20 files changed, 200 insertions, 85 deletions

diff --git a/etc/periodic/monthly/450.status-security b/etc/periodic/monthly/450.status-security
new file mode 100755
index 0000000..027c896
--- /dev/null
+++ b/etc/periodic/monthly/450.status-security
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$monthly_status_security_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo "Security check:"
+
+	case "$monthly_status_security_inline" in
+	    [Yy][Ee][Ss])
+		monthly_status_security_output="";;
+	esac
+
+	export security_output="${monthly_status_security_output}"
+	case "${monthly_status_security_output}" in
+	    "")
+		rc=3;;
+	    /*)
+		echo "    (output logged separately)"
+		rc=0;;
+	    *)
+		echo "    (output mailed separately)"
+		rc=0;;
+	esac
+
+	periodic security || rc=3;;
+
+    *)  rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/monthly/Makefile b/etc/periodic/monthly/Makefile
index 77c1d66..d9e4969 100644
--- a/etc/periodic/monthly/Makefile
+++ b/etc/periodic/monthly/Makefile
@@ -2,7 +2,8 @@
 
 .include <bsd.own.mk>
 
-FILES=	999.local
+FILES=	450.status-security \
+	999.local
 
 # NB: keep these sorted by MK_* knobs
 
diff --git a/etc/periodic/security/100.chksetuid b/etc/periodic/security/100.chksetuid
index 5b93b20..95920a6 100755
--- a/etc/periodic/security/100.chksetuid
+++ b/etc/periodic/security/100.chksetuid
@@ -37,10 +37,12 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_chksetuid_enable
+
 rc=0
 
-case "$daily_status_security_chksetuid_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_chksetuid_enable
+then
 	echo ""
 	echo 'Checking setuid files and devices:'
 	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@@ -49,10 +51,6 @@ case "$daily_status_security_chksetuid_enable" in
 	    \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
 	check_diff setuid - "${host} setuid diffs:"
 	rc=$?
-	;;
-    *)
-	rc=0
-	;;
-esac
+fi
 
 exit $rc
diff --git a/etc/periodic/security/110.neggrpperm b/etc/periodic/security/110.neggrpperm
index 68d1e7b..1d545ac 100755
--- a/etc/periodic/security/110.neggrpperm
+++ b/etc/periodic/security/110.neggrpperm
@@ -35,10 +35,12 @@ then
     source_periodic_confs
 fi
 
+security_daily_compat_var security_status_neggrpperm_enable
+
 rc=0
 
-case "$daily_status_security_neggrpperm_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_neggrpperm_enable
+then
 	echo ""
 	echo 'Checking negative group permissions:'
 	MP=`mount -t ufs,zfs | awk '$0 !~ /no(suid|exec)/ { print $3 }'`
@@ -48,7 +50,6 @@ case "$daily_status_security_neggrpperm_enable" in
 	    \( ! -perm +040 -and -perm +004 \) \) \
 	    -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0
-	;;
-esac
+fi
 
 exit $rc
diff --git a/etc/periodic/security/200.chkmounts b/etc/periodic/security/200.chkmounts
index 17b114e..7b14866 100755
--- a/etc/periodic/security/200.chkmounts
+++ b/etc/periodic/security/200.chkmounts
@@ -40,12 +40,16 @@ fi
 
 . /etc/periodic/security/security.functions
 
-ignore="${daily_status_security_chkmounts_ignore}"
+security_daily_compat_var security_status_chkmounts_enable
+security_daily_compat_var security_status_chkmounts_ignore
+security_daily_compat_var security_status_noamd
+
+ignore="${security_status_chkmounts_ignore}"
 rc=0
 
-case "$daily_status_security_chkmounts_enable" in
-    [Yy][Ee][Ss])
-	case "$daily_status_security_noamd" in
+if check_yesno_period security_status_chkmounts_enable
+then
+	case "$security_status_noamd" in
 	    [Yy][Ee][Ss])
 		ignore="${ignore}|^amd:"
 	esac
@@ -55,8 +59,7 @@ case "$daily_status_security_chkmounts_enable" in
 	fi
 	mount -p | sort | ${cmd} |
 	  check_diff mount - "${host} changes in mounted filesystems:"
-	rc=$?;;
-    *)	rc=0;;
-esac
+	rc=$?
+fi
 
