Long ago, there was just /etc/daily. Then /etc/security was split out

of /etc/daily. Some time later, /etc/daily became a set of periodic(8) scripts. Now, this evolution continues, and /etc/security has been broken into periodic(8) scripts to make local customization easier and more maintainable. Reviewed by: ru Approved by: ru
svn path=/head/; revision=87514
2001-12-07 23:57:39 +00:00 · 2001-12-07 23:57:39 +00:00 · 2204f3ce42 · 2020-12-20 02:59:44 +00:00
commit 2204f3ce42
parent f4af1f0785
20 changed files with 872 additions and 266 deletions
--- a/etc/Makefile
+++ b/etc/Makefile
@ -14,7 +14,7 @@ BIN1=   amd.map apmd.conf auth.conf \
 	phones printcap profile protocols \
 	rc rc.atm rc.devfs rc.diskless1 rc.diskless2 rc.firewall rc.firewall6 \
 	rc.network rc.network6 rc.pccard rc.serial rc.shutdown \
-	rc.syscons rc.sysctl remote rpc security services shells sysctl.conf \
+	rc.syscons rc.sysctl remote rpc services shells sysctl.conf \
 	syslog.conf usbd.conf \
 	etc.${MACHINE_ARCH}/disktab \
 	etc.${MACHINE_ARCH}/rc.${MACHINE_ARCH} \
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@ -105,9 +105,7 @@ daily_status_mailq_shorten="NO"				# Shorten output

 # 450.status-security
 daily_status_security_enable="YES"			# Security check
-daily_status_security_inline="NO"			# Run inline ?
-daily_status_security_output="root"			# user or /file
-daily_status_security_noamd="NO"			# Don't check amd mounts
+# See "Security options" below for more options

 # 460.status-mail-rejects
 daily_status_mail_rejects_enable="YES"			# Check mail rejects
@ -124,6 +122,51 @@ daily_queuerun_enable="YES"				# Run mail queue
 daily_local="/etc/daily.local"				# Local scripts


+# Security options
+
+# These options are used by the security periodic(8) scripts spawned in 
+# 450.status-security above.
+daily_status_security_inline="NO"			# Run inline ?
+daily_status_security_output="root"			# user or /file
+daily_status_security_noamd="NO"			# Don't check amd mounts
+daily_status_security_logdir="/var/log"			# Directory for logs
+
+# 100.chksetuid
+daily_status_security_chksetuid_enable="YES"
+
+# 200.chkmounts
+daily_status_security_chkmounts_enable="YES"
+#daily_status_security_chkmounts_ignore="^amd:"		# Don't check matching
+							# FS types
+
+# 300.chkuid0
+daily_status_security_chkuid0_enable="YES"
+
+# 400.passwdless
+daily_status_security_passwdless_enable="YES"
+
+# 500.ipfwdenied
+daily_status_security_ipfwdenied_enable="YES"
+
+# 550.ipfwlimit
+daily_status_security_ipfwlimit_enable="YES"
+
+# 600.ip6fwdenied
+daily_status_security_ip6fwdenied_enable="YES"
+
+# 650.ip6fwlimit
+daily_status_security_ip6fwlimit_enable="YES"
+
+# 700.kernelmsg
+daily_status_security_kernelmsg_enable="YES"
+
+# 800.loginfail
+daily_status_security_loginfail_enable="YES"
+
+# 900.tcpwrap
+daily_status_security_tcpwrap_enable="YES"
+
+
 # Weekly options

 # These options are used by periodic(8) itself to determine what to do
--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@ -45,6 +45,8 @@
            ..
            monthly
            ..
+            security
+            ..
            weekly
            ..
        ..
--- a/etc/periodic/Makefile
+++ b/etc/periodic/Makefile
@ -1,5 +1,5 @@
 # $FreeBSD$

-SUBDIR=	daily weekly monthly
+SUBDIR=	daily security weekly monthly

 .include <bsd.subdir.mk>
--- a/etc/periodic/daily/450.status-security
+++ b/etc/periodic/daily/450.status-security
@ -16,30 +16,23 @@ case "$daily_status_security_enable" in
 	echo ""
 	echo "Security check:"

