author | cjc <cjc@FreeBSD.org> | 2001-12-07 23:57:39 +0000 |
---|---|---|
committer | cjc <cjc@FreeBSD.org> | 2001-12-07 23:57:39 +0000 |
commit | ba1e7b85770ec4a614f79c25d579dcd341018bdd (patch) | |
tree | a90b7b90f63cfbd9961c5d653c2f3a139806e2b1 /etc/periodic/security | |
parent | be29456bc43b8c5ac3ee45ea4f345a65df0637ff (diff) | |
Long ago, there was just /etc/daily. Then /etc/security was split out
of /etc/daily. Some time later, /etc/daily became a set of periodic(8)
scripts. Now, this evolution continues, and /etc/security has been
broken into periodic(8) scripts to make local customization easier and
more maintainable.
Reviewed by: ru
Approved by: ru
Diffstat (limited to 'etc/periodic/security')
-rwxr-xr-x | etc/periodic/security/100.chksetuid | 75 | ||||
-rwxr-xr-x | etc/periodic/security/200.chkmounts | 73 | ||||
-rwxr-xr-x | etc/periodic/security/300.chkuid0 | 51 | ||||
-rwxr-xr-x | etc/periodic/security/400.passwdless | 48 | ||||
-rwxr-xr-x | etc/periodic/security/500.ipfwdenied | 69 | ||||
-rwxr-xr-x | etc/periodic/security/550.ipfwlimit | 61 | ||||
-rwxr-xr-x | etc/periodic/security/600.ip6fwdenied | 69 | ||||
-rwxr-xr-x | etc/periodic/security/650.ip6fwlimit | 61 | ||||
-rwxr-xr-x | etc/periodic/security/700.kernelmsg | 68 | ||||
-rwxr-xr-x | etc/periodic/security/800.loginfail | 62 | ||||
-rwxr-xr-x | etc/periodic/security/900.tcpwrap | 62 | ||||
-rw-r--r-- | etc/periodic/security/Makefile | 15 |
12 files changed, 714 insertions, 0 deletions
diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid
new file mode 100755
index 0000000..df0ce8c
--- /dev/null
+++ b/etc/periodic/security/100.chksetuid
@@ -0,0 +1,75 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_chksetuid_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking setuid files and devices:'
+ # XXX Note that there is the possibility of overrunning the args to ls
+ MP=`mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
+ set ${MP}
+ while [ $# -ge 1 ]; do
+ mount=$1
+ shift
+ find $mount -xdev -type f \
+ \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
+ \( -perm -u+s -or -perm -g+s \) -print0
+ done | xargs -0 -n 20 ls -liTd | sort +10 > ${TMP}
+
+ if [ ! -f ${LOG}/setuid.today ]; then
+ rc=1
+ echo "No ${LOG}/setuid.today"
+ cp ${TMP} ${LOG}/setuid.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/setuid.today ${TMP} >/dev/null
+ then
+ [ $rc -lt 1 ] && rc=1
+ echo "${host} setuid diffs:"
+ diff -w ${LOG}/setuid.today ${TMP}
+ mv ${LOG}/setuid.today ${LOG}/setuid.yesterday || rc=3
+ mv ${TMP} ${LOG}/setuid.today || rc=3
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts
new file mode 100755
index 0000000..9b19675
--- /dev/null
+++ b/etc/periodic/security/200.chkmounts
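Review bot: In 100.chksetuid, `TMP=/var/run/_secure.$$` is a PID-derived, predictable scratch path that a root-run script then writes through with `>`; 200.chkmounts, 500.ipfwdenied, 550.ipfwlimit, 600.ip6fwdenied, 650.ip6fwlimit and 700.kernelmsg repeat the same assignment. How exposed that is depends on /var/run being writable only by root, which nothing here checks, so creating the file atomically is the safer habit: `TMP=$(mktemp /var/run/_secure.XXXXXXXXXX) || exit 3`. Separately, `set ${MP}` with an empty `MP` runs plain `set`, which would print every shell variable into the report; `set -- ${MP}` avoids that, and `find "$mount"` should be quoted.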
@@ -0,0 +1,73 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show changes in the way filesystems are mounted
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+ignore="${daily_status_security_chkmounts_ignore}"
+rc=0
+
+case "$daily_status_security_chkmounts_enable" in
+ [Yy][Ee][Ss])
+ case "$daily_status_security_noamd" in
+ [Yy][Ee][Ss])
+ ignore="${ignore}|^amd:"
+ esac
+ [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
+ if mount -p | ${cmd} > ${TMP}; then
+ if [ ! -f ${LOG}/mount.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/mount.today"
+ cp ${TMP} ${LOG}/mount.today || rc=3
+ fi
+ if ! cmp ${LOG}/mount.today ${TMP} >/dev/null 2>&1; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} changes in mounted filesystems:"
+ diff -b ${LOG}/mount.today ${TMP}
+ mv ${LOG}/mount.today ${LOG}/mount.yesterday || rc=3
+ mv ${TMP} ${LOG}/mount}.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit "$rc"
diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0
new file mode 100755
index 0000000..32cc16c
--- /dev/null
+++ b/etc/periodic/security/300.chkuid0
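Review bot: In 200.chkmounts the final rename has a stray brace, `mv ${TMP} ${LOG}/mount}.today || rc=3`, so the new snapshot lands in a file literally named `mount}.today` after `mount.today` has already been moved to `mount.yesterday`. The baseline is therefore missing on the next run, which prints the "No …/mount.today" notice and re-seeds it from whatever is mounted at that moment, so a mount change made between the two runs is never diffed. The line should read `mv ${TMP} ${LOG}/mount.today || rc=3`. The `cmd="egrep -v ${ignore#|}"` string is also expanded unquoted at `${cmd}`, so an ignore pattern containing whitespace or glob characters would be split or expanded before egrep sees it.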
@@ -0,0 +1,51 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_security_chkuid0_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking for uids of 0:'
+ n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
+ tee /dev/stderr |
+ sed -e '/^root 0$/d' -e '/^toor 0$/d' |
+ wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit "$rc"
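Review bot: 300.chkuid0 has no purpose comment (most of its siblings carry a `# Show …` line) and the pipeline order needs explaining: `tee /dev/stderr` sits before the `sed` that deletes `root 0` and `toor 0`, so those two accounts are printed in the report while only other uid-0 entries count toward `rc=1`. A comment such as `# Print every uid-0 account, but only flag ones other than root/toor` above the `n=$(…)` line would make that intent explicit. The listing also goes to stderr while the heading goes to stdout, so it appears in the report only if the caller captures both streams; 400.passwdless, 800.loginfail and 900.tcpwrap use the same `tee /dev/stderr` idiom.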
diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless
new file mode 100755
index 0000000..42ece04
--- /dev/null
+++ b/etc/periodic/security/400.passwdless
@@ -0,0 +1,48 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_status_security_passwdless_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking for passwordless accounts:'
+ n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit "$rc"
diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied
new file mode 100755
index 0000000..ac08b4b
--- /dev/null
+++ b/etc/periodic/security/500.ipfwdenied
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show denied packets
+#
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ipfwdenied_enable" in
+ [Yy][Ee][Ss])
+ if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+ if [ ! -f ${LOG}/ipfw.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/ipfw.today"
+ cp ${TMP} ${LOG}/ipfw.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/ipfw.today ${TMP} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} denied packets:"
+ diff -b ${LOG}/ipfw.today ${TMP} | egrep "^>"
+ mv ${LOG}/ipfw.today ${LOG}/ipfw.yesterday || rc=3
+ mv ${TMP} ${LOG}/ipfw.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit
new file mode 100755
index 0000000..3bc13b8
--- /dev/null
+++ b/etc/periodic/security/550.ipfwlimit
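Review bot: In 500.ipfwdenied the `if` tests only egrep's exit status, and `2>/dev/null` hides ipfw's own errors, so a failing `ipfw -a l` is indistinguishable from a ruleset with no deny/reset/unreach rules and the check silently reports nothing. For a security report that silent path deserves at least a comment, for example `# NB: status is egrep's; an ipfw failure looks like "no matching rules"`, or an explicit earlier check that `ipfw -a l` succeeds. 600.ip6fwdenied has the same structure with `ip6fw`.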
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ipfw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ipfwlimit_enable" in
+ [Yy][Ee][Ss])
+ IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
+ if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
+ ipfw -a l | grep " log " | perl -n -e \
+ '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
+ if [ -s "${TMP}" ]; then
+ rc=1
+ echo ""
+ echo 'ipfw log limit reached:'
+ cat ${TMP}
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/600.ip6fwdenied b/etc/periodic/security/600.ip6fwdenied
new file mode 100755
index 0000000..36315c2
--- /dev/null
+++ b/etc/periodic/security/600.ip6fwdenied
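Review bot: In 550.ipfwlimit the test `[ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]` joins both checks with `-a`, so when sysctl fails and the variable is empty the `-ne` operand may still be evaluated and put a test(1) error into the report instead of skipping cleanly. Splitting the test keeps the numeric comparison behind the status check: `if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then`. The value is also spliced unquoted into the perl program text (`'$IPFW_LOG_LIMIT'`); passing it through the environment or as an argument would keep data out of the code string. 650.ip6fwlimit repeats both patterns.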
@@ -0,0 +1,69 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show IPv6 denied packets
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_ip6fwdenied_enable" in
+ [Yy][Ee][Ss])
+ if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+ if [ ! -f ${LOG}/ip6fw.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/ip6fw.today"
+ cp ${TMP} ${LOG}/ip6fw.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/ip6fw.today ${TMP} >/dev/null; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} IPv6 denied packets:"
+ diff -b ${LOG}/ip6fw.today ${TMP} |
+ egrep "^>"
+ mv ${LOG}/ip6fw.today ${LOG}/ip6fw.yesterday || rc=3
+ mv ${TMP} ${LOG}/ip6fw.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/650.ip6fwlimit b/etc/periodic/security/650.ip6fwlimit
new file mode 100755
index 0000000..96af389
--- /dev/null
+++ b/etc/periodic/security/650.ip6fwlimit
@@ -0,0 +1,61 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show ip6fw rules which have reached the log limit
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+rc=0
+
+case "$daily_status_security_ip6fwlimit_enable" in
+ [Yy][Ee][Ss])
+ IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
+ if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
+ ip6fw -a l | grep " log " | perl -n -e \
+ '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
+ if [ -s "${TMP}" ]; then
+ rc=1
+ echo ""
+ echo 'ip6fw log limit reached:'
+ cat ${TMP}
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg
new file mode 100755
index 0000000..a0b6a00
--- /dev/null
+++ b/etc/periodic/security/700.kernelmsg
@@ -0,0 +1,68 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show kernel log messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+TMP=/var/run/_secure.$$
+LOG="${daily_status_security_logdir}"
+rc=0
+
+case "$daily_status_security_kernelmsg_enable" in
+ [Yy][Ee][Ss])
+ if dmesg -a 2>/dev/null > ${TMP}; then
+ if [ ! -f ${LOG}/dmesg.today ]; then
+ rc=1
+ echo ""
+ echo "No ${LOG}/dmesg.today"
+ cp ${TMP} ${LOG}/dmesg.today || rc=3
+ fi
+
+ if ! cmp ${LOG}/dmesg.today ${TMP} >/dev/null 2>&1; then
+ [ $rc -lt 1 ] && rc=1
+ echo ""
+ echo "${host} kernel log messages:"
+ diff -b ${LOG}/dmesg.today ${TMP} | egrep "^>"
+ mv ${LOG}/dmesg.today ${LOG}/dmesg.yesterday || rc=3
+ mv ${TMP} ${LOG}/dmesg.today || rc=3
+ fi
+ fi
+ rm -f ${TMP};;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail
new file mode 100755
index 0000000..c4446f5
--- /dev/null
+++ b/etc/periodic/security/800.loginfail
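Review bot: 700.kernelmsg writes the whole `dmesg -a` buffer to `${TMP}` and then moves it to `${LOG}/dmesg.today` without setting a umask, so the snapshot's mode is whatever the invoking environment's umask yields. If that is a permissive value such as 022 (not visible in this hunk), the kernel and console messages become a world-readable copy, and the same applies to the setuid inventory and firewall counters saved by 100.chksetuid, 500.ipfwdenied and 600.ip6fwdenied. A `umask 077` near the top of each script, with a comment such as `# snapshots may hold sensitive state; keep them root-only`, would make the permissions explicit.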
@@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show login failures
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+ find ${LOG} -name 'messages.*' -mtime -2 |
+ sort -t. -r -n +1 -2 |
+ xargs zcat -f
+ [ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_loginfail_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "${host} login failures:"
+ n=$(catmsgs | grep -ia "^$yesterday.*login failure" |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap
new file mode 100755
index 0000000..0dc61dc
--- /dev/null
+++ b/etc/periodic/security/900.tcpwrap
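Review bot: The `catmsgs` helper in 800.loginfail is duplicated verbatim in 900.tcpwrap and orders the rotated logs with the obsolescent key syntax `sort -t. -r -n +1 -2`; the equivalent `sort -t. -r -n -k 2,2` is the portable form. `${LOG}` is also expanded unquoted in `find ${LOG}` and `cat $LOG/messages`, so a log directory containing whitespace would be split into several arguments. A short header comment on `catmsgs`, saying that it emits the recently modified rotated messages files in descending suffix order (presumably oldest first) followed by the live file, would help, because the ordering is otherwise only implied by the sort flags.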
@@ -0,0 +1,62 @@
+#!/bin/sh -
+#
+# Copyright (c) 2001 The FreeBSD Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# Show tcp_wrapper warning messages
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+LOG="${daily_status_security_logdir}"
+
+yesterday=`date -v-1d "+%b %e "`
+
+catmsgs() {
+ find ${LOG} -name 'messages.*' -mtime -2 |
+ sort -t. -r -n +1 -2 |
+ xargs zcat -f
+ [ -f ${LOG}/messages ] && cat $LOG/messages
+}
+
+case "$daily_status_security_tcpwrap_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "${host} refused connections:"
+ n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
+ tee /dev/stderr | wc -l)
+ [ $n -gt 0 ] && rc=1 || rc=0;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile
new file mode 100644
index 0000000..da4152f
--- /dev/null
+++ b/etc/periodic/security/Makefile
@@ -0,0 +1,15 @@
+# $FreeBSD$
+
+BIN= 100.chksetuid \
+ 200.chkmounts \
+ 300.chkuid0 \
+ 400.passwdless \
+ 500.ipfwdenied \
+ 550.ipfwlimit \
+ 600.ip6fwdenied \
+ 650.ip6fwlimit \
+ 700.kernelmsg \
+ 800.loginfail \
+ 900.tcpwrap
+
+.include <bsd.prog.mk> |
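Review bot: 900.tcpwrap filters with `grep -i` while 800.loginfail uses `grep -ia` on the same `catmsgs` stream; without `-a`, a log containing non-text bytes can make grep emit a "Binary file … matches" line instead of the refused-connection entries, which would then be missing from the report. Using `grep -ia "^$yesterday.*refused connect"` keeps the two scripts consistent. Both scripts also match only the traditional `Mon DD` syslog timestamp produced by `date -v-1d "+%b %e "`, which is worth stating in a comment next to the `yesterday=` assignment.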