Diffstat (limited to 'etc/defaults')
-rw-r--r-- | etc/defaults/periodic.conf | 147 |
1 files changed, 124 insertions, 23 deletions
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index 4dc2478..5dd7fa9 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES" # Also submit queue
 # 450.status-security
 daily_status_security_enable="YES" # Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO" # Run inline ?
+daily_status_security_output="root" # user or /file
 # 460.status-mail-rejects
 daily_status_mail_rejects_enable="YES" # Check mail rejects
@@ -163,59 +165,78 @@ daily_local="/etc/daily.local" # Local scripts
 # Security options
 # These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO" # Run inline ?
-daily_status_security_output="root" # user or /file
-daily_status_security_logdir="/var/log" # Directory for logs
-daily_status_security_diff_flags="-b -u" # flags for diff output
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log" # Directory for logs
+security_status_diff_flags="-b -u" # flags for diff output
+
+# Each of the security_status_*_enable options below can have one of the
+# following values:
+# - NO
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
 # 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
 # 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
 # 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:" # Don't check matching
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:" # Don't check matching
 # FS types
-daily_status_security_noamd="NO" # Don't check amd mounts
+security_status_noamd="NO" # Don't check amd mounts
 # 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
 # 400.passwdless
-daily_status_security_passwdless_enable="YES"
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
 # 410.logincheck
-daily_status_security_logincheck_enable="YES"
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
 # 460.chkportsum
-daily_status_security_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_enable="NO" # Check ports w/ wrong checksum
+security_status_chkportsum_period="daily"
 # 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
 # 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
 # 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
 # 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
 # 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
 # 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
 # 800.loginfail
-daily_status_security_loginfail_enable="YES"
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
 # 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
 # Weekly options
@@ -248,6 +269,12 @@ weekly_status_pkg_enable="NO" # Find out-of-date pkgs
 pkg_version=pkg_version # Use this program
 pkg_version_index=/usr/ports/INDEX-10 # Use this index file
+# 450.status-security
+weekly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO" # Run inline ?
+weekly_status_security_output="root" # user or /file
+
 # 999.local
 weekly_local="/etc/weekly.local" # Local scripts
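Review bot: The new "Each of the security_status_*_enable options below can have one of the following values: NO / daily / weekly" comment does not describe the variables this hunk actually adds: every `security_status_*_enable` is set to YES or NO, and the schedule lives in a separate `security_status_*_period` variable, which the rest of this commit also accepts as `monthly`. The "spawned in daily and weekly 450.status-security" line has the same gap, since a monthly 450.status-security runner is added elsewhere in the diff. An administrator reading this file will set `_enable="weekly"` and get a check that never runs. I would replace the five-line list with `# security_status_*_enable is YES or NO; the matching security_status_*_period` / `# selects the run in which the check is performed: daily, weekly or monthly` / `# (NO disables it when the script is run directly from crontab(5)).`, and change the spawn comment to `# daily, weekly and monthly 450.status-security.`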
@@ -267,6 +294,12 @@ monthly_show_badconfig="NO" # scripts returning 2
 # 200.accounting
 monthly_accounting_enable="YES" # Login accounting
+# 450.status-security
+monthly_status_security_enable="YES" # Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO" # Run inline ?
+monthly_status_security_output="root" # user or /file
+
 # 999.local
 monthly_local="/etc/monthly.local" # Local scripts
@@ -276,6 +309,74 @@ monthly_local="/etc/monthly.local" # Local scripts
 if [ -z "${source_periodic_confs_defined}" ]; then
 source_periodic_confs_defined=yes
+
+ # Compatibility with old daily variable names.
+ # They can be removed in stable/11.
+ security_daily_compat_var() {
+ local var=$1 dailyvar value
+
+ dailyvar=daily_status_security${#status_security}
+ periodvar=${var%enable}period
+ eval value=\"\$$dailyvar\"
+ [ -z "$value" ] && return
+ echo "Warning: Variable \$$dailyvar is deprecated," \
+ "use \$$var instead." >&2
+ case "$value" in
+ [Yy][Ee][Ss])
+ $var=YES
+ $periodvar=daily
+ ;;
+ *)
+ $var="$value"
+ ;;
+ esac
+ }
+
+ check_yesno_period() {
+ local var="$1" periodvar value period
+
+ eval value=\"\$$var\"
+ case "$value" in
+ [Yy][Ee][Ss]) ;;
+ *) return 1 ;;
+ esac
+
+ periodvar=${var%enable}period
+ eval period=\"\$$periodvar\"
+ case "$PERIODIC" in
+ "security daily")
+ case "$period" in
+ [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security weekly")
+ case "$period" in
+ [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ "security monthly")
+ case "$period" in
+ [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+ *) return 1 ;;
+ esac
+ ;;
+ security)
+ # Run directly from crontab(5).
+ case "$period" in
+ [Nn][Oo]) return 1 ;;
+ *) return 0 ;;
+ esac
+ ;;
+ *)
+ echo "ASSERTION FAILED: Unexpected value for " \
+ "\$PERIODIC: '$PERIODIC'" >&2
+ exit 127
+ ;;
+ esac
+ }
+
 source_periodic_confs() {
 local i sourced_files |
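Review bot: security_daily_compat_var never applies the legacy value it warns about: `$var=YES`, `$periodvar=daily` and `$var="$value"` are not assignments in sh, because a word that begins with a parameter expansion is taken as a command name, so the shell tries to execute a command called `security_status_chksetuid_enable=YES` and the new variable keeps its default. The net effect is that an administrator's existing `daily_status_security_*` settings, including any checks they had turned off or on, are silently ignored apart from the warning. The lookup name is also built from `${#status_security}`, which is the length of a (presumably unset) variable `status_security` and yields `daily_status_security0`; the intended suffix looks like `${var#security_status}`, i.e. the old name with the new prefix stripped, though the name mapping should be confirmed against the callers. `periodvar` should additionally be declared local like the other temporaries, since the function is sourced into every periodic script. check_yesno_period reads as intended; the rewrite below covers only the compat function, which is complete within the hunk.
```sh
	security_daily_compat_var() {
		local var=$1 dailyvar periodvar value

		# Derive the pre-rename variable from the new name by swapping
		# the security_status prefix back to daily_status_security.
		dailyvar=daily_status_security${var#security_status}
		# … unchanged: periodvar, value lookup, empty check, deprecation warning …
		case "$value" in
		[Yy][Ee][Ss])
			# The target name is held in a variable, so the assignment
			# has to go through eval; "$var=..." alone runs a command.
			eval "$var=YES"
			eval "$periodvar=daily"
			;;
		*)
			# Quote so $value is not re-expanded by the eval.
			eval "$var=\"\$value\""
			;;
		esac
	}
```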