-	case "$daily_status_security_noamd" in
-	    [Yy][Ee][Ss])
-		args=-a;;
-	    *)
-		args=;;
-	esac
-
 	case "$daily_status_security_inline" in
 	    [Yy][Ee][Ss])
-		sh /etc/security -s $args
-		rc=$?;;
-
+		export security_output="";;
 	    *)
-		case "${daily_status_security_output:=root}" in
+		export security_output="${daily_status_security_output}"
+		case "${daily_status_security_output}" in
+		    "")
+			;;
 		    /*)
-			echo "    (output logged separately)"
-			sh /etc/security -s $args \
-			    >$daily_status_security_output 2>&1;;
+			echo "    (output logged separately)";;
 		    *)
-			echo "    (output mailed separately)"
-			sh /etc/security $args 2>&1 |
-			    mail -s "`hostname` security check output" $daily_status_security_output;;
+			echo "    (output mailed separately)";;
 		esac;;
-	esac;;
+	esac
+
+	periodic security
+	rc=$?;;

    *)  rc=0;;
 esac
--- a/etc/periodic/security/100.chksetuid
+++ b/etc/periodic/security/100.chksetuid
@ -0,0 +1,75 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_chksetuid_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo 'Checking setuid files and devices:'
+	# XXX Note that there is the possibility of overrunning the args to ls
+	MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
+	set ${MP}
+	while [ $# -ge 1 ]; do
+	    mount=$1
+	    shift
+	    find $mount -xdev -type f \
+		    \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
+		    \( -perm -u+s -or -perm -g+s \) -print0
+	done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
+
+	if [ ! -f ${LOG}/setuid.today ]; then
+	    rc=1
+	    echo "No ${LOG}/setuid.today"
+	    cp ${TMP} ${LOG}/setuid.today || rc=3
+	fi
+
+	if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
+	then
+	    [ $rc -lt 1 ] && rc=1
+	    echo "${host} setuid diffs:"
+	    diff -w ${LOG}/setuid.today ${TMP}
+	    mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
+	    mv ${TMP} ${LOG}/setuid.today || rc=3
+	fi
+	rm -f ${TMP};;
+    *)	rc=0;;
+esac
+
+exit $rc
--- a/etc/periodic/security/200.chkmounts
+++ b/etc/periodic/security/200.chkmounts
@ -0,0 +1,73 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show changes in the way filesystems are mounted
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+ignore="${daily_status_security_chkmounts_ignore}"
+rc=0
+
+case "$daily_status_security_chkmounts_enable" in
+    [Yy][Ee][Ss])
+	case "$daily_status_security_noamd" in
+	    [Yy][Ee][Ss])
+		ignore="${ignore}|^amd:"
+	esac
+	[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+	if mount -p | ${cmd} > ${TMP}; then
+	    if [ ! -f ${LOG}/mount.today ]; then
+		rc=1
+		echo ""
+		echo "No ${LOG}/mount.today"
+		cp ${TMP} ${LOG}/mount.today || rc=3
+	    fi
+	    if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
+		[ $rc -lt 1 ] && rc=1
+		echo ""
+		echo "${host} changes in mounted filesystems:"
+		diff -b ${LOG}/mount.today ${TMP}
+		mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
+		mv ${TMP} ${LOG}/mount}.today || rc=3
+	    fi
+	fi
+	rm -f ${TMP};;
+    *)	rc=0;;
+esac
+
+exit "$rc"
--- a/etc/periodic/security/300.chkuid0
+++ b/etc/periodic/security/300.chkuid0
@ -0,0 +1,51 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$daily_status_security_chkuid0_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo 'Checking for uids of 0:'
+	n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
+	tee /dev/stderr |
+	sed -e '/^root 0$/d' -e '/^toor 0$/d' |
+	wc -l)
+	[ $n -gt 0 ] && rc=1 || rc=0;;
+    *)	rc=0;;
+esac
+
+exit "$rc"
--- a/etc/periodic/security/400.passwdless
+++ b/etc/periodic/security/400.passwdless
@ -0,0 +1,48 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$daily_status_security_passwdless_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo 'Checking for passwordless accounts:'
+	n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
+	    tee /dev/stderr | wc -l)
+	[ $n -gt 0 ] && rc=1 || rc=0;;
+    *)	rc=0;;
+esac
+
+exit "$rc"
--- a/etc/periodic/security/500.ipfwdenied
+++ b/etc/periodic/security/500.ipfwdenied
@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show denied packets
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ipfwdenied_enable" in
+    [Yy][Ee][Ss])
+	if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+	    if [ ! -f ${LOG}/ipfw.today ]; then
+		rc=1
+		echo ""
+		echo "No ${LOG}/ipfw.today"
+		cp ${TMP} ${LOG}/ipfw.today || rc=3
+	    fi
+
+	    if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
+		[ $rc -lt 1 ] && rc=1
+		echo ""
+		echo "${host} denied packets:"
+		diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
