5 # Copyright (c) 2008 The NetBSD Foundation, Inc.
8 # This code is derived from software contributed to The NetBSD Foundation
11 # Redistribution and use in source and binary forms, with or without
12 # modification, are permitted provided that the following conditions
14 # 1. Redistributions of source code must retain the above copyright
15 # notice, this list of conditions and the following disclaimer.
16 # 2. Redistributions in binary form must reproduce the above copyright
17 # notice, this list of conditions and the following disclaimer in the
18 # documentation and/or other materials provided with the distribution.
20 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
21 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
22 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
23 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
24 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 # POSSIBILITY OF SUCH DAMAGE.
45 # print a usage message and then die
51 -d : Download the system-vulnerabilities file before anything else
52 -u : Download the system-vulnerabilities file only
59 : ${SYSVULNDIR=@SYSVULNDIR@}
# Defaults for the vulnerability-list directory and the download tool.  The
# @...@ tokens are placeholders, presumably substituted at build/install time
# (TODO confirm).  The ': ${VAR=default}' form only assigns when VAR is unset,
# so values already in the environment take precedence.
61 : ${FETCH_TOOL=@FETCH_TOOL@}
# FETCH_TOOL_ARGS is expanded unquoted before the output path and the URL in
# the download command below, so it must be a plain option word or a
# whitespace-separated list of option words.
62 : ${FETCH_TOOL_ARGS="-o"}
63 scriptdir="@SCRIPT_DIR@"
# Each path in this list is checked with 'test -x' in the loop below.  AWK,
# MKDIR, RM, MV, CHMOD and FIND are also used later but are not listed here;
# presumably they are defined on lines not shown - verify.
68 tools="@STAT@ @OBJDUMP@ @CKSUM@ @FETCH_TOOL@ @IDENT@"
70 # check the integrity of a system-vulnerabilities file
73 # see if the file got damaged in transit: recompute the checksum of the
# body and compare it with the #CHECKSUM line embedded in the file itself.
# Both the expected sum and the algorithm name are read from the downloaded
# file, so this catches corruption, not tampering - whoever can alter the
# download can rewrite the #CHECKSUM line (or choose a weaker algorithm) too.
74 recordedsum=$(${AWK} '$1 == "#CHECKSUM" { print $3 }' $1)
75 recordedalg=$(${AWK} '$1 == "#CHECKSUM" { print $2 }' $1)
77 if [ "x${recordedsum}" = "x" -o "x${recordedalg}" = "x" ]; then
78 echo "ERROR: Error in downloading"
83 calcsum=$(${AWK} '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' $1 | ${CKSUM} -a ${recordedalg})
84 if [ "x${recordedsum}" != "x${calcsum}" ]; then
85 echo "ERROR: Checksum mismatch"
91 # check all the tools we need are available
92 for t in ${tools} ; do
93 if [ ! -x ${t} ]; then
94 echo "ERROR: Required tools not found"
99 # process any command line arguments
100 while [ $# -gt 0 ]; do
103 -u) download_only=yes ;;
105 *) usage "$0" "Unknown option $1"
110 # check for incompatible command line options
111 if [ "x${download}" = "xyes" -a "x${download_only}" = "xyes" ]; then
112 echo "ERROR: Invalid command line options specified"
116 # if we have any configuration information, then read it
117 if [ -r @PKG_SYSCONFDIR@/audit-system.conf ]; then
118 if [ "x${verbose}" = "xyes" ]; then
119 echo "Reading settings from @PKG_SYSCONFDIR@/audit-system.conf"
121 . @PKG_SYSCONFDIR@/audit-system.conf
124 # check FETCH_PROTO is sane: it may have been set by the config file just
# sourced and is interpolated directly into the download URL below, so only
# the schemes listed in this case statement are accepted
125 case ${FETCH_PROTO} in
128 *) echo "ERROR: Unsupported FETCH_PROTO specified"
133 # setup what we know is sane so far
134 #vulsource="${FETCH_PROTO}://ftp.NetBSD.org/pub/NetBSD/misc/agc/audit-system/system-vulnerabilities"
# NOTE(review): the active source is localhost while the ftp.NetBSD.org URL
# is commented out above - this looks like a test/placeholder setting; confirm
# before shipping.  FETCH_PROTO comes from the config file (checked by the
# case statement above) and is interpolated straight into the URL.
135 vulsource="${FETCH_PROTO}://localhost/pub/NetBSD/system-vulnerabilities"
