port of NetBSD's audit-packages (and an update of pkg_install)

Oliver Eikemeier eikemeier at fillmore-labs.com
Wed Sep 17 10:55:22 PDT 2003


Hi,

I want to port NetBSD's security/audit-packages to FreeBSD. The system is
described in:
  <http://www.netbsd.org/Documentation/pkgsrc/features.html#id2980060>

The idea is that you just synchronize a file with known vulnerabilities,
and a script in periodic/security warns you when you have a vulnerable
package installed (without upgrading your ports tree!). Furthermore
there can be a check in bsd.port.mk that doesn't allow you to install a
vulnerable port.

Basically you need:
- a pkg_version that can compare version numbers:
  PR 56961: match package version numbers with relational operators
  <http://www.freebsd.org/cgi/query-pr.cgi?pr=56960>

- a script that synchronizes a file with known vulnerabilities