Make the period of each periodic security script configurable.

There are now six additional variables
  weekly_status_security_enable
  weekly_status_security_inline
  weekly_status_security_output
  monthly_status_security_enable
  monthly_status_security_inline
  monthly_status_security_output
alongside their existing daily counterparts.  They all have the same
default values.

All other "daily_status_security_${scriptname}_${whatever}"
variables have been renamed to "security_status_${name}_${whatever}".
A compatibility shim has been introduced for the old variable names,
which we will be able to remove in 11.0-RELEASE.

"security_status_${name}_enable" is still a boolean but a new
"security_status_${name}_period" allows to define the period of
each script.  The value is one of "daily" (the default for backward
compatibility), "weekly", "monthly" and "NO".

Note that when the security periodic scripts are run directly from
crontab(5) (as opposed to being called by daily or weekly periodic
scripts), they will run unless the test is explicitely disabled with a
"NO", either for in the "_enable" or the "_period" variable.

When the security output is not inlined, the mail subject has been
changed from "$host $arg run output" to "$host $arg $period run output".
For instance:
  myfbsd security run output ->  myfbsd security daily run output
I don't think this is considered as a stable API, but feel free to
correct me if I'm wrong.

Finally, I will rearrange periodic.conf(5) and default/periodic.conf
to put the security options in their own section.  I left them in
place for this commit to make reviewing easier.

Reviewed by:	hackers@

etc/defaults/periodic.conf

@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES"			# Also submit queue
 
 # 450.status-security
 daily_status_security_enable="YES"			# Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO"			# Run inline ?
+daily_status_security_output="root"			# user or /file
 
 # 460.status-mail-rejects
 daily_status_mail_rejects_enable="YES"			# Check mail rejects
@@ -163,59 +165,78 @@ daily_local="/etc/daily.local"				# Local scripts
 # Security options
 
 # These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO"			# Run inline ?
-daily_status_security_output="root"			# user or /file
-daily_status_security_logdir="/var/log"			# Directory for logs
-daily_status_security_diff_flags="-b -u"		# flags for diff output
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log"			# Directory for logs
+security_status_diff_flags="-b -u"			# flags for diff output
+
+# Each of the security_status_*_enable options below can have one of the
+# following values:
+# - NO
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
 
 # 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
 
 # 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
 
 # 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:"		# Don't check matching
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:"		# Don't check matching
 							# FS types
-daily_status_security_noamd="NO"			# Don't check amd mounts
+security_status_noamd="NO"				# Don't check amd mounts
 
 # 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
 
 # 400.passwdless
-daily_status_security_passwdless_enable="YES"
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
 
 # 410.logincheck
-daily_status_security_logincheck_enable="YES"
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
 
 # 460.chkportsum
-daily_status_security_chkportsum_enable="NO"	# Check ports w/ wrong checksum
+security_status_chkportsum_enable="NO"		# Check ports w/ wrong checksum
+security_status_chkportsum_period="daily"
 
 # 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
 
 # 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
 
 # 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
 
 # 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
 
 # 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
 
 # 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
 
 # 800.loginfail
-daily_status_security_loginfail_enable="YES"
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
 
 # 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
 
 
 # Weekly options
@@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO"				# Find out-of-date pkgs
 pkg_version=pkg_version					# Use this program
 pkg_version_index=/usr/ports/INDEX-10			# Use this index file
 
+# 450.status-security
+weekly_status_security_enable="YES"			# Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO"			# Run inline ?
+weekly_status_security_output="root"			# user or /file
+
 # 999.local
 weekly_local="/etc/weekly.local"			# Local scripts
 
@@ -267,6 +294,12 @@ monthly_show_badconfig="NO"				# scripts returning 2
 # 200.accounting
 monthly_accounting_enable="YES"				# Login accounting
 
+# 450.status-security
+monthly_status_security_enable="YES"			# Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO"			# Run inline ?
+monthly_status_security_output="root"			# user or /file
+
 # 999.local
 monthly_local="/etc/monthly.local"			# Local scripts
 
