2 files changed, 165 insertions, 64 deletions

diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index e630e1d..9fb6859 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -128,7 +128,9 @@ daily_status_include_submit_mailq="YES"			# Also submit queue
 
 # 450.status-security
 daily_status_security_enable="YES"			# Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO"			# Run inline ?
+daily_status_security_output="root"			# user or /file
 
 # 460.status-mail-rejects
 daily_status_mail_rejects_enable="YES"			# Check mail rejects
@@ -160,64 +162,6 @@ daily_scrub_zfs_default_threshold="35"		# days between scrubs
 daily_local="/etc/daily.local"				# Local scripts
 
 
-# Security options
-
-# These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO"			# Run inline ?
-daily_status_security_output="root"			# user or /file
-daily_status_security_noamd="NO"			# Don't check amd mounts
-daily_status_security_logdir="/var/log"			# Directory for logs
-daily_status_security_diff_flags="-b -u"		# flags for diff output
-
-# 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
-
-# 110.neggrpperm
-daily_status_security_neggrpperm_enable="YES"
-
-# 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^amd:"		# Don't check matching
-							# FS types
-
-# 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
-
-# 400.passwdless
-daily_status_security_passwdless_enable="YES"
-
-# 410.logincheck
-daily_status_security_logincheck_enable="YES"
-
-# 460.chkportsum
-daily_status_security_chkportsum_enable="NO"	# Check ports w/ wrong checksum
-
-# 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
-
-# 510.ipfdenied
-daily_status_security_ipfdenied_enable="YES"
-
-# 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
-
-# 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
-
-# 610.ipf6denied
-daily_status_security_ipf6denied_enable="YES"
-
-# 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
-
-# 800.loginfail
-daily_status_security_loginfail_enable="YES"
-
-# 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
-
-
 # Weekly options
 
 # These options are used by periodic(8) itself to determine what to do
@@ -248,6 +192,12 @@ weekly_status_pkg_enable="NO"				# Find out-of-date pkgs
 pkg_version=pkg_version					# Use this program
 pkg_version_index=/usr/ports/INDEX-10			# Use this index file
 
+# 450.status-security
+weekly_status_security_enable="YES"			# Security check
+# See also "Security options" above for more options
+weekly_status_security_inline="NO"			# Run inline ?
+weekly_status_security_output="root"			# user or /file
+
 # 999.local
 weekly_local="/etc/weekly.local"			# Local scripts
 
@@ -267,15 +217,170 @@ monthly_show_badconfig="NO"				# scripts returning 2
 # 200.accounting
 monthly_accounting_enable="YES"				# Login accounting
 
+# 450.status-security
+monthly_status_security_enable="YES"			# Security check
+# See also "Security options" above for more options
+monthly_status_security_inline="NO"			# Run inline ?
+monthly_status_security_output="root"			# user or /file
+
 # 999.local
 monthly_local="/etc/monthly.local"			# Local scripts
 
 
+# Security options
+
+# These options are used by the security periodic(8) scripts spawned in
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log"			# Directory for logs
+security_status_diff_flags="-b -u"			# flags for diff output
+
+# Each of the security_status_*_period options below can have one of the
+# following values:
+# - NO: do not run at all
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
+# - monthly: only run during the monthly security status
+# Note that if periodic security scripts are run from crontab(5) directly,
+# they will be run unless _enable or _period is set to "NO".
+
+# 100.chksetuid
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
+
+# 110.neggrpperm
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
+
+# 200.chkmounts
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^amd:"		# Don't check matching
+							# FS types
+security_status_noamd="NO"				# Don't check amd mounts
+
+# 300.chkuid0
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
+
+# 400.passwdless
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
+
+# 410.logincheck
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
+
+# 460.chkportsum
+security_status_chkportsum_enable="NO"		# Check ports w/ wrong checksum
+security_status_chkportsum_period="daily"
+
+# 500.ipfwdenied
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
+
+# 510.ipfdenied
+security_status_ipfdenied_enable="YES"
+security_status_ipfdenied_period="daily"
+
+# 520.pfdenied
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
+
+# 550.ipfwlimit
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
+
+# 610.ipf6denied
+security_status_ipf6denied_enable="YES"
+security_status_ipf6denied_period="daily"
+
+# 700.kernelmsg
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
+
+# 800.loginfail
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
+
+# 900.tcpwrap
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
+
+
+
 # Define source_periodic_confs, the mechanism used by /etc/periodic/*/*
 # scripts to source defaults/periodic.conf overrides safely.
 
