author | eik <eik@FreeBSD.org> | 2004-02-21 21:19:41 +0000 |
---|---|---|
committer | eik <eik@FreeBSD.org> | 2004-02-21 21:19:41 +0000 |
commit | da981388e66d1427a30dd01703c6570d0fb821e4 (patch) | |
tree | 60c84593413ccfa83e823f92a5ae807f52bca188 /security | |
parent | 9347a4dd74ca1c72723fe2917294aa3e0661e8dc (diff) | |
update to 0.2:
- new command line tool
- new man page
- reworked database update code, incorporating feedback from
Max Khon <fjoe>, Radim Kolar <hsn@netmag.cz> (PR 63066) and
Ion-Mihai Tetcu <itetcu@apropo.ro> (PR 62655)
Diffstat (limited to 'security')
-rw-r--r-- | security/portaudit/Makefile | 11 | ||||
-rw-r--r-- | security/portaudit/files/fetchaudit.sh | 88 | ||||
-rw-r--r-- | security/portaudit/files/portaudit-cmd.sh | 67 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.1 | 137 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.functions | 199 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.sh | 86 | ||||
-rw-r--r-- | security/portaudit/pkg-descr | 17 | ||||
-rw-r--r-- | security/portaudit/pkg-plist | 1 |
8 files changed, 480 insertions, 126 deletions
diff --git a/security/portaudit/Makefile b/security/portaudit/Makefile
index ff09854..b19fbd4 100644
--- a/security/portaudit/Makefile
+++ b/security/portaudit/Makefile
@@ -6,13 +6,15 @@
 #
 PORTNAME= portaudit
-PORTVERSION= 0.1
+PORTVERSION= 0.2
 CATEGORIES= security
 DISTFILES=
 MAINTAINER= eik@FreeBSD.org
 COMMENT= Checks installed ports against a list of security vulnerabilities
+MAN1= portaudit.1
+
 PERIODICDIR?= ${PREFIX}/etc/periodic
 DATABASEDIR?= /var/db/portaudit
@@ -33,13 +35,18 @@ IGNORE= "You need tar with bzip support to run portaudit"
 .endif
 do-build:
-.for f in portaudit.sh fetchaudit.sh portaudit.functions
+.for f in portaudit-cmd.sh portaudit.sh fetchaudit.sh portaudit.functions portaudit.1
 @${SED} -e "s|%%DATADIR%%|${DATADIR}|g" \
 -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g" \
+ -e "s|%%PREFIX%%|${PREFIX}|g" \
+ -e "s|%%LOCALBASE%%|${LOCALBASE}|g" \
+ -e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
 ${FILESDIR}/${f} > ${WRKDIR}/${f}
 .endfor
 do-install:
+ @${INSTALL_SCRIPT} ${WRKDIR}/portaudit-cmd.sh ${PREFIX}/bin/portaudit
+ @${INSTALL_MAN} ${WRKDIR}/portaudit.1 ${MAN1PREFIX}/man/man1
 @${MKDIR} ${PERIODICDIR}/security
 @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/910.portaudit
 @${MKDIR} ${PERIODICDIR}/daily
diff --git a/security/portaudit/files/fetchaudit.sh b/security/portaudit/files/fetchaudit.sh
index d7137ca..7a6ed53 100644
--- a/security/portaudit/files/fetchaudit.sh
+++ b/security/portaudit/files/fetchaudit.sh
@@ -1,12 +1,38 @@
 #!/bin/sh
-
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 # $FreeBSD$
 #
 # defaults
 daily_status_portaudit_enable="YES"
-portaudit_dir="%%DATABASEDIR%%"
 # If there is a global system configuration file, suck it in.
 #
@@ -17,65 +43,19 @@ then
 fi
 . %%DATADIR%%/portaudit.functions
+portaudit_confs
-MASTER_SITE_LOCAL="
- ${MASTER_SITE_LOCAL}
- ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- "
-
-MASTER_SITE_SUBDIR=eik
-
-DISTNAME=auditfile
-EXTRACT_SUFX=.tbz
-
-portaudit_file="${portaudit_dir}/${DISTNAME}${EXTRACT_SUFX}"
-
-# site sort order is not overly smart
-LOCATIONS=`echo "${MASTER_SITE_LOCAL}" | awk "
- BEGIN { srand() }
- /^[ \t]*\$/ { next }
- {
- gsub(/[ \t]/, \\"\\")
- gsub(/%SUBDIR%/, \\"${MASTER_SITE_SUBDIR}\\")
- print rand() \\"\t\\" \\$0 \\"${DISTNAME}${EXTRACT_SUFX}\\"
- }
- " | sort -n | cut -f 2`
-
+rc=0
 case "$daily_status_portaudit_enable" in
 ""|[Yy][Ee][Ss])
- if [ ! -f "${portaudit_file}" ] || checkexpiry_auditfile 5; then
+ if [ ! -f "${portaudit_dir}/${portaudit_filename}" ] || ! checkexpiry_auditfile 3; then
 echo ""
 echo "Updating audit database."
- cd "${portaudit_dir}"
- fetch -1am ${LOCATIONS}
- if [ ! $? ]; then
- echo "Couldn't fetch database."
- rc=2
- elif [ ! -f "${portaudit_file}" ] ; then
- echo "no database."
- rc=2
- elif checksum_auditfile; then
- echo "database corrupt."
- rc=2
- elif checkexpiry_auditfile 7; then
- echo "database too old."
- rc=2
- else
- echo "done"
- rc=1
- fi
- else
- rc=0
+ fetch_auditfile && rc=1 || rc=2
 fi
- ;;
+ ;;
 *)
- rc=0
- ;;
+ ;;
 esac
 exit "${rc}"
diff --git a/security/portaudit/files/portaudit-cmd.sh b/security/portaudit/files/portaudit-cmd.sh
new file mode 100644
index 0000000..76b43ec
--- /dev/null
+++ b/security/portaudit/files/portaudit-cmd.sh
@@ -0,0 +1,67 @@
+#!/bin/sh -ef
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+. %%DATADIR%%/portaudit.functions
+portaudit_confs
+
+if [ $# -eq 0 ] ; then
+ portaudit_prerequisites
+ audit_installed || true
+fi
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ -a)
+ portaudit_prerequisites
+ audit_installed || true
+ ;;
+ -V)
+ echo "portaudit version %%PORTVERSION%%"
+ ;;
+ -d)
+ if [ ! -f "${portaudit_dir}/${portaudit_filename}" ]; then
+ echo "portaudit: database missing. run \`portaudit -F' to update."
+ exit 2
+ fi
+ if ! checksum_auditfile; then
+ echo "portaudit: database corrupt."
+ exit 2
+ fi
+ echo "database created: `getcreated_auditfile`"
+ ;;
+ -F)
+ fetch_auditfile || echo "failed."
+ ;;
+ esac
+ shift
+done
diff --git a/security/portaudit/files/portaudit.1 b/security/portaudit/files/portaudit.1
new file mode 100644
index 0000000..c5e6e94
--- /dev/null
+++ b/security/portaudit/files/portaudit.1
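Review bot: The exit status of the new command never reflects the audit result: both `audit_installed || true` arms discard the non-zero status that audit_installed's awk END block returns when vul > 0, and the `-F` arm ends with `fetch_auditfile || echo "failed."`, so `portaudit` exits 0 whether or not vulnerable packages were found or the fetch failed, which makes it unusable as a gate in scripts. The periodic script in this commit already tracks `rc`; mirroring that here — `rc=0` before the first `if`, `audit_installed || rc=1` at both call sites, `fetch_auditfile || { echo "failed."; rc=2; }` for `-F`, and `exit ${rc}` after `done` — would fix it without changing the output. Unknown options fall through the `case` silently because there is no `*)` arm, so a mistyped flag produces no output and status 0; a usage message there would help. Note also that the `-e` in `#!/bin/sh -ef` is dropped when the script is run as `sh portaudit`, so the abort that currently relies on it when portaudit_prerequisites fails should be made explicit, e.g. `portaudit_prerequisites || exit 1`.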
@@ -0,0 +1,137 @@
+.\" Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions are
+.\" met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright notice
+.\" this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the author nor the names of its contributors may be
+.\" used to endorse or promote products derived from this software without
+.\" specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+.\" COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd February 21, 2004
+.Os FreeBSD
+.Dt PORTAUDIT \&1 "FreeBSD ports collection"
+.
+.
+.Sh NAME
+.
+.Nm portaudit
+.Nd system to check installed packages for known vulnerabilities
+.
+.
+.Sh SYNOPSIS
+.
+.Nm
+.Op Fl a
+.Op Fl V
+.Op Fl d
+.Op Fl F
+.
+.
+.Sh DESCRIPTION
+.
+.Nm
+checks installed packages for known vulnerabilities and generates reports
+including references to security advisories. Its audience are system
+administrators or individual users.
+.Pp
+It uses a database maintained by port committers and the FreeBSD security team
+to check if security advisories for any installed packages exist. Note that a
+current ports tree (or any local copy of the ports tree) is not required for
+operation.
+.Pp
+This package also installs two scripts into %%PREFIX%%/periodic that regularly
+update this database and include the report of vulnerable packages in the
+daily security report.
+.Pp
+If you have a vulnerable package installed, you are advised to update or
+deinstalled it immediately.
+.
+.
+.Sh OPTIONS
+.
+The following options are supported:
+.Bl -tag -width ".Fl X"
+.It Fl a
+Print a vulnerability report for all installed packages
+.It Fl F
+Fetch the current database from the
+.Fx servers
+.It Fl d
+Print the creation date of the database
+.It Fl V
+Print the version of
+.Nm .
+.El
+.
+.
+.Sh EXAMPLES
+.
+.Bl -item
+.It
+Fetch the current database and print its creation date:
+.Pp
+.Dl "portaudit -F -d"
+.It
+Print a vulnerability report for all installed packages:
+.Pp
+.Dl "portaudit"
+.El
+.
+.
+.Sh FILES
+.
+.Pa %%PREFIX%%/etc/portaudit.conf ,
+.Pa %%DATABASEDIR%%/auditfile.tbz
+.
+.
+.Sh SEE ALSO
+.
+.Xr ports 7 ,
+.Xr periodic 8 ,
+.Xr periodic.conf 5 ,
+.Li Aq http://www.freebsd.org/security/#adv .
+.Li Aq http://www.vuxml.org/ .
+.
+.
+.Sh CAVEATS
+.
+.Nm
+is in develpoment and should currently not be relied upon
+as an extensive security auditing tool.
+.
+.
+.Sh BUGS
+.
+Sure to be some.
+.
+.
+.Sh AUTHOR
+.
+.An Oliver Eikemeier Aq eik@FreeBSD.org
+.
+.
+.Sh HISTORY
+.
+package auditing first appeared in
+.Nx 1.4.3 .
diff --git a/security/portaudit/files/portaudit.functions b/security/portaudit/files/portaudit.functions
index 29d09ba..1b6a0fe 100644
--- a/security/portaudit/files/portaudit.functions
+++ b/security/portaudit/files/portaudit.functions 
@@ -1,8 +1,69 @@
 #!/bin/sh
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+portaudit_confs()
+{
+ portaudit_dir=${portaudit_dir:-"%%DATABASEDIR%%"}
+ portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
+
+ FETCH_ENV=
+ FETCH_CMD="fetch -1am"
+ FETCH_BEFORE_ARGS=
+ FETCH_AFTER_ARGS=
+
+ MASTER_SITE_LOCAL="
+ ${MASTER_SITE_LOCAL}
+ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ "
+
+ MASTER_SITE_SUBDIR=eik
+
+ #MASTER_SORT_REGEX="\.uk[.\/]"
+ MASTER_SORT_REGEX="#"
+
+ if [ -r %%PREFIX%%/etc/portaudit.conf ]; then
+ . %%PREFIX%%/etc/portaudit.conf
+ fi
+}
 extract_auditfile()
 {
- tar -jxOf "${portaudit_file}" auditfile
+ tar -jxOf "${portaudit_dir}/${portaudit_filename}" auditfile
 }
 checksum_auditfile()
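Review bot: portaudit_confs sources `%%PREFIX%%/etc/portaudit.conf` after nothing more than an `-r` test, and the variables it may set (FETCH_ENV, FETCH_CMD, FETCH_BEFORE_ARGS, MASTER_SITE_LOCAL, MASTER_SORT_REGEX) are later expanded unquoted into command lines and an awk pattern, so the file is executed configuration, not parsed data; the scripts that include this file are installed under ${PERIODICDIR}/security and ${PERIODICDIR}/daily and would normally run from root's periodic(8) run. An ownership and mode check before the `.` line (root-owned, not writable by group or others) would close that gap cheaply, and even without it the intent should be recorded, e.g. `# NOTE: portaudit.conf is sourced as shell code by the periodic scripts; keep it root-owned and not group/world-writable`. The man page FILES entry for portaudit.conf would be the natural place to say the same to administrators.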
@@ -10,14 +71,142 @@ checksum_auditfile()
 chksum1=`extract_auditfile | sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'`
 chksum2=`extract_auditfile | sed -e '$d' | md5`
- [ "${chksum1}" != "${chksum2}" ];
+ [ "${chksum1}" = "${chksum2}" ];
+}
+
+getcreated_auditfile()
+{
+ extract_auditfile |
+ sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
 }
 checkexpiry_auditfile()
 {
- created=`extract_auditfile |
- sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'`
+ created=`getcreated_auditfile`
 expiry=`date -u -v-$1d '+%Y%m%d'`
- [ "${created}" -lt "${expiry}" ];
+ [ "${created}" -ge "${expiry}" ];
 }
+portaudit_prerequisites()
+{
+ if [ -z "${PKG_INFO}" ]; then
+ if [ -x %%LOCALBASE%%/sbin/pkg_info ]; then
+ PKG_INFO=%%LOCALBASE%%/sbin/pkg_info
+ else
+ PKG_INFO=/usr/sbin/pkg_info
+ fi
+ fi
+
+ if [ ! -x "${PKG_INFO}" ]; then
+ echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
+ return 1
+ fi
+
+ PKG_INSTALL_VER=`${PKG_INFO} -qP 2>/dev/null`
+ if [ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt 20040125 ]; then
+ echo "${PKG_INFO} is too old, please update port sysutils/pkg_install-devel"
+ return 1
+ fi
+
+ if [ ! -r "${portaudit_dir}/${portaudit_filename}" ]; then
+ echo "portaudit: database missing, run \`portaudit -F' to update."
+ return 1
+ fi
+ if ! checksum_auditfile; then
+ echo "portaudit: corrupt database."
+ return 1
+ fi
+ if ! checkexpiry_auditfile 14; then
+ echo "portaudit: database too old."
+ return 1
+ fi
+
+ return 0
+}
+
+audit_installed()
+{
+ extract_auditfile | awk -F\| "
+ BEGIN { vul=0 }
+ /^(#|\$)/ { next }
+ {
+ cmd=\"${PKG_INFO} -E \\\"\" \$1 \"\\\"\"
+ while((cmd | getline pkg) > 0) {
+ vul++
+ print \"Affected package: \" pkg \"\\n\" \
+ \"Type of problem: \" \$3 \".\\n\" \
+ \"Reference: <\" \$2 \">\\n\"
+ }
+ close(cmd)
+ }
+ END {
+ print vul \" problem(s) in your installed packages found.\"
+ if (vul > 0) {
+ print \"\nYou are advised to update or deinstall\" \
+ \" the affected package(s) immediately.\"
+ exit(1)
+ }
+ }
+ "
+}
+
+fetch_locations()
+{
+ # site sort order is not overly smart
+ echo "${MASTER_SITE_LOCAL}" | awk "
+ BEGIN { RS=\"[ \\t\\n]\"; IGNORECASE=1; srand() }
+ /^$/ { next }
+ {
+ if (\$0 ~ /${MASTER_SORT_REGEX}/ ) rank=0; else rank=rand()
+ gsub(/%SUBDIR%/, \"${MASTER_SITE_SUBDIR}\")
+ print rank \"\\t\" \$0
+ }
+ " | sort -n | cut -f 2
+}
+
+fetch_auditfile()
+{
+ rc=1
+
+ if [ ! -d "${portaudit_dir}" ]; then
+ mkdir -p "${portaudit_dir}"
+ fi
+ if [ ! -w "${portaudit_dir}" ]; then
+ echo "Couldn't write to ${portaudit_dir}"
+ return 1
+
+ fi
+ cd "${portaudit_dir}"
+ if [ -r "${portaudit_filename}" ]; then
+ cp "${portaudit_filename}" "${portaudit_filename}.old"
+ fi
+
+ for site in `fetch_locations`; do
+ echo ">> Attempting to fetch from ${site}."
+ args="${site}/${portaudit_filename}"
+ env ${FETCH_ENV} ${FETCH_CMD} ${FETCH_BEFORE_ARGS} ${args} ${FETCH_AFTER_ARGS}
+ if [ $? -ne 0 ]; then
+ echo "Couldn't fetch database."
+ elif [ ! -f "${portaudit_dir}/${portaudit_filename}" ] ; then
+ echo "no database fetched."
+ elif ! checksum_auditfile; then
+ echo "fetched database corrupt."
+ elif ! checkexpiry_auditfile 7; then
+ echo "fetched database too old."
+ else
+ echo "new database installed."
+ rc=0
+ break
+ fi
+ done
+ if [ -f "${portaudit_filename}.old" ]; then
+ if [ ${rc} -eq 0 ]; then
+ rm -f "${portaudit_filename}.old"
+ else
+ mv -f "${portaudit_filename}.old" "${portaudit_filename}"
+ echo "old database restored."
+ fi
+ fi
+ chmod a=r "${portaudit_filename}"
+ return ${rc}
+}
diff --git a/security/portaudit/files/portaudit.sh b/security/portaudit/files/portaudit.sh
index e4cab24..9747444 100644
--- a/security/portaudit/files/portaudit.sh
+++ b/security/portaudit/files/portaudit.sh
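Review bot: In audit_installed the first database field is spliced into a shell command line (`cmd=\"${PKG_INFO} -E \\\"\" \$1 \"\\\"\"`, executed through awk's `cmd | getline`), so an entry whose pattern contains a double quote, dollar sign, backquote or backslash — the four characters the shell still interprets inside double quotes — is re-parsed by the shell instead of reaching pkg_info as a plain argument. The same hunk shows why that content cannot simply be trusted: fetch_auditfile retrieves the file over plain FTP with no signature, and checksum_auditfile only compares the file's own last line with the MD5 of the lines above it, which catches transfer corruption but not a substituted file. The cheapest mitigation is to refuse such entries before the command is built, e.g. an awk rule ahead of the `cmd=` line of the form ``$1 ~ /["$`\\]/ { print "portaudit: skipping malformed entry: " $1; next }`` (escaped for the surrounding double-quoted program like its neighbours); reading the database with a sh `while IFS='|' read -r` loop and passing the pattern as one argv word would remove the shell re-parse entirely. Separately, fetch_locations sets `IGNORECASE=1`, which is a gawk extension — on the base-system awk it is an ordinary variable and MASTER_SORT_REGEX stays case-sensitive — so either drop it or say so in the comment above the awk program.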
@@ -1,12 +1,38 @@
 #!/bin/sh
-
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 # $FreeBSD$
 #
 # defaults
 daily_status_portaudit_enable="YES"
-portaudit_dir="%%DATABASEDIR%%"
 # If there is a global system configuration file, suck it in.
 #
@@ -17,8 +43,7 @@ then
 fi
 . %%DATADIR%%/portaudit.functions
-
-portaudit_file="${portaudit_dir}/auditfile.tbz"
+portaudit_confs
 rc=0
 case "$daily_status_portaudit_enable" in
@@ -27,58 +52,11 @@ case "$daily_status_portaudit_enable" in
 echo "Checking for packages with security vulnerabilities:"
 echo ""
- if [ -z "${PKG_INFO}" ]; then
- if [ -x /usr/local/sbin/pkg_info ]; then
- PKG_INFO=/usr/local/sbin/pkg_info
- else
- PKG_INFO=/usr/sbin/pkg_info
- fi
- fi
-
- if [ ! -x "${PKG_INFO}" ]; then
- echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
- exit 2
- fi
-
- PKG_INSTALL_VER=`${PKG_INFO} -qP 2>/dev/null`
- if [ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt 20040125 ]; then
- echo "${PKG_INFO} is too old, please update port sysutils/pkg_install-devel"
- exit 2
- fi
-
- if [ ! -f "${portaudit_file}" ]; then
- echo "portaudit: database missing."
- echo " run fetchaudit to update."
- exit 2
- fi
- if checksum_auditfile; then
- echo "portaudit: corrupt database."
- exit 2
- fi
- if checkexpiry_auditfile 14; then
- echo "portaudit: database too old."
- echo ""
+ if portaudit_prerequisites; then
+ audit_installed || rc=1
+ else
 rc=2
 fi
-
- extract_auditfile | awk -F\| "
- BEGIN { vul=0 }
- /^(#|\$)/ { next }
- {
- cmd=\"${PKG_INFO} -E \\\"\" \$1 \"\\\"\"
- while((cmd | getline pkg) > 0) {
- vul++
- print \"Affected package: \" pkg \"\\n\" \
- \"Type of problem: \" \$3 \".\\n\" \
- \"Reference: <\" \$2 \">\\n\"
- }
- close(cmd)
- }
- END {
- print vul \" problem(s) in your installed packages found.\"
- if (vul > 0) exit(1)
- }
- " || rc=1
 ;;
 *)
 ;;
diff --git a/security/portaudit/pkg-descr b/security/portaudit/pkg-descr
index f42c45d..8c6e9ab 100644
--- a/security/portaudit/pkg-descr
+++ b/security/portaudit/pkg-descr
@@ -1,16 +1,11 @@
-portaudit provides a list of published security vulnerabilities
-of FreeBSD ports and tools to check if installed ports are listed.
+portaudit provides a system to check if installed ports are listed in a
+database of published security vulnerabilities.
-After installation it will update the security database automatically
-and include its reports in the output of the daily security run.
+After installation it will update this security database automatically and
+include its reports in the output of the daily security run.
-Since this is a prerelease version, it is mostly usable for
-committers that want to contribute to the project, and can currently
-not be relied upon as an extensive security auditing tool.
-
-Credits go to Roland Dowdeswell <elric@NetBSD.org> and Bill
-Sommerfeld <sommerfeld@NetBSD.org> for the idea and Alistair
-Crooks <agc@NetBSD.org> for the initial implementation.
+Since this system is in development it can currently not be relied upon as an
+extensive security auditing tool.
 WWW: http://sourceforge.net/projects/portaudit/
diff --git a/security/portaudit/pkg-plist b/security/portaudit/pkg-plist
index f91562c..4262caf 100644
--- a/security/portaudit/pkg-plist
+++ b/security/portaudit/pkg-plist
@@ -1,3 +1,4 @@
+bin/portaudit
 %%PERIODICDIR%%/security/910.portaudit
 %%PERIODICDIR%%/daily/330.fetchaudit
 %%DATADIR%%/portaudit.functions