@@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local"			# Local scripts
 
 if [ -z "${source_periodic_confs_defined}" ]; then
         source_periodic_confs_defined=yes
+
+	# Compatibility with old daily variable names.
+	# They can be removed in stable/11.
+	security_daily_compat_var() {
+		local var=$1 dailyvar value
+
+		dailyvar=daily_status_security${#status_security}
+		periodvar=${var%enable}period
+		eval value=\"\$$dailyvar\"
+		[ -z "$value" ] && return
+		echo "Warning: Variable \$$dailyvar is deprecated," \
+		    "use \$$var instead." >&2
+		case "$value" in
+		[Yy][Ee][Ss])
+			$var=YES
+			$periodvar=daily
+			;;
+		*)
+			$var="$value"
+			;;
+		esac
+	}
+
+	check_yesno_period() {
+		local var="$1" periodvar value period
+
+		eval value=\"\$$var\"
+		case "$value" in
+		[Yy][Ee][Ss]) ;;
+		*) return 1 ;;
+		esac
+
+		periodvar=${var%enable}period
+		eval period=\"\$$periodvar\"
+		case "$PERIODIC" in
+		"security daily")
+			case "$period" in
+			[Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		"security weekly")
+			case "$period" in
+			[Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		"security monthly")
+			case "$period" in
+			[Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		security)
+			# Run directly from crontab(5).
+			case "$period" in
+			[Nn][Oo]) return 1 ;;
+			*) return 0 ;;
+			esac
+			;;
+		*)
+			echo "ASSERTION FAILED: Unexpected value for " \
+			    "\$PERIODIC: '$PERIODIC'" >&2
+			exit 127
+			;;
+		esac
+	}
+
         source_periodic_confs() {
                 local i sourced_files
 

etc/periodic/monthly/450.status-security

@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$monthly_status_security_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo "Security check:"
+
+	case "$monthly_status_security_inline" in
+	    [Yy][Ee][Ss])
+		monthly_status_security_output="";;
+	esac
+
+	export security_output="${monthly_status_security_output}"
+	case "${monthly_status_security_output}" in
+	    "")
+		rc=3;;
+	    /*)
+		echo "    (output logged separately)"
+		rc=0;;
+	    *)
+		echo "    (output mailed separately)"
+		rc=0;;
+	esac
+
+	periodic security || rc=3;;
+
+    *)  rc=0;;
+esac
+
+exit $rc

etc/periodic/security/100.chksetuid

@@ -37,10 +37,12 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_chksetuid_enable
+
 rc=0
 
-case "$daily_status_security_chksetuid_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_chksetuid_enable
+then
 	echo ""
 	echo 'Checking setuid files and devices:'
 	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_enable" in
 	    \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
 	check_diff setuid - "${host} setuid diffs:"
 	rc=$?
-	;;
-    *)
-	rc=0
-	;;
-esac
+fi
 
 exit $rc

etc/periodic/security/110.neggrpperm

@@ -35,10 +35,12 @@ then
     source_periodic_confs
 fi
 
+security_daily_compat_var security_status_neggrpperm_enable
+
 rc=0
 
-case "$daily_status_security_neggrpperm_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_neggrpperm_enable
+then
 	echo ""
 	echo 'Checking negative group permissions:'
 	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_enable" in
 	    \( ! -perm +040 -and -perm +004 \) \) \
 	    -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0
-	;;
-esac
+fi
 
 exit $rc

etc/periodic/security/200.chkmounts

@@ -40,12 +40,16 @@ fi
 
 . /etc/periodic/security/security.functions
 
-ignore="${daily_status_security_chkmounts_ignore}"
+security_daily_compat_var security_status_chkmounts_enable
+security_daily_compat_var security_status_chkmounts_ignore
+security_daily_compat_var security_status_noamd
+
+ignore="${security_status_chkmounts_ignore}"
 rc=0
 
