About
This post provides an introduction to the periodic(8) utility on FreeBSD.
Motivation
We can maintain a healthy and secure system by paying attention to regular, recurring tasks like log rotation, temporary file cleanup, security checks, and other system updates.
It can be tedious and error prone to perform these tasks manually, but thankfully the periodic(8) utility on FreeBSD offers an automated framework that can organize and execute system maintenance tasks at regular intervals.
Background
From the previous section we know that the periodic(8) utility on FreeBSD provides an automated framework that can execute recurring system maintenance tasks. This is achieved by running periodic(8) via cron(8) at daily, weekly, and monthly intervals:
# /etc/crontab
# Perform daily/weekly/monthly maintenance.
1 3 * * * root periodic daily
15 4 * * 6 root periodic weekly
30 5 1 * * root periodic monthly
Each period corresponds to a subdirectory –
/etc/periodic/daily, /etc/periodic/weekly, and
/etc/periodic/monthly – and each subdirectory contains a
collection of executable shell scripts. These scripts perform various
maintenance tasks specific to their designated period. Even though
FreeBSD ships with its own set of scripts, users can extend periodic(8)
by adding their own executable scripts to any one of these
subdirectories.
The periodic(8) utility is typically executed via cron(8), but it can
also be called manually from the command line using the periodic
daily, periodic weekly, or periodic
monthly commands.
A fourth category of scripts, known as security scripts, lives under
the /etc/periodic/security/ directory. Unlike the other
categories, security scripts are designed to run at every interval
(daily, weekly, and monthly) and normally the security category is not
run independent of the main three categories, although they can be
through the periodic security command.
Mail logs
General
periodic.conf configures periodic(8).
The variables defined by periodic.conf can control where
the output of daily, weekly, and monthly scripts are sent. By default,
output is sent to the root user via mail. We can redirect output to a
separate user account named periodic (which would need to be
created), with the following variables:
# /etc/periodic.conf
daily_output="periodic"
weekly_output="periodic"
monthly_output="periodic"
Security
The daily, weekly, and monthly commands run the security scripts via
/etc/periodic/(daily|weekly|monthly)/450.status-security.
The output of these security scripts is managed by a separate set of
variables, which should also be updated:
# /etc/periodic.conf
daily_status_security_output="periodic"
weekly_status_security_output="periodic"
monthly_status_security_output="periodic"
File logs
General
We can send output to a file instead of mailing it to user(s) by
setting the (daily|weekly|monthly)_output variables to an
absolute path. Personally I prefer this approach:
# /etc/periodic.conf
daily_output="/var/log/periodic-daily.log"
weekly_output="/var/log/periodic-weekly.log"
monthly_output="/var/log/periodic-monthly.log"
Security
Similarly, security script output can also be redirected to files by updating the following variables:
# /etc/periodic.conf
daily_status_security_output="/var/log/periodic-daily-security.log"
weekly_status_security_output="/var/log/periodic-weekly-security.log"
monthly_status_security_output="/var/log/periodic-monthly-security.log"
Conclusion
Context
After configuring periodic(8) to log its output to a file, we can manually trigger a daily run to observe the results.
Demo
root@localhost# periodic daily
root@localhost# cat /var/log/periodic-daily.log
Explanation
The periodic daily command initiates a single execution
of all daily periodic scripts. The output, which would typically be
mailed, is now redirected to the /var/log/periodic-daily.log
file.