FreeBSD Bugzilla – Attachment 174284 Details for
Bug 212306
ports-mgmt/pkg patch to add ability to run pkg audit on base from periodic
[patch]
add 405.pkg-base-audit for periodic/security
pkg.405.pkg-base-audit.patch (text/plain), 7.53 KB, created by
Miroslav Lachman
on 2016-09-01 12:39:38 UTC
Description:
add 405.pkg-base-audit for periodic/security
Filename:
MIME Type:
Creator:
Miroslav Lachman
Created:
2016-09-01 12:39:38 UTC
Size:
7.53 KB
patch
obsolete
>diff -u -N -r pkg.orig/Makefile pkg/Makefile
>--- pkg.orig/Makefile 2016-07-31 13:52:22.000000000 +0200
>+++ pkg/Makefile 2016-09-01 14:09:31.251006604 +0200
>@@ -3,7 +3,7 @@
> PORTNAME= pkg
> DISTVERSION= 1.8.7
> _PKG_VERSION= ${DISTVERSION}
>-PORTREVISION= 1
>+PORTREVISION= 2
> CATEGORIES= ports-mgmt
> MASTER_SITES= \
> http://files.etoilebsd.net/${PORTNAME}/ \
>@@ -21,6 +21,8 @@
> CONFIGURE_ARGS= --disable-maintainer-mode
> INSTALL_TARGET= install-strip
> 
>+SUB_FILES= 405.pkg-base-audit
>+
> # Use a submake as 'deinstall install' needs to reevaluate PKG_CMD
> # so that pkg-static is used from the wrkdir
> USE_SUBMAKE= yes
>@@ -74,5 +76,8 @@
> post-install:
> @${MV} ${STAGEDIR}${PREFIX}/lib/libpkg_static.a \
> ${STAGEDIR}${PREFIX}/lib/libpkg.a
>+ @${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/security
>+ ${INSTALL_SCRIPT} ${WRKDIR}/405.pkg-base-audit \
>+ ${STAGEDIR}${PREFIX}/etc/periodic/security
> 
> .include <bsd.port.post.mk>
>diff -u -N -r pkg.orig/files/405.pkg-base-audit.in pkg/files/405.pkg-base-audit.in
>--- pkg.orig/files/405.pkg-base-audit.in 1970-01-01 01:00:00.000000000 +0100
>+++ pkg/files/405.pkg-base-audit.in 2016-09-01 13:41:18.329776495 +0200
>@@ -0,0 +1,206 @@
>+#!/bin/sh -f
>+#
>+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
>+# Copyright (c) 2014 Matthew Seaman <matthew@FreeBSD.org>
>+# Copyright (c) 2016 Miroslav Lachman <000.fbsd@quip.cz>
>+#
>+# Redistribution and use in source and binary forms, with or without
>+# modification, are permitted provided that the following conditions are
>+# met:
>+#
>+# 1. Redistributions of source code must retain the above copyright notice
>+# this list of conditions and the following disclaimer.
>+#
>+# 2. Redistributions in binary form must reproduce the above copyright
>+# notice, this list of conditions and the following disclaimer in the
>+# documentation and/or other materials provided with the distribution.
>+#
>+# 3. Neither the name of the author nor the names of its contributors may be
>+# used to endorse or promote products derived from this software without
>+# specific prior written permission.
>+#
>+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
>+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
>+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
>+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
>+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+#
>+# $FreeBSD$
>+#
>+
>+if [ -r /etc/defaults/periodic.conf ]; then
>+ . /etc/defaults/periodic.conf
>+ source_periodic_confs
>+fi
>+
>+# Compute PKG_DBDIR from the config file.
>+pkgcmd=%%PREFIX%%/sbin/pkg
>+PKG_DBDIR=`${pkgcmd} config PKG_DBDIR`
>+auditfile="${PKG_DBDIR}/vuln.xml"
>+
>+audit_base() {
>+ local pkgargs="$1"
>+ local basedir="$2"
>+ local rc
>+ local then
>+ local now
>+ local usrlv
>+ local krnlv
>+ local strlen
>+ local chrootv
>+ local jailv
>+ local jid
>+
>+ ## get version from chroot
>+ if [ -n "`echo "$pkgargs" | egrep '^-c'`" ]; then
>+ if [ -x "$basedir/bin/freebsd-version" ]; then
>+ chrootv=$($basedir/bin/freebsd-version -u)
>+ ## safety check - strlen
>+ strlen=$(echo "$chrootv" | wc -c)
>+ if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
>+ echo "Wrong version string, cannot run audit"
>+ return 3
>+ fi
>+ usrlv=$(echo $chrootv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
>+ else
>+ echo "Cannot guess chroot version"
>+ return 3
>+ fi
>+ ## get version from jail
>+ elif [ -n "`echo "$pkgargs" | egrep '^-j'`" ]; then
>+ jid=$(echo "$pkgargs" | awk '$1 ~ /^-[j]/ { print $2 }')
>+ jailv=$(jexec $jid freebsd-version -u)
>+ ## safety check - strlen
>+ strlen=$(echo "$jailv" | wc -c)
>+ if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
>+ echo "Wrong version string, cannot run audit"
>+ return 3
>+ fi
>+ usrlv=$(echo $jailv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
>+ ## get version from host
>+ else
>+ usrlv=$(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
>+ fi
>+
>+ then=`stat -f '%m' "${basedir}${auditfile}" 2> /dev/null` || rc=3
>+ now=`date +%s` || rc=3
>+ ## Add 10 minutes of padding since the check is in seconds.
>+ if [ $rc -ne 0 -o \
>+ $(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \
>+ -le $(( ${now} - ${then} + 600 )) ]; then
>+ ## Random delay so the mirrors do not get slammed when run by periodic(8)
>+ if [ ! -t 0 ]; then
>+ sleep `jot -r 1 0 600`
>+ fi
>+ f="-F"
>+ else
>+ echo -n 'Database fetched: '
>+ date -r "${then}" || rc=3
>+ fi
>+
>+ ## cannot check kernel in jail or chroot
>+ if [ -z "`echo "$pkgargs" | egrep '^-[cj]'`" -a `sysctl -n security.jail.jailed` = 0 ]; then
>+ krnlv=$(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
>+ ${pkgcmd} audit $f $q $krnlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
>+ fi
>+
>+ ${pkgcmd} audit $f $q $usrlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
>+
>+ return $rc
>+}
>+
>+# Use $pkg_chroots to provide a default list of chroots, and
>+# $pkg_jails to provide a default list of jails (or '*' for all jails)
>+# for all pkg periodic scripts, or set
>+# $daily_status_security_baseaudit_chroots and
>+# $daily_status_security_baseaudit_jails for this script only.
>+
>+audit_base_all() {
>+ local rc
>+ local last_rc
>+ local jails
>+
>+ : ${daily_status_security_baseaudit_chroots=$pkg_chroots}
>+ : ${daily_status_security_baseaudit_jails=$pkg_jails}
>+
>+ # We always show audit results for the base system, but only print
>+ # a banner line if we're also showing audit results for any
>+ # chroots or jails.
>+
>+ if [ -n "${daily_status_security_baseaudit_chroots}" -o \
>+ -n "${daily_status_security_baseaudit_jails}" ]; then
>+ echo "Host system:"
>+ fi
>+
>+ audit_base '' ''
>+ last_rc=$?
>+ [ $last_rc -gt 1 ] && rc=$last_rc
>+
>+ for c in $daily_status_security_baseaudit_chroots ; do
>+ echo
>+ echo "chroot: $c"
>+ audit_base "-c $c" $c
>+ last_rc=$?
>+ [ $last_rc -gt 1 ] && rc=$last_rc
>+ done
>+
>+ case $daily_status_security_baseaudit_jails in
>+ \*)
>+ jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/')
>+ ;;
>+ '')
>+ jails=
>+ ;;
>+ *)
>+ # Given the jail name or jid, find the jail path
>+ jails=
>+ for j in $daily_status_security_baseaudit_jails ; do
>+ p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/')
>+ jails="${jails} ${p}"
>+ done
>+ ;;
>+ esac
>+
>+ for j in $jails ; do
>+ echo
>+ echo "jail: ${j%|*}"
>+ audit_base "-j ${j%|*}" ${j##*|}
>+ last_rc=$?
>+ [ $last_rc -gt 1 ] && rc=$last_rc
>+ done
>+
>+ return $rc
>+}
>+
>+rc=0
>+
>+case "${daily_status_security_baseaudit_enable:-YES}" in
>+[Nn][Oo]) ;;
>+*)
>+ echo
>+ echo 'Checking for security vulnerabilities in base (userland & kernel):'
>+
>+ if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
>+ echo 'pkg-audit is enabled but pkg is not used'
>+ rc=2
>+ else
>+ case "${daily_status_security_baseaudit_quiet:-NO}" in
>+ [Yy][Ee][Ss])
>+ q='-q'
>+ ;;
>+ *)
>+ q=
>+ ;;
>+ esac
>+
>+ audit_base_all ; rc=$?
>+ fi
>+ ;;
>+esac
>+
>+exit "$rc"
>diff -u -N -r pkg.orig/pkg-plist pkg/pkg-plist
>--- pkg.orig/pkg-plist 2015-10-31 16:13:01.000000000 +0100
>+++ pkg/pkg-plist 2016-09-01 13:34:46.213005176 +0200
>@@ -1,6 +1,7 @@
> etc/bash_completion.d/_pkg.bash
> etc/periodic/daily/411.pkg-backup
> etc/periodic/daily/490.status-pkg-changes
>+etc/periodic/security/405.pkg-base-audit
> etc/periodic/security/410.pkg-audit
> etc/periodic/security/460.pkg-checksum
> etc/periodic/weekly/400.status-pkg
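Review bot: In the chroot branch of `audit_base`, `chrootv=$($basedir/bin/freebsd-version -u)` executes a file taken from inside the chroot on the host, as the root user periodic(8) runs under, so anyone who can write to that chroot gets host-root code execution on every security run; the length check that follows validates only the output, not what was run. Since freebsd-version(1) in base is a shell script that carries the version in a `USERLAND_VERSION="..."` assignment (confirm this for the releases you support), read the value out of the file instead of running it: `chrootv=$(sed -n 's/^USERLAND_VERSION="\(.*\)"$/\1/p' "$basedir/bin/freebsd-version")`. The jail branch is confined by jexec, but its output is still jail-controlled and `$usrlv` is later passed unquoted in `${pkgcmd} audit $f $q $usrlv`, so a version string of acceptable length containing spaces becomes extra pkg arguments; quote it as `"$usrlv"` (and `"$krnlv"` on the kernel line), leaving `$f` and `$q` unquoted since they are deliberately empty-or-flag. Note also that `[ $rc -ne 0 -o ... ]` appears to work only because `local rc` in FreeBSD sh inherits the `rc=0` set at file scope; an explicit `rc=0` after `local rc` would make that intent clear.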