-case "$daily_status_security_chkmounts_enable" in
-    [Yy][Ee][Ss])
-	case "$daily_status_security_noamd" in
+if check_yesno_period security_status_chkmounts_enable
+then
+	case "$security_status_noamd" in
 	    [Yy][Ee][Ss])
 		ignore="${ignore}|^amd:"
 	esac
@@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_enable" in
 	fi
 	mount -p | sort | ${cmd} |
 	  check_diff mount - "${host} changes in mounted filesystems:"
-	rc=$?;;
-    *)	rc=0;;
-esac
+	rc=$?
+fi
 
 exit "$rc"

etc/periodic/security/300.chkuid0

@@ -36,16 +36,19 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_chkuid0_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_chkuid0_enable
+
+rc=0
+
+if check_yesno_period security_status_chkuid0_enable
+then
 	echo ""
 	echo 'Checking for uids of 0:'
 	n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
 	tee /dev/stderr |
 	sed -e '/^root 0$/d' -e '/^toor 0$/d' |
 	wc -l)
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"

etc/periodic/security/400.passwdless

@@ -35,14 +35,17 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_passwdless_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_passwdless_enable
+
+rc=0
+
+if check_yesno_period security_status_passwdless_enable
+then
 	echo ""
 	echo 'Checking for passwordless accounts:'
 	n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
 	    tee /dev/stderr | wc -l)
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"

etc/periodic/security/410.logincheck

@@ -35,8 +35,12 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_logincheck_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_logincheck_enable
+
+rc=0
+
+if check_yesno_period security_status_logincheck_enable
+then
 	echo ""
 	echo 'Checking login.conf permissions:'
 	if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
@@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in
 	    echo "Bad ownership of /etc/login.conf"
 	    n=1
 	fi
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"

etc/periodic/security/460.chkportsum

@@ -35,13 +35,15 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_chkportsum_enable
+
 rc=0
 
 echo ""
 echo 'Checking for ports with mismatched checksums:'
 
-case "${daily_status_security_chkportsum_enable}" in
-	[Yy][Ee][Ss])
+if check_yesno_period security_status_chkportsum_enable
+then
 	set -f
 	pkg_info -ga 2>/dev/null | \
 	while IFS= read -r line; do
@@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum_enable}" in
 			;;
 		esac
 	done
-	;;
-	*)
-	rc=0
-	;;
-esac
+fi
 
 exit $rc

etc/periodic/security/500.ipfwdenied

@@ -37,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_ipfwdenied_enable
+
 rc=0
 
-case "$daily_status_security_ipfwdenied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwdenied_enable
+then
 	TMP=`mktemp -t security`
 	if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
 	  check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
 	fi
 	rc=$?
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc

etc/periodic/security/510.ipfdenied

@@ -37,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_ipfdenied_enable
+
 rc=0
 
-case "$daily_status_security_ipfdenied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfdenied_enable
+then
 	TMP=`mktemp -t security`
 	if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then
 	  check_diff new_only ipf ${TMP} "${host} ipf denied packets:"
 	fi
 	rc=$?
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc

etc/periodic/security/520.pfdenied

@@ -37,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_pfdenied_enable
+
 rc=0
 
-case "$daily_status_security_pfdenied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_pfdenied_enable
+then
 	TMP=`mktemp -t security`
 	if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
 	  check_diff new_only pf ${TMP} "${host} pf denied packets:"
 	fi
 	rc=$?
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc

etc/periodic/security/550.ipfwlimit

@@ -38,10 +38,12 @@ then
     source_periodic_confs
 fi
 
+security_daily_compat_var security_status_ipfwlimit_enable
+
 rc=0
 
-case "$daily_status_security_ipfwlimit_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwlimit_enable
+then
 	IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
 	if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
 		exit 0
@@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_enable" in
 		echo 'ipfw log limit reached:'
 		cat ${TMP}
 	fi
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc

etc/periodic/security/610.ipf6denied

@@ -37,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_ipf6denied_enable
+
 rc=0
 
-case "$daily_status_security_ipf6denied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipf6denied_enable
+then
 	TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
 	if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then
 	 check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:"
 	fi
 	rc=$?
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc

etc/periodic/security/700.kernelmsg

@@ -40,14 +40,15 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_kernelmsg_enable
+
 rc=0
 
