
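--- a/pkg/Makefile
+++ b/pkg/Makefile
@@ -3,7 +3,7 @@
 PORTNAME=	pkg
 DISTVERSION=	1.8.7
 _PKG_VERSION=	${DISTVERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	ports-mgmt
 MASTER_SITES=	\
 		http://files.etoilebsd.net/${PORTNAME}/ \
@@ -21,6 +21,8 @@
 CONFIGURE_ARGS=	--disable-maintainer-mode
 INSTALL_TARGET=	install-strip
 
+SUB_FILES=	405.pkg-base-audit
+
 # Use a submake as 'deinstall install' needs to reevaluate PKG_CMD
 # so that pkg-static is used from the wrkdir
 USE_SUBMAKE=	yes
@@ -74,5 +76,8 @@
 post-install:
 	@${MV} ${STAGEDIR}${PREFIX}/lib/libpkg_static.a \
 		${STAGEDIR}${PREFIX}/lib/libpkg.a
+	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/security
+	${INSTALL_SCRIPT} ${WRKDIR}/405.pkg-base-audit \
+		${STAGEDIR}${PREFIX}/etc/periodic/security
 
 .include <bsd.port.post.mk>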
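--- /dev/null
+++ b/pkg/files/405.pkg-base-audit.in
@@ -0,0 +1,206 @@
+#!/bin/sh -f
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+# Copyright (c) 2014 Matthew Seaman <matthew@FreeBSD.org>
+# Copyright (c) 2016 Miroslav Lachman <000.fbsd@quip.cz>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+#    this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+#    used to endorse or promote products derived from this software without
+#    specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+if [ -r /etc/defaults/periodic.conf ]; then
+	. /etc/defaults/periodic.conf
+	source_periodic_confs
+fi
+
+# Compute PKG_DBDIR from the config file.
+pkgcmd=%%PREFIX%%/sbin/pkg
+PKG_DBDIR=`${pkgcmd} config PKG_DBDIR`
+auditfile="${PKG_DBDIR}/vuln.xml"
+
+audit_base() {
+	local pkgargs="$1"
+	local basedir="$2"
+	local rc
+	local then
+	local now
+	local usrlv
+	local krnlv
+	local strlen
+	local chrootv
+	local jailv
+	local jid
+	
+	## get version from chroot
+	if [ -n "`echo "$pkgargs" | egrep '^-c'`" ]; then
+		if [ -x "$basedir/bin/freebsd-version" ]; then
+			chrootv=$($basedir/bin/freebsd-version -u)
+			## safety check - strlen
+			strlen=$(echo "$chrootv" | wc -c)
+			if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
+				echo "Wrong version string, cannot run audit"
+				return 3
+			fi
+			usrlv=$(echo $chrootv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+		else
+			echo "Cannot guess chroot version"
+			return 3
+		fi
+	## get version from jail
+	elif [ -n "`echo "$pkgargs" | egrep '^-j'`" ]; then
+		jid=$(echo "$pkgargs" | awk '$1 ~ /^-[j]/ { print $2 }')
+		jailv=$(jexec $jid freebsd-version -u)
+		## safety check - strlen
+		strlen=$(echo "$jailv" | wc -c)
+		if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
+			echo "Wrong version string, cannot run audit"
+			return 3
+		fi
+		usrlv=$(echo $jailv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+	## get version from host
+	else
+		usrlv=$(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+	fi
+
+	then=`stat -f '%m' "${basedir}${auditfile}" 2> /dev/null` || rc=3
+	now=`date +%s` || rc=3
+	## Add 10 minutes of padding since the check is in seconds.
+	if [ $rc -ne 0 -o \
+		$(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \
+		-le $(( ${now} - ${then} + 600 )) ]; then
+		## Random delay so the mirrors do not get slammed when run by periodic(8)
+		if [ ! -t 0 ]; then
+			sleep `jot -r 1 0 600`
+		fi
+		f="-F"
+	else
+		echo -n 'Database fetched: '
+		date -r "${then}" || rc=3
+	fi
+
+	## cannot check kernel in jail or chroot
+	if [ -z "`echo "$pkgargs" | egrep '^-[cj]'`" -a `sysctl -n security.jail.jailed` = 0 ]; then
+		krnlv=$(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+		${pkgcmd} audit $f $q $krnlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
+	fi
+
+	${pkgcmd} audit $f $q $usrlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
+
+	return $rc
+}
+
+# Use $pkg_chroots to provide a default list of chroots, and
+# $pkg_jails to provide a default list of jails (or '*' for all jails)
+# for all pkg periodic scripts, or set
+# $daily_status_security_baseaudit_chroots and
+# $daily_status_security_baseaudit_jails for this script only.
+
+audit_base_all() {
+	local rc
+	local last_rc
+	local jails
+
+	: ${daily_status_security_baseaudit_chroots=$pkg_chroots}
+	: ${daily_status_security_baseaudit_jails=$pkg_jails}
+
+	# We always show audit results for the base system, but only print
+	# a banner line if we're also showing audit results for any
+	# chroots or jails.
+
+	if [ -n "${daily_status_security_baseaudit_chroots}" -o \
+		-n "${daily_status_security_baseaudit_jails}" ]; then
+		echo "Host system:"
+	fi
+
+	audit_base '' ''
+	last_rc=$?
+	[ $last_rc -gt 1 ] && rc=$last_rc
+
+	for c in $daily_status_security_baseaudit_chroots ; do
+		echo
+		echo "chroot: $c"
+		audit_base "-c $c" $c
+		last_rc=$?
+		[ $last_rc -gt 1 ] && rc=$last_rc
+	done
+
+	case $daily_status_security_baseaudit_jails in
+	\*)
+		jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/')
+		;;
+	'')
+		jails=
+		;;
+	*)
+		# Given the jail name or jid, find the jail path
+		jails=
+		for j in $daily_status_security_baseaudit_jails ; do
+			p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/')
+			jails="${jails} ${p}"
+		done
+		;;
+	esac
+
+	for j in $jails ; do
+		echo
+		echo "jail: ${j%|*}"
+		audit_base "-j ${j%|*}" ${j##*|}
+		last_rc=$?
+		[ $last_rc -gt 1 ] && rc=$last_rc
+	done
+
+	return $rc
+}
+
+rc=0
+
+case "${daily_status_security_baseaudit_enable:-YES}" in
+[Nn][Oo]) ;;
+*)
+	echo
+	echo 'Checking for security vulnerabilities in base (userland & kernel):'
+
+	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
+		echo 'pkg-audit is enabled but pkg is not used'
+		rc=2
+	else
+		case "${daily_status_security_baseaudit_quiet:-NO}" in
+		[Yy][Ee][Ss])
+			q='-q'
+			;;
+		*)
+			q=
+			;;
+		esac
+
+		audit_base_all ; rc=$?
+	fi
+	;;
+esac
+
+exit "$rc"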
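Review bot: The version string read from the audited tree (`$basedir/bin/freebsd-version -u` at line 62, `jexec $jid freebsd-version -u` at line 77) is validated only by byte length before being spliced unquoted into `${pkgcmd} audit $f $q $usrlv` (line 112); a shape check such as `case "$chrootv" in [0-9]*.[0-9]*-[A-Z]*) ;; *) echo "Wrong version string, cannot run audit"; return 3 ;; esac` is a tighter validator, also accepts strings like `-p100` that the 17-byte cap rejects, and quoting `"$usrlv"` avoids word splitting. Both branches execute the tree's own `freebsd-version` (with host privileges for the chroot case, since periodic(8) normally runs this as root) and duplicate the same check, so a one-line comment recording that chroot and jail contents are treated as trusted, plus a small shared helper for the check, would make that assumption explicit. Separately, the freshness test stats `${basedir}${auditfile}` (line 90) while neither `pkg audit` call (lines 109 and 112) receives `$pkgargs`, so for a chroot or jail the expiry decision and the `-F` fetch appear to act on different databases; either pass `$pkgargs` to pkg or stat the host's `${auditfile}`. `rc` is declared `local` but never assigned on the success path and so only works because FreeBSD sh's `local` inherits the global `rc=0`, and `f` (line 100) is an unintended global that keeps `-F` for every later chroot/jail call once set; `local rc=0` and `local f=` at the top of audit_base would remove both dependencies.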
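--- a/pkg/pkg-plist
+++ b/pkg/pkg-plist
@@ -1,6 +1,7 @@
 etc/bash_completion.d/_pkg.bash
 etc/periodic/daily/411.pkg-backup
 etc/periodic/daily/490.status-pkg-changes
+etc/periodic/security/405.pkg-base-audit
 etc/periodic/security/410.pkg-audit
 etc/periodic/security/460.pkg-checksum
 etc/periodic/weekly/400.status-pkg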
