|
Lines 38-43
Link Here
|
| 38 |
source_periodic_confs |
38 |
source_periodic_confs |
| 39 |
fi |
39 |
fi |
| 40 |
|
40 |
|
|
|
41 |
: ${security_status_baseaudit_enable:=YES} |
| 42 |
: ${security_status_baseaudit_period:=daily} |
| 43 |
: ${security_status_baseaudit_quiet:=NO} |
| 44 |
: ${security_status_baseaudit_chroots=$pkg_chroots} |
| 45 |
: ${security_status_baseaudit_jails=$pkg_jails} |
| 46 |
: ${security_status_baseaudit_expiry:=2} |
| 47 |
|
| 41 |
# Compute PKG_DBDIR from the config file. |
48 |
# Compute PKG_DBDIR from the config file. |
| 42 |
pkgcmd=%%PREFIX%%/sbin/pkg |
49 |
pkgcmd=%%PREFIX%%/sbin/pkg |
| 43 |
PKG_DBDIR=`${pkgcmd} config PKG_DBDIR` |
50 |
PKG_DBDIR=`${pkgcmd} config PKG_DBDIR` |
|
Lines 91-97
Link Here
|
| 91 |
now=`date +%s` || rc=3 |
98 |
now=`date +%s` || rc=3 |
| 92 |
## Add 10 minutes of padding since the check is in seconds. |
99 |
## Add 10 minutes of padding since the check is in seconds. |
| 93 |
if [ $rc -ne 0 -o \ |
100 |
if [ $rc -ne 0 -o \ |
| 94 |
$(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \ |
101 |
$(( 86400 \* "${security_status_baseaudit_expiry}" )) \ |
| 95 |
-le $(( ${now} - ${then} + 600 )) ]; then |
102 |
-le $(( ${now} - ${then} + 600 )) ]; then |
| 96 |
## Random delay so the mirrors do not get slammed when run by periodic(8) |
103 |
## Random delay so the mirrors do not get slammed when run by periodic(8) |
| 97 |
if [ ! -t 0 ]; then |
104 |
if [ ! -t 0 ]; then |
|
Lines 117-124
Link Here
|
| 117 |
# Use $pkg_chroots to provide a default list of chroots, and |
124 |
# Use $pkg_chroots to provide a default list of chroots, and |
| 118 |
# $pkg_jails to provide a default list of jails (or '*' for all jails) |
125 |
# $pkg_jails to provide a default list of jails (or '*' for all jails) |
| 119 |
# for all pkg periodic scripts, or set |
126 |
# for all pkg periodic scripts, or set |
| 120 |
# $daily_status_security_baseaudit_chroots and |
127 |
# $security_status_baseaudit_chroots and |
| 121 |
# $daily_status_security_baseaudit_jails for this script only. |
128 |
# $security_status_baseaudit_jails for this script only. |
| 122 |
|
129 |
|
| 123 |
audit_base_all() { |
130 |
audit_base_all() { |
| 124 |
local rc |
131 |
local rc |
|
Lines 125-139
Link Here
|
| 125 |
local last_rc |
132 |
local last_rc |
| 126 |
local jails |
133 |
local jails |
| 127 |
|
134 |
|
| 128 |
: ${daily_status_security_baseaudit_chroots=$pkg_chroots} |
|
|
| 129 |
: ${daily_status_security_baseaudit_jails=$pkg_jails} |
| 130 |
|
| 131 |
# We always show audit results for the base system, but only print |
135 |
# We always show audit results for the base system, but only print |
| 132 |
# a banner line if we're also showing audit results for any |
136 |
# a banner line if we're also showing audit results for any |
| 133 |
# chroots or jails. |
137 |
# chroots or jails. |
| 134 |
|
138 |
|
| 135 |
if [ -n "${daily_status_security_baseaudit_chroots}" -o \ |
139 |
if [ -n "${security_status_baseaudit_chroots}" -o \ |
| 136 |
-n "${daily_status_security_baseaudit_jails}" ]; then |
140 |
-n "${security_status_baseaudit_jails}" ]; then |