-case "$daily_status_security_kernelmsg_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_kernelmsg_enable
+then
 	dmesg 2>/dev/null |
 	    check_diff new_only dmesg - "${host} kernel log messages:"
-	rc=$?;;
-    *)	rc=0;;
-esac
+	rc=$?
+fi
 
 exit $rc

etc/periodic/security/800.loginfail

@@ -38,7 +38,10 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_loginfail_enable
+
+LOG="${security_status_logdir}"
 
 yesterday=`date -v-1d "+%b %e "`
 
@@ -55,14 +58,15 @@ catmsgs() {
 	[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
 }
 
-case "$daily_status_security_loginfail_enable" in
-    [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_loginfail_enable
+then
 	echo ""
 	echo "${host} login failures:"
 	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 	    tee /dev/stderr | wc -l)
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit $rc

etc/periodic/security/900.tcpwrap

@@ -38,7 +38,10 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_tcpwrap_enable
+
+LOG="${security_status_logdir}"
 
 yesterday=`date -v-1d "+%b %e "`
 
@@ -55,14 +58,15 @@ catmsgs() {
 	[ -f ${LOG}/messages ] && cat $LOG/messages
 }
 
-case "$daily_status_security_tcpwrap_enable" in
-    [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_tcpwrap_enable
+then
 	echo ""
 	echo "${host} refused connections:"
 	n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
 	    tee /dev/stderr | wc -l)
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit $rc

etc/periodic/security/security.functions

@@ -27,11 +27,19 @@
 # $FreeBSD$
 #
 
+# This is a library file, so we only try to do something when sourced.
+case "$0" in
+*/security.functions) exit 0 ;;
+esac
+
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_diff_flags
+
 #
 # Show differences in the output of an audit command
 #
 
-LOG="${daily_status_security_logdir}"
+LOG="${security_status_logdir}"
 rc=0
 
 # Usage: COMMAND | check_diff [new_only] LABEL - MSG
@@ -67,7 +75,7 @@ check_diff() {
     [ $rc -lt 1 ] && rc=1
     echo ""
     echo "${msg}"
-    diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \
+    diff ${security_status_diff_flags} ${LOG}/${label}.today \
 	${tmpf} | eval "${filter}"
     mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
     mv ${tmpf} ${LOG}/${label}.today || rc=3

etc/periodic/weekly/450.status-security

@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$weekly_status_security_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo "Security check:"
+
+	case "$weekly_status_security_inline" in
+	    [Yy][Ee][Ss])
+		weekly_status_security_output="";;
+	esac
+
+	export security_output="${weekly_status_security_output}"
+	case "${weekly_status_security_output}" in
+	    "")
+		rc=3;;
+	    /*)
+		echo "    (output logged separately)"
+		rc=0;;
+	    *)
+		echo "    (output mailed separately)"
+		rc=0;;
+	esac
+
+	periodic security || rc=3;;
+
+    *)  rc=0;;
+esac
+
+exit $rc

