
[src/trunk]: src/etc Add the fetch_pkg_vulnerabilities option to the daily sc...



details:   https://anonhg.NetBSD.org/src/rev/1ba99fcb8a57
branches:  trunk
changeset: 750945:1ba99fcb8a57
user:      jmmv <jmmv%NetBSD.org@localhost>
date:      Tue Jan 19 22:08:11 2010 +0000

description:
Add the fetch_pkg_vulnerabilities option to the daily script to keep the
packages vulnerability database up to date.  This will only fetch the
file from the server if it has changed since the last run.

Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.

All of these options are enabled by default, but they only run if at least
one package is installed (i.e. the package database is non-empty).

diffstat:

 etc/daily                  |  12 +++++++++++-
 etc/defaults/daily.conf    |   4 +++-
 etc/defaults/security.conf |   4 +++-
 etc/security               |  22 ++++++++++++++++++++--
 4 files changed, 37 insertions(+), 5 deletions(-)

diffs (108 lines):

diff -r 55c1d44db915 -r 1ba99fcb8a57 etc/daily
--- a/etc/daily Tue Jan 19 22:06:18 2010 +0000
+++ b/etc/daily Tue Jan 19 22:08:11 2010 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#      $NetBSD: daily,v 1.72 2009/03/29 16:04:15 perry Exp $
+#      $NetBSD: daily,v 1.73 2010/01/19 22:08:11 jmmv Exp $
 #      @(#)daily       8.2 (Berkeley) 1/25/94
 #
 
@@ -242,6 +242,16 @@
        fi
 fi
 
+: ${pkgdb_dir:=/var/db/pkg}
+
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+       if checkyesno fetch_pkg_vulnerabilities; then
+               echo ""
+               echo "Fetching package vulnerabilities database:"
+               pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -u
+       fi
+fi
+
 if checkyesno run_security; then
        SECOUT="$DAILYDIR/sec"
        sh /etc/security > "$SECOUT" 2>&1
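Review bot: The `pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -u` line discards pkg_admin's exit status, so a failed download (mirror unreachable, transient network error) silently leaves the old pkg-vulnerabilities file in place and the audit in /etc/security then reports against stale data. Since daily's output is mailed to root, a warning is cheap: `pkg_admin -K "${pkgdb_dir}" fetch-pkg-vulnerabilities -u || echo "WARNING: unable to update the package vulnerabilities database"`. The file is fetched over the network by a root cron job and nothing in this hunk authenticates it; pkg_admin(1) documents an option to verify the downloaded file's signature (`-s`, if I recall the pkg_install version correctly), which is worth enabling here or at least documenting next to `fetch_pkg_vulnerabilities` in daily.conf(5). Also `${pkgdb_dir}` is unquoted on both the `pkg_info` and `pkg_admin` lines, and both tools are resolved via PATH here while /etc/security pins `pkg_info` to an absolute path.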
diff -r 55c1d44db915 -r 1ba99fcb8a57 etc/defaults/daily.conf
--- a/etc/defaults/daily.conf   Tue Jan 19 22:06:18 2010 +0000
+++ b/etc/defaults/daily.conf   Tue Jan 19 22:08:11 2010 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: daily.conf,v 1.11 2008/08/30 10:53:22 bouyer Exp $
+#      $NetBSD: daily.conf,v 1.12 2010/01/19 22:08:11 jmmv Exp $
 #
 # /etc/defaults/daily.conf --
 #      default configuration of /etc/daily.conf
@@ -28,5 +28,7 @@
 run_rdist=YES
 run_security=YES
 run_skeyaudit=YES
+pkgdb_dir=/var/db/pkg
+fetch_pkg_vulnerabilities=YES
 
 send_empty_security=NO
diff -r 55c1d44db915 -r 1ba99fcb8a57 etc/defaults/security.conf
--- a/etc/defaults/security.conf        Tue Jan 19 22:06:18 2010 +0000
+++ b/etc/defaults/security.conf        Tue Jan 19 22:08:11 2010 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: security.conf,v 1.21 2009/01/27 10:32:18 haad Exp $
+#      $NetBSD: security.conf,v 1.22 2010/01/19 22:08:11 jmmv Exp $
 #
 # /etc/defaults/security.conf --
 #      default configuration of /etc/security.conf
@@ -24,6 +24,8 @@
 check_pkgs=YES
 check_changelist=YES
 check_lvm=NO
+check_pkg_vulnerabilities=YES
+check_pkg_signatures=YES
 
 backup_dir=/var/backups
 backup_uses_rcs=YES
diff -r 55c1d44db915 -r 1ba99fcb8a57 etc/security
--- a/etc/security      Tue Jan 19 22:06:18 2010 +0000
+++ b/etc/security      Tue Jan 19 22:08:11 2010 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#      $NetBSD: security,v 1.106 2009/01/27 10:32:18 haad Exp $
+#      $NetBSD: security,v 1.107 2010/01/19 22:08:11 jmmv Exp $
 #      from: @(#)security      8.1 (Berkeley) 6/9/93
 #
 
@@ -25,7 +25,7 @@
 # Set reasonable defaults (if they're not set in security.conf)
 #
 backup_dir=${backup_dir:-/var/backups}
-pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
+pkgdb_dir=${pkgdb_dir:-/var/db/pkg} # TODO Inherit from daily.conf.
 max_loginlen=${max_loginlen:-8}
 max_grouplen=${max_grouplen:-8}
 pkg_info=${pkg_info:-/usr/sbin/pkg_info}
@@ -992,6 +992,24 @@
        done
 fi
 
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+       if checkyesno check_pkg_vulnerabilities; then
+               pkg_admin -K ${pkgdb_dir} audit >${OUTPUT} 2>&1
+               if [ -s ${OUTPUT} ]; then
+                       printf "\nInstalled vulnerable packages:\n"
+                       cat ${OUTPUT}
+               fi
+       fi
+
+       if checkyesno check_pkg_signatures; then
+               pkg_admin -K ${pkgdb_dir} check >${OUTPUT} 2>&1
+               if [ $? -ne 0 ]; then
+                       printf "\nFiles with invalid signatures:\n"
+                       cat ${OUTPUT}
+               fi
+       fi
+fi
+
 if [ -f /etc/security.local ]; then
        . /etc/security.local > $OUTPUT 2>&1
        if [ -s $OUTPUT ] ; then
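Review bot: As I read pkg_admin(1), `pkg_admin -K ${pkgdb_dir} check` compares installed files against the checksums recorded in the package database at install time, so the `check_pkg_signatures` option name and the "Files with invalid signatures:" heading overstate what is verified: this is an integrity check against locally stored digests that anyone with write access to ${pkgdb_dir} can update, not a cryptographic signature check. I'd change the heading to `printf "\nFiles with mismatched checksums:\n"` and spell out the distinction next to `check_pkg_signatures` in security.conf(5). The audit branch merges stderr into ${OUTPUT} and only tests `-s`, so a missing or unreadable pkg-vulnerabilities file (e.g. after a failed nightly fetch) is presumably printed under "Installed vulnerable packages:" rather than flagged as an error; checking pkg_admin's exit status as the `check` branch does, or printing a distinct heading when the audit itself fails, would avoid the misleading report. The new code also calls `pkg_info` by bare name although this script already defines `pkg_info=${pkg_info:-/usr/sbin/pkg_info}` a few lines earlier; use `${pkg_info}` for consistency and quote `${pkgdb_dir}` and `${OUTPUT}`.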


