FreeBSD Bugzilla – Attachment 188060 Details for Bug 223716
[NEW PORT] sysutils/base-audit Periodic script to check base for vulnerabilities
Attachment 188060: sysutils/base-audit shar
Filename: base-audit-0.1.shar
MIME Type: text/plain
Size: 8.39 KB
Creator: Miroslav Lachman
Created: 2017-11-16 23:34:36 UTC
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	base-audit
#	base-audit/Makefile
#	base-audit/pkg-descr
#	base-audit/files
#	base-audit/files/pkg-message.in
#	base-audit/files/405.pkg-base-audit.in
#
echo c - base-audit
mkdir -p base-audit > /dev/null 2>&1
echo x - base-audit/Makefile
sed 's/^X//' >base-audit/Makefile << '65e6086f002b227646105a8931613099'
X# Created by: Miroslav Lachman
X# $FreeBSD$
X
XPORTNAME=	base-audit
XPORTVERSION=	0.1
XCATEGORIES=	sysutils
XMASTER_SITES=	# none
XDISTFILES=	# none
X
XMAINTAINER=	000.fbsd@quip.cz
XCOMMENT=	Daily periodic check of vulnerabilities in base system
X
XRUN_DEPENDS=	pkg:ports-mgmt/pkg
X
XLICENSE=	BSD2CLAUSE
X
XNO_ARCH=	yes
XNO_BUILD=	yes
XNO_INSTALL=	yes
X
XSUB_FILES=	405.pkg-base-audit
X
XPERIODIC_SECURITY=	etc/periodic/security
X
XPLIST_FILES=	${PERIODIC_SECURITY}/405.pkg-base-audit
X
Xdo-install:
X	@${MKDIR} ${STAGEDIR}${PREFIX}/${PERIODIC_SECURITY}
X	${INSTALL_SCRIPT} ${WRKDIR}/405.pkg-base-audit \
X		${STAGEDIR}${PREFIX}/${PERIODIC_SECURITY}
X
X.include <bsd.port.mk>
65e6086f002b227646105a8931613099
echo x - base-audit/pkg-descr
sed 's/^X//' >base-audit/pkg-descr << 'bdf60381bc13c86ddc3ad39cfb1b2686'
XAudit base system against known vulnerabilities and generate reports
Xincluding references to security advisories.
XIt uses pkg audit and Vuxml database as is used for packages but this script
Xchecks base system.
bdf60381bc13c86ddc3ad39cfb1b2686
echo c - base-audit/files
mkdir -p base-audit/files > /dev/null 2>&1
echo x - base-audit/files/pkg-message.in
sed 's/^X//' >base-audit/files/pkg-message.in << '8be2bf4791f6cb6eee206ecf88252e39'
XAdd the following lines to /etc/periodic.conf(.local) to enable periodic check
X	daily_status_security_baseaudit_enable="YES"
X	daily_status_security_baseaudit_quiet="NO"
X
XUse pkg_chroots to provide a default list of chroots
Xand pkg_jails to provide a default list of jails (or '*' for all jails)
Xfor all pkg periodic scripts, or set
X	daily_status_security_baseaudit_chroots
Xand
X	daily_status_security_baseaudit_jails
Xfor this script only.
8be2bf4791f6cb6eee206ecf88252e39
echo x - base-audit/files/405.pkg-base-audit.in
sed 's/^X//' >base-audit/files/405.pkg-base-audit.in << 'e65b69de2a869718755bfa4aba4b6977'
X#!/bin/sh -f
X#
X# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
X# Copyright (c) 2014 Matthew Seaman <matthew@FreeBSD.org>
X# Copyright (c) 2016 Miroslav Lachman <000.fbsd@quip.cz>
X#
X# Redistribution and use in source and binary forms, with or without
X# modification, are permitted provided that the following conditions are
X# met:
X#
X# 1. Redistributions of source code must retain the above copyright notice
X#    this list of conditions and the following disclaimer.
X#
X# 2. Redistributions in binary form must reproduce the above copyright
X#    notice, this list of conditions and the following disclaimer in the
X#    documentation and/or other materials provided with the distribution.
X#
X# 3. Neither the name of the author nor the names of its contributors may be
X#    used to endorse or promote products derived from this software without
X#    specific prior written permission.
X#
X# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
X# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
X# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
X# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
X# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
X# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
X# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
X# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
X# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
X# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
X#
X# $FreeBSD$
X#
X
Xif [ -r /etc/defaults/periodic.conf ]; then
X	. /etc/defaults/periodic.conf
X	source_periodic_confs
Xfi
X
X# Compute PKG_DBDIR from the config file.
Xpkgcmd=%%PREFIX%%/sbin/pkg
XPKG_DBDIR=`${pkgcmd} config PKG_DBDIR`
Xauditfile="${PKG_DBDIR}/vuln.xml"
X
Xaudit_base() {
X	local pkgargs="$1"
X	local basedir="$2"
X	local rc
X	local then
X	local now
X	local usrlv
X	local krnlv
X	local strlen
X	local chrootv
X	local jailv
X	local jid
X
X	## get version from chroot
X	if [ -n "`echo "$pkgargs" | egrep '^-c'`" ]; then
X		if [ -x "$basedir/bin/freebsd-version" ]; then
X			chrootv=$($basedir/bin/freebsd-version -u)
X			## safety check - strlen
X			strlen=$(echo "$chrootv" | wc -c)
X			if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
X				echo "Wrong version string, cannot run audit"
X				return 3
X			fi
X			usrlv=$(echo $chrootv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
X		else
X			echo "Cannot guess chroot version"
X			return 3
X		fi
X	## get version from jail
X	elif [ -n "`echo "$pkgargs" | egrep '^-j'`" ]; then
X		jid=$(echo "$pkgargs" | awk '$1 ~ /^-[j]/ { print $2 }')
X		jailv=$(jexec $jid freebsd-version -u)
X		## safety check - strlen
X		strlen=$(echo "$jailv" | wc -c)
X		if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
X			echo "Wrong version string, cannot run audit"
X			return 3
X		fi
X		usrlv=$(echo $jailv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
X	## get version from host
X	else
X		usrlv=$(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
X	fi
X
X	then=`stat -f '%m' "${basedir}${auditfile}" 2> /dev/null` || rc=3
X	now=`date +%s` || rc=3
X	## Add 10 minutes of padding since the check is in seconds.
X	if [ $rc -ne 0 -o \
X	    $(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \
X	    -le $(( ${now} - ${then} + 600 )) ]; then
X		## Random delay so the mirrors do not get slammed when run by periodic(8)
X		if [ ! -t 0 ]; then
X			sleep `jot -r 1 0 600`
X		fi
X		f="-F"
X	else
X		echo -n 'Database fetched: '
X		date -r "${then}" || rc=3
X	fi
X
X	## cannot check kernel in jail or chroot
X	if [ -z "`echo "$pkgargs" | egrep '^-[cj]'`" -a `sysctl -n security.jail.jailed` = 0 ]; then
X		krnlv=$(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
X		${pkgcmd} audit $f $q $krnlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
X	fi
X
X	${pkgcmd} audit $f $q $usrlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
X
X	return $rc
X}
X
X# Use $pkg_chroots to provide a default list of chroots, and
X# $pkg_jails to provide a default list of jails (or '*' for all jails)
X# for all pkg periodic scripts, or set
X# $daily_status_security_baseaudit_chroots and
X# $daily_status_security_baseaudit_jails for this script only.
X
Xaudit_base_all() {
X	local rc
X	local last_rc
X	local jails
X
X	: ${daily_status_security_baseaudit_chroots=$pkg_chroots}
X	: ${daily_status_security_baseaudit_jails=$pkg_jails}
X
X	# We always show audit results for the base system, but only print
X	# a banner line if we're also showing audit results for any
X	# chroots or jails.
X
X	if [ -n "${daily_status_security_baseaudit_chroots}" -o \
X	     -n "${daily_status_security_baseaudit_jails}" ]; then
X		echo "Host system:"
X	fi
X
X	audit_base '' ''
X	last_rc=$?
X	[ $last_rc -gt 1 ] && rc=$last_rc
X
X	for c in $daily_status_security_baseaudit_chroots ; do
X		echo
X		echo "chroot: $c"
X		audit_base "-c $c" $c
X		last_rc=$?
X		[ $last_rc -gt 1 ] && rc=$last_rc
X	done
X
X	case $daily_status_security_baseaudit_jails in
X	\*)
X		jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/')
X		;;
X	'')
X		jails=
X		;;
X	*)
X		# Given the jail name or jid, find the jail path
X		jails=
X		for j in $daily_status_security_baseaudit_jails ; do
X			p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/')
X			jails="${jails} ${p}"
X		done
X		;;
X	esac
X
X	for j in $jails ; do
X		echo
X		echo "jail: ${j%|*}"
X		audit_base "-j ${j%|*}" ${j##*|}
X		last_rc=$?
X		[ $last_rc -gt 1 ] && rc=$last_rc
X	done
X
X	return $rc
X}
X
Xrc=0
X
Xcase "${daily_status_security_baseaudit_enable:-YES}" in
X[Nn][Oo]) ;;
X*)
X	echo
X	echo 'Checking for security vulnerabilities in base (userland & kernel):'
X
X	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
X		echo 'pkg-audit is enabled but pkg is not used'
X		rc=2
X	else
X		case "${daily_status_security_baseaudit_quiet:-NO}" in
X		[Yy][Ee][Ss])
X			q='-q'
X			;;
X		*)
X			q=
X			;;
X		esac
X
X		audit_base_all ; rc=$?
X	fi
X	;;
Xesac
X
Xexit "$rc"
e65b69de2a869718755bfa4aba4b6977
exit
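As an added example, not part of the base-audit port or of the attachment above, the two pieces of logic that 405.pkg-base-audit depends on are pulled out into standalone POSIX sh functions so they can be exercised on constructed input without a FreeBSD host: the mapping from a freebsd-version(1) string to the name VuXML uses for the base system (with the script's length sanity check), and the vuln.xml age test that decides whether pkg audit is run with -F. The function names vuxml_base_name and db_action, the FreeBSD-kernel prefix argument (standing in for the script's -k branch), and all sample version strings and timestamps are this example's own.

```shell
#!/bin/sh
# Added example, not part of the base-audit port: the version-string mapping
# and the vuln.xml age check from 405.pkg-base-audit, as standalone POSIX sh
# functions that run on constructed input (no freebsd-version, pkg or stat
# needed). Function names and sample inputs below are this example's own.

# Map a freebsd-version(1) userland/kernel string to the name VuXML uses for
# the base system, exactly as the periodic script's sed does:
#   11.1-RELEASE-p3  -> FreeBSD-11.1_3
#   11.1-RELEASE     -> FreeBSD-11.1
# $1 = version string, $2 = prefix (default FreeBSD; FreeBSD-kernel for -k).
# Strings outside the length window the script accepts (11..17 bytes counting
# the newline that 'wc -c' sees) are rejected with status 3, so a garbled
# answer from a jail or chroot is never handed to pkg audit.
vuxml_base_name() {
	ver="$1"
	prefix="${2:-FreeBSD}"
	strlen=$(( ${#ver} + 1 ))	# same count as: echo "$ver" | wc -c
	if [ "$strlen" -gt 17 ] || [ "$strlen" -lt 11 ]; then
		return 3
	fi
	printf '%s\n' "$ver" | sed 's,^,'"$prefix"'-,;s,-RELEASE-p,_,;s,-RELEASE$,,'
}

# Decide whether the local vuln.xml must be re-fetched, mirroring the script's
# test: refresh when expiry_days*86400 <= now - mtime + 600 (10 min padding so
# a run that fires a few seconds early still refreshes on the expected day).
# $1 = vuln.xml mtime (epoch s), $2 = now (epoch s), $3 = expiry days (default 2).
# Prints "fetch" (the script then adds -F to pkg audit) or "cached".
db_action() {
	mtime="$1"
	now="$2"
	expiry="${3:-2}"
	if [ $(( 86400 * expiry )) -le $(( now - mtime + 600 )) ]; then
		echo fetch
	else
		echo cached
	fi
}

# Demo on constructed inputs (the empty and over-long strings are rejected).
for v in "11.1-RELEASE-p3" "11.1-RELEASE" "10.3-RELEASE-p20" "12.0-CURRENT" "" "11.1-RELEASE-p3-garbage"; do
	printf '%-26s -> ' "[$v]"
	vuxml_base_name "$v" || echo "rejected (status $?)"
done
vuxml_base_name "11.1-RELEASE-p3" FreeBSD-kernel
db_action 0 172000 2	# cached: two days not yet elapsed, even with padding
db_action 0 172200 2	# fetch: inside the 600 s padding of the two-day boundary
```

A -STABLE or -CURRENT string passes through the sed untouched (12.0-CURRENT becomes FreeBSD-12.0-CURRENT), as it does in the script; VuXML entries for the base system are keyed on release and patch level (11.1_3 style), so on such hosts the audit should not be expected to match anything.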