+		mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
+		mv ${TMP} ${LOG}/ipfw.today || rc=3
+	    fi
+	fi
+	rm -f ${TMP};;
+    *)	rc=0;;
+esac
+
+exit $rc
--- a/etc/periodic/security/550.ipfwlimit
+++ b/etc/periodic/security/550.ipfwlimit
@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ipfw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ipfwlimit_enable" in
+    [Yy][Ee][Ss])
+	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
+	if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
+	    ipfw -a l | grep " log " | perl -n -e \
+		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
+	    if [ -s "${TMP}" ]; then
+		rc=1
+		echo ""
+		echo 'ipfw log limit reached:'
+		cat ${TMP}
+	    fi
+	fi
+	rm -f ${TMP};;
+    *)	rc=0;;
+esac
+
+exit $rc
--- a/etc/periodic/security/600.ip6fwdenied
+++ b/etc/periodic/security/600.ip6fwdenied
@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show IPv6 denied packets
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ip6fwdenied_enable" in
+    [Yy][Ee][Ss])
+	if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+	    if [ ! -f ${LOG}/ip6fw.today ]; then
+		rc=1
+		echo ""
+		echo "No ${LOG}/ip6fw.today"
+		cp ${TMP} ${LOG}/ip6fw.today || rc=3
+	    fi
+
+	    if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
+		[ $rc -lt 1 ] && rc=1
+		echo ""
+		echo "${host} IPv6 denied packets:"
+		diff -b ${LOG}/ip6fw.today ${TMP} |
+		    egrep "^>"
+		mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
+		mv ${TMP} ${LOG}/ip6fw.today || rc=3
+	    fi
+	fi
+	rm -f ${TMP};;
+    *)	rc=0;;
+esac
+
+exit $rc
--- a/etc/periodic/security/650.ip6fwlimit
+++ b/etc/periodic/security/650.ip6fwlimit
@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ip6fw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ip6fwlimit_enable" in
+    [Yy][Ee][Ss])
+	IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
+	if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
+	    ip6fw -a l | grep " log " | perl -n -e \
+		'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
+	    if [ -s "${TMP}" ]; then
+		rc=1
+		echo ""
+		echo 'ip6fw log limit reached:'
+		cat ${TMP}
+	    fi
+	fi
+	rm -f ${TMP};;
+    *)	rc=0;;
+esac
+
+exit $rc
--- a/etc/periodic/security/700.kernelmsg
+++ b/etc/periodic/security/700.kernelmsg
@ -0,0 +1,68 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show kernel log messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_kernelmsg_enable" in
+    [Yy][Ee][Ss])
+	if dmesg -a 2>/dev/null > ${TMP}; then
+	    if [ ! -f ${LOG}/dmesg.today ]; then
+		rc=1
+		echo ""
+		echo "No ${LOG}/dmesg.today"
+		cp ${TMP} ${LOG}/dmesg.today || rc=3
+	    fi
+
+	    if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
+		[ $rc -lt 1 ] && rc=1
+		echo ""
+		echo "${host} kernel log messages:"
+		diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
+		mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
+		mv ${TMP} ${LOG}/dmesg.today || rc=3
+	    fi
+	fi
+	rm -f ${TMP};;
+    *)	rc=0;;
+esac
+
+exit $rc
--- a/etc/periodic/security/800.loginfail
+++ b/etc/periodic/security/800.loginfail
@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show login failures
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+	find ${LOG} -name 'messages.*' -mtime -2 |
+	    sort -t. -r -n +1 -2 |
+	    xargs zcat -f
+	[ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_loginfail_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo "${host} login failures:"
+	n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
+	    tee /dev/stderr | wc -l)
+	[ $n -gt 0 ] && rc=1 || rc=0;;
+    *)	rc=0;;
+esac
+
+exit $rc
--- a/etc/periodic/security/900.tcpwrap
+++ b/etc/periodic/security/900.tcpwrap
@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001  The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show tcp_wrapper warning messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+	find ${LOG} -name 'messages.*' -mtime -2 |
+	    sort -t. -r -n +1 -2 |
+	    xargs zcat -f
+	[ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_tcpwrap_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo "${host} refused connections:"
+	n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
+	    tee /dev/stderr | wc -l)
+	[ $n -gt 0 ] && rc=1 || rc=0;;
+    *)	rc=0;;
+esac
+
+exit $rc
--- a/etc/periodic/security/Makefile
+++ b/etc/periodic/security/Makefile
@ -0,0 +1,15 @@
+# $FreeBSD$
+
+BIN=	100.chksetuid \
+	200.chkmounts \
+	300.chkuid0 \
+	400.passwdless \
+	500.ipfwdenied \
+	550.ipfwlimit \
+	600.ip6fwdenied \
+	650.ip6fwlimit \
