From: Oliver Eikemeier
To: FreeBSD-Hackers@FreeBSD.org
Date: Wed, 17 Sep 2003 19:55:18 +0200
Subject: port of NetBSD's audit-packages (and an update of pkg_install)
Message-ID: <3F68A006.40203@fillmore-labs.com>

Hi,

I want to port NetBSD's security/audit-packages to FreeBSD. The system is described in:

The idea is that you just synchronize a file with known vulnerabilities, and a script in periodic/security warns you when you have a vulnerable package installed (without upgrading your ports tree!). Furthermore there can be a check in bsd.port.mk that doesn't allow you to install a vulnerable port.
Basically you need:

- a pkg_version that can compare version numbers: PR 56961: match package version numbers with relational operators
- a script that synchronizes a file with known vulnerabilities (not done)
- a script to put in periodic/security (prototype below, needs work)
- a patch for bsd.port.mk (shell script prototype below)

The scripts below are simple test scripts assuming that a patched port sysutils/pkg_install is installed and a file called 'vulnerabilities' is in the same directory. They are not considered production quality and are provided just to get the idea how the system should work.

Ok, feedback, comments (and commits ;-) welcome

Oliver

--- xxx.pkg_vulnerabilities begins here ---
#!/bin/sh -
#
# Usage:
#   ./xxx.pkg_vulnerabilities
#
# Lists every installed package that matches an entry in the file
# 'vulnerabilities' (current directory) and exits 1 if any were found,
# 0 otherwise.

PKG_INFO=/usr/local/sbin/pkg_info
export PKG_INFO

if [ ! -x "${PKG_INFO}" ]; then
    echo "${PKG_INFO} missing, please install port sysutils/pkg_install"
    exit 1
fi

# pkg_info -P prints the pkg_install version date; the relational
# matching needs the patched version from PR 56961
if [ "`${PKG_INFO} -qP`" -lt 20030917 ]; then
    echo "${PKG_INFO} is too old, please update port sysutils/pkg_install"
    exit 1
fi

echo 'Checking for vulnerable packages:'
n=$(awk '
    # skip comments and blank lines
    /^(#|$)/ { next }
    # $1: package pattern, $2: kind of vulnerability, $3: reference URL
    {
        cmd = ENVIRON["PKG_INFO"] " -E \"" $1 "\""
        while ((cmd | getline pkg) > 0)
            print "Package " pkg " has a " $2 " vulnerability, see " $3
        # close() needs the exact command string, otherwise the pipe
        # stays open and a repeated pattern is never re-run
        close(cmd)
    }
' vulnerabilities | tee /dev/stderr | wc -l)

[ $n -gt 0 ] && rc=1 || rc=0
exit "$rc"
--- xxx.pkg_vulnerabilities ends here ---

and something like this in bsd.port.mk

--- pkg_vulnerable.sh begins here ---
#!/bin/sh -
#
# Usage:
#   ./pkg_vulnerable.sh [pkgname] || echo "Refused to install"
#
# Exits 1 if the given package (default: pkg_install-20030917) matches
# an entry in the file 'vulnerabilities' (current directory), 0 otherwise.

PKG_INFO=/usr/local/sbin/pkg_info
PKG_VERSION=/usr/local/sbin/pkg_version
export PKG_VERSION

if [ ! -x "${PKG_VERSION}" ]; then
    echo "${PKG_VERSION} missing, please install port sysutils/pkg_install"
    exit 1
fi

if [ "`${PKG_INFO} -qP`" -lt 20030917 ]; then
    echo "${PKG_VERSION} is too old, please update port sysutils/pkg_install"
    exit 1
fi

pkgname=${1:-pkg_install-20030917}

echo "Checking if package ${pkgname} is vulnerable:"
# the package name is handed to awk with -v instead of being spliced into
# the program text, so a name containing quotes cannot break the script
n=$(awk -v pkg="${pkgname}" '
    # pkgre anchors on the package name without its version suffix
    BEGIN { pkgre = "^" pkg; sub(/-[^-]+$/, "", pkgre) }
    /^(#|$)/ { next }
    # only entries for this package are handed to pkg_version -T, which
    # tests the full name against the relational pattern in $1
    $1 ~ pkgre {
        if (system(ENVIRON["PKG_VERSION"] " -T \"" pkg "\" \"" $1 "\"") == 0)
            print "Package " pkg " has a " $2 " vulnerability, see " $3
    }
' vulnerabilities | tee /dev/stderr | wc -l)

[ $n -gt 0 ] && rc=1 || rc=0
exit "$rc"
--- pkg_vulnerable.sh ends here ---
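The following is an added example, not code from the mail above or from NetBSD's audit-packages. It models the whole check offline so it can be run without a patched pkg_install: a constructed 'vulnerabilities' file (three columns, pattern / kind / URL, as the prototypes read it) is matched against a constructed list of installed packages in pkg_info's name-version form. Two things are this example's own assumptions rather than anything the mail specifies: the pattern syntax name<op>version with <op> one of < <= = >= >, and the dotted-numeric version comparison, which stands in for the relational matching that pkg_version -T gains in PR 56961.

```shell
#!/bin/sh
# Added example (not the original mail's scripts): offline model of the
# audit-packages check with a constructed database and package lists.

VULN_DB=$(mktemp "${TMPDIR:-/tmp}/vuln.XXXXXX")
INSTALLED=$(mktemp "${TMPDIR:-/tmp}/pkgs.XXXXXX")
INSTALLED_CLEAN=$(mktemp "${TMPDIR:-/tmp}/clean.XXXXXX")
trap 'rm -f "$VULN_DB" "$INSTALLED" "$INSTALLED_CLEAN"' EXIT

# constructed sample entries, not real advisories
cat > "$VULN_DB" <<'EOF'
# pattern               kind                  reference
pkg_install<20030917    buffer-overflow       http://example.invalid/adv-1
foo-server<=1.2.3       denial-of-service     http://example.invalid/adv-2
bar>=2.0                privilege-escalation  http://example.invalid/adv-3
EOF

# constructed package lists, one "name-version" per line
cat > "$INSTALLED" <<'EOF'
pkg_install-20030901
foo-server-1.2.3
bar-1.9
baz-0.5
EOF

cat > "$INSTALLED_CLEAN" <<'EOF'
pkg_install-20030917
bar-1.9
baz-0.5
EOF

# audit_packages <installed-list> <vulnerabilities>
# Prints one "Package ... has a ... vulnerability, see ..." line per hit and
# returns 1 if there was any hit, 0 otherwise (the same exit convention as
# xxx.pkg_vulnerabilities, so it fits the same periodic/security hook).
audit_packages() {
    hits=$(awk '
    # vercmp: -1, 0 or 1 for a<b, a==b, a>b on dotted numeric versions;
    # missing components count as 0 (1.2 equals 1.2.0). Assumed scheme,
    # simpler than pkg_version(1)'"'"'s.
    function vercmp(a, b,   pa, pb, na, nb, n, i, x, y) {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) return -1
            if (x > y) return 1
        }
        return 0
    }
    # satisfies: does comparison result c honour relational operator op?
    function satisfies(op, c) {
        if (op == "<")  return (c < 0)
        if (op == "<=") return (c <= 0)
        if (op == "=")  return (c == 0)
        if (op == ">=") return (c >= 0)
        if (op == ">")  return (c > 0)
        return 0
    }
    # first file: installed packages, split at the last "-" into name/version
    FNR == NR {
        if (match($1, /-[^-]+$/)) {
            ni++
            iname[ni] = substr($1, 1, RSTART - 1)
            iver[ni] = substr($1, RSTART + 1)
        }
        next
    }
    # second file: the database; skip comments and blank lines
    /^(#|$)/ { next }
    {
        # split the pattern at its operator; match() is leftmost-longest,
        # so "<=" wins over "<"
        if (!match($1, /<=|>=|<|>|=/)) next
        vname = substr($1, 1, RSTART - 1)
        vop = substr($1, RSTART, RLENGTH)
        vver = substr($1, RSTART + RLENGTH)
        for (i = 1; i <= ni; i++)
            if (iname[i] == vname && satisfies(vop, vercmp(iver[i], vver)))
                print "Package " iname[i] "-" iver[i] " has a " $2 " vulnerability, see " $3
    }' "$1" "$2")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# count_vulnerable <installed-list> <vulnerabilities>: number of hits
count_vulnerable() {
    audit_packages "$1" "$2" | awk 'END { print NR + 0 }'
}

if audit_packages "$INSTALLED" "$VULN_DB"; then
    echo "no vulnerable packages"
else
    echo "vulnerable packages found"
fi
```

Run against the full installed list it plays the role of the periodic/security script; run against a list holding only the PKGNAME about to be installed it plays the role of the bsd.port.mk check, and its exit status is what the `|| echo "Refused to install"` idiom keys on. The leftmost-longest property of awk's match() is what makes the one-regex operator split safe; a pattern without any operator is skipped rather than treated as a bare name, which keeps a malformed database line from silently matching nothing or everything.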