periodic: Sync with FreeBSD current
authorAaron LI <aly@aaronly.me>
Thu, 8 Mar 2018 16:28:24 +0000 (00:28 +0800)
committerSascha Wildner <saw@online.de>
Mon, 12 Mar 2018 14:14:50 +0000 (15:14 +0100)
* Sync periodic scripts, periodic.conf, periodic.conf.5 with FreeBSD
* The "{daily,weekly,monthly}_status_security_<var>_enable" variables are
  replaced by "security_status_<var>_enable" and
  "security_status_<var>_period" (daily, weekly, monthly).
* Keep DFly-specific settings (e.g., HAMMER and HAMMER2 related)
* Ignore the FreeBSD-specific things, e.g., ZFS, GEOM

50 files changed:
Makefile_upgrade.inc
etc/defaults/periodic.conf
etc/periodic/daily/100.clean-disks
etc/periodic/daily/110.clean-tmps
etc/periodic/daily/120.clean-preserve
etc/periodic/daily/130.clean-msgs
etc/periodic/daily/140.clean-rwho
etc/periodic/daily/150.clean-hoststat
etc/periodic/daily/200.backup-passwd
etc/periodic/daily/210.backup-aliases
etc/periodic/daily/300.calendar
etc/periodic/daily/310.accounting
etc/periodic/daily/330.news
etc/periodic/daily/400.status-disks
etc/periodic/daily/410.status-mfi [new file with mode: 0644]
etc/periodic/daily/420.status-network
etc/periodic/daily/430.status-uptime [moved from etc/periodic/daily/430.status-rwho with 71% similarity]
etc/periodic/daily/440.status-mailq
etc/periodic/daily/450.status-security
etc/periodic/daily/460.status-mail-rejects
etc/periodic/daily/500.queuerun
etc/periodic/daily/999.local
etc/periodic/daily/Makefile
etc/periodic/monthly/200.accounting
etc/periodic/monthly/450.status-security [new file with mode: 0644]
etc/periodic/monthly/999.local
etc/periodic/monthly/Makefile
etc/periodic/security/100.chksetuid
etc/periodic/security/110.neggrpperm [copied from etc/periodic/security/900.tcpwrap with 67% similarity]
etc/periodic/security/200.chkmounts
etc/periodic/security/300.chkuid0
etc/periodic/security/400.passwdless
etc/periodic/security/410.logincheck
etc/periodic/security/500.ipfwdenied
etc/periodic/security/520.pfdenied
etc/periodic/security/550.ipfwlimit
etc/periodic/security/600.ip6fwdenied
etc/periodic/security/650.ip6fwlimit
etc/periodic/security/700.kernelmsg
etc/periodic/security/800.loginfail
etc/periodic/security/900.tcpwrap
etc/periodic/security/Makefile
etc/periodic/security/security.functions
etc/periodic/weekly/310.locate
etc/periodic/weekly/320.whatis
etc/periodic/weekly/340.noid
etc/periodic/weekly/450.status-security [new file with mode: 0644]
etc/periodic/weekly/999.local
etc/periodic/weekly/Makefile
share/man/man5/periodic.conf.5

index a8154ce..af639c3 100644 (file)
@@ -3376,6 +3376,7 @@ TO_REMOVE+=/usr/share/man/man2/expreadv.2.gz
 TO_REMOVE+=/etc/periodic/monthly/300.statistics
 TO_REMOVE+=/etc/periodic/weekly/120.clean-kvmdb
 TO_REMOVE+=/etc/periodic/daily/470.status-named
+TO_REMOVE+=/etc/periodic/daily/430.status-rwho
 
 .if !defined(WANT_INSTALLER)
 TO_REMOVE+=/usr/sbin/dfuibe_installer
index 019f53c..b73c288 100644 (file)
 # For a more detailed explanation of all the periodic.conf variables, please
 # refer to the periodic.conf(5) manual page.
 #
-# $FreeBSD: src/etc/defaults/periodic.conf,v 1.7.2.13 2002/11/07 19:43:16 thomas Exp $
+# $FreeBSD: head/etc/defaults/periodic.conf 324738 2017-10-19 03:17:50Z cy $
 #
 
 # What files override these defaults ?
 periodic_conf_files="/etc/periodic.conf /etc/periodic.conf.local"
 
 # periodic script dirs
-local_periodic="/usr/local/etc/periodic /usr/pkg/etc/periodic"
+local_periodic="/usr/local/etc/periodic"
 
+# Max time to sleep to avoid causing congestion on download servers
+anticongestion_sleeptime=3600
 
 # Daily options
 
@@ -46,7 +48,8 @@ daily_clean_tmps_enable="NO"                          # Delete stuff daily
 daily_clean_tmps_dirs="/tmp"                           # Delete under here
 daily_clean_tmps_days="3"                              # If not accessed for
 daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix"
-daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group"
+daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group .snap"
+daily_clean_tmps_ignore="$daily_clean_tmps_ignore .sujournal"
                                                        # Don't delete these
 daily_clean_tmps_verbose="YES"                         # Mention files deleted
 
@@ -65,7 +68,8 @@ daily_clean_rwho_days=7                                       # If not modified for
 daily_clean_rwho_verbose="YES"                         # Mention files deleted
 
 # 150.clean-hoststat
-daily_clean_hoststat_enable="NO"                       # Delete .hoststat daily
+daily_clean_hoststat_enable="YES"                      # Purge sendmail host
+                                                       # status cache daily
 
 # 160.clean-hammer
 daily_clean_hammer_enable="YES"                                # HAMMER maintenance
@@ -97,17 +101,18 @@ daily_news_expire_enable="YES"                             # Run news.expire
 
 # 400.status-disks
 daily_status_disks_enable="YES"                                # Check disk status
-daily_status_disks_df_flags="-k -l -h"                 # df(1) flags for check
+daily_status_disks_df_flags="-l -h"                    # df(1) flags for check
 
-# 410.logincheck                                       # Check /etc/login.conf
-daily_status_security_logincheck_enable="YES"
+# 410.status-mfi
+daily_status_mfi_enable="NO"                           # Check mfiutil(8)
 
 # 420.status-network
 daily_status_network_enable="YES"                      # Check network status
 daily_status_network_usedns="YES"                      # DNS lookups are ok
+daily_status_network_netstat_flags="-d"                        # netstat(1) flags
 
-# 430.status-rwho
-daily_status_rwho_enable="YES"                         # Check system status
+# 430.status-uptime
+daily_status_uptime_enable="YES"                       # Check system uptime
 
 # 440.status-mailq
 daily_status_mailq_enable="YES"                                # Check mail status
@@ -116,69 +121,23 @@ daily_status_include_submit_mailq="YES"                   # Also submit queue
 
 # 450.status-security
 daily_status_security_enable="YES"                     # Security check
-# See "Security options" below for more options
+# See also "Security options" below for more options
+daily_status_security_inline="NO"                      # Run inline ?
+daily_status_security_output="root"                    # user or /file
 
 # 460.status-mail-rejects
 daily_status_mail_rejects_enable="YES"                 # Check mail rejects
 daily_status_mail_rejects_logs=3                       # How many logs to check
+daily_status_mail_rejects_shorten="NO"                 # Shorten output
 
 # 500.queuerun
 daily_queuerun_enable="YES"                            # Run mail queue
-daily_submit_queuerun="NO"                             # Also submit queue
+daily_submit_queuerun="YES"                            # Also submit queue
 
 # 999.local
 daily_local="/etc/daily.local"                         # Local scripts
 
 
-# Security options
-
-# These options are used by the security periodic(8) scripts spawned in
-# 450.status-security above.
-daily_status_security_inline="NO"                      # Run inline ?
-daily_status_security_output="root"                    # user or /file
-daily_status_security_nomfs="NO"                       # Don't check mfs mounts
-daily_status_security_logdir="/var/log"                        # Directory for logs
-daily_status_security_diff_flags="-b"                  # flags for diff output
-
-# 100.chksetuid
-daily_status_security_chksetuid_enable="YES"
-
-# 200.chkmounts
-daily_status_security_chkmounts_enable="YES"
-#daily_status_security_chkmounts_ignore="^mfs:"                # Don't check matching
-                                                       # FS types
-
-# 300.chkuid0
-daily_status_security_chkuid0_enable="YES"
-
-# 400.passwdless
-daily_status_security_passwdless_enable="YES"
-
-# 500.ipfwdenied
-daily_status_security_ipfwdenied_enable="YES"
-
-# 520.pfdenied
-daily_status_security_pfdenied_enable="YES"
-
-# 550.ipfwlimit
-daily_status_security_ipfwlimit_enable="YES"
-
-# 600.ip6fwdenied
-daily_status_security_ip6fwdenied_enable="YES"
-
-# 650.ip6fwlimit
-daily_status_security_ip6fwlimit_enable="YES"
-
-# 700.kernelmsg
-daily_status_security_kernelmsg_enable="YES"
-
-# 800.loginfail
-daily_status_security_loginfail_enable="YES"
-
-# 900.tcpwrap
-daily_status_security_tcpwrap_enable="YES"
-
-
 # Weekly options
 
 # These options are used by periodic(8) itself to determine what to do
@@ -204,6 +163,12 @@ weekly_catman_enable="NO"                          # Preformat man pages
 weekly_noid_enable="NO"                                        # Find unowned files
 weekly_noid_dirs="/"                                   # Look here
 
+# 450.status-security
+weekly_status_security_enable="YES"                    # Security check
+# See also "Security options" below for more options
+weekly_status_security_inline="NO"                     # Run inline ?
+weekly_status_security_output="root"                   # user or /file
+
 # 999.local
 weekly_local="/etc/weekly.local"                       # Local scripts
 
@@ -223,28 +188,197 @@ monthly_show_badconfig="NO"                              # scripts returning 2
 # 200.accounting
 monthly_accounting_enable="YES"                                # Login accounting
 
+# 450.status-security
+monthly_status_security_enable="YES"                   # Security check
+# See also "Security options" below for more options
+monthly_status_security_inline="NO"                    # Run inline ?
+monthly_status_security_output="root"                  # user or /file
 
 # 999.local
 monthly_local="/etc/monthly.local"                     # Local scripts
 
 
+# Security options
+
+security_show_success="YES"                            # scripts returning 0
+security_show_info="YES"                               # scripts returning 1
+security_show_badconfig="NO"                           # scripts returning 2
+
+# These options are used by the security periodic(8) scripts spawned in
+# daily and weekly 450.status-security.
+security_status_logdir="/var/log"                      # Directory for logs
+security_status_diff_flags="-b -u"                     # flags for diff output
+
+# Each of the security_status_*_period options below can have one of the
+# following values:
+# - NO: do not run at all
+# - daily: only run during the daily security status
+# - weekly: only run during the weekly security status
+# - monthly: only run during the monthly security status
+# Note that if periodic security scripts are run from crontab(5) directly,
+# they will be run unless _enable or _period is set to "NO".
+
+# 100.chksetuid
+security_status_chksetuid_enable="YES"
+security_status_chksetuid_period="daily"
+
+# 110.neggrpperm
+security_status_neggrpperm_enable="YES"
+security_status_neggrpperm_period="daily"
+
+# 200.chkmounts
+security_status_chkmounts_enable="YES"
+security_status_chkmounts_period="daily"
+#security_status_chkmounts_ignore="^mfs:"              # Don't check matching
+                                                       # FS types
+security_status_nomfs="NO"                             # Don't check mfs mounts
+
+# 300.chkuid0
+security_status_chkuid0_enable="YES"
+security_status_chkuid0_period="daily"
+
+# 400.passwdless
+security_status_passwdless_enable="YES"
+security_status_passwdless_period="daily"
+
+# 410.logincheck
+security_status_logincheck_enable="YES"
+security_status_logincheck_period="daily"
+
+# 500.ipfwdenied
+security_status_ipfwdenied_enable="YES"
+security_status_ipfwdenied_period="daily"
+
+# 520.pfdenied
+security_status_pfdenied_enable="YES"
+security_status_pfdenied_period="daily"
+
+# 550.ipfwlimit
+security_status_ipfwlimit_enable="YES"
+security_status_ipfwlimit_period="daily"
+
+# 600.ip6fwdenied
+security_status_ip6fwdenied_enable="YES"
+security_status_ip6fwdenied_period="daily"
+
+# 650.ip6fwlimit
+security_status_ip6fwlimit_enable="YES"
+security_status_ip6fwlimit_period="daily"
+
+# 700.kernelmsg
+security_status_kernelmsg_enable="YES"
+security_status_kernelmsg_period="daily"
+
+# 800.loginfail
+security_status_loginfail_enable="YES"
+security_status_loginfail_period="daily"
+
+# 900.tcpwrap
+security_status_tcpwrap_enable="YES"
+security_status_tcpwrap_period="daily"
+
+
+
 # Define source_periodic_confs, the mechanism used by /etc/periodic/*/*
 # scripts to source defaults/periodic.conf overrides safely.
 
 if [ -z "${source_periodic_confs_defined}" ]; then
-        source_periodic_confs_defined=yes
-        source_periodic_confs () {
-                local i sourced_files
-
-                for i in ${periodic_conf_files}; do
-                        case ${sourced_files} in
-                        *:$i:*)
-                                ;;
-                        *)
-                                sourced_files="${sourced_files}:$i:"
-                                [ -r $i ] && . $i
-                                ;;
-                        esac
-                done
-        }
+       source_periodic_confs_defined=yes
+       source_periodic_confs() {
+               local i sourced_files
+
+               for i in ${periodic_conf_files}; do
+                       case ${sourced_files} in
+                       *:$i:*)
+                               ;;
+                       *)
+                               sourced_files="${sourced_files}:$i:"
+                               [ -r $i ] && . $i
+                               ;;
+                       esac
+               done
+       }
+
+       # Sleep for a random amount of time in order to mitigate the thundering
+       # herd problem of multiple hosts running periodic simultaneously.
+       # Will not sleep when used interactively.
+       # Will sleep at most once per invocation of periodic
+       anticongestion() {
+               [ -n "$PERIODIC_IS_INTERACTIVE" ] && return
+               if [ -f "$PERIODIC_ANTICONGESTION_FILE" ]; then
+                       rm -f $PERIODIC_ANTICONGESTION_FILE
+                       sleep `jot -r 1 0 ${anticongestion_sleeptime}`
+               fi
+       }
+
+       # Compatibility with old daily variable names.
+       # They can be removed in stable/11.
+       security_daily_compat_var() {
+               local var=$1 dailyvar value
+
+               dailyvar=daily_status_security${var#security_status}
+               periodvar=${var%enable}period
+               eval value=\"\$$dailyvar\"
+               [ -z "$value" ] && return
+               echo "Warning: Variable \$$dailyvar is deprecated," \
+                   "use \$$var instead." >&2
+               case "$value" in
+               [Yy][Ee][Ss])
+                       eval $var=YES
+                       eval $periodvar=daily
+                       ;;
+               *)
+                       eval $var=\"$value\"
+                       ;;
+               esac
+       }
+
+       check_yesno_period() {
+               local var="$1" periodvar value period
+
+               eval value=\"\$$var\"
+               case "$value" in
+               [Yy][Ee][Ss]) ;;
+               *) return 1 ;;
+               esac
+
+               periodvar=${var%enable}period
+               eval period=\"\$$periodvar\"
+               case "$PERIODIC" in
+               "security daily")
+                       case "$period" in
+                       [Dd][Aa][Ii][Ll][Yy]) return 0 ;;
+                       *) return 1 ;;
+                       esac
+                       ;;
+               "security weekly")
+                       case "$period" in
+                       [Ww][Ee][Ee][Kk][Ll][Yy]) return 0 ;;
+                       *) return 1 ;;
+                       esac
+                       ;;
+               "security monthly")
+                       case "$period" in
+                       [Mm][Oo][Nn][Tt][Hh][Ll][Yy]) return 0 ;;
+                       *) return 1 ;;
+                       esac
+                       ;;
+               security)
+                       # Run directly from crontab(5).
+                       case "$period" in
+                       [Nn][Oo]) return 1 ;;
+                       *) return 0 ;;
+                       esac
+                       ;;
+               '')
+                       # Script run manually.
+                       return 0
+                       ;;
+               *)
+                       echo "ASSERTION FAILED: Unexpected value for" \
+                           "\$PERIODIC: '$PERIODIC'" >&2
+                       exit 127
+                       ;;
+               esac
+       }
 fi
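Review bot: In `security_daily_compat_var`, the fallback branch `eval $var=\"$value\"` expands `$value` before `eval` parses the line, so a deprecated `daily_status_security_*` setting that contains a double quote, backquote or `$` is re-evaluated as shell text instead of being copied; `eval $var=\"\$value\"` copies it verbatim. `periodvar` is also assigned there without being listed in `local var=$1 dailyvar value`, so it leaks into every script that sources this file. Separately, `check_yesno_period` returns 1 for any `_period` value it does not recognise under `security daily`, `security weekly` or `security monthly`, so a misspelled period silently switches a security check off; a warning on stderr for unknown values would make that visible.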
index 78fd80f..9353e4e 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/100.clean-disks,v 1.3.2.6 2001/04/25 12:13:12 ru Exp $
-# $DragonFly: src/etc/periodic/daily/100.clean-disks,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/100.clean-disks 193302 2009-06-02 07:35:51Z brian $
 #
 # Remove garbage files more than $daily_clean_disks_days days old
 #
@@ -30,7 +29,7 @@ case "$daily_clean_disks_enable" in
            echo ""
            echo "Cleaning disks:"
            set -f noglob
-           args="$args -name "`echo "$daily_clean_disks_files" |
+           args="-name "`echo "$daily_clean_disks_files" |
                sed -e 's/^[    ]*//' \
                    -e 's/[     ]*$//' \
                    -e 's/[     ][      ]*/ -o -name /g'`
@@ -42,9 +41,9 @@ case "$daily_clean_disks_enable" in
                    print=;;
            esac
 
-           rc=$(find / \( ! -fstype local -o -fstype rdonly \) -a -prune -o \
-               \( $args \) -atime +$daily_clean_disks_days -delete $print |
-               tee /dev/stderr | wc -l)
+           rc=$(find / \( ! -fstype local -o -fstype rdonly \) -prune -o \
+               \( $args \) -atime +$daily_clean_disks_days \
+               -execdir rm -df {} \; $print | tee /dev/stderr | wc -l)
            [ -z "$print" ] && rc=0
            [ $rc -gt 1 ] && rc=1
            set -f glob
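Review bot: The new `-execdir rm -df {} \;` hands each matched name to rm(1) without an end-of-options marker, and this find starts at `/` from a periodic job. If find substitutes the bare file name for `{}` under `-execdir` (worth confirming in find(1) on DragonFly), a name that begins with `-` is parsed as rm options rather than as a file; `-execdir rm -df -- {} \;` closes that off. The enclosing `case` branch starts and ends outside this hunk.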
index 1643afe..ca8f208 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/110.clean-tmps,v 1.13 2004/02/28 04:58:40 ache Exp $
-# $DragonFly: src/etc/periodic/daily/110.clean-tmps,v 1.3 2007/12/29 21:44:44 matthias Exp $
+# $FreeBSD: head/etc/periodic/daily/110.clean-tmps 271321 2014-09-09 17:03:58Z bdrewery $
 #
 # Perform temporary directory cleaning so that long-lived systems
 # don't end up with excessively old files there.
@@ -46,8 +45,8 @@ case "$daily_clean_tmps_enable" in
            rc=$(for dir in $daily_clean_tmps_dirs
                do
                    [ ."${dir#/}" != ."$dir" -a -d $dir ] && cd $dir && {
-                       find -d . -type f $args -delete $print
-                       find -d . ! -name . -type d $dargs -delete $print
+                       find -x -d . -type f $args -delete $print
+                       find -x -d . ! -name . -type d $dargs -delete $print
                    } | sed "s,^\\.,  $dir,"
                done | tee /dev/stderr | wc -l)
            [ -z "$print" ] && rc=0
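Review bot: The reason for the added `-x` on both `find` calls is not recorded in the script, although it is the flag that keeps the cleaner from descending into other file systems mounted below a directory in `$daily_clean_tmps_dirs`. A comment above the two calls, for example `# -x: stay on this file system; do not clean mounts below $dir`, would keep a later edit from dropping it. The loop is only partly visible in this hunk.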
index ef83891..45518ce 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/120.clean-preserve,v 1.4.2.2 2000/09/20 02:46:15 jkh Exp $
-# $DragonFly: src/etc/periodic/daily/120.clean-preserve,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/120.clean-preserve 65843 2000-09-14 17:19:15Z brian $
 #
 # Remove stale files in /var/preserve
 #
index b30b86c..6584ca1 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/130.clean-msgs,v 1.3.2.2 2000/09/20 02:46:15 jkh Exp $
-# $DragonFly: src/etc/periodic/daily/130.clean-msgs,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/130.clean-msgs 65843 2000-09-14 17:19:15Z brian $
 #
 # Remove system        messages
 #
index 1c4ac7d..a2a1f9b 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/140.clean-rwho,v 1.4.2.2 2000/09/20 02:46:15 jkh Exp $
-# $DragonFly: src/etc/periodic/daily/140.clean-rwho,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/140.clean-rwho 65843 2000-09-14 17:19:15Z brian $
 #
 # Remove stale files in /var/rwho
 #
index c5091be..7d9e58e 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/150.clean-hoststat,v 1.8 2004/01/02 18:50:22 gshapiro Exp $
-# $DragonFly: src/etc/periodic/daily/150.clean-hoststat,v 1.3 2005/07/25 00:24:31 gshapiro Exp $
+# $FreeBSD: head/etc/periodic/daily/150.clean-hoststat 124080 2004-01-02 18:50:22Z gshapiro $
 #
 # Remove stale persistent host status files
 #
index b15f952..f85df48 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/200.backup-passwd,v 1.6.2.3 2001/11/17 22:42:46 cjc Exp $
-# $DragonFly: src/etc/periodic/daily/200.backup-passwd,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/200.backup-passwd 326074 2017-11-21 20:31:54Z emaste $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -42,8 +41,8 @@ case "$daily_backup_passwd_enable" in
            then
                [ $rc -lt 1 ] && rc=1
                echo "$host passwd diffs:"
-               diff -I '^#' $bak/master.passwd.bak /etc/master.passwd |\
-                       sed 's/^\([<>] [^:]*\):[^:]*:/\1:(password):/'
+               diff -uI '^#' $bak/master.passwd.bak /etc/master.passwd |\
+                       sed 's/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/'
                mv $bak/master.passwd.bak $bak/master.passwd.bak2
                cp -p /etc/master.passwd $bak/master.passwd.bak || rc=3
            fi
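Review bot: The new mask `s/^\([-+ ][^-+:]*\):[^:]*:/\1:(password):/` does not match when the login name itself contains `-` or `+`, because `[^-+:]*` stops at that character and the `:` that must follow is not there; for such an account the password field of the changed `master.passwd` line goes into the daily report unmasked. The exclusion looks intended to leave the `---`/`+++` header lines alone (inferred; their timestamps contain colons), which can be done explicitly instead: `sed -e '/^--- /b' -e '/^+++ /b' -e 's/^\([-+ ][^:]*\):[^:]*:/\1:(password):/'`. The surrounding `if` block starts outside the hunk.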
@@ -59,7 +58,7 @@ case "$daily_backup_passwd_enable" in
            then
                [ $rc -lt 1 ] && rc=1
                echo "$host group diffs:"
-               diff $bak/group.bak /etc/group
+               diff -u $bak/group.bak /etc/group
                mv $bak/group.bak $bak/group.bak2
                cp -p /etc/group $bak/group.bak || rc=3
            fi
index 656a582..9c1dc6e 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/210.backup-aliases,v 1.3.2.3 2000/09/20 02:46:15 jkh Exp $
-# $DragonFly: src/etc/periodic/daily/210.backup-aliases,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/210.backup-aliases 65843 2000-09-14 17:19:15Z brian $
 #
 
 # If there is a global system configuration file, suck it in.
index ac32a90..f962f98 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/300.calendar,v 1.3.2.2 2000/09/20 02:46:15 jkh Exp $
-# $DragonFly: src/etc/periodic/daily/300.calendar,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/300.calendar 65843 2000-09-14 17:19:15Z brian $
 #
 # `calendar -a' needs to die. Why? Because it's a bad idea, particular
 # with networked home directories, but also in general.  If you want the
index b7ff570..eaf3acd 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/310.accounting,v 1.3.2.3 2001/06/13 19:36:50 brian Exp $
-# $DragonFly: src/etc/periodic/daily/310.accounting,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/310.accounting 227482 2011-11-13 03:01:58Z dougb $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -30,9 +29,14 @@ case "$daily_accounting_enable" in
 
            cd /var/account
            rc=0
-       
-           n=$daily_accounting_save
-           rm -f acct.$n.gz acct.$n || rc=3
+
+           n=$(( $daily_accounting_save - 1 ))
+           for f in acct.*; do
+               case "$f" in acct.\*) continue ;; esac  # No files match
+               m=${f%.gz} ; m=${m#acct.}
+               [ $m -ge $n ] && { rm $f || rc=3; }
+           done
+
            m=$n
            n=$(($n - 1))
            while [ $n -ge 0 ]
@@ -42,8 +46,12 @@ case "$daily_accounting_enable" in
                m=$n
                n=$(($n - 1))
            done
-           cp -pf acct acct.0 || rc=3
-           sa -s $daily_accounting_flags || rc=3
+
+           /etc/rc.d/accounting rotate_log || rc=3
+
+           rm -f acct.merge && cp acct.0 acct.merge || rc=3
+           sa -s $daily_accounting_flags /var/account/acct.merge || rc=3
+           rm acct.merge
 
            case "$daily_accounting_compress" in
                [Yy][Ee][Ss])
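Review bot: `/etc/rc.d/accounting rotate_log || rc=3` now replaces `cp -pf acct acct.0`, but `etc/rc.d/accounting` is not among the files listed as changed by this commit, so it should be confirmed that DragonFly's rc script implements `rotate_log`. If it does not, `acct.0` is not produced, the following `cp acct.0 acct.merge` fails, and `sa -s` is pointed at a missing file on every run. The final `rm acct.merge` is also unguarded, unlike the `rm -f` two lines earlier; `rm -f acct.merge` keeps a failed copy from adding a second error to the report. The `case` block continues outside the hunk.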
index 7f300e3..736ff35 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/330.news,v 1.2.2.2 2000/09/20 02:46:15 jkh Exp $
-# $DragonFly: src/etc/periodic/daily/330.news,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/330.news 65843 2000-09-14 17:19:15Z brian $
 #
 # Expire news articles
 # (This is present only for backwards compatibility, usually the news
index 430f8f7..92a91f8 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/400.status-disks,v 1.2.2.3 2002/03/06 12:14:16 brian Exp $
-# $DragonFly: src/etc/periodic/daily/400.status-disks,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/400.status-disks 290743 2015-11-13 06:20:27Z des $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -17,12 +16,23 @@ case "$daily_status_disks_enable" in
        echo ""
        echo "Disk status:"
 
-       df $daily_status_disks_df_flags && rc=1 || rc=3
+       if [ -n "${daily_status_disks_ignore}" ] ; then
+               ignore="egrep -v ${daily_status_disks_ignore}"
+       else
+               ignore="cat"
+       fi
+       (df $daily_status_disks_df_flags | ${ignore}) && rc=1 || rc=3
 
        # display which filesystems need backing up
+       if [ -s /etc/dumpdates ]; then
+               if ! [ -f /etc/fstab ]; then
+                       export PATH_FSTAB=/dev/null
+               fi
 
-       echo ""
-       dump W || rc=3;;
+               echo ""
+               dump W || rc=3
+       fi
+       ;;
 
     *)  rc=0;;
 esac
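Review bot: `ignore="egrep -v ${daily_status_disks_ignore}"` is later expanded unquoted as `${ignore}`, so a pattern containing spaces or glob characters is word-split and pathname-expanded: its first word becomes the pattern and the rest are taken as file names. The pipeline's exit status is also that of `egrep` or `cat`, not `df`, and `egrep -v` returns non-zero when every line is filtered out, so `rc` no longer reflects whether `df` worked. Calling `egrep` directly with the pattern quoted, as below, fixes the splitting; the `case` statement starts outside this hunk.

```sh
	if [ -n "${daily_status_disks_ignore}" ]; then
		df $daily_status_disks_df_flags |
		    egrep -v -- "${daily_status_disks_ignore}"
	else
		df $daily_status_disks_df_flags
	fi && rc=1 || rc=3
	# … unchanged: dump W reporting …
```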
diff --git a/etc/periodic/daily/410.status-mfi b/etc/periodic/daily/410.status-mfi
new file mode 100644 (file)
index 0000000..d33a6dd
--- /dev/null
@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+# $FreeBSD: head/etc/periodic/daily/410.status-mfi 316945 2017-04-14 22:59:14Z asomers $
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$daily_status_mfi_enable" in
+    [Yy][Ee][Ss])
+       echo
+       echo 'Checking status of mfi(4) devices:'
+
+       if mfiutil show volumes; then
+               if mfiutil show volumes | grep -q DEGRADED; then
+                       rc=3
+               else
+                       rc=0
+               fi
+       else
+               rc=2
+       fi
+       ;;
+
+    *)  rc=0;;
+esac
+
+exit $rc
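Review bot: `mfiutil show volumes` is run twice, once for the report and once for `grep -q DEGRADED`, so the state that sets `rc` can differ from the output the administrator reads, and a failure of the second call falls through to `rc=0`. Capturing the output once and testing that copy keeps the two consistent.

```sh
	if volumes=$(mfiutil show volumes); then
		echo "$volumes"
		case "$volumes" in
		*DEGRADED*) rc=3 ;;
		*) rc=0 ;;
		esac
	else
		rc=2
	fi
```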
index f28a33b..3da2d6b 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/420.status-network,v 1.3.2.2 2000/09/20 02:46:15 jkh Exp $
-# $DragonFly: src/etc/periodic/daily/420.status-network,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/420.status-network 280721 2015-03-27 00:37:41Z jhb $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -17,12 +16,14 @@ case "$daily_status_network_enable" in
        echo ""
        echo "Network interface status:"
 
+       flags="${daily_status_network_netstat_flags}"
        case "$daily_status_network_usedns" in
            [Yy][Ee][Ss])
-               netstat -i && rc=0 || rc=3;;
+               ;;
            *)
-               netstat -in && rc=0 || rc=3;;
-       esac;;
+               flags="${flags} -n";;
+       esac
+       netstat -i ${flags} && rc=0 || rc=3;;
 
     *)  rc=0;;
 esac
similarity index 71%
rename from etc/periodic/daily/430.status-rwho
rename to etc/periodic/daily/430.status-uptime
index b90fa27..d390a2b 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/430.status-rwho,v 1.3.2.2 2000/09/20 02:46:15 jkh Exp $
-# $DragonFly: src/etc/periodic/daily/430.status-rwho,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/430.status-uptime 290252 2015-11-02 01:05:34Z ngie $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -12,7 +11,7 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_rwho_enable" in
+case "$daily_status_uptime_enable" in
     [Yy][Ee][Ss])
        rwho=$(echo /var/rwho/*)
         if [ -f "${rwho%% *}" ]
index e60a0be..0886edb 100644 (file)
@@ -59,7 +59,7 @@ case "$daily_status_mailq_enable" in
                fi;;
            esac
        fi;;
-               
+
     *)  rc=0;;
 esac
 
index f78eda6..75913be 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/450.status-security,v 1.3.2.7 2002/05/21 03:20:49 brian Exp $
-# $DragonFly: src/etc/periodic/daily/450.status-security,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/450.status-security 316548 2017-04-06 01:37:03Z asomers $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -19,22 +18,29 @@ case "$daily_status_security_enable" in
 
        case "$daily_status_security_inline" in
            [Yy][Ee][Ss])
-               export security_output="";;
-           *)
-               export security_output="${daily_status_security_output}"
-               case "${daily_status_security_output}" in
-                   "")
-                       ;;
-                   /*)
-                       echo "    (output logged separately)";;
-                   *)
-                       echo "    (output mailed separately)";;
-               esac;;
+               daily_status_security_output="";;
        esac
 
-       periodic security
-       rc=3;;
-
+       export security_output="${daily_status_security_output}"
+       rc=0
+       case "${daily_status_security_output}" in
+           "")
+               if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
+               then
+                       periodic security > $tempfile || rc=3
+                       if [ -s "$tempfile" ]; then
+                               cat "$tempfile"
+                               rc=3
+                       fi
+                       rm -f "$tempfile"
+               fi;;
+           /*)
+               echo "    (output logged separately)"
+               periodic security || rc=3;;
+           *)
+               echo "    (output mailed separately)"
+               periodic security || rc=3;;
+       esac;;
     *)  rc=0;;
 esac
 
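Review bot: When `mktemp` fails in the inline (`""`) branch there is no `else`, so `periodic security` is never run and `rc` stays 0; the daily report then looks clean although no security check was executed. An `else` arm that prints a short message and sets `rc=3` before the closing `fi` would surface that. `periodic security > $tempfile` should also quote the variable like the other uses do, `periodic security > "$tempfile" || rc=3`, since `TMPDIR` may contain spaces.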
index 87cc8b3..63a6466 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/460.status-mail-rejects,v 1.20 2005/01/12 01:31:21 brian Exp $
-# $DragonFly: src/etc/periodic/daily/460.status-mail-rejects,v 1.4 2007/12/29 21:44:44 matthias Exp $
+# $FreeBSD: head/etc/periodic/daily/460.status-mail-rejects 192970 2009-05-28 07:43:06Z brian $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -12,6 +11,11 @@ then
     source_periodic_confs
 fi
 
+case "$daily_status_mail_rejects_shorten" in
+[Yy][Ee][Ss])  shorten='cut -d" " -f2,3';;
+*)             shorten=cat;;
+esac
+
 case "$daily_status_mail_rejects_enable" in
     [Yy][Ee][Ss])
        if [ ! -d /etc/mail ]
@@ -33,7 +37,8 @@ case "$daily_status_mail_rejects_enable" in
            echo
            echo Checking for rejected mail hosts:
 
-           start=`date -v-1d '+%b %e'`
+           yesterday=$(date -v-1d '+%b %e')
+           today=$(date '+%b %e')
            n=$(($daily_status_mail_rejects_logs - 2))
            rc=$({
                while [ $n -ge 0 ]
@@ -51,9 +56,14 @@ case "$daily_status_mail_rejects_enable" in
                    n=$(($n - 1))
                done
                cat /var/log/maillog
-           } |
-               sed -n -E "s/^$start"'.*ruleset=check_[^ ]+, +arg1=<?([^@]+@)?([^>,]+).*reject=([^ ]+) .* ([^ ]+)$/\2 (\3... \4)/p' |
-               sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l)
+           } | sed -Ene "/^$today/q" -e "/^$yesterday/{"'
+                   s/.*ruleset=check_relay,.* relay=([^,]+), reject=([^ ]*).*/\2 check_relay \1/p
+                   t end
+                    s/.*ruleset=check_rcpt,.* arg1=<?([^>,]+).* reject=([^ ]+) .* ([^ ]+)/\2 check_rcpt \1 \3/p
+                   t end
+                    s/.*ruleset=check_([^,]+),.* arg1=<?([^@]+@)?([^>,]+).* reject=([^ ]+) .* ([^ ]+)/\4 check_\1 \3 \5/p
+                   :end
+               }' | eval $shorten | sort -f | uniq -ic | sort -fnr | tee /dev/stderr | wc -l)
            [ $rc -gt 0 ] && rc=1
        fi;;
 
index 7e2c8fa..24c9663 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/500.queuerun,v 1.1.2.3 2002/04/15 01:56:15 gshapiro Exp $
-# $DragonFly: src/etc/periodic/daily/500.queuerun,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/500.queuerun 94342 2002-04-10 03:58:40Z gshapiro $
 #
 
 # If there is a global system configuration file, suck it in.
index 63e9a3a..17358ec 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# $FreeBSD: src/etc/periodic/daily/999.local,v 1.2.2.3 2001/08/01 20:38:03 obrien Exp $
-# $DragonFly: src/etc/periodic/daily/999.local,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/daily/999.local 313069 2017-02-01 23:22:54Z asomers $
 #
 # Run the old /etc/daily.local script.  This is really for backwards
 # compatibility more than anything else.
@@ -21,7 +20,12 @@ do
     echo ''
     case "$script" in
        /*)
-           if [ -f "$script" ]
+           if [ -x "$script" ]
+           then
+               echo "Running $script:"
+
+               $script || rc=3
+           elif [ -f "$script" ]
            then
                echo "Running $script:"
 
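Review bot: The new branch runs `$script` unquoted although the tests around it use `"$script"`, so a path containing whitespace or glob characters can pass `[ -x "$script" ]` and then be expanded into a different command line; `"$script" || rc=3` keeps the test and the execution on the same file. These entries come from the local-script list in the periodic configuration and run with whatever privileges periodic has (typically root), so a comment that the listed files must not be writable by other users would help. The same lines are added in monthly/999.local and weekly/999.local. The enclosing loop starts and ends outside the hunk.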
index 466fd9b..ccc68ea 100644 (file)
@@ -15,7 +15,7 @@ FILES=        100.clean-disks \
        330.news \
        400.status-disks \
        420.status-network \
-       430.status-rwho \
+       430.status-uptime \
        440.status-mailq \
        450.status-security \
        460.status-mail-rejects \
index c5b3724..6071a13 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh -
 #
-# $FreeBSD: src/etc/periodic/monthly/200.accounting,v 1.4.2.5 2002/05/21 03:17:08 brian Exp $
-# $DragonFly: src/etc/periodic/monthly/200.accounting,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/monthly/200.accounting 202218 2010-01-13 19:07:48Z ed $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -40,7 +39,7 @@ case "$monthly_accounting_enable" in
            echo ""
            echo "Doing login accounting:"
 
-           rc=$(ac -p -w $W.0 | sort -nr +1 | tee /dev/stderr | wc -l)
+           rc=$(ac -p -w $W.0 | sort -nr -k 2 | tee /dev/stderr | wc -l)
            [ $rc -gt 0 ] && rc=1
        fi
        [ $remove = YES ] && rm -f $W.0;;
diff --git a/etc/periodic/monthly/450.status-security b/etc/periodic/monthly/450.status-security
new file mode 100644 (file)
index 0000000..25712e0
--- /dev/null
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# $FreeBSD: head/etc/periodic/monthly/450.status-security 316548 2017-04-06 01:37:03Z asomers $
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$monthly_status_security_enable" in
+    [Yy][Ee][Ss])
+       echo ""
+       echo "Security check:"
+
+       case "$monthly_status_security_inline" in
+           [Yy][Ee][Ss])
+               monthly_status_security_output="";;
+       esac
+
+       export security_output="${monthly_status_security_output}"
+       rc=0
+       case "${monthly_status_security_output}" in
+           "")
+               if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
+               then
+                       periodic security > $tempfile || rc=3
+                       if [ -s "$tempfile" ]; then
+                               cat "$tempfile"
+                               rc=3
+                       fi
+                       rm -f "$tempfile"
+               fi;;
+           /*)
+               echo "    (output logged separately)"
+               periodic security || rc=3;;
+           *)
+               echo "    (output mailed separately)"
+               periodic security || rc=3;;
+       esac;;
+    *)  rc=0;;
+esac
+
+exit $rc
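Review bot: When `mktemp` fails in the inline (`""`) branch, the `if tempfile=...` has no `else`, so `periodic security` is never run, nothing is printed and the script exits with rc=0, which reads as a clean security check. Adding `else echo "    (mktemp failed, security checks not run)"; rc=3` before the closing `fi` makes the skipped run visible. The redirection `> $tempfile` is also unquoted while every other use quotes it; `> "$tempfile"` is consistent. The same block is added in weekly/450.status-security and in the daily/450.status-security hunk.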
index ec1f016..67de68d 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh -
 #
-# $FreeBSD: src/etc/periodic/monthly/999.local,v 1.2.2.3 2001/08/01 20:38:39 obrien Exp $
-# $DragonFly: src/etc/periodic/monthly/999.local,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/monthly/999.local 313069 2017-02-01 23:22:54Z asomers $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -18,7 +17,12 @@ do
     echo ''
     case "$script" in
        /*)
-           if [ -f "$script" ]
+           if [ -x "$script" ]
+           then
+               echo "Running $script:"
+
+               $script || rc=3
+           elif [ -f "$script" ]
            then
                echo "Running $script:"
 
index ad7d870..7961e17 100644 (file)
@@ -1,6 +1,7 @@
 # $FreeBSD: src/etc/periodic/monthly/Makefile,v 1.2.2.1 2002/07/18 12:36:07 ru Exp $
 
 FILES= 200.accounting \
+       450.status-security \
        999.local
 
 .include <bsd.prog.mk>
index 875dff3..9620d9b 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/100.chksetuid,v 1.1.2.6 2002/11/07 19:38:46 thomas Exp $
-# $DragonFly: src/etc/periodic/security/100.chksetuid,v 1.3 2008/07/09 20:33:32 swildner Exp $
+# $FreeBSD: head/etc/periodic/security/100.chksetuid 322868 2017-08-25 00:28:56Z asomers $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -38,28 +37,26 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_chksetuid_enable
+
 rc=0
 
-case "$daily_status_security_chksetuid_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_chksetuid_enable
+then
        echo ""
        echo 'Checking setuid files and devices:'
-       # XXX Note that there is the possibility of overrunning the args to ls
-       MP=`mount -t hammer,ufs | grep -v " nosuid" | awk '{ print $3 }' | sort`
-       if [ -n "${MP}" ]
-       then
-           set ${MP}
-           while [ $# -ge 1 ]; do
-               mount=$1
-               shift
-               find $mount -xdev -type f \
-                       \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
-                       \( -perm -u+s -or -perm -g+s \) -print0
-           done | xargs -0 -n 20 ls -liTd | sed 's/^ *//' | sort -k 11 |
-             check_diff setuid - "${host} setuid diffs:"
-           rc=$?
-       fi;;
-    *) rc=0;;
-esac
+       IFS=$'\n'       # Don't split mount points with spaces or tabs
+       MP=`mount -t ufs,hammer,hammer2 | awk '
+               $0 !~ /no(suid|exec)/ {
+                       sub(/^.* on \//, "/");
+                       sub(/ \(.*\)/, "");
+                       print $0
+               }'`
+       find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \
+           \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
+           \( -perm -u+s -or -perm -g+s \) -exec ls -liTd \{\} \+ |
+       check_diff setuid - "${host} setuid diffs:"
+       rc=$?
+fi
 
 exit $rc
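Review bot: The awk filter `$0 !~ /no(suid|exec)/` is tested against the whole `mount` line, so a filesystem whose device or mount-point name contains `nosuid` or `noexec` is dropped from the setuid scan even when it is mounted without those options. Anchoring the test to the trailing option list, for example `$0 !~ /\([^()]*no(suid|exec)[^()]*\)$/`, limits the exclusion to real mount options; this assumes the options are the final parenthesised group, as the following `sub(/ \(.*\)/, "")` already does. The same filter is added in 110.neggrpperm. Separately, `IFS=$'\n'` relies on `$'...'` quoting, which is not in POSIX sh, so it is worth confirming that the system /bin/sh accepts it.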
similarity index 67%
copy from etc/periodic/security/900.tcpwrap
copy to etc/periodic/security/110.neggrpperm
index 13ee770..9ede664 100644 (file)
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/900.tcpwrap,v 1.1.2.1 2002/02/25 10:53:47 cjc Exp $
-# $DragonFly: src/etc/periodic/security/900.tcpwrap,v 1.2 2003/06/17 04:24:48 dillon Exp $
-#
-
-# Show tcp_wrapper warning messages
+# $FreeBSD: head/etc/periodic/security/110.neggrpperm 322868 2017-08-25 00:28:56Z asomers $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -39,25 +35,27 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
-
-yesterday=`date -v-1d "+%b %e "`
+security_daily_compat_var security_status_neggrpperm_enable
 
-catmsgs() {
-       find ${LOG} -name 'messages.*' -mtime -2 |
-           sort -t. -r -n +1 -2 |
-           xargs zcat -f
-       [ -f ${LOG}/messages ] && cat $LOG/messages
-}
+rc=0
 
-case "$daily_status_security_tcpwrap_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_neggrpperm_enable
+then
        echo ""
-       echo "${host} refused connections:"
-       n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
-           tee /dev/stderr | wc -l)
-       [ $n -gt 0 ] && rc=1 || rc=0;;
-    *) rc=0;;
-esac
+       echo 'Checking negative group permissions:'
+       IFS=$'\n'       # Don't split mount points with spaces or tabs
+       MP=`mount -t ufs,hammer,hammer2 | awk '
+               $0 !~ /no(suid|exec)/ {
+                       sub(/^.* on \//, "/");
+                       sub(/ \(.*\)/, "");
+                       print $0
+               }'`
+       n=$(find -sx $MP /dev/null \( ! -fstype local \) -prune -o -type f \
+           \( \( ! -perm +010 -and -perm +001 \) -or \
+           \( ! -perm +020 -and -perm +002 \) -or \
+           \( ! -perm +040 -and -perm +004 \) \) \
+           -exec ls -liTd \{\} \+ | tee /dev/stderr | wc -l)
+       [ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit $rc
index 42df9a1..c1cfbf4 100644 (file)
@@ -24,7 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/200.chkmounts,v 1.2.2.4 2002/11/07 19:38:46 thomas Exp $
+# $FreeBSD: head/etc/periodic/security/200.chkmounts 254974 2013-08-27 21:20:28Z jlh $
 #
 
 # Show changes in the way filesystems are mounted
@@ -40,20 +40,26 @@ fi
 
 . /etc/periodic/security/security.functions
 
-ignore="${daily_status_security_chkmounts_ignore}"
+security_daily_compat_var security_status_chkmounts_enable
+security_daily_compat_var security_status_chkmounts_ignore
+security_daily_compat_var security_status_nomfs
+
+ignore="${security_status_chkmounts_ignore}"
 rc=0
 
-case "$daily_status_security_chkmounts_enable" in
-    [Yy][Ee][Ss])
-       case "$daily_status_security_nomfs" in
+if check_yesno_period security_status_chkmounts_enable
+then
+       case "$security_status_nomfs" in
            [Yy][Ee][Ss])
                ignore="${ignore}|^mfs:"
        esac
        [ -n "$ignore" ] && cmd="egrep -v ${ignore#|}" || cmd=cat
-       mount -p | ${cmd} |
+       if ! [ -f /etc/fstab ]; then
+               export PATH_FSTAB=/dev/null
+       fi
+       mount -p | sort | ${cmd} |
          check_diff mount - "${host} changes in mounted filesystems:"
-       rc=$?;;
-    *) rc=0;;
-esac
+       rc=$?
+fi
 
 exit "$rc"
index bc26724..beabb7c 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/300.chkuid0,v 1.1.2.1 2002/02/25 10:53:47 cjc Exp $
-# $DragonFly: src/etc/periodic/security/300.chkuid0,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/security/300.chkuid0 254974 2013-08-27 21:20:28Z jlh $
 #
 
 
@@ -37,16 +36,19 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_chkuid0_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_chkuid0_enable
+
+rc=0
+
+if check_yesno_period security_status_chkuid0_enable
+then
        echo ""
        echo 'Checking for uids of 0:'
        n=$(awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
        tee /dev/stderr |
        sed -e '/^root 0$/d' -e '/^toor 0$/d' |
        wc -l)
-       [ $n -gt 0 ] && rc=1 || rc=0;;
-    *) rc=0;;
-esac
+       [ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"
index ed9af7a..aa4fc2e 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/400.passwdless,v 1.1.2.1 2002/02/25 10:53:47 cjc Exp $
-# $DragonFly: src/etc/periodic/security/400.passwdless,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/security/400.passwdless 254974 2013-08-27 21:20:28Z jlh $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -36,14 +35,17 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_passwdless_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_passwdless_enable
+
+rc=0
+
+if check_yesno_period security_status_passwdless_enable
+then
        echo ""
        echo 'Checking for passwordless accounts:'
        n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' /etc/master.passwd |
            tee /dev/stderr | wc -l)
-       [ $n -gt 0 ] && rc=1 || rc=0;;
-    *) rc=0;;
-esac
+       [ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"
index 2690c89..b480e10 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/410.logincheck,v 1.1 2006/08/25 07:34:36 trhodes Exp $
-# $DragonFly: src/etc/periodic/security/410.logincheck,v 1.2 2008/06/14 15:30:19 matthias Exp $
+# $FreeBSD: head/etc/periodic/security/410.logincheck 254974 2013-08-27 21:20:28Z jlh $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -36,8 +35,12 @@ then
     source_periodic_confs
 fi
 
-case "$daily_status_security_logincheck_enable" in
-    [Yy][Ee][Ss])
+security_daily_compat_var security_status_logincheck_enable
+
+rc=0
+
+if check_yesno_period security_status_logincheck_enable
+then
        echo ""
        echo 'Checking login.conf permissions:'
        if [ -G /etc/login.conf -a -O /etc/login.conf ]; then
@@ -46,8 +49,7 @@ case "$daily_status_security_logincheck_enable" in
            echo "Bad ownership of /etc/login.conf"
            n=1
        fi
-       [ $n -gt 0 ] && rc=1 || rc=0;;
-    *) rc=0;;
-esac
+       [ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit "$rc"
index fa4b2d7..59265e9 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/500.ipfwdenied,v 1.1.2.4 2002/11/07 19:38:46 thomas Exp $
-# $DragonFly: src/etc/periodic/security/500.ipfwdenied,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/security/500.ipfwdenied 254974 2013-08-27 21:20:28Z jlh $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -38,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_ipfwdenied_enable
+
 rc=0
 
-case "$daily_status_security_ipfwdenied_enable" in
-    [Yy][Ee][Ss])
-       TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
-       if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+if check_yesno_period security_status_ipfwdenied_enable
+then
+       TMP=`mktemp -t security`
+       if ipfw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
          check_diff new_only ipfw ${TMP} "${host} ipfw denied packets:"
        fi
        rc=$?
-       rm -f ${TMP};;
-    *) rc=0;;
-esac
+       rm -f ${TMP}
+fi
 
 exit $rc
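Review bot: The result of `mktemp -t security` is used without checking that it succeeded, and `${TMP}` is unquoted in the redirection and in `rm -f`. If mktemp fails, the redirection fails, the `if` is false and the script exits 0 as though no packets had been denied. `TMP=$(mktemp -t security) || exit 3` makes the failure visible, 3 being the error code the other scripts in this commit use. The same unchecked `TMP` appears in 520.pfdenied, 550.ipfwlimit, 600.ip6fwdenied and 650.ip6fwlimit.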
index 1e5b949..e313117 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/520.pfdenied,v 1.1.2.1 2004/12/08 00:37:50 mlaier Exp $
-# $DragonFly: src/etc/periodic/security/520.pfdenied,v 1.1 2007/12/29 21:44:44 matthias Exp $
+# $FreeBSD: head/etc/periodic/security/520.pfdenied 306696 2016-10-04 23:12:35Z lidl $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -38,17 +37,28 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_pfdenied_enable
+
 rc=0
 
-case "$daily_status_security_pfdenied_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_pfdenied_enable
+then
        TMP=`mktemp -t security`
-       if pfctl -sr -v 2>/dev/null | awk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
-         check_diff new_only pf ${TMP} "${host} pf denied packets:"
+       pfctl -sr -v -z 2>/dev/null | \
+           awk '{
+               if (/^block/) {
+                   buf=$0
+                   getline
+                   gsub(" +"," ",$0)
+                   if ($5 > 0)
+                       print buf$0
+               }
+           }' > ${TMP}
+       if [ -s ${TMP} ]; then
+               check_diff new_only pf ${TMP} "${host} pf denied packets:"
        fi
        rc=$?
-       rm -f ${TMP};;
-    *) rc=0;;
-esac
+       rm -f ${TMP}
+fi
 
 exit $rc
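Review bot: `pfctl -sr -v -z` clears the per-rule statistics as a side effect of reading them, so every run of this check resets counters that other monitoring or a manual `pfctl -sr -v` may rely on. That looks intentional, since the added `if ($5 > 0)` then reports only rules hit since the previous run, but it should be stated above the pipeline, for example `# -z zeroes the rule counters so only blocks since the last run are reported`. The `$5` test also depends on the layout of the counter line that follows each rule, so a short comment naming the field it is expected to hold would help the next reader.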
index 3a06a07..a263b5d 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/550.ipfwlimit,v 1.6 2003/06/30 22:06:26 mtm Exp $
-# $DragonFly: src/etc/periodic/security/550.ipfwlimit,v 1.3 2004/11/15 08:11:59 joerg Exp $
+# $FreeBSD: head/etc/periodic/security/550.ipfwlimit 254974 2013-08-27 21:20:28Z jlh $
 #
 
 # Show ipfw rules which have reached the log limit
@@ -39,26 +38,32 @@ then
     source_periodic_confs
 fi
 
+security_daily_compat_var security_status_ipfwlimit_enable
+
 rc=0
 
-case "$daily_status_security_ipfwlimit_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ipfwlimit_enable
+then
+       IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
+       if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
+               exit 0
+       fi
        TMP=`mktemp -t security`
-       IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-       if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
-           ipfw -a l | grep " log " | \
-           grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
-           awk -v limit="$IPFW_LOG_LIMIT" \
-               '{if ($2 > limit) {print $0}}' > ${TMP}
-           if [ -s "${TMP}" ]; then
+       ipfw -a list | grep " log " | \
+       grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
+       awk \
+               '{if ($6 == "logamount") {
+                       if ($2 > $7)
+                               {print $0}}
+               }' > ${TMP}
+
+       if [ -s "${TMP}" ]; then
                rc=1
                echo ""
                echo 'ipfw log limit reached:'
                cat ${TMP}
-           fi
        fi
-       rm -f ${TMP};;
-    *) rc=0;;
-esac
+       rm -f ${TMP}
+fi
 
 exit $rc
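Review bot: The awk test `$6 == "logamount"` assumes the rule action is a single word, so a logging rule whose action takes an argument puts `log logamount N` in later fields and is never checked. A `log` rule listed without `logamount` is skipped as well, now that the `verbose_limit` sysctl is no longer consulted. Scanning for the keyword avoids the fixed positions: `{for (i = 4; i < NF; i++) if ($i == "logamount" && $2 > $(i+1)) {print; break}}`. It is also worth confirming that the local `ipfw -a list` prints `logamount` at all, otherwise the check can never fire. The same code is added in 650.ip6fwlimit.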
index a89b551..64530c4 100644 (file)
@@ -25,7 +25,6 @@
 # SUCH DAMAGE.
 #
 # $FreeBSD: src/etc/periodic/security/600.ip6fwdenied,v 1.1.2.4 2002/11/07 19:38:46 thomas Exp $
-# $DragonFly: src/etc/periodic/security/600.ip6fwdenied,v 1.2 2003/06/17 04:24:48 dillon Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -38,17 +37,18 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_ip6fwdenied_enable
+
 rc=0
 
-case "$daily_status_security_ip6fwdenied_enable" in
-    [Yy][Ee][Ss])
-       TMP=`mktemp ${TMPDIR:-/tmp}/security.XXXXXXXXXX`
-       if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
+if check_yesno_period security_status_ip6fwdenied_enable
+then
+       TMP=`mktemp -t security`
+       if ip6fw -a list 2>/dev/null | egrep "deny|reset|unreach" > ${TMP}; then
          check_diff new_only ip6fw ${TMP} "${host} ip6fw denied packets:"
        fi
        rc=$?
-       rm -f ${TMP};;
-    *) rc=0;;
-esac
+       rm -f ${TMP}
+fi
 
 exit $rc
index 63a5415..c1febe8 100644 (file)
@@ -25,7 +25,6 @@
 # SUCH DAMAGE.
 #
 # $FreeBSD: src/etc/periodic/security/650.ip6fwlimit,v 1.6 2003/06/30 22:06:26 mtm Exp $
-# $DragonFly: src/etc/periodic/security/650.ip6fwlimit,v 1.3 2004/11/15 08:11:59 joerg Exp $
 #
 
 # Show ip6fw rules which have reached the log limit
@@ -39,26 +38,32 @@ then
     source_periodic_confs
 fi
 
+security_daily_compat_var security_status_ip6fwlimit_enable
+
 rc=0
 
-case "$daily_status_security_ip6fwlimit_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_ip6fwlimit_enable
+then
+       IP6FW_VERBOSE=`sysctl -n net.inet6.ip6.fw.verbose 2> /dev/null`
+       if [ $? -ne 0 ] || [ "$IP6FW_VERBOSE" -eq 0 ]; then
+               exit 0
+       fi
        TMP=`mktemp -t security`
-       IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
-       if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
-           ip6fw -a l | grep " log " | \
-           grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
-           awk -v limit="$IPFW_LOG_LIMIT" \
-               '{if ($2 > limit) {print $0}}' > ${TMP}
-           if [ -s "${TMP}" ]; then
+       ip6fw -a list | grep " log " | \
+       grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
+       awk \
+               '{if ($6 == "logamount") {
+                       if ($2 > $7)
+                               {print $0}}
+               }' > ${TMP}
+
+       if [ -s "${TMP}" ]; then
                rc=1
                echo ""
                echo 'ip6fw log limit reached:'
                cat ${TMP}
-           fi
        fi
-       rm -f ${TMP};;
-    *) rc=0;;
-esac
+       rm -f ${TMP}
+fi
 
 exit $rc
index cc069d1..4a5fc94 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/700.kernelmsg,v 1.1.2.7 2002/11/19 18:54:54 thomas Exp $
-# $DragonFly: src/etc/periodic/security/700.kernelmsg,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/security/700.kernelmsg 254974 2013-08-27 21:20:28Z jlh $
 #
 
 # Show kernel log messages
@@ -41,14 +40,15 @@ fi
 
 . /etc/periodic/security/security.functions
 
+security_daily_compat_var security_status_kernelmsg_enable
+
 rc=0
 
-case "$daily_status_security_kernelmsg_enable" in
-    [Yy][Ee][Ss])
+if check_yesno_period security_status_kernelmsg_enable
+then
        dmesg 2>/dev/null |
            check_diff new_only dmesg - "${host} kernel log messages:"
-       rc=$?;;
-    *) rc=0;;
-esac
+       rc=$?
+fi
 
 exit $rc
index c86736a..9449e33 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/800.loginfail,v 1.8 2007/02/23 21:42:54 remko Exp $
-# $DragonFly: src/etc/periodic/security/800.loginfail,v 1.3 2007/12/29 21:44:44 matthias Exp $
+# $FreeBSD: head/etc/periodic/security/800.loginfail 262273 2014-02-20 23:43:49Z brueffer $
 #
 
 # Show login failures
@@ -39,7 +38,10 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_loginfail_enable
+
+LOG="${security_status_logdir}"
 
 yesterday=`date -v-1d "+%b %e "`
 
@@ -56,14 +58,15 @@ catmsgs() {
        [ -f ${LOG}/auth.log ] && cat $LOG/auth.log
 }
 
-case "$daily_status_security_loginfail_enable" in
-    [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_loginfail_enable
+then
        echo ""
        echo "${host} login failures:"
-       n=$(catmsgs | egrep -ia "^$yesterday.*: .* (fail|invalid|bad|illegal)" |
+       n=$(catmsgs | egrep -ia "^$yesterday.*: .*\b(fail(ures?|ed)?|invalid|bad|illegal|auth.*error)\b" |
            tee /dev/stderr | wc -l)
-       [ $n -gt 0 ] && rc=1 || rc=0;;
-    *) rc=0;;
-esac
+       [ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit $rc
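Review bot: The new pattern relies on `\b`, which is not part of POSIX extended regular expressions, so whether it acts as a word boundary depends on the `egrep` installed. If it is not honoured, the filter stops matching and login failures go unreported with rc=0. It is worth testing the expression against a sample `auth.log` line on the target system, or using the boundary form the local regex library documents (BSD re_format(7) describes `[[:<:]]` and `[[:>:]]`). A comment above the pipeline listing the message shapes the alternation is meant to catch would make later edits to it safer.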
index 13ee770..4a9e282 100644 (file)
@@ -24,8 +24,7 @@
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/900.tcpwrap,v 1.1.2.1 2002/02/25 10:53:47 cjc Exp $
-# $DragonFly: src/etc/periodic/security/900.tcpwrap,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/security/900.tcpwrap 254974 2013-08-27 21:20:28Z jlh $
 #
 
 # Show tcp_wrapper warning messages
@@ -39,25 +38,35 @@ then
     source_periodic_confs
 fi
 
-LOG="${daily_status_security_logdir}"
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_tcpwrap_enable
+
+LOG="${security_status_logdir}"
 
 yesterday=`date -v-1d "+%b %e "`
 
 catmsgs() {
        find ${LOG} -name 'messages.*' -mtime -2 |
-           sort -t. -r -n +1 -2 |
-           xargs zcat -f
+           sort -t. -r -n -k 2,2 |
+           while read f
+           do
+               case $f in
+                   *.gz)       zcat -f $f;;
+                   *.bz2)      bzcat -f $f;;
+               esac
+           done
        [ -f ${LOG}/messages ] && cat $LOG/messages
 }
 
-case "$daily_status_security_tcpwrap_enable" in
-    [Yy][Ee][Ss])
+rc=0
+
+if check_yesno_period security_status_tcpwrap_enable
+then
        echo ""
        echo "${host} refused connections:"
        n=$(catmsgs | grep -i "^$yesterday.*refused connect" |
            tee /dev/stderr | wc -l)
-       [ $n -gt 0 ] && rc=1 || rc=0;;
-    *) rc=0;;
-esac
+       [ $n -gt 0 ] && rc=1 || rc=0
+fi
 
 exit $rc
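Review bot: The `case $f` added to `catmsgs` has no default branch, so a rotated `messages.N` file that is not compressed, or that uses another suffix, is silently skipped, whereas the removed `xargs zcat -f` read plain files as well. Yesterday's refused connections can then be missing from the report with rc=0. Adding `*) cat "$f";;` restores the old coverage, and `read -r f` with `"$f"` quoted in each branch keeps unusual file names intact.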
index 92e74e2..8ef847c 100644 (file)
@@ -1,6 +1,7 @@
 # $FreeBSD: src/etc/periodic/security/Makefile,v 1.6 2006/08/25 07:34:36 trhodes Exp $
 
 FILES= 100.chksetuid \
+       110.neggrpperm \
        200.chkmounts \
        300.chkuid0 \
        400.passwdless \
index deb7ef2..49011ee 100644 (file)
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
-# $FreeBSD: src/etc/periodic/security/security.functions,v 1.5 2005/08/22 09:33:36 cperciva Exp $
-# $DragonFly: src/etc/periodic/security/security.functions,v 1.3 2007/12/29 21:44:44 matthias Exp $
+# $FreeBSD: head/etc/periodic/security/security.functions 322868 2017-08-25 00:28:56Z asomers $
 #
 
+# This is a library file, so we only try to do something when sourced.
+case "$0" in
+*/security.functions) exit 0 ;;
+esac
+
+security_daily_compat_var security_status_logdir
+security_daily_compat_var security_status_diff_flags
+
 #
 # Show differences in the output of an audit command
 #
 
-LOG="${daily_status_security_logdir}"
+LOG="${security_status_logdir}"
 rc=0
 
 # Usage: COMMAND | check_diff [new_only] LABEL - MSG
@@ -41,10 +48,11 @@ rc=0
 #   LABEL is the base name of the ${LOG}/${label}.{today,yesterday} files.
 
 check_diff() {
+  unset IFS
   rc=0
   if [ "$1" = "new_only" ]; then
     shift
-    filter="grep '^[>+]'"
+    filter="grep '^[>+][^+]'"
   else
     filter="cat"
   fi
@@ -68,7 +76,7 @@ check_diff() {
     [ $rc -lt 1 ] && rc=1
     echo ""
     echo "${msg}"
-    diff ${daily_status_security_diff_flags} ${LOG}/${label}.today \
+    diff ${security_status_diff_flags} ${LOG}/${label}.today \
        ${tmpf} | eval "${filter}"
     mv ${LOG}/${label}.today ${LOG}/${label}.yesterday || rc=3
     mv ${tmpf} ${LOG}/${label}.today || rc=3
index b4eff9e..82c7ceb 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh -
 #
-# $FreeBSD: src/etc/periodic/weekly/310.locate,v 1.7 2007/02/23 18:44:20 remko Exp $
-# $DragonFly: src/etc/periodic/weekly/310.locate,v 1.3 2007/12/29 21:44:44 matthias Exp $
+# $FreeBSD: head/etc/periodic/weekly/310.locate 166912 2007-02-23 18:44:20Z remko $
 #
 
 # If there is a global system configuration file, suck it in.
index e2dfcd7..fd6949f 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh -
 #
-# $FreeBSD: src/etc/periodic/weekly/320.whatis,v 1.5.2.3 2001/03/05 13:08:37 ru Exp $
-# $DragonFly: src/etc/periodic/weekly/320.whatis,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/weekly/320.whatis 73349 2001-03-02 16:52:14Z ru $
 #
 
 # If there is a global system configuration file, suck it in.
index 305e668..2611d44 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh -
 #
-# $FreeBSD: src/etc/periodic/weekly/340.noid,v 1.2.2.4 2002/04/15 00:44:17 dougb Exp $
-# $DragonFly: src/etc/periodic/weekly/340.noid,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/weekly/340.noid 220048 2011-03-27 03:03:29Z dougb $
 #
 
 # If there is a global system configuration file, suck it in.
diff --git a/etc/periodic/weekly/450.status-security b/etc/periodic/weekly/450.status-security
new file mode 100644 (file)
index 0000000..72903f7
--- /dev/null
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
+# $FreeBSD: head/etc/periodic/weekly/450.status-security 316548 2017-04-06 01:37:03Z asomers $
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+case "$weekly_status_security_enable" in
+    [Yy][Ee][Ss])
+       echo ""
+       echo "Security check:"
+
+       case "$weekly_status_security_inline" in
+           [Yy][Ee][Ss])
+               weekly_status_security_output="";;
+       esac
+
+       export security_output="${weekly_status_security_output}"
+       rc=0
+       case "${weekly_status_security_output}" in
+           "")
+               if tempfile=`mktemp ${TMPDIR:-/tmp}/450.status-security.XXXXXX`
+               then
+                       periodic security > $tempfile || rc=3
+                       if [ -s "$tempfile" ]; then
+                               cat "$tempfile"
+                               rc=3
+                       fi
+                       rm -f "$tempfile"
+               fi;;
+           /*)
+               echo "    (output logged separately)"
+               periodic security || rc=3;;
+           *)
+               echo "    (output mailed separately)"
+               periodic security || rc=3;;
+       esac;;
+    *)  rc=0;;
+esac
+
+exit $rc
index 5ef9340..7fd6a9e 100644 (file)
@@ -1,7 +1,6 @@
 #!/bin/sh -
 #
-# $FreeBSD: src/etc/periodic/weekly/999.local,v 1.3.2.3 2001/08/01 20:41:28 obrien Exp $
-# $DragonFly: src/etc/periodic/weekly/999.local,v 1.2 2003/06/17 04:24:48 dillon Exp $
+# $FreeBSD: head/etc/periodic/weekly/999.local 313069 2017-02-01 23:22:54Z asomers $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -18,7 +17,12 @@ do
     echo ''
     case "$script" in
        /*)
-           if [ -f "$script" ]
+           if [ -x "$script" ]
+           then
+               echo "Running $script:"
+
+               $script || rc=3
+           elif [ -f "$script" ]
            then
                echo "Running $script:"
 
index 3300a64..251b202 100644 (file)
@@ -4,6 +4,7 @@ FILES=  310.locate \
        320.whatis \
        330.catman \
        340.noid \
+       450.status-security \
        999.local
 
 .include <bsd.prog.mk>
index 1ad0e85..dd6fec2 100644 (file)
@@ -23,9 +23,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $FreeBSD: src/share/man/man5/periodic.conf.5,v 1.8.2.22 2003/02/08 21:42:01 gshapiro Exp $
+.\" $FreeBSD: head/share/man/man5/periodic.conf.5 323550 2017-09-13 16:35:16Z gordon $
 .\"
-.Dd September 3, 2017
+.Dd March 12, 2018
 .Dt PERIODIC.CONF 5
 .Os
 .Sh NAME
@@ -44,7 +44,9 @@ which itself may be overridden by the
 .Pa /etc/periodic.conf.local
 file.
 .Pp
+The
 .Nm
+file
 is actually sourced as a shell script from each of the periodic scripts
 and is intended to simply provide default configuration variables.
 .Pp
@@ -60,9 +62,9 @@ This list is always prefixed with
 and is only used when an argument to
 .Xr periodic 8
 is not an absolute directory name.
-.It Va dir Ns No _output
+.It Ao Ar dir Ac Ns Va _output
 .Pq Vt path No or Vt list
-What to do with the output of the scripts envoked from
+What to do with the output of the scripts executed from
 the directory
 .Ar dir .
 If this variable is set to an absolute path name, output is logged to
@@ -76,61 +78,65 @@ For an unattended machine, suitable values for
 and
 .Va monthly_output
 might be
-.Pa /var/log/daily.log ,
-.Pa /var/log/weekly.log ,
+.Dq Li /var/log/daily.log ,
+.Dq Li /var/log/weekly.log ,
 and
-.Pa /var/log/monthly.log
+.Dq Li /var/log/monthly.log
 respectively, as
 .Xr newsyslog 8
 will rotate these files (if they exists) at the appropriate times.
-.It Va dir Ns No _show_success
-.It Va dir Ns No _show_info
-.It Va dir Ns No _show_badconfig
+.It Ao Ar dir Ac Ns Va _show_success
+.It Ao Ar dir Ac Ns Va _show_info
+.It Ao Ar dir Ac Ns Va _show_badconfig
 .Pq Vt bool
 These variables control whether
 .Xr periodic 8
-will mask the output of the envoked scripts based on their return code
+will mask the output of the executed scripts based on their return code
 (where
 .Ar dir
 is the base directory name in which each script resides).
 If the return code of a script is
 .Sq 0
 and
-.Va dir Ns No _show_success
+.Ao Ar dir Ac Ns Va _show_success
 is set to
-.Dq NO ,
+.Dq Li NO ,
 .Xr periodic 8
 will mask the script's output.
 If the return code of a script is
 .Sq 1
 and
-.Va dir Ns No _show_info
+.Ao Ar dir Ac Ns Va _show_info
 is set to
-.Dq NO ,
+.Dq Li NO ,
 .Xr periodic 8
 will mask the script's output.
 If the return code of a script is
 .Sq 2
 and
-.Va dir Ns No _show_badconfig
+.Ao Ar dir Ac Ns Va _show_badconfig
 is set to
-.Dq NO ,
+.Dq Li NO ,
 .Xr periodic 8
 will mask the script's output.
 If these variables are set to neither
-.Dq YES
+.Dq Li YES
 nor
-.Dq NO ,
+.Dq Li NO ,
 they default to
-.Dq YES ,
-.Dq YES
+.Dq Li YES ,
+.Dq Li YES
 and
-.Dq NO
+.Dq Li NO
 respectively.
 .Pp
 Refer to the
 .Xr periodic 8
-man page for how script return codes are interpreted.
+manual page for how script return codes are interpreted.
+.It Va anticongestion_sleeptime
+.Pq Vt int
+The maximum number of seconds to randomly sleep in order to smooth bursty loads
+on a shared resource, such as a download mirror.
 .El
 .Pp
 The following variables are used by the standard scripts that reside in
@@ -139,7 +145,7 @@ The following variables are used by the standard scripts that reside in
 .It Va daily_clean_disks_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to remove all files matching
 .Va daily_clean_disks_files
 daily.
@@ -152,47 +158,47 @@ Wild cards are permitted.
 When
 .Va daily_clean_disks_enable
 is set to
-.Dq YES ,
+.Dq Li YES ,
 this must also be set to the number of days old that a file's access
-and modification times must be before it's deleted.
+and modification times must be before it is deleted.
 .It Va daily_clean_disks_verbose
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want the removed files to be reported in your daily output.
 .It Va daily_clean_tmps_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to clear temporary directories daily.
 .It Va daily_clean_tmps_dirs
 .Pq Vt str
 Set to the list of directories to clear if
 .Va daily_clean_tmps_enable
 is set to
-.Dq YES .
+.Dq Li YES .
 .It Va daily_clean_tmps_days
 .Pq Vt num
 When
 .Va daily_clean_tmps_enable
 is set, this must also be set to the number of days old that a file's access
-and modification times must be before it's deleted.
+and modification times must be before it is deleted.
 .It Va daily_clean_tmps_ignore
 .Pq Vt str
 Set to the list of files that should not be deleted when
 .Va daily_clean_tmps_enable
 is set to
-.Dq YES .
+.Dq Li YES .
 Wild card characters are permitted.
 .It Va daily_clean_tmps_verbose
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want the removed files to be reported in your daily output.
 .It Va daily_clean_preserve_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you wish to remove old files from
 .Pa /var/preserve .
 .It Va daily_clean_preserve_days
@@ -202,12 +208,12 @@ they are deleted.
 .It Va daily_clean_preserve_verbose
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want the removed files to be reported in your daily output.
 .It Va daily_clean_msgs_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you wish old system messages to be purged.
 .It Va daily_clean_msgs_days
 .Pq Vt num
@@ -219,7 +225,7 @@ default is used.
 .It Va daily_clean_rwho_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you wish old files in
 .Pa /var/who
 to be purged.
@@ -230,12 +236,12 @@ they are deleted.
 .It Va daily_clean_rwho_verbose
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want the removed files to be reported in your daily output.
 .It Va daily_clean_hoststat_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 to run
 .Nm sendmail Fl bH
 to automatically purge stale entries from
@@ -249,14 +255,14 @@ as configured in
 .It Va daily_clean_hammer_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want
 .Xr HAMMER 5
 file systems to be snapshot, pruned and reblocked.
 .It Va daily_clean_hammer_verbose
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you wish more verbose output.
 .It Va daily_clean_hammer_pfslist
 .Pq Vt str
@@ -270,7 +276,7 @@ actions occur.
 .It Va daily_clean_hammer2_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want
 to run
 .Xr hammer2 8
@@ -282,7 +288,7 @@ file systems.
 .It Va daily_clean_hammer2_verbose
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you wish more verbose output.
 .It Va daily_clean_hammer2_pfslist
 .Pq Vt str
@@ -296,7 +302,7 @@ actions occur.
 .It Va daily_backup_passwd_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want the
 .Pa /etc/master.passwd
 and
@@ -310,21 +316,21 @@ file.
 .It Va daily_backup_aliases_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want the
 .Pa /etc/mail/aliases
 file backed up and modifications to be displayed in your daily output.
 .It Va daily_calendar_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
-.Ic calendar -a
+.Nm calendar Fl a
 daily.
 .It Va daily_accounting_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to rotate your daily accounting files.
 No rotations are necessary unless
 .Va accounting_enable
@@ -333,7 +339,7 @@ is enabled in
 .It Va daily_accounting_compress
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want your daily accounting files to be compressed using
 .Xr gzip 1 .
 .It Va daily_accounting_save
@@ -343,7 +349,7 @@ When
 is set, this may also be set to the number of daily accounting files that are
 to be saved.
 The default is
-.Dq 3 .
+.Dq Li 3 .
 .It Va daily_accounting_flags
 .Pq Vt str
 Set to the arguments to pass to the
@@ -353,25 +359,25 @@ utility (in addition to
 when
 .Va daily_accounting_enable
 is set to
-.Dq YES .
+.Dq Li YES .
 The default is
 .Fl q .
 .It Va daily_news_expire_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
 .Pa /etc/news.expire .
 .It Va daily_status_disks_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
 .Xr df 1
 (with the arguments supplied in
 .Va daily_status_disks_df_flags )
 and
-.Ic dump -W .
+.Nm dump Fl W .
 .It Va daily_status_disks_df_flags
 .Pq Vt str
 Set to the arguments for the
@@ -379,26 +385,36 @@ Set to the arguments for the
 utility when
 .Va daily_status_disks_enable
 is set to
-.Dq YES .
+.Dq Li YES .
 .It Va daily_status_network_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
-.Ic netstat -i .
+.Nm netstat Fl i .
+.It Va daily_status_network_netstat_flags
+.Pq Vt str
+Set to additional arguments for the
+.Xr netstat 1
+utility when
+.Va daily_status_network_enable
+is set to
+.Dq Li YES .
+The default is
+.Fl d .
 .It Va daily_status_network_usedns
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
 .Xr netstat 1
 without the
 .Fl n
 option (to do DNS lookups).
-.It Va daily_status_rwho_enable
+.It Va daily_status_uptime_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
 .Xr uptime 1
 (or
@@ -406,41 +422,41 @@ if you want to run
 if
 .Va rwhod_enable
 is set to
-.Dq YES
+.Dq Li YES
 in
 .Pa /etc/rc.conf ) .
 .It Va daily_status_mailq_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
 .Xr mailq 1 .
 .It Va daily_status_mailq_shorten
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to shorten the
-.Nm mailq
+.Xr mailq 1
 output when
 .Va daily_status_mailq_enable
 is set to
-.Dq YES .
+.Dq Li YES .
 .It Va daily_status_include_submit_mailq
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you also want to run
 .Xr mailq 1
 on the submit mail queue when
 .Va daily_status_mailq_enable
 is set to
-.Dq YES .
+.Dq Li YES .
 This may not work with MTAs other than
 .Xr sendmail 8 .
 .It Va daily_status_security_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run the security check.
 The security check is another set of
 .Xr periodic 8
@@ -455,140 +471,24 @@ manual page for more information.
 .It Va daily_status_security_inline
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want the security check output inline.
 The default is to either mail or log the output according to the value of
 .Va daily_status_security_output .
-.It Va daily_status_security_logdir
-.Pq Vt str
-The directory where the security scripts expect the system's log files.
 .It Va daily_status_security_output
 .Pq Vt str
 Where to send the output of the security check if
 .Va daily_status_security_inline
 is set to
-.Dq NO .
+.Dq Li NO .
 This variable behaves in the same way as the
 .Va *_output
 variables above, namely it can be set either to one or more email addresses
 or to an absolute file name.
-.It Va daily_status_security_diff_flags
-.Pq Vt str
-Set to the arguments to pass to the
-.Xr diff 1
-utility when generating differences.
-The default is
-.Fl u .
-.It Va daily_status_security_chksetuid_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to compare the modes and modification times of setuid executables with
-the previous day's values.
-.It Va daily_status_security_chkmounts_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to check for changes in mounted filesystems to the previous day's values.
-.It Va daily_status_security_chkmounts_ignore
-Set to the list of filesystem types that should not be checked when
-.Va daily_status_security_chkmounts_enable
-is set to
-.Dq YES .
-.It Va daily_status_security_nomfs
-.Pq Vt bool
-Set to
-.Dq YES
-if you want to ignore
-.Xr mfs 8
-mounts when comparing against yesterdays filesystem mounts in the
-.Va daily_status_security_chkmounts_enable
-check.
-.It Va daily_status_security_chkuid0_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to check
-.Pa /etc/master.passwd
-for accounts with uid 0.
-.It Va daily_status_security_passwdless_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to check
-.Pa /etc/master.passwd
-for accounts with empty passwords.
-.It Va daily_status_security_logincheck_enable
-.Pq Vt bool
-Set to
-.Dq Li YES
-to check
-.Pa /etc/login.conf
-ownership, see
-.Xr login.conf 5
-for more information.
-.It Va daily_status_security_ipfwdenied_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to show log entries for packets denied by
-.Xr ipfw 8
-since yesterday's check.
-.It Va daily_status_security_pfdenied_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to show log entries for packets denied by
-.Xr pf 4
-since yesterday's check.
-.It Va daily_status_security_ipfwlimit_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to display
-.Xr ipfw 8
-rules that have reached their verbosity limit.
-.It Va daily_status_security_ip6fwdenied_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to show log entries for packets denied by
-.Xr ip6fw 8
-since yesterday's check.
-.It Va daily_status_security_ip6fwlimit_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to display
-.Xr ip6fw 8
-rules that have reached their verbosity limit.
-.It Va daily_status_security_kernelmsg_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to show new
-.Xr dmesg 8
-entries since yesterday's check.
-.It Va daily_status_security_loginfail_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to display failed logins from
-.Pa /var/log/messages
-in the previous day.
-.It Va daily_status_security_tcpwrap_enable
-.Pq Vt bool
-Set to
-.Dq YES
-to display connections denied by tcpwrappers (see
-.Xr hosts_access 5 )
-from
-.Pa /var/log/messages
-during the previous day.
 .It Va daily_status_mail_rejects_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to summarise mail rejections logged to
 .Pa /var/log/maillog
 for the previous day.
@@ -599,17 +499,17 @@ for yesterday's mail rejects.
 .It Va daily_queuerun_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to manually run the mail queue at least once a day.
 .It Va daily_submit_queuerun
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you also want to manually run the submit mail queue at least once a day
 when
 .Va daily_queuerun_enable
 is set to
-.Dq YES .
+.Dq Li YES .
 .It Va daily_local
 .Pq Vt str
 Set to a list of extra scripts that should be run after all other
@@ -623,20 +523,20 @@ The following variables are used by the standard scripts that reside in
 .It Va weekly_locate_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
 .Pa /usr/libexec/locate.updatedb .
 This script is run using
-.Ic nice -5
+.Nm nice Fl 5
 as user
-.An nobody ,
+.Dq Li nobody ,
 and generates the table used by the
 .Xr locate 1
 command.
 .It Va weekly_whatis_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to run
 .Pa /usr/libexec/makewhatis.local .
 This script regenerates the database used by the
@@ -654,7 +554,7 @@ command at the expense of disk space.
 .It Va weekly_noid_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to locate orphaned files on the system.
 An orphaned file is one with an invalid owner or group.
 .It Va weekly_noid_dirs
@@ -662,6 +562,18 @@ An orphaned file is one with an invalid owner or group.
 A list of directories under which orphaned files are searched for.
 This would usually be set to
 .Pa / .
+.It Va weekly_status_security_enable
+.Pq Vt bool
+Weekly counterpart of
+.Va daily_status_security_enable .
+.It Va weekly_status_security_inline
+.Pq Vt bool
+Weekly counterpart of
+.Va daily_status_security_inline .
+.It Va weekly_status_security_output
+.Pq Vt str
+Weekly counterpart of
+.Va daily_status_security_output .
 .It Va weekly_local
 .Pq Vt str
 Set to a list of extra scripts that should be run after all other
@@ -675,30 +587,291 @@ The following variables are used by the standard scripts that reside in
 .It Va monthly_accounting_enable
 .Pq Vt bool
 Set to
-.Dq YES
+.Dq Li YES
 if you want to do login accounting using the
 .Xr ac 8
 command.
-.It Va monthly_statistics_enable
+.It Va monthly_status_security_enable
 .Pq Vt bool
-Set to
-.Dq YES
-if you want to report non-identifying information about the OS to the
-.Pa http://www.bsdstats.org
-community site on the internet.
-.It Va monthly_statistics_report_devices
+Monthly counterpart of
+.Va daily_status_security_enable .
+.It Va monthly_status_security_inline
 .Pq Vt bool
-When
-.Va monthly_statistics_report_devices
-is set, this may also be set to report additional device statistics.
+Monthly counterpart of
+.Va daily_status_security_inline .
+.It Va monthly_status_security_output
+.Pq Vt str
+Monthly counterpart of
+.Va daily_status_security_output .
 .It Va monthly_local
 .Pq Vt str
 Set to a list of extra scripts that should be run after all other
 monthly scripts.
 All scripts must be absolute path names.
 .El
+.Pp
+The following variables are used by the standard scripts that reside in
+.Pa /etc/periodic/security .
+Those scripts are usually run from daily
+.Pq Va daily_status_security_enable ,
+weekly
+.Pq Va weekly_status_security_enable ,
+and monthly
+.Pq Va monthly_status_security_enable
+periodic hooks.
+The
+.Va ..._period
+of each script can be configured as
+.Dq daily ,
+.Dq weekly ,
+.Dq monthly
+or
+.Dq NO .
+Note that when periodic security scripts are run from
+.Xr crontab 5 ,
+they will be always run unless their
+.Va ..._enable
+or
+.Va ..._period
+variable is set to
+.Dq NO .
+.Bl -tag -offset 4n -width 2n
+.It Va security_status_logdir
+.Pq Vt str
+The directory where the security scripts expect the system's log files.
+The default is
+.Pa /var/log .
+.It Va security_status_diff_flags
+.Pq Vt str
+Set to the arguments to pass to the
+.Xr diff 1
+utility when generating differences.
+The default is
+.Fl b u .
+.It Va security_status_chksetuid_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to compare the modes and modification times of setuid executables with
+the previous day's values.
+.It Va security_status_chksetuid_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_neggrpperm_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to check for files where the group of a file has less permissions than
+the world at large.
+When users are in more than 14 supplemental groups these negative
+permissions may not be enforced via NFS shares.
+.It Va security_status_neggrpperm_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_chkmounts_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to check for changes mounted file systems to the previous day's values.
+.It Va security_status_chkmounts_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_nomfs
+.Pq Vt bool
+Set to
+.Dq Li YES
+if you want to ignore
+.Xr mfs 8
+mounts when comparing against yesterday's file system mounts in the
+.Va security_status_chkmounts_enable
+check.
+.It Va security_status_chkuid0_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to check
+.Pa /etc/master.passwd
+for accounts with UID 0.
+.It Va security_status_chkuid0_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_passwdless_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to check
+.Pa /etc/master.passwd
+for accounts with empty passwords.
+.It Va security_status_passwdless_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_logincheck_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to check
+.Pa /etc/login.conf
+ownership, see
+.Xr login.conf 5
+for more information.
+.It Va security_status_logincheck_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_ipfwdenied_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to show log entries for packets denied by
+.Xr ipfw 8
+since yesterday's check.
+.It Va security_status_ipfwdenied_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_pfdenied_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to show log entries for packets denied by
+.Xr pf 4
+since yesterday's check.
+.It Va security_status_pfdenied_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_ipfwlimit_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to display
+.Xr ipfw 8
+rules that have reached their verbosity limit.
+.It Va security_status_ipfwlimit_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_ip6fwdenied_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to show log entries for packets denied by
+.Xr ip6fw 8
+since yesterday's check.
+.It Va security_status_ip6fwdenied_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_ip6fwlimit_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to display
+.Xr ip6fw 8
+rules that have reached their verbosity limit.
+.It Va security_status_ip6fwlimit_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_kernelmsg_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to show new
+.Xr dmesg 8
+entries since yesterday's check.
+.It Va security_status_kernelmsg_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_loginfail_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to display failed logins from
+.Pa /var/log/messages
+in the previous day.
+.It Va security_status_loginfail_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.It Va security_status_tcpwrap_enable
+.Pq Vt bool
+Set to
+.Dq Li YES
+to display connections denied by tcpwrappers (see
+.Xr hosts_access 5 )
+from
+.Pa /var/log/messages
+during the previous day.
+.It Va security_status_tcpwrap_period
+.Pq Vt str
+Set to either
+.Dq Li daily ,
+.Dq Li weekly ,
+.Dq Li monthly
+or
+.Dq Li NO .
+.El
 .Sh FILES
-.Bl -tag -width /etc/defaults/periodic.conf
+.Bl -tag -width ".Pa /etc/defaults/periodic.conf"
 .It Pa /etc/defaults/periodic.conf
 The default configuration file.
 This file contains all default variables and values.
@@ -721,6 +894,7 @@ is shared or distributed.
 .Xr netstat 1 ,
 .Xr nice 1 ,
 .Xr HAMMER 5 ,
+.Xr login.conf 5 ,
 .Xr rc.conf 5 ,
 .Xr ac 8 ,
 .Xr chkgrp 8 ,
@@ -737,4 +911,4 @@ The
 file appeared in
 .Fx 4.1 .
 .Sh AUTHORS
-.An Brian Somers Aq Mt brian@Awfulhak.org .
+.An Brian Somers Aq Mt brian@Awfulhak.org