# Installed list, and the temporary name the download is written to first.
# The temporary name is derived from $$ and so is predictable; it lives in
# ${SYSVULNDIR} rather than a shared temp directory, so that only matters if
# ${SYSVULNDIR} is writable by other users.
136 vuls="${SYSVULNDIR}/system-vulnerabilities"
137 newvullist="${SYSVULNDIR}/system-vulnerabilities.$$"
139 # try to download the system vulnerability list, as requested
140 # the integrity of the list is checked below
141 # so just issue a warning if there was a failure
142 if [ "x${download}" = "xyes" -o "x${download_only}" = "xyes" ]; then
144 # check ${SYSVULNDIR} exists (creating it if not) and is writable, by
# creating and then removing a probe file
145 if [ ! -d ${SYSVULNDIR}/. ]; then
146 echo "Creating ${SYSVULNDIR}"
147 ${MKDIR} ${SYSVULNDIR}
149 echo audit-system > ${SYSVULNDIR}/.cookie
150 if [ -f ${SYSVULNDIR}/.cookie ]; then
151 ${RM} ${SYSVULNDIR}/.cookie
153 echo "ERROR: Unable to write to ${SYSVULNDIR}"
158 ${FETCH_TOOL} ${FETCH_TOOL_ARGS} "${newvullist}" "${vulsource}"
160 # see if we got a file
161 if [ ! -f "${newvullist}" ]; then
162 echo "ERROR: Download of vulnerabilities file failed"
166 check_integrity "${newvullist}"
168 # test to see if the file has changed: compare the #CHECKSUM recorded in
# the installed copy with ${calcsum}, which check_integrity left behind as a
# global after verifying the new download
169 if [ -f "${vuls}" ]; then
170 oldsum=$(${AWK} '$1 == "#CHECKSUM" { print $3 }' "${vuls}")
171 if [ "x${oldsum}" != "x${calcsum}" ]; then
178 # if we need the new file, move it into position
179 if [ "x${neednew}" = "xyes" ]; then
180 echo "System vulnerabilities file has been updated"
181 ${CHMOD} a+r "${newvullist}"
182 ${MV} -f "${newvullist}" "${vuls}"
184 echo "No change from existing system vulnerabilities file"
185 ${RM} -f "${newvullist}"
189 # if download_only was specified then we end here
190 if [ "x${download_only}" = "xyes" ]; then
194 # check for missing vulnerabilities file before we continue
195 if [ ! -f "${vuls}" ]; then
196 echo "ERROR: Missing system vulnerabilities file"
200 # if we're being verbose, warn when the vulnerabilities file looks stale.
# This uses ctime (inode change time), which the mv above resets, so it
# measures when the file was installed here, not when it was published
201 if [ "x${verbose}" = "xyes" ]; then
202 if [ -n "$(${FIND} ${vuls} -ctime +7)" ]; then
203 echo "WARNING: system vulnerabilites file is more than a week old"
207 # check format version of vulnerabilities file
# Parse the "#FORMAT major.minor.teeny" header line: the first matching line
# wins (awk exits after it), its last field is split on '.', and each
# component is pulled out by a separate awk pass.  A missing component yields
# an empty string; major/minor being empty is reported as an error below,
# while an empty teeny is handled separately.
208 file_major=$(${AWK} '/^#[ \t]*FORMAT/ { split($NF, a, "\\."); print a[1]; exit; }' "${vuls}")
209 file_minor=$(${AWK} '/^#[ \t]*FORMAT/ { split($NF, a, "\\."); print a[2]; exit; }' "${vuls}")
210 file_teeny=$(${AWK} '/^#[ \t]*FORMAT/ { split($NF, a, "\\."); print a[3]; exit; }' "${vuls}")
212 if [ -z "${file_teeny}" ] ; then
216 if [ "x${file_major}" = "x" -o "x${file_minor}" = "x" ]; then
217 echo "ERROR: Error in downloading"
221 if [ "${file_major}" -gt "${FORMAT_MAJOR}" -o "${file_minor}" -gt "${FORMAT_MINOR}" ]; then
222 echo "ERROR: Unsupported file format version"
223 echo "Please ensure you are running the latest version of audit-system"
227 if [ "${file_major}" -lt "${FORMAT_MAJOR}" -o "${file_minor}" -lt "${FORMAT_MINOR}" ]; then
228 echo "ERROR: Old version of system-vulnerabilities file detected"
232 # check integrity of vulnerabilities file.  This is a checksum check only:
# the expected sum and algorithm come from the file, so it does not verify who
# produced it.  The awk program below builds shell command lines out of the
# file's fields, so the list must come from a trusted source over a trusted
# transport - see FETCH_PROTO and vulsource above
233 check_integrity "${vuls}"
235 ${AWK} -v scriptdir="${scriptdir}" '
238 cmd = sprintf("v=$(%s/audit-%s %s) && test -e %s && test $v -lt %s && echo %c%s (version $v before %s) could have a %s vulnerability (severity %s) - see %s%c",
242 34, $1, $3, $4, $5, $6, 34);