From owner-svn-ports-all@freebsd.org Fri Jan 12 15:29:02 2018 Message-Id: <201801121529.w0CFT0hx095538@repo.freebsd.org>
From: Kurt Jaeger Date: Fri, 12 Jan 2018 15:29:00 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r458854 - in head/security/base-audit: . files X-SVN-Group: ports-head X-SVN-Commit-Author: pi X-SVN-Commit-Paths: in head/security/base-audit: . files X-SVN-Commit-Revision: 458854 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2018 15:29:02 -0000 Author: pi Date: Fri Jan 12 15:29:00 2018 New Revision: 458854 URL: https://svnweb.freebsd.org/changeset/ports/458854 Log: security/base-audit: update 0.1 -> 0.2 - Introduce security_status_baseaudit_period variable to files/405.pkg-base-audit.in in order to make it possible to specify when this script is executed (i.e. daily, weekly or monthly). PR: 224239 Submitted by: Yasuhiro KIMURA , Miroslav Lachman <000.fbsd@quip.cz> (maintainer) Added: head/security/base-audit/pkg-message (contents, props changed) Deleted: head/security/base-audit/files/pkg-message.in Modified: head/security/base-audit/Makefile head/security/base-audit/files/405.pkg-base-audit.in Modified: head/security/base-audit/Makefile ============================================================================== --- head/security/base-audit/Makefile Fri Jan 12 15:02:40 2018 (r458853) +++ head/security/base-audit/Makefile Fri Jan 12 15:29:00 2018 (r458854) 
@@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= base-audit -PORTVERSION= 0.1 +PORTVERSION= 0.2 CATEGORIES= security MASTER_SITES= # none DISTFILES= # none Modified: head/security/base-audit/files/405.pkg-base-audit.in ============================================================================== --- head/security/base-audit/files/405.pkg-base-audit.in Fri Jan 12 15:02:40 2018 (r458853) +++ head/security/base-audit/files/405.pkg-base-audit.in Fri Jan 12 15:29:00 2018 (r458854) @@ -38,6 +38,13 @@ if [ -r /etc/defaults/periodic.conf ]; then source_periodic_confs fi +: ${security_status_baseaudit_enable:=YES} +: ${security_status_baseaudit_period:=daily} +: ${security_status_baseaudit_quiet:=NO} +: ${security_status_baseaudit_chroots=$pkg_chroots} +: ${security_status_baseaudit_jails=$pkg_jails} +: ${security_status_baseaudit_expiry:=2} + # Compute PKG_DBDIR from the config file. pkgcmd=%%PREFIX%%/sbin/pkg PKG_DBDIR=`${pkgcmd} config PKG_DBDIR` @@ -91,7 +98,7 @@ audit_base() { now=`date +%s` || rc=3 ## Add 10 minutes of padding since the check is in seconds. if [ $rc -ne 0 -o \ - $(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \ + $(( 86400 \* "${security_status_baseaudit_expiry}" )) \ -le $(( ${now} - ${then} + 600 )) ]; then ## Random delay so the mirrors do not get slammed when run by periodic(8) if [ ! -t 0 ]; then 
@@ -117,23 +124,20 @@ audit_base() { # Use $pkg_chroots to provide a default list of chroots, and # $pkg_jails to provide a default list of jails (or '*' for all jails) # for all pkg periodic scripts, or set -# $daily_status_security_baseaudit_chroots and -# $daily_status_security_baseaudit_jails for this script only. +# $security_status_baseaudit_chroots and +# $security_status_baseaudit_jails for this script only. audit_base_all() { local rc local last_rc local jails - : ${daily_status_security_baseaudit_chroots=$pkg_chroots} - : ${daily_status_security_baseaudit_jails=$pkg_jails} - # We always show audit results for the base system, but only print # a banner line if we're also showing audit results for any # chroots or jails. - if [ -n "${daily_status_security_baseaudit_chroots}" -o \ - -n "${daily_status_security_baseaudit_jails}" ]; then + if [ -n "${security_status_baseaudit_chroots}" -o \ + -n "${security_status_baseaudit_jails}" ]; then echo "Host system:" fi @@ -141,7 +145,7 @@ audit_base_all() { last_rc=$? [ $last_rc -gt 1 ] && rc=$last_rc - for c in $daily_status_security_baseaudit_chroots ; do + for c in $security_status_baseaudit_chroots ; do echo echo "chroot: $c" audit_base "-c $c" $c @@ -149,7 +153,7 @@ audit_base_all() { [ $last_rc -gt 1 ] && rc=$last_rc done - case $daily_status_security_baseaudit_jails in + case $security_status_baseaudit_jails in \*) jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/') ;; @@ -159,7 +163,7 @@ audit_base_all() { *) # Given the jail name or jid, find the jail path jails= - for j in $daily_status_security_baseaudit_jails ; do + for j in $security_status_baseaudit_jails ; do p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/') jails="${jails} ${p}" done 
@@ -177,11 +181,16 @@ audit_base_all() { return $rc } +security_daily_compat_var security_status_baseaudit_enable +security_daily_compat_var security_status_baseaudit_quiet +security_daily_compat_var security_status_baseaudit_chroots +security_daily_compat_var security_status_baseaudit_jails +security_daily_compat_var security_status_baseaudit_exipiry + rc=0 -case "${daily_status_security_baseaudit_enable:-YES}" in -[Nn][Oo]) ;; -*) +if check_yesno_period security_status_baseaudit_enable +then echo echo 'Checking for security vulnerabilities in base (userland & kernel):' @@ -189,7 +198,7 @@ case "${daily_status_security_baseaudit_enable:-YES}" echo 'pkg-audit is enabled but pkg is not used' rc=2 else - case "${daily_status_security_baseaudit_quiet:-NO}" in + case "${security_status_baseaudit_quiet}" in [Yy][Ee][Ss]) q='-q' ;; @@ -200,7 +209,6 @@ case "${daily_status_security_baseaudit_enable:-YES}" audit_base_all ; rc=$? fi - ;; -esac +fi exit "$rc" Added: head/security/base-audit/pkg-message ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/base-audit/pkg-message Fri Jan 12 15:29:00 2018 (r458854) @@ -0,0 +1,15 @@ +Add the following lines to /etc/periodic.conf(.local) to enable periodic check + security_status_baseaudit_enable="YES" + security_status_baseaudit_quiet="NO" + +Use pkg_chroots to provide a default list of chroots +and pkg_jails to provide a default list of jails (or '*' for all jails) +for all pkg periodic scripts, or set + security_status_baseaudit_chroots +and + security_status_baseaudit_jails +for this script only. + +You can also change following variables: + security_status_baseaudit_period="daily" + security_status_baseaudit_expiry="2"
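Review bot: in the `@@ -38,6 +38,13 @@` hunk of 405.pkg-base-audit.in the new defaults mix `:=` and `=` without saying why: `security_status_baseaudit_chroots` and `security_status_baseaudit_jails` use plain `=` so an explicitly empty setting in periodic.conf stays empty instead of falling back to `$pkg_chroots`/`$pkg_jails`, while `_enable`, `_period`, `_quiet` and `_expiry` use `:=`. That matches the two `: ${daily_status_security_baseaudit_...=$pkg_...}` lines removed from audit_base_all() in the `@@ -117` hunk, so behaviour is preserved, but a one-line comment above the block would keep a later cleanup from "fixing" the inconsistency.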
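Review bot: in the `@@ -91,7 +98,7 @@` hunk, dropping the inline `:-2` default is safe only because `security_status_baseaudit_expiry` is now assigned with `:=` at the top of the script; the value is still never checked to be an integer before it is used in `$(( 86400 \* "${security_status_baseaudit_expiry}" ))`, so a typo in periodic.conf silently changes when the vulnerability database is refreshed rather than being reported. Pre-existing, but this is the natural spot to reject non-numeric values, e.g. `case "${security_status_baseaudit_expiry}" in *[!0-9]*) echo "invalid security_status_baseaudit_expiry" >&2; exit 3 ;; esac` before the comparison.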
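Review bot: in the `@@ -177,11 +181,16 @@` hunk, `security_daily_compat_var security_status_baseaudit_exipiry` misspells the variable name (`exipiry` for `expiry`), so the compatibility mapping is never applied to `security_status_baseaudit_expiry`: a user who still has `daily_status_security_baseaudit_expiry` in periodic.conf silently gets the default of 2 days in the audit_base() comparison that this same commit rewrote in the `@@ -91` hunk. Change the line to `security_daily_compat_var security_status_baseaudit_expiry`. The old `daily_status_security_baseaudit_*` names no longer appear anywhere in the script or in pkg-message, so a short deprecation note for existing users would also help.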
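Review bot: in the added pkg-message, the opening sentence tells users to add `security_status_baseaudit_enable="YES"` to enable the check, but the script now defaults that variable to YES (`: ${security_status_baseaudit_enable:=YES}` in the `@@ -38` hunk), so the audit already runs daily out of the box and the two lines shown only make the defaults explicit; say so, and show the `NO` form for users who want to turn it off. Two grammar nits in the same file: "to enable periodic check" should read "to enable the periodic check", and "You can also change following variables" should read "You can also change the following variables". Since this file is the only user-facing documentation of `security_status_baseaudit_period`, list its accepted values (daily, weekly or monthly, per the commit log) next to it.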