+	700.kernelmsg \
+	800.loginfail \
+	900.tcpwrap
+
+.include <bsd.prog.mk>
--- a/etc/security
+++ b/etc/security
@ -1,234 +0,0 @@
-#!/bin/sh -
-#
-# Copyright (c) 2000  The FreeBSD Project
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-#	@(#)security	5.3 (Berkeley) 5/28/91
-# $FreeBSD$
-#
-
-PATH=/sbin:/bin:/usr/bin
-LC_ALL=C; export LC_ALL
-rc=0
-LOG=/var/log
-TMP=/var/run/_secure.$$
-
-separator () {
-	echo ''
-	echo ''
-}
-
-catmsgs() {
-	find $LOG -name 'messages.*' -mtime -2 |
-	    sort -t. -r -n +1 -2 |
-	    xargs zcat -f
-	[ -f $LOG/messages ] && cat $LOG/messages
-}
-
-sflag=FALSE ignore=
-while getopts as c
-do
-	case "$c" in
-		a) ignore="$ignore|^amd:";;
-		s) sflag=TRUE;;
-	esac
-done
-
-yesterday=`date -v-1d "+%b %e "`
-
-host=`hostname`
-
-umask 027
-
-echo 'Checking setuid files and devices:'
-
-# Don't have ncheck, but this does the equivalent of the commented out block.
-# Note that one of the original problems, the possibility of overrunning
-# the args to ls, is still here...
-#
-MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
-set ${MP}
-while [ $# -ge 1 ]; do
-	mount=$1
-	shift
-	find $mount -xdev -type f \
-		\( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
-		\( -perm -u+s -or -perm -g+s \) -print0
-done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
-
-if [ ! -f ${LOG}/setuid.today ]; then
-	[ $rc -lt 1 ] && rc=1
-	separator
-	echo "No ${LOG}/setuid.today"
-	cp ${TMP} ${LOG}/setuid.today || rc=3
-fi
-
-if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null; then
-	[ $rc -lt 1 ] && rc=1
-	separator
-	echo "${host} setuid diffs:"
-	diff -w ${LOG}/setuid.today ${TMP}
-	mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
-	mv ${TMP} ${LOG}/setuid.today || rc=3
-fi
-
-# Show changes in the way filesystems are mounted
-#
-[ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
-if mount -p | $cmd > $TMP; then
-	if [ ! -f $LOG/mount.today ]; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo "No $LOG/mount.today"
-		cp $TMP $LOG/mount.today || rc=3
-	fi
-	if ! cmp $LOG/mount.today $TMP >/dev/null 2>&1; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo "$host changes in mounted filesystems:"
-		diff -b $LOG/mount.today $TMP
-		mv $LOG/mount.today $LOG/mount.yesterday || rc=3
-		mv $TMP $LOG/mount.today || rc=3
-	fi
-fi
-
-separator
-echo 'Checking for uids of 0:'
-n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
-    tee /dev/stderr |
-    sed -e '/^root 0$/d' -e '/^toor 0$/d' |
-    wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-separator
-echo 'Checking for passwordless accounts:'
-n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
-    tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-# Show denied packets
-#
-if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
-	if [ ! -f ${LOG}/ipfw.today ]; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo "No ${LOG}/ipfw.today"
-		cp ${TMP} ${LOG}/ipfw.today || rc=3
-	fi
-
-	if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo "${host} denied packets:"
-		diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
-		mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
-		mv ${TMP} ${LOG}/ipfw.today || rc=3
-	fi
-fi
-
-# Show ipfw rules which have reached the log limit
-#
-IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
-	ipfw -a l | grep " log " | perl -n -e \
-		'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
-	if [ -s "${TMP}" ]; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo 'ipfw log limit reached:'
-		cat ${TMP}
-	fi
-fi
-
-# Show IPv6 denied packets
-#
-if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
-	if [ ! -f ${LOG}/ip6fw.today ]; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo "No ${LOG}/ip6fw.today"
-		cp ${TMP} ${LOG}/ip6fw.today || rc=3
-	fi
-
-	if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo "${host} IPv6 denied packets:"
-		diff -b ${LOG}/ip6fw.today ${TMP} | egrep "^>"
-		mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
-		mv ${TMP} ${LOG}/ip6fw.today || rc=3
-	fi
-fi
-
-# Show ip6fw rules which have reached the log limit
-#
-IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
-if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
-	ip6fw -a l | grep " log " | perl -n -e \
-		'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
-	if [ -s "${TMP}" ]; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo 'ip6fw log limit reached:'
-		cat ${TMP}
-	fi
-fi
-
-# Show kernel log messages
-#
-if dmesg -a 2>/dev/null > ${TMP}; then
-	if [ ! -f ${LOG}/dmesg.today ]; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo "No ${LOG}/dmesg.today"
