periodic/security: Add check for pkgsrc vulnerabilities
authorJan Lentfer <Jan.Lentfer@web.de>
Sat, 23 Jan 2010 20:46:00 +0000 (21:46 +0100)
committerJan Lentfer <Jan.Lentfer@web.de>
Sat, 23 Jan 2010 21:05:36 +0000 (22:05 +0100)
* adds /etc/periodic/security/670.pkgsrcaudit
* adds switches to /etc/defaults/periodic.conf

Recklessly-stolen-from: NetBSD

Suggested-by: Justin C. Sherrill
etc/defaults/periodic.conf
etc/periodic/security/670.pkgsrcaudit [new file with mode: 0644]
etc/periodic/security/Makefile

index fca3fd1..b2d5350 100644 (file)
@@ -178,6 +178,11 @@ daily_status_security_ip6fwdenied_enable="YES"
 # 650.ip6fwlimit
 daily_status_security_ip6fwlimit_enable="YES"
 
+# 670.pkgsrcaudit
+daily_status_pkgsrc_fetch_vulnerabilities="YES"
+daily_status_pkgsrc_audit_enable="YES"
+daily_status_pkgsrc_check_signatures="YES"
+
 # 700.kernelmsg
 daily_status_security_kernelmsg_enable="YES"
 
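Review bot: The three new knobs use a `daily_status_pkgsrc_` prefix, whereas every other entry in this block (650.ip6fwlimit, 700.kernelmsg) and the script's placement under periodic/security follow `daily_status_security_<script>_`; a `daily_status_security_pkgsrc_*` naming would keep the defaults file consistent, with the matching rename in 670.pkgsrcaudit. Defaulting `daily_status_pkgsrc_fetch_vulnerabilities` to YES also means the daily security run now performs an outbound download on every host, which is worth stating where an administrator reads it: `# fetches the pkg-vulnerabilities file over the network; set to NO on hosts without outbound access`.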
diff --git a/etc/periodic/security/670.pkgsrcaudit b/etc/periodic/security/670.pkgsrcaudit
new file mode 100644 (file)
index 0000000..f8e9cfc
--- /dev/null
@@ -0,0 +1,70 @@
+#!/bin/sh -
+#
+# Copyright (c) 2010  The DragonFly Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+    . /etc/defaults/periodic.conf
+    source_periodic_confs
+fi
+
+pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
+
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+       case "$daily_status_pkgsrc_fetch_vulnerabilities" in
+         [Yy][Ee][Ss])
+               echo ""
+               echo 'Fetching package vulnerabilities database:'
+               pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -su
+               rc0=$?
+               ;;
+       *) rc0=0;
+       esac
+       case "$daily_status_pkgsrc_audit_enable" in
+         [Yy][Ee][Ss])
+               echo ""
+               echo 'Checking pkgsrc packages for vulnerabilities:'
+               pkg_admin -K ${pkgdb_dir} audit
+               rc1=$?
+               ;;
+       *) rc1=0;
+       esac
+       case "$daily_status_pkgsrc_check_signatures" in
+         [Yy][Ee][Ss])
+               echo ""
+               echo 'Checking pkgsrc file signatures:'
+               pkg_admin -K ${pkgdb_dir} check
+               rc2=$?
+               ;;
+       *) rc2=0
+       esac
+fi
+if [ $rc0 -gt 0 ] || [ $rc1 -gt 0 ] || [ $rc2 -gt 0 ]; then
+       rc=1
+fi
+exit "$rc"
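Review bot: `rc` is never initialised, so on the all-clean path the final `exit "$rc"` runs as `exit ""`, which the shell rejects as a non-numeric argument, and when `pkg_info -E '*'` finds no packages rc0/rc1/rc2 are also unset and the `[ $rc0 -gt 0 ]` tests on the closing `if` fail with a unary-operator error instead of evaluating. Add `rc=0 rc0=0 rc1=0 rc2=0` on the line after the `pkgdb_dir=` assignment and quote the tests, `if [ "$rc0" -gt 0 ] || [ "$rc1" -gt 0 ] || [ "$rc2" -gt 0 ]; then`. The `-s` flag on the fetch line is the only thing that checks the downloaded vulnerabilities database before `pkg_admin audit` trusts it, so a comment there would stop it being dropped casually: `# -s verifies the signature on the fetched database; -u fetches only when the remote copy is newer`.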
index 4e16ba5..4f0df05 100644 (file)
@@ -12,6 +12,7 @@ FILES=        100.chksetuid \
        550.ipfwlimit \
        600.ip6fwdenied \
        650.ip6fwlimit \
+       670.pkgsrcaudit \
        700.kernelmsg \
        800.loginfail \
        900.tcpwrap \