etc/periodic/weekly/Makefile

@@ -3,6 +3,7 @@
 .include <bsd.own.mk>
 
 FILES=	340.noid \
+	450.status-security \
 	999.local
 
 # NB: keep these sorted by MK_* knobs

share/man/man5/periodic.conf.5

@@ -1,4 +1,4 @@
-.\"-
+\"-
 .\" Copyright (c) 2000 Brian Somers <brian@Awfulhak.org>
 .\" All rights reserved.
 .\"
@@ -482,26 +482,42 @@ This variable behaves in the same way as the
 .Va *_output
 variables above, namely it can be set either to one or more email addresses
 or to an absolute file name.
-.It Va daily_status_security_diff_flags
+.It Va security_status_diff_flags
 .Pq Vt str
 Set to the arguments to pass to the
 .Xr diff 1
 utility when generating differences.
 The default is
 .Fl b u .
-.It Va daily_status_security_chksetuid_enable
+.It Va security_status_chksetuid_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to compare the modes and modification times of setuid executables with
 the previous day's values.
-.It Va daily_status_security_chkportsum_enable
+.It Va security_status_chksetuid_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_chkportsum_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to verify checksums of all installed packages against the known checksums in
 .Pa /var/db/pkg .
-.It Va daily_status_security_neggrpperm_enable
+.It Va security_status_chkportsum_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_neggrpperm_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
@@ -509,35 +525,67 @@ to check for files where the group of a file has less permissions than
 the world at large.
 When users are in more than 14 supplemental groups these negative
 permissions may not be enforced via NFS shares.
-.It Va daily_status_security_chkmounts_enable
+.It Va security_status_neggrpperm_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_chkmounts_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to check for changes mounted file systems to the previous day's values.
-.It Va daily_status_security_noamd
+.It Va security_status_chkmounts_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_noamd
 .Pq Vt bool
 Set to
 .Dq Li YES
 if you want to ignore
 .Xr amd 8
 mounts when comparing against yesterday's file system mounts in the
-.Va daily_status_security_chkmounts_enable
+.Va security_status_chkmounts_enable
 check.
-.It Va daily_status_security_chkuid0_enable
+.It Va security_status_chkuid0_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to check
 .Pa /etc/master.passwd
 for accounts with UID 0.
-.It Va daily_status_security_passwdless_enable
+.It Va security_status_chkuid0_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_passwdless_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to check
 .Pa /etc/master.passwd
 for accounts with empty passwords.
-.It Va daily_status_security_logincheck_enable
+.It Va security_status_passwdless_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_logincheck_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
@@ -546,49 +594,105 @@ to check
 ownership, see
 .Xr login.conf 5
 for more information.
-.It Va daily_status_security_ipfwdenied_enable
+.It Va security_status_logincheck_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_ipfwdenied_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to show log entries for packets denied by
 .Xr ipfw 8
 since yesterday's check.
-.It Va daily_status_security_ipfdenied_enable
+.It Va security_status_ipfwdenied_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_ipfdenied_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to show log entries for packets denied by
 .Xr ipf 8
 since yesterday's check.
-.It Va daily_status_security_pfdenied_enable
+.It Va security_status_ipfdenied_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_pfdenied_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to show log entries for packets denied by
 .Xr pf 4
 since yesterday's check.
-.It Va daily_status_security_ipfwlimit_enable
+.It Va security_status_pfdenied_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_ipfwlimit_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to display
 .Xr ipfw 8
 rules that have reached their verbosity limit.
-.It Va daily_status_security_kernelmsg_enable
+.It Va security_status_ipfwlimit_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_kernelmsg_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to show new
 .Xr dmesg 8
 entries since yesterday's check.
-.It Va daily_status_security_loginfail_enable
+.It Va security_status_kernelmsg_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_loginfail_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
 to display failed logins from
 .Pa /var/log/messages
 in the previous day.
-.It Va daily_status_security_tcpwrap_enable
+.It Va security_status_loginfail_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_tcpwrap_enable
 .Pq Vt bool
 Set to
 .Dq Li YES
@@ -597,6 +701,14 @@ to display connections denied by tcpwrappers (see
 from
 .Pa /var/log/messages
 during the previous day.
+.It Va security_status_tcpwrap_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
 .It Va daily_status_mail_rejects_enable
 .Pq Vt bool
 Set to
@@ -709,6 +821,18 @@ An orphaned file is one with an invalid owner or group.
 A list of directories under which orphaned files are searched for.
 This would usually be set to
 .Pa / .
+.It Va weekly_status_security_enable
+.Pq Vt bool
+Weekly counterpart of
+.Va daily_status_securiy_enable .
+.It Va weekly_status_security_inline
+.Pq Vt bool
+Weekly counterpart of
+.Va daily_status_securiy_inline .
+.It Va weekly_status_security_output
+.Pq Vt str
+Weekly counterpart of
+.Va daily_status_securiy_output .
 .It Va weekly_status_pkg_enable
 .Pq Vt bool
 Set to
@@ -776,6 +900,18 @@ Set to
 if you want to do login accounting using the
 .Xr ac 8
 command.
+.It Va monthly_status_security_enable
+.Pq Vt bool
+Monthly counterpart of
+.Va daily_status_securiy_enable .
+.It Va monthly_status_security_inline
+.Pq Vt bool
+Monthly counterpart of
+.Va daily_status_securiy_inline .
+.It Va monthly_status_security_output
+.Pq Vt str
+Monthly counterpart of
+.Va daily_status_securiy_output .
 .It Va monthly_local
 .Pq Vt str
 Set to a list of extra scripts that should be run after all other