From 4e0f4f9c9ae92669ff3a0017edfbb4217b80e377 Mon Sep 17 00:00:00 2001
From: Jan Lentfer
Date: Sat, 23 Jan 2010 21:46:00 +0100
Subject: [PATCH] periodic/security: Add check for pkgsrc vulnerabilities
* adds /etc/periodic/security/670.pkgsrcaudit
* adds switches to /etc/default/periodic.conf
Recklessly-stolen-from: NetBSD
Suggested-by: Justin C. Sherrill
---
 etc/defaults/periodic.conf | 5 ++
 etc/periodic/security/670.pkgsrcaudit | 70 +++++++++++++++++++++++++++
 etc/periodic/security/Makefile | 1 +
 3 files changed, 76 insertions(+)
 create mode 100644 etc/periodic/security/670.pkgsrcaudit
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index fca3fd12b7..b2d535006d 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -178,6 +178,11 @@ daily_status_security_ip6fwdenied_enable="YES"
 # 650.ip6fwlimit
 daily_status_security_ip6fwlimit_enable="YES"
+# 670.pkgsrcaudit
+daily_status_pkgsrc_fetch_vulnerabilities="YES"
+daily_status_pkgsrc_audit_enable="YES"
+daily_status_pkgsrc_check_signatures="YES"
+
 # 700.kernelmsg
 daily_status_security_kernelmsg_enable="YES"
diff --git a/etc/periodic/security/670.pkgsrcaudit b/etc/periodic/security/670.pkgsrcaudit
new file mode 100644
index 0000000000..f8e9cfc65a
--- /dev/null
+++ b/etc/periodic/security/670.pkgsrcaudit
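Review bot: The three new knobs break the naming pattern of their neighbours: the surrounding entries are `daily_status_security_<script>_enable` (see `daily_status_security_ip6fwlimit_enable` and `daily_status_security_kernelmsg_enable` in the same hunk), while the added lines use `daily_status_pkgsrc_*` and only one of the three carries the `_enable` suffix. If these names are not meant to stay identical to the NetBSD originals the commit message credits, something like `daily_status_security_pkgsrcaudit_fetch_enable`, `..._audit_enable` and `..._check_enable` (with the matching `case` selectors in 670.pkgsrcaudit) keeps periodic.conf greppable by script name. Either way a one-line comment per knob saying which pkg_admin step it toggles (fetch the vulnerabilities database, run the audit, verify installed file signatures) would help, since the bare names do not say so.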
@@ -0,0 +1,70 @@
+#!/bin/sh -
+#
+# Copyright (c) 2010 The DragonFly Project
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
+
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+ case "$daily_status_pkgsrc_fetch_vulnerabilities" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Fetching package vulnerabilities database:'
+ pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -su
+ rc0=$?
+ ;;
+ *) rc0=0;
+ esac
+ case "$daily_status_pkgsrc_audit_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking pkgsrc packages for vulnerabilities:'
+ pkg_admin -K ${pkgdb_dir} audit
+ rc1=$?
+ ;;
+ *) rc1=0;
+ esac
+ case "$daily_status_pkgsrc_check_signatures" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo 'Checking pkgsrc file signatures:'
+ pkg_admin -K ${pkgdb_dir} check
+ rc2=$?
+ ;;
+ *) rc2=0
+ esac
+fi
+if [ $rc0 -gt 0 ] || [ $rc1 -gt 0 ] || [ $rc2 -gt 0 ]; then
+ rc=1
+fi
+exit "$rc"
diff --git a/etc/periodic/security/Makefile b/etc/periodic/security/Makefile
index 4e16ba51ec..4f0df0544d 100644
--- a/etc/periodic/security/Makefile
+++ b/etc/periodic/security/Makefile
@@ -12,6 +12,7 @@ FILES= 100.chksetuid \
 550.ipfwlimit \
 600.ip6fwdenied \
 650.ip6fwlimit \
+ 670.pkgsrcaudit \
 700.kernelmsg \
 800.loginfail \
 900.tcpwrap \
-- 2.41.0
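Review bot: `rc` is never initialized, so on the all-clear path the final `exit "$rc"` runs as `exit ""`, which /bin/sh rejects as a non-numeric argument and the script's exit status stops reflecting the audit result. The same gap hits `rc0`, `rc1` and `rc2` when the outer `pkg_info -K ${pkgdb_dir} -q -E '*'` test fails (no packages installed): they stay unset and the unquoted `[ $rc0 -gt 0 ]` collapses to `[ -gt 0 ]`, a test(1) syntax error, so the script errors out instead of exiting 0. Initialize all four next to the `pkgdb_dir` default, `rc=0` and `rc0=0 rc1=0 rc2=0`, and quote the expansions in the final test, `[ "$rc0" -gt 0 ] || [ "$rc1" -gt 0 ] || [ "$rc2" -gt 0 ]`. While there, `${pkgdb_dir}` is unquoted in the `pkg_info`/`pkg_admin` calls; the value comes from periodic.conf, so `"${pkgdb_dir}"` costs nothing and survives a path with spaces.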