 exit "$rc"
diff --git a/etc/periodic/security/300.chkuid0 b/etc/periodic/security/300.chkuid0
index 32cc16c..73578e2 100755
--- a/etc/periodic/security/300.chkuid0
+++ b/etc/periodic/security/300.chkuid0
@@ -36,16 +36,19 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_chkuid0_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_chkuid0_enable
+
+rc=0
+
+if check_yesno_period security_status_chkuid0_enable
+then
 	echo ""
 	echo 'Checking for uids of 0:'
 	n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
 	tee /dev/stderr |
 	sed -e '/^root 0$/d' -e '/^toor 0$/d' |
 	wc -l)
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"
diff --git a/etc/periodic/security/400.passwdless b/etc/periodic/security/400.passwdless
index 42ece04..5e851ac 100755
--- a/etc/periodic/security/400.passwdless
+++ b/etc/periodic/security/400.passwdless
@@ -35,14 +35,17 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_passwdless_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_passwdless_enable
+
+rc=0
+
+if check_yesno_period security_status_passwdless_enable
+then
 	echo ""
 	echo 'Checking for passwordless accounts:'
 	n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
 	    tee /dev/stderr | wc -l)
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"
diff --git a/etc/periodic/security/410.logincheck b/etc/periodic/security/410.logincheck
index f6cf405..41e7f65 100755
--- a/etc/periodic/security/410.logincheck
+++ b/etc/periodic/security/410.logincheck
@@ -35,8 +35,12 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_logincheck_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_logincheck_enable
+
+rc=0
+
+if check_yesno_period security_status_logincheck_enable
+then
 	echo ""
 	echo 'Checking login.conf permissions:'
 	if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
@@ -45,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in
 	    echo "Bad ownership of /etc/login.conf"
 	    n=1
 	fi
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"
diff --git a/etc/periodic/security/460.chkportsum b/etc/periodic/security/460.chkportsum
index 3a39c84..18a12ec 100755
--- a/etc/periodic/security/460.chkportsum
+++ b/etc/periodic/security/460.chkportsum
@@ -35,13 +35,15 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_chkportsum_enable
+
 rc=0
 
 echo ""
 echo 'Checking for ports with mismatched checksums:'
 
-case "${daily_status_security_chkportsum_enable}" in
-	[Yy][Ee][Ss])
+if check_yesno_period security_status_chkportsum_enable
+then
 	set -f
 	pkg_info -ga 2>/dev/null | \
 	while IFS= read -r line; do
@@ -59,10 +61,6 @@ case "${daily_status_security_chkportsum_enable}" in
 			;;
 		esac
 	done
-	;;
-	*)
-	rc=0
-	;;
-esac
+fi
 
 exit $rc
diff --git a/etc/periodic/security/500.ipfwdenied b/etc/periodic/security/500.ipfwdenied
index 6a6fb8b4..f39ca0e 100755
--- a/etc/periodic/security/500.ipfwdenied
+++ b/etc/periodic/security/500.ipfwdenied
@@ -37,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_ipfwdenied_enable
+
 rc=0
 
-case "$daily_status_security_ipfwdenied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwdenied_enable
+then
 	TMP=`mktemp -t security`
 	if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
 	  check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
 	fi
 	rc=$?
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc
diff --git a/etc/periodic/security/510.ipfdenied b/etc/periodic/security/510.ipfdenied
index 2058d2b..bed75e6 100755
--- a/etc/periodic/security/510.ipfdenied
+++ b/etc/periodic/security/510.ipfdenied
@@ -37,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_ipfdenied_enable
+
 rc=0
 
-case "$daily_status_security_ipfdenied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfdenied_enable
+then
 	TMP=`mktemp -t security`
 	if ipfstat -nhio 2>/dev/null | grep block > ${TMP}; then
 	  check_diff new_only ipf ${TMP} "${host} ipf denied packets:"
 	fi
 	rc=$?
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc
diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied
index 5e51393..7a32bf2 100755
--- a/etc/periodic/security/520.pfdenied
+++ b/etc/periodic/security/520.pfdenied
@@ -37,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_pfdenied_enable
+
 rc=0
 
-case "$daily_status_security_pfdenied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_pfdenied_enable
+then
 	TMP=`mktemp -t security`
 	if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
 	  check_diff new_only pf ${TMP} "${host} pf denied packets:"
 	fi
 	rc=$?
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc
diff --git a/etc/periodic/security/550.ipfwlimit b/etc/periodic/security/550.ipfwlimit
index daa0f86..86932c6 100755
--- a/etc/periodic/security/550.ipfwlimit
+++ b/etc/periodic/security/550.ipfwlimit
@@ -38,10 +38,12 @@ then
     source_periodic_confs
 fi
 
+security_daily_compat_var security_status_ipfwlimit_enable
+
 rc=0
 
-case "$daily_status_security_ipfwlimit_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwlimit_enable
+then
 	IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
 	if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
 		exit 0
@@ -61,8 +63,7 @@ case "$daily_status_security_ipfwlimit_enable" in
 		echo 'ipfw log limit reached:'
 		cat ${TMP}
 	fi
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc
diff --git a/etc/periodic/security/610.ipf6denied b/etc/periodic/security/610.ipf6denied
index 6c64d92..7e02cfc 100755
--- a/etc/periodic/security/610.ipf6denied
+++ b/etc/periodic/security/610.ipf6denied
@@ -37,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_ipf6denied_enable
+
 rc=0
 
