliases
+daily_backup_aliases_enable="YES"			# Backup mail aliases
+
+# 300.calendar
+daily_calendar_enable="NO"				# Run calendar -a
+
+# 310.accounting
+daily_accounting_enable="YES"				# Rotate acct files
+daily_accounting_compress="NO"				# Gzip rotated files
+daily_accounting_flags=-q				# Flags to /usr/sbin/sa
+daily_accounting_save=3					# How many files to save
+
+# 330.news
+daily_news_expire_enable="YES"				# Run news.expire
+
+# 400.status-disks
+daily_status_disks_enable="NO"				# Check disk status
+daily_status_disks_df_flags="-l -h"			# df(1) flags for check
+
+# 401.status-graid
+daily_status_graid_enable="NO"				# Check graid(8)
+
+# 404.status-zfs
+daily_status_zfs_enable="YES"				# Check ZFS
+daily_status_zfs_zpool_list_enable="YES"		# List ZFS pools
+
+# 406.status-gmirror
+daily_status_gmirror_enable="NO"			# Check gmirror(8)
+
+# 407.status-graid3
+daily_status_graid3_enable="NO" 			# Check graid3(8)
+
+# 408.status-gstripe
+daily_status_gstripe_enable="NO"			# Check gstripe(8)
+
+# 409.status-gconcat
+daily_status_gconcat_enable="NO"			# Check gconcat(8)
+
+# 410.status-mfi
+daily_status_mfi_enable="NO"				# Check mfiutil(8)
+
+# 420.status-network
+daily_status_network_enable="NO"			# Check network status
+daily_status_network_usedns="YES"			# DNS lookups are ok
+daily_status_network_netstat_flags="-d"			# netstat(1) flags
+
+# 430.status-uptime
+daily_status_uptime_enable="YES"			# Check system uptime
+
+# 440.status-mailq
+daily_status_mailq_enable="YES"				# Check mail status
+daily_status_mailq_shorten="NO"				# Shorten output
+daily_status_include_submit_mailq="YES"			# Also submit queue
+
+# 450.status-security
+daily_status_security_enable="YES"			# Security check
+# See also "Security options" below for more options
+daily_status_security_inline="NO"			# Run inline ?
+daily_status_security_output="root"			# user or /file
+
+# 460.status-mail-rejects
+daily_status_mail_rejects_enable="YES"			# Check mail rejects
+daily_status_mail_rejects_logs=3			# How many logs to check
+daily_status_mail_rejects_shorten="NO"			# Shorten output
+
+# 480.leapfile-ntpd
+daily_ntpd_leapfile_enable="YES"			# Fetch NTP leapfile
+
+# 480.status-ntpd
+daily_status_ntpd_enable="NO"				# Check NTP status
+
+# 500.queuerun
+daily_queuerun_enable="YES"				# Run mail queue
+daily_submit_queuerun="YES"				# Also submit queue
+
+# 510.status-world-kernel
+daily_status_world_kernel="YES"				# Check the running
+							# userland/kernel version
+
+# 800.scrub-zfs
+daily_scrub_zfs_enable="YES"
+daily_scrub_zfs_pools=""			# empty string selects all pools
+daily_scrub_zfs_default_threshold="35"		# days between scrubs
+#daily_scrub_zfs_${poolname}_threshold="35"	# pool specific threshold
+
+# 999.local
+daily_local="/etc/daily.local"				# Local scripts
+
+
+# Weekly options
+
+# These options are used by periodic(8) itself to determine what to do
+# with the output of the sub-programs that are run, and where to send
+# that output.  $weekly_output might be set to /var/log/weekly.log if you
+# wish to log the weekly output and have the files rotated by newsyslog(8)
+#
+weekly_output="root"					# user or /file
+weekly_show_success="YES"				# scripts returning 0
+weekly_show_info="YES"					# scripts returning 1
+weekly_show_badconfig="NO"				# scripts returning 2
+
+# 310.locate
+weekly_locate_enable="YES"				# Update locate weekly
+
+# 320.whatis
+weekly_whatis_enable="YES"				# Update whatis weekly
+
+# 340.noid
+weekly_noid_enable="NO"					# Find unowned files
+weekly_noid_dirs="/"					# Look here
+
+# 450.status-security
+weekly_status_security_enable="YES"			# Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO"			# Run inline ?
