--- pkg/Makefile 2016-07-31 13:52:22.000000000 +0200
+++ pkg/Makefile 2016-09-01 14:09:31.251006604 +0200
@@ -3,7 +3,7 @@
 PORTNAME= pkg
 DISTVERSION= 1.8.7
 _PKG_VERSION= ${DISTVERSION}
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= ports-mgmt
 MASTER_SITES= \
 http://files.etoilebsd.net/${PORTNAME}/ \
@@ -21,6 +21,8 @@
 CONFIGURE_ARGS= --disable-maintainer-mode
 INSTALL_TARGET= install-strip
 
+SUB_FILES= 405.pkg-base-audit
+
 # Use a submake as 'deinstall install' needs to reevaluate PKG_CMD
 # so that pkg-static is used from the wrkdir
 USE_SUBMAKE= yes
@@ -74,5 +76,8 @@
 post-install:
 @${MV} ${STAGEDIR}${PREFIX}/lib/libpkg_static.a \
 ${STAGEDIR}${PREFIX}/lib/libpkg.a
+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/security
+ ${INSTALL_SCRIPT} ${WRKDIR}/405.pkg-base-audit \
+ ${STAGEDIR}${PREFIX}/etc/periodic/security
 .include
--- pkg/files/405.pkg-base-audit.in 1970-01-01 01:00:00.000000000 +0100
+++ pkg/files/405.pkg-base-audit.in 2016-09-01 13:41:18.329776495 +0200
@@ -0,0 +1,206 @@
+#!/bin/sh -f
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+# Copyright (c) 2014 Matthew Seaman
+# Copyright (c) 2016 Miroslav Lachman <000.fbsd@quip.cz>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+if [ -r /etc/defaults/periodic.conf ]; then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+# Compute PKG_DBDIR from the config file.
+pkgcmd=%%PREFIX%%/sbin/pkg
+PKG_DBDIR=`${pkgcmd} config PKG_DBDIR`
+auditfile="${PKG_DBDIR}/vuln.xml"
+
+audit_base() {
+ local pkgargs="$1"
+ local basedir="$2"
+ local rc
+ local then
+ local now
+ local usrlv
+ local krnlv
+ local strlen
+ local chrootv
+ local jailv
+ local jid
+
+ ## get version from chroot
+ if [ -n "`echo "$pkgargs" | egrep '^-c'`" ]; then
+ if [ -x "$basedir/bin/freebsd-version" ]; then
+ chrootv=$($basedir/bin/freebsd-version -u)
+ ## safety check - strlen
+ strlen=$(echo "$chrootv" | wc -c)
+ if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
+ echo "Wrong version string, cannot run audit"
+ return 3
+ fi
+ usrlv=$(echo $chrootv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+ else
+ echo "Cannot guess chroot version"
+ return 3
+ fi
+ ## get version from jail
+ elif [ -n "`echo "$pkgargs" | egrep '^-j'`" ]; then
+ jid=$(echo "$pkgargs" | awk '$1 ~ /^-[j]/ { print $2 }')
+ jailv=$(jexec $jid freebsd-version -u)
+ ## safety check - strlen
+ strlen=$(echo "$jailv" | wc -c)
+ if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
+ echo "Wrong version string, cannot run audit"
+ return 3
+ fi
+ usrlv=$(echo $jailv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+ ## get version from host
+ else
+ usrlv=$(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+ fi
+
+ then=`stat -f '%m' "${basedir}${auditfile}" 2> /dev/null` || rc=3
+ now=`date +%s` || rc=3
+ ## Add 10 minutes of padding since the check is in seconds.
+ if [ $rc -ne 0 -o \
+ $(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \
+ -le $(( ${now} - ${then} + 600 )) ]; then
+ ## Random delay so the mirrors do not get slammed when run by periodic(8)
+ if [ !
-t 0 ]; then
+ sleep `jot -r 1 0 600`
+ fi
+ f="-F"
+ else
+ echo -n 'Database fetched: '
+ date -r "${then}" || rc=3
+ fi
+
+ ## cannot check kernel in jail or chroot
+ if [ -z "`echo "$pkgargs" | egrep '^-[cj]'`" -a `sysctl -n security.jail.jailed` = 0 ]; then
+ krnlv=$(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+ ${pkgcmd} audit $f $q $krnlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
+ fi
+
+ ${pkgcmd} audit $f $q $usrlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
+
+ return $rc
+}
+
+# Use $pkg_chroots to provide a default list of chroots, and
+# $pkg_jails to provide a default list of jails (or '*' for all jails)
+# for all pkg periodic scripts, or set
+# $daily_status_security_baseaudit_chroots and
+# $daily_status_security_baseaudit_jails for this script only.
+
+audit_base_all() {
+ local rc
+ local last_rc
+ local jails
+
+ : ${daily_status_security_baseaudit_chroots=$pkg_chroots}
+ : ${daily_status_security_baseaudit_jails=$pkg_jails}
+
+ # We always show audit results for the base system, but only print
+ # a banner line if we're also showing audit results for any
+ # chroots or jails.
+
+ if [ -n "${daily_status_security_baseaudit_chroots}" -o \
+ -n "${daily_status_security_baseaudit_jails}" ]; then
+ echo "Host system:"
+ fi
+
+ audit_base '' ''
+ last_rc=$?
+ [ $last_rc -gt 1 ] && rc=$last_rc
+
+ for c in $daily_status_security_baseaudit_chroots ; do
+ echo
+ echo "chroot: $c"
+ audit_base "-c $c" $c
+ last_rc=$?
+ [ $last_rc -gt 1 ] && rc=$last_rc
+ done
+
+ case $daily_status_security_baseaudit_jails in
+ \*)
+ jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/')
+ ;;
+ '')
+ jails=
+ ;;
+ *)
+ # Given the jail name or jid, find the jail path
+ jails=
+ for j in $daily_status_security_baseaudit_jails ; do
+ p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/')
+ jails="${jails} ${p}"
+ done
+ ;;
+ esac
+
+ for j in $jails ; do
+ echo
+ echo "jail: ${j%|*}"
+ audit_base "-j ${j%|*}" ${j##*|}
+ last_rc=$?
+ [ $last_rc -gt 1 ] && rc=$last_rc
+ done
+
+ return $rc
+}
+
+rc=0
+
+case "${daily_status_security_baseaudit_enable:-YES}" in
+[Nn][Oo]) ;;
+*)
+ echo
+ echo 'Checking for security vulnerabilities in base (userland & kernel):'
+
+ if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
+ echo 'pkg-audit is enabled but pkg is not used'
+ rc=2
+ else
+ case "${daily_status_security_baseaudit_quiet:-NO}" in
+ [Yy][Ee][Ss])
+ q='-q'
+ ;;
+ *)
+ q=
+ ;;
+ esac
+
+ audit_base_all ; rc=$?
+ fi
+ ;;
+esac
+
+exit "$rc"
--- pkg/pkg-plist 2015-10-31 16:13:01.000000000 +0100
+++ pkg/pkg-plist 2016-09-01 13:34:46.213005176 +0200
@@ -1,6 +1,7 @@
 etc/bash_completion.d/_pkg.bash
 etc/periodic/daily/411.pkg-backup
 etc/periodic/daily/490.status-pkg-changes
+etc/periodic/security/405.pkg-base-audit
 etc/periodic/security/410.pkg-audit
 etc/periodic/security/460.pkg-checksum
 etc/periodic/weekly/400.status-pkg
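Review bot: In audit_base the chroot branch runs `chrootv=$($basedir/bin/freebsd-version -u)`, i.e. a program taken from the chroot's own filesystem is executed on the host, unconfined, with the privileges of periodic(8); as far as I recall freebsd-version is a shell script, so a chroot whose contents are not fully trusted (a build root, an extracted image) gives whoever controls it command execution as root on the host each night. Running it confined, `chrootv=$(chroot "$basedir" /bin/freebsd-version -u)`, or extracting the version assignment from the file with sed instead of executing it, avoids that while keeping the preceding -x test. A separate defect in the same function: the freshness check does `stat -f '%m' "${basedir}${auditfile}"` on the chroot's or jail's copy of vuln.xml, but the later `${pkgcmd} audit $f $q $usrlv` calls never receive ${pkgargs} and therefore consult the host database, so a chroot or jail without its own vuln.xml makes stat fail, sets rc=3, forces a -F fetch of the host database on every run and returns 3 even when both audits succeed; checking `"${auditfile}"` there, or passing ${pkgargs} to pkg audit, makes the two consistent. Note also that `if [ $rc -ne 0 -o ...` works only because `local rc` in FreeBSD sh inherits the global rc=0 assigned further down the file; `local rc=0` at the top of audit_base removes that dependence.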