-case "$daily_status_security_ipf6denied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipf6denied_enable
+then
 	TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
 	if ipfstat -nhio6 2>/dev/null | grep block > ${TMP}; then
 	 check_diff new_only ipf6 ${TMP} "${host} ipf6 denied packets:"
 	fi
 	rc=$?
-	rm -f ${TMP};;
-    *)	rc=0;;
-esac
+	rm -f ${TMP}
+fi
 
 exit $rc
diff --git a/etc/periodic/security/700.kernelmsg b/etc/periodic/security/700.kernelmsg
index fb5ed63..8bf6491 100755
--- a/etc/periodic/security/700.kernelmsg
+++ b/etc/periodic/security/700.kernelmsg
@@ -40,14 +40,15 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_kernelmsg_enable
+
 rc=0
 
-case "$daily_status_security_kernelmsg_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_kernelmsg_enable
+then
 	dmesg 2>/dev/null |
 	    check_diff new_only dmesg - "${host} kernel log messages:"
-	rc=$?;;
-    *)	rc=0;;
-esac
+	rc=$?
+fi
 
 exit $rc
diff --git a/etc/periodic/security/800.loginfail b/etc/periodic/security/800.loginfail
index 767b959..a0de96d 100755
--- a/etc/periodic/security/800.loginfail
+++ b/etc/periodic/security/800.loginfail
@@ -38,7 +38,10 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_loginfail_enable
+
+LOG="${security_status_logdir}"
 
 yesterday=`date -v-1d "+%b %e "`
 
@@ -55,14 +58,15 @@ catmsgs() {
 	[ -f ${LOG}/auth.log ] && cat $LOG/auth.log
 }
 
-case "$daily_status_security_loginfail_enable" in
-    [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_loginfail_enable
+then
 	echo ""
 	echo "${host} login failures:"
 	n=$(catmsgs | egrep -ia "^$yesterday.*: .*(fail|invalid|bad|illegal)" |
 	    tee /dev/stderr | wc -l)
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit $rc
diff --git a/etc/periodic/security/900.tcpwrap b/etc/periodic/security/900.tcpwrap
index 55f7709..10b02e9 100755
--- a/etc/periodic/security/900.tcpwrap
+++ b/etc/periodic/security/900.tcpwrap
@@ -38,7 +38,10 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_tcpwrap_enable
+
+LOG="${security_status_logdir}"
 
 yesterday=`date -v-1d "+%b %e "`
 
@@ -55,14 +58,15 @@ catmsgs() {
 	[ -f ${LOG}/messages ] && cat $LOG/messages
 }
 
-case "$daily_status_security_tcpwrap_enable" in
-    [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_tcpwrap_enable
+then
 	echo ""
 	echo "${host} refused connections:"
 	n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
 	    tee /dev/stderr | wc -l)
-	[ $n -gt 0 ] && rc=1 || rc=0;;
-    *)	rc=0;;
-esac
+	[ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit $rc
diff --git a/etc/periodic/security/security.functions b/etc/periodic/security/security.functions
index f5b8dcd..bc2bcba 100644
--- a/etc/periodic/security/security.functions
+++ b/etc/periodic/security/security.functions
@@ -27,11 +27,19 @@
 # $FreeBSD$
 #
 
+# This is a library file, so we only try to do something when sourced.
+case "$0" in
+*/security.functions) exit 0 ;;
+esac
+
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_diff_flags
+
 #
 # Show differences in the output of an audit command
 #
 
-LOG="${daily_status_security_logdir}"
+LOG="${security_status_logdir}"
 rc=0
 
 # Usage: COMMAND | check_diff [new_only] LABEL - MSG
@@ -67,7 +75,7 @@ check_diff() {
     [ $rc -lt 1 ] && rc=1
     echo ""
     echo "${msg}"
-    diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \
+    diff ${security_status_diff_flags} ${LOG}/${label}.today \
 	${tmpf} | eval "${filter}"
     mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
     mv ${tmpf} ${LOG}/${label}.today || rc=3
diff --git a/etc/periodic/weekly/450.status-security b/etc/periodic/weekly/450.status-security
new file mode 100755
index 0000000..513fbda
--- /dev/null
+++ b/etc/periodic/weekly/450.status-security
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$weekly_status_security_enable" in
+    [Yy][Ee][Ss])
+	echo ""
+	echo "Security check:"
+
+	case "$weekly_status_security_inline" in
+	    [Yy][Ee][Ss])
+		weekly_status_security_output="";;
+	esac
+
+	export security_output="${weekly_status_security_output}"
+	case "${weekly_status_security_output}" in
+	    "")
+		rc=3;;
+	    /*)
+		echo "    (output logged separately)"
+		rc=0;;
+	    *)
+		echo "    (output mailed separately)"
+		rc=0;;
+	esac
+
+	periodic security || rc=3;;
+
+    *)  rc=0;;
+esac
+
+exit $rc
diff --git a/etc/periodic/weekly/Makefile b/etc/periodic/weekly/Makefile
index 7f2eae2..057653d 100644
--- a/etc/periodic/weekly/Makefile
+++ b/etc/periodic/weekly/Makefile
@@ -3,6 +3,7 @@
 .include <bsd.own.mk>
 
 FILES=	340.noid \
+	450.status-security \
 	999.local
 
 # NB: keep these sorted by MK_* knobs