+weekly_status_security_output="root"			# user or /file
+
+# 999.local
+weekly_local="/etc/weekly.local"			# Local scripts
+
+
+# Monthly options
+
+# These options are used by periodic(8) itself to determine what to do
+# with the output of the sub-programs that are run, and where to send
+# that output.  $monthly_output might be set to /var/log/monthly.log if you
+# wish to log the monthly output and have the files rotated by newsyslog(8)
+#
+monthly_output="root"					# user or /file
+monthly_show_success="YES"				# scripts returning 0
+monthly_show_info="YES"					# scripts returning 1
+monthly_show_badconfig="NO"				# scripts returning 2
+
+# 200.accounting
+monthly_accounting_enable="YES"				# Login accounting
+
+# 450.status-security
+monthly_status_security_enable="YES"			# Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO"			# Run inline ?
+monthly_status_security_output="root"			# user or /file
+
+# 999.local
+monthly_local="/etc/monthly.local"			# Local scripts
+
+
+# Security options
+
+security_show_success="YES"				# scripts returning 0
+security_show_info="YES"				# scripts returning 1
+security_show_badconfig="NO"				# scripts returning 2
+
+# These options are used by the security periodic(8) scripts spawned in
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log"			# Directory for logs
+security_status_diff_flags="-b -u"			# flags for diff output
+
+# Each of the security_status_*_period options below can have one of the
+# following values:
+# - NO: do not run at all
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
+# - monthly: only run during the monthly security status
+# Note that if periodic security scripts are run from crontab(5) directly,
+# they will be run unless _enable or _period is set to "NO".
+
+# 100.chksetuid
+security_status_chksetuid_enable="NO"
+security_status_chksetuid_period="daily"
+
+# 110.neggrpperm
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
+
+# 200.chkmounts
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:"		# Don't check matching
+							# FS types
+security_status_noamd="NO"				# Don't check amd mounts
+
+# 300.chkuid0
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
+
+# 400.passwdless
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
+
+# 410.logincheck
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
+
+# 500.ipfwdenied
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
+
+# 510.ipfdenied
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
+
+# 520.pfdenied
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
+
+# 550.ipfwlimit
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
+
+# 610.ipf6denied
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
+
+# 700.kernelmsg
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
+
+# 800.loginfail
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
+
+# 900.tcpwrap
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
+
+
+
+# Define source_periodic_confs, the mechanism used by /etc/periodic/*/*
+# scripts to source defaults/periodic.conf overrides safely.
+
+if [ -z "${source_periodic_confs_defined}" ]; then
+        source_periodic_confs_defined=yes
+
+	# Sleep for a random amount of time in order to mitigate the thundering
+	# herd problem of multiple hosts running periodic simultaneously.
+	# Will not sleep when used interactively.
+	# Will sleep at most once per invocation of periodic
+	anticongestion() {
+		[ -n "$PERIODIC_IS_INTERACTIVE" ] && return
+		if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then
+			rm -f $PERIODIC_ANTICONGESTION_FILE
+			sleep `jot -r 1 0 ${anticongestion_sleeptime}`
+		fi
+	}
+
+	# Compatibility with old daily variable names.
+	# They can be removed in stable/11.
+	security_daily_compat_var() {
+		local var=$1 dailyvar value
+
+		dailyvar=daily_status_security${var#security_status}
+		periodvar=${var%enable}period
+		eval value=\"\$$dailyvar\"
+		[ -z "$value" ] && return
+		echo "Warning: Variable \$$dailyvar is deprecated," \
+		    "use \$$var instead." >&2
+		case "$value" in
+		[Yy][Ee][Ss])
+			eval $var=YES
+			eval $periodvar=daily
+			;;
+		*)
+			eval $var=\"$value\"
+			;;
+		esac
+	}
+
+	check_yesno_period() {
+		local var="$1" periodvar value period
+
+		eval value=\"\$$var\"
+		case "$value" in
+		[Yy][Ee][Ss]) ;;
+		*) return 1 ;;
+		esac
+
+		periodvar=${var%enable}period
+		eval period=\"\$$periodvar\"
+		case "$PERIODIC" in
+		"security daily")
+			case "$period" in
+			[Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		"security weekly")
+			case "$period" in
+			[Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		"security monthly")
+			case "$period" in
+			[Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		security)
+			# Run directly from crontab(5).
+			case "$period" in
+			[Nn][Oo]) return 1 ;;
+			*) return 0 ;;
+			esac
+			;;
+                '')
+                        # Script run manually.
+                        return 0
+                        ;;
+		*)
+			echo "ASSERTION FAILED: Unexpected value for" \
+			    "\$PERIODIC: '$PERIODIC'" >&2
+			exit 127
+			;;
+		esac
+	}
+
+        source_periodic_confs() {
+                local i sourced_files
+
+                for i in ${periodic_conf_files}; do
+                        case ${sourced_files} in
+                        *:$i:*)
+                                ;;
+                        *)
+                                sourced_files="${sourced_files}:$i:"
+                                [ -r $i ] && . $i
+                                ;;
+                        esac
+                done
+        }
+fi