 if [ -z "${source_periodic_confs_defined}" ]; then
         source_periodic_confs_defined=yes
+
+	# Compatibility with old daily variable names.
+	# They can be removed in stable/11.
+	security_daily_compat_var() {
+		local var=$1 dailyvar value
+
+		dailyvar=daily_status_security${#status_security}
+		periodvar=${var%enable}period
+		eval value=\"\$$dailyvar\"
+		[ -z "$value" ] && return
+		echo "Warning: Variable \$$dailyvar is deprecated," \
+		    "use \$$var instead." >&2
+		case "$value" in
+		[Yy][Ee][Ss])
+			$var=YES
+			$periodvar=daily
+			;;
+		*)
+			$var="$value"
+			;;
+		esac
+	}
+
+	check_yesno_period() {
+		local var="$1" periodvar value period
+
+		eval value=\"\$$var\"
+		case "$value" in
+		[Yy][Ee][Ss]) ;;
+		*) return 1 ;;
+		esac
+
+		periodvar=${var%enable}period
+		eval period=\"\$$periodvar\"
+		case "$PERIODIC" in
+		"security daily")
+			case "$period" in
+			[Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		"security weekly")
+			case "$period" in
+			[Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		"security monthly")
+			case "$period" in
+			[Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+			*) return 1 ;;
+			esac
+			;;
+		security)
+			# Run directly from crontab(5).
+			case "$period" in
+			[Nn][Oo]) return 1 ;;
+			*) return 0 ;;
+			esac
+			;;
+		*)
+			echo "ASSERTION FAILED: Unexpected value for " \
+			    "\$PERIODIC: '$PERIODIC'" >&2
+			exit 127
+			;;
+		esac
+	}
+
         source_periodic_confs() {
                 local i sourced_files
 
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 3760fc0..47d5145 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -32,7 +32,6 @@ early_late_divider="FILESYSTEMS"	# Script that separates early/late
 always_force_depends="NO"	# Set to check that indicated dependencies are
 				# running during boot (can increase boot time).
 
-swapfile="NO"		# Set to name of swapfile if aux swapfile desired.
 apm_enable="NO"		# Set to YES to enable APM BIOS functions (or NO).
 apmd_enable="NO"	# Run apmd to handle APM event from userland.
 apmd_flags=""		# Flags to apmd (if enabled).
@@ -84,15 +83,12 @@ geli_autodetach="YES"	# Automatically detach on last close.
 #geli_da1_autodetach="NO"
 #geli_mirror_home_flags="-k /etc/geli/home.keys"
 
-geli_swap_flags="-e aes -l 256 -s 4096 -d"	# Options for GELI-encrypted
-						# swap partitions.
-
 root_rw_mount="YES"	# Set to NO to inhibit remounting root read-write.
 fsck_y_enable="NO"	# Set to YES to do fsck -y if the initial preen fails.
 fsck_y_flags=""		# Additional flags for fsck -y
 background_fsck="YES"	# Attempt to run fsck in the background where possible.
 background_fsck_delay="60" # Time to wait (seconds) before starting the fsck.
-netfs_types="nfs:NFS oldnfs:OLDNFS" # Net filesystems.
+netfs_types="nfs:NFS oldnfs:OLDNFS smbfs:SMB" # Net filesystems.
 extra_netfs_types="NO"	# List of network extra filesystem types for delayed
 			# mount at startup (or NO).