-		cp ${TMP} ${LOG}/dmesg.today || rc=3
-	fi
-
-	if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
-		[ $rc -lt 1 ] && rc=1
-		separator
-		echo "${host} kernel log messages:"
-		diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
-		mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
-		mv ${TMP} ${LOG}/dmesg.today || rc=3
-	fi
-fi
-
-# Show login failures
-#
-separator
-echo "${host} login failures:"
-n=$(catmsgs | grep -ia "^$yesterday.*login failure" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-# Show tcp_wrapper warning messages
-#
-separator
-echo "${host} refused connections:"
-n=$(catmsgs | grep -i "^$yesterday.*refused connect" | tee /dev/stderr | wc -l)
-[ $n -gt 0 -a $rc -lt 1 ] && rc=1
-
-rm -f ${TMP}
-
-exit $rc
--- a/share/man/man5/periodic.conf.5
+++ b/share/man/man5/periodic.conf.5
@ -401,22 +401,27 @@ is set to
 .Pq Vt bool
 Set to
 .Dq YES
-if you want to run
-.Pa /etc/security .
+if you want to run the security check.
+The security check is another set of
+.Xr periodic 8
+scripts.
+The system defaults are in
+.Pa /etc/periodic/security .
+Local scripts should be placed in
+.Pa /usr/local/etc/periodic/security .
+See the
+.Xr periodic 8
+manual page for more information.
 .It Va daily_status_security_inline
 .Pq Vt bool
 Set to
 .Dq YES
-if you want to run
-.Pa /etc/security
-inline.
+if you want the security check output inline.
 The default is to either mail or log the output according to the value of
 .Va daily_status_security_output .
 .It Va daily_status_security_output
 .Pq Vt str
-Where to send the output of
-.Pa /etc/security
-if
+Where to send the output of the security check if
 .Va daily_status_security_inline
 is set to
 .Dq NO .
@ -424,13 +429,91 @@ This variable behaves in the same way as the
 .Va *_output
 variables above, namely it can be set either to one or more email addresses
 or to an absolute file name.
+.It Va daily_status_security_chksetuid_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to compare the modes and modification times of setuid executables with
+the previous day's values.
+.It Va daily_status_security_chkmounts_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to check for changes mounted filesystems to the previous day's values.
 .It Va daily_status_security_noamd
 .Pq Vt bool
 Set to
 .Dq YES
 if you want to ignore
 .Xr amd 8
-mounts when comparing against yesterdays filesystem mounts.
+mounts when comparing against yesterdays filesystem mounts in the
+.Va daily_status_security_chkmounts_enable
+check.
+.It Va daily_status_security_chkuid0_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to check
+.Pa /etc/master.passwd
+for accounts with uid 0.
+.It Va daily_status_security_passwdless_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to check
+.Pa /etc/master.passwd
+for accounts with empty passwords.
+.It Va daily_status_security_ipfwdenied_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to show log entries for packets denied by
+.Xr ipfw 8
+since yesterday's check.
+.It Va daily_status_security_ipfwlimit_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to display
+.Xr ipfw 8
+rules that have reached their verbosity limit.
+.It Va daily_status_security_ip6fwdenied_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to show log entries for packets denied by
+.Xr ip6fw 8
+since yesterday's check.
+.It Va daily_status_security_ip6fwlimit_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to display
+.Xr ip6fw 8
+rules that have reached their verbosity limit.
+.It Va daily_status_security_kernelmsg_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to show new
+.Xr dmesg 8
+entries since yesterday's check.
+.It Va daily_status_security_loginfail_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to display failed logins from
+.Pa /var/log/messages
+in the previous day.
+.It Va daily_status_security_tcpwrap_enable
+.Pq Vt bool
+Set to
+.Dq YES
+to display connections denied by tcpwrappers (see
+.Xr hosts_access 5 )
+from
+.Pa /var/log/messages
+during the previous day.
 .It Va daily_status_mail_rejects_enable
 .Pq Vt bool
 Set to
--- a/usr.sbin/periodic/periodic.8
+++ b/usr.sbin/periodic/periodic.8
@ -52,6 +52,11 @@ This usually occurs on Sunday mornings.
 .It Pa monthly
 Perform the standard monthly periodic executable run.
 This usually occurs on the first day of the month.
+.It Pa security
+Perform the standard daily security checks.
+This is usually spawned by the
+.Pa daily
+run.
 .It Ar path
 An arbitrary directory containing a set of executables to be run.
 .El