Lines 38-43
|
38 |
source_periodic_confs |
38 |
source_periodic_confs |
39 |
fi |
39 |
fi |
40 |
|
40 |
|
|
|
41 |
: ${security_status_baseaudit_enable:=YES} |
42 |
: ${security_status_baseaudit_period:=daily} |
43 |
: ${security_status_baseaudit_quiet:=NO} |
44 |
: ${security_status_baseaudit_chroots=$pkg_chroots} |
45 |
: ${security_status_baseaudit_jails=$pkg_jails} |
46 |
: ${security_status_baseaudit_expiry:=2} |
47 |
|
41 |
# Compute PKG_DBDIR from the config file. |
48 |
# Compute PKG_DBDIR from the config file. |
42 |
pkgcmd=%%PREFIX%%/sbin/pkg |
49 |
pkgcmd=%%PREFIX%%/sbin/pkg |
43 |
PKG_DBDIR=`${pkgcmd} config PKG_DBDIR` |
50 |
PKG_DBDIR=`${pkgcmd} config PKG_DBDIR` |
Lines 91-97
|
91 |
now=`date +%s` || rc=3 |
98 |
now=`date +%s` || rc=3 |
92 |
## Add 10 minutes of padding since the check is in seconds. |
99 |
## Add 10 minutes of padding since the check is in seconds. |
93 |
if [ $rc -ne 0 -o \ |
100 |
if [ $rc -ne 0 -o \ |
94 |
$(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \ |
101 |
$(( 86400 \* "${security_status_baseaudit_expiry}" )) \ |
95 |
-le $(( ${now} - ${then} + 600 )) ]; then |
102 |
-le $(( ${now} - ${then} + 600 )) ]; then |
96 |
## Random delay so the mirrors do not get slammed when run by periodic(8) |
103 |
## Random delay so the mirrors do not get slammed when run by periodic(8) |
97 |
if [ ! -t 0 ]; then |
104 |
if [ ! -t 0 ]; then |
Lines 117-124
|
117 |
# Use $pkg_chroots to provide a default list of chroots, and |
124 |
# Use $pkg_chroots to provide a default list of chroots, and |
118 |
# $pkg_jails to provide a default list of jails (or '*' for all jails) |
125 |
# $pkg_jails to provide a default list of jails (or '*' for all jails) |
119 |
# for all pkg periodic scripts, or set |
126 |
# for all pkg periodic scripts, or set |
120 |
# $daily_status_security_baseaudit_chroots and |
127 |
# $security_status_baseaudit_chroots and |
121 |
# $daily_status_security_baseaudit_jails for this script only. |
128 |
# $security_status_baseaudit_jails for this script only. |
122 |
|
129 |
|
123 |
audit_base_all() { |
130 |
audit_base_all() { |
124 |
local rc |
131 |
local rc |
Lines 125-139
|
125 |
local last_rc |
132 |
local last_rc |
126 |
local jails |
133 |
local jails |
127 |
|
134 |
|
128 |
: ${daily_status_security_baseaudit_chroots=$pkg_chroots} |
|
|
129 |
: ${daily_status_security_baseaudit_jails=$pkg_jails} |
130 |
|
131 |
# We always show audit results for the base system, but only print |
135 |
# We always show audit results for the base system, but only print |
132 |
# a banner line if we're also showing audit results for any |
136 |
# a banner line if we're also showing audit results for any |
133 |
# chroots or jails. |
137 |
# chroots or jails. |
134 |
|
138 |
|
135 |
if [ -n "${daily_status_security_baseaudit_chroots}" -o \ |
139 |
if [ -n "${security_status_baseaudit_chroots}" -o \ |
136 |
-n "${daily_status_security_baseaudit_jails}" ]; then |
140 |
-n "${security_status_baseaudit_jails}" ]; then |
137 |
echo "Host system:" |
141 |
echo "Host system:" |
138 |
fi |
142 |
fi |
139 |
|
143 |
|
Lines 141-147
|
141 |
last_rc=$? |
145 |
last_rc=$? |
142 |
[ $last_rc -gt 1 ] && rc=$last_rc |
146 |
[ $last_rc -gt 1 ] && rc=$last_rc |
143 |
|
147 |
|
144 |
for c in $daily_status_security_baseaudit_chroots ; do |
148 |
for c in $security_status_baseaudit_chroots ; do |
145 |
echo |
149 |
echo |
146 |
echo "chroot: $c" |
150 |
echo "chroot: $c" |
147 |
audit_base "-c $c" $c |
151 |
audit_base "-c $c" $c |
Lines 149-155
|
149 |
[ $last_rc -gt 1 ] && rc=$last_rc |
153 |
[ $last_rc -gt 1 ] && rc=$last_rc |
150 |
done |
154 |
done |
151 |
|
155 |
|
152 |
case $daily_status_security_baseaudit_jails in |
156 |
case $security_status_baseaudit_jails in |
153 |
\*) |
157 |
\*) |
154 |
jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/') |
158 |
jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/') |
155 |
;; |
159 |
;; |
Lines 159-165
|
159 |
*) |
163 |
*) |
160 |
# Given the jail name or jid, find the jail path |
164 |
# Given the jail name or jid, find the jail path |
161 |
jails= |
165 |
jails= |
162 |
for j in $daily_status_security_baseaudit_jails ; do |
166 |
for j in $security_status_baseaudit_jails ; do |
163 |
p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/') |
167 |
p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/') |
164 |
jails="${jails} ${p}" |
168 |
jails="${jails} ${p}" |
165 |
done |
169 |
done |
Lines 177-187
|
177 |
return $rc |
181 |
return $rc |
178 |
} |
182 |
} |
179 |
|
183 |
|
|
|
184 |
security_daily_compat_var security_status_baseaudit_enable |
185 |
security_daily_compat_var security_status_baseaudit_quiet |
186 |
security_daily_compat_var security_status_baseaudit_chroots |
187 |
security_daily_compat_var security_status_baseaudit_jails |
188 |
security_daily_compat_var security_status_baseaudit_exipiry |
189 |
|
180 |
rc=0 |
190 |
rc=0 |
181 |
|
191 |
|
182 |
case "${daily_status_security_baseaudit_enable:-YES}" in |
192 |
if check_yesno_period security_status_baseaudit_enable |
183 |
[Nn][Oo]) ;; |
193 |
then |
184 |
*) |
|
|
185 |
echo |
194 |
echo |
186 |
echo 'Checking for security vulnerabilities in base (userland & kernel):' |
195 |
echo 'Checking for security vulnerabilities in base (userland & kernel):' |
187 |
|
196 |
|
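Review bot: The compat mapping on new line 188 names a variable that does not exist anywhere else in this script, `security_daily_compat_var security_status_baseaudit_exipiry`, while the default on new line 46 and the expiry check on new line 101 spell it `security_status_baseaudit_expiry`; a periodic.conf that still sets the old `daily_status_security_baseaudit_expiry` would therefore presumably be ignored and the hard-coded 2-day default used, silently changing how often the base-system vulnerability database is refreshed. Change the line to `security_daily_compat_var security_status_baseaudit_expiry`. The definition of security_daily_compat_var is not in view, so I cannot confirm whether it warns on an unknown name or just copies silently; a `grep -rn exipiry` over the port would catch any other copies of the typo. The absence of a compat line for the new `security_status_baseaudit_period` looks intentional, since the old script had no period knob to map from.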
Lines 189-195
|
189 |
echo 'pkg-audit is enabled but pkg is not used' |
198 |
echo 'pkg-audit is enabled but pkg is not used' |
190 |
rc=2 |
199 |
rc=2 |
191 |
else |
200 |
else |
192 |
case "${daily_status_security_baseaudit_quiet:-NO}" in |
201 |
case "${security_status_baseaudit_quiet}" in |
193 |
[Yy][Ee][Ss]) |
202 |
[Yy][Ee][Ss]) |
194 |
q='-q' |
203 |
q='-q' |
195 |
;; |
204 |
;; |
Lines 200-206
|
200 |
|
209 |
|
201 |
audit_base_all ; rc=$? |
210 |
audit_base_all ; rc=$? |
202 |
fi |
211 |
fi |
203 |
;; |
212 |
fi |
204 |
esac |
|
|
205 |
|
213 |
|
206 |
exit "$rc" |
214 |
exit "$rc" |