Date: Wed, 17 Sep 2003 19:55:18 +0200 From: Oliver Eikemeier <eikemeier@fillmore-labs.com> To: FreeBSD-Hackers@FreeBSD.org Subject: port of NetBSD's audit-packages (and an update of pkg_install) Message-ID: <3F68A006.40203@fillmore-labs.com>
Hi,

I want to port NetBSD's security/audit-packages to FreeBSD. The system is described in:

<http://www.netbsd.org/Documentation/pkgsrc/features.html#id2980060>

The idea is that you just synchronize a file with known vulnerabilities, and a script in periodic/security warns you when you have a vulnerable package installed (without upgrading your ports tree!). Furthermore there can be a check in bsd.port.mk that doesn't allow you to install a vulnerable port.

Basically you need:

- a pkg_version that can compare version numbers:
  PR 56961: match package version numbers with relational operators
  <http://www.freebsd.org/cgi/query-pr.cgi?pr=56960>
- a script that synchronizes a file with known vulnerabilities (not done)
- a script to put in periodic/security (prototype below, needs work)
- a patch for bsd.port.mk (shell script prototype below)

The scripts below are simple test scripts assuming that a patched port sysutils/pkg_install is installed and a file called 'vulnerabilities' is in the same directory. They are not considered production quality and are provided just to get the idea how the system should work.

Ok, feedback, comments (and commits ;-) welcome

Oliver

--- xxx.pkg_vulnerabilities begins here ---
#!/bin/sh -
#
# Usage:
#   ./xxx.pkg_vulnerabilities
#
# Exits 1 if at least one installed package matches an entry in the
# 'vulnerabilities' file (columns: pattern, type of exploit, URL).
#
PKG_INFO=/usr/local/sbin/pkg_info
export PKG_INFO

if [ ! -x "${PKG_INFO}" ]; then
  echo "${PKG_INFO} missing, please install port sysutils/pkg_install"
  exit 1
fi

if [ "`${PKG_INFO} -qP`" -lt 20030917 ]; then
  echo "${PKG_INFO} is too old, please update port sysutils/pkg_install"
  exit 1
fi

echo 'Checking for vulnerable packages:'

n=$(awk '
  /^(#|$)/ { next }
  {
    # Ask pkg_info for every installed package matching the pattern in $1;
    # each line it prints is one vulnerable package.
    cmd = ENVIRON["PKG_INFO"] " -E \"" $1 "\""
    while ((cmd | getline pkg) > 0)
      print "Package " pkg " has a " $2 " vulnerability, see " $3
    # close() needs the exact command string that was opened, otherwise
    # the pipe stays open for every line of the file
    close(cmd)
  }
' vulnerabilities | tee /dev/stderr | wc -l)

[ "$n" -gt 0 ] && rc=1 || rc=0
exit "$rc"
--- xxx.pkg_vulnerabilities ends here ---

and something like this in bsd.port.mk

--- pkg_vulnerable.sh begins here ---
#!/bin/sh -
#
# Usage
#   ./pkg_vulnerable.sh <pkgname> || echo "Refused to install"
#
# Exits 1 if <pkgname> matches an entry in the 'vulnerabilities' file.
#
PKG_INFO=/usr/local/sbin/pkg_info
PKG_VERSION=/usr/local/sbin/pkg_version
export PKG_VERSION

if [ ! -x "${PKG_INFO}" ] || [ ! -x "${PKG_VERSION}" ]; then
  echo "${PKG_VERSION} missing, please install port sysutils/pkg_install"
  exit 1
fi

if [ "`${PKG_INFO} -qP`" -lt 20030917 ]; then
  echo "${PKG_VERSION} is too old, please update port sysutils/pkg_install"
  exit 1
fi

pkgname=${1:-pkg_install-20030917}

echo "Checking if package ${pkgname} is vulnerable:"

# The package name is handed to awk with -v instead of being spliced into
# the program text, so a name containing quotes cannot alter the program.
n=$(awk -v pkg="${pkgname}" '
  BEGIN {
    # strip the version: "^pkg_install-20030917" -> "^pkg_install"
    pkgre = "^" pkg
    sub(/-[^-]+$/, "", pkgre)
  }
  /^(#|$)/ { next }
  $1 ~ pkgre {
    # pkg_version -T exits 0 when pkg matches the pattern in $1
    if (system(ENVIRON["PKG_VERSION"] " -T \"" pkg "\" \"" $1 "\"") == 0)
      print "Package " pkg " has a " $2 " vulnerability, see " $3
  }
' vulnerabilities | tee /dev/stderr | wc -l)

[ "$n" -gt 0 ] && rc=1 || rc=0
exit "$rc"
--- pkg_vulnerable.sh ends here ---
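As an added example (not part of Oliver's post, of audit-packages or of pkg_install), here is a Python sketch of the matching that the two scripts delegate to pkg_info -E and pkg_version -T: a reader for the three-column vulnerabilities file, a simplified version ordering, and an audit over an installed-package list. The file contents, package names and URLs are constructed, and version_key is a simplification of pkg_version's real rules.

```python
import fnmatch
import re

# Constructed sample of the vulnerabilities file (not a real feed):
#   <package pattern>  <type of exploit>  <URL of the advisory>
VULNERABILITIES = """\
pkg_install<20030917   local-root-shell   http://advisory.invalid/1
sendmail<8.12.10       remote-root-shell  http://advisory.invalid/2
openssh-3.[0-6]*       remote-root-shell  http://advisory.invalid/3
"""
# Constructed stand-in for the package list `pkg_info -a` would print.
INSTALLED = ["pkg_install-20030901", "sendmail-8.12.9",
             "openssh-3.6.1p2", "perl-5.8.0"]
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def version_key(ver):
    # Simplified pkg_version ordering: numeric runs compare as integers,
    # alphabetic runs as strings, so 8.12.9 < 8.12.10 and 3.6 < 3.6.1p2.
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[A-Za-z]+", ver)]

def matches(pattern, pkg):
    # Emulate `pkg_info -E`: "name<ver" style patterns compare the version
    # (the part after the last '-'); anything else is a shell glob.
    m = re.match(r"^([^<>]+)(<=|>=|<|>)(.+)$", pattern)
    if not m:
        return fnmatch.fnmatchcase(pkg, pattern)
    name, op, ver = m.groups()
    pname, _, pver = pkg.rpartition("-")
    return pname == name and OPS[op](version_key(pver), version_key(ver))

def audit(vulnerabilities, installed):
    # Return (package, type, url) for every installed package hit by an entry;
    # this is what the periodic script prints (and bsd.port.mk would refuse).
    hits = []
    for line in vulnerabilities.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, kind, url = line.split()[:3]
        hits.extend((pkg, kind, url) for pkg in installed if matches(pattern, pkg))
    return hits

if __name__ == "__main__":
    for pkg, kind, url in audit(VULNERABILITIES, INSTALLED):
        print(f"Package {pkg} has a {kind} vulnerability, see {url}")
```

Checking a single package before installation, as pkg_vulnerable.sh does, is audit(VULNERABILITIES, [pkgname]) being non-empty.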