| 137 |
echo "Host system:" |
141 |
echo "Host system:" |
| 138 |
fi |
142 |
fi |
| 139 |
|
143 |
|
|
Lines 141-147
Link Here
|
| 141 |
last_rc=$? |
145 |
last_rc=$? |
| 142 |
[ $last_rc -gt 1 ] && rc=$last_rc |
146 |
[ $last_rc -gt 1 ] && rc=$last_rc |
| 143 |
|
147 |
|
| 144 |
for c in $daily_status_security_baseaudit_chroots ; do |
148 |
for c in $security_status_baseaudit_chroots ; do |
| 145 |
echo |
149 |
echo |
| 146 |
echo "chroot: $c" |
150 |
echo "chroot: $c" |
| 147 |
audit_base "-c $c" $c |
151 |
audit_base "-c $c" $c |
|
Lines 149-155
Link Here
|
| 149 |
[ $last_rc -gt 1 ] && rc=$last_rc |
153 |
[ $last_rc -gt 1 ] && rc=$last_rc |
| 150 |
done |
154 |
done |
| 151 |
|
155 |
|
| 152 |
case $daily_status_security_baseaudit_jails in |
156 |
case $security_status_baseaudit_jails in |
| 153 |
\*) |
157 |
\*) |
| 154 |
jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/') |
158 |
jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/') |
| 155 |
;; |
159 |
;; |
|
Lines 159-165
Link Here
|
| 159 |
*) |
163 |
*) |
| 160 |
# Given the jail name or jid, find the jail path |
164 |
# Given the jail name or jid, find the jail path |
| 161 |
jails= |
165 |
jails= |
| 162 |
for j in $daily_status_security_baseaudit_jails ; do |
166 |
for j in $security_status_baseaudit_jails ; do |
| 163 |
p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/') |
167 |
p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/') |
| 164 |
jails="${jails} ${p}" |
168 |
jails="${jails} ${p}" |
| 165 |
done |
169 |
done |
|
Lines 177-187
Link Here
|
| 177 |
return $rc |
181 |
return $rc |
| 178 |
} |
182 |
} |
| 179 |
|
183 |
|
|
|
184 |
security_daily_compat_var security_status_baseaudit_enable |
| 185 |
security_daily_compat_var security_status_baseaudit_quiet |
| 186 |
security_daily_compat_var security_status_baseaudit_chroots |
| 187 |
security_daily_compat_var security_status_baseaudit_jails |
| 188 |
security_daily_compat_var security_status_baseaudit_exipiry |
| 189 |
|
| 180 |
rc=0 |
190 |
rc=0 |
| 181 |
|
191 |
|
| 182 |
case "${daily_status_security_baseaudit_enable:-YES}" in |
192 |
if check_yesno_period security_status_baseaudit_enable |
| 183 |
[Nn][Oo]) ;; |
193 |
then |
| 184 |
*) |
|
|
| 185 |
echo |
194 |
echo |
| 186 |
echo 'Checking for security vulnerabilities in base (userland & kernel):' |
195 |
echo 'Checking for security vulnerabilities in base (userland & kernel):' |
| 187 |
|
196 |
|
|
Lines 189-195
Link Here
|
| 189 |
echo 'pkg-audit is enabled but pkg is not used' |
198 |
echo 'pkg-audit is enabled but pkg is not used' |
| 190 |
rc=2 |
199 |
rc=2 |
| 191 |
else |
200 |
else |
| 192 |
case "${daily_status_security_baseaudit_quiet:-NO}" in |
201 |
case "${security_status_baseaudit_quiet}" in |
| 193 |
[Yy][Ee][Ss]) |
202 |
[Yy][Ee][Ss]) |
| 194 |
q='-q' |
203 |
q='-q' |
| 195 |
;; |
204 |
;; |
|
Lines 200-206
Link Here
|
| 200 |
|
209 |
|
| 201 |
audit_base_all ; rc=$? |
210 |
audit_base_all ; rc=$? |
| 202 |
fi |
211 |
fi |
| 203 |
;; |
212 |
fi |
| 204 |
esac |
|
|
| 205 |
|
213 |
|
| 206 |
exit "$rc" |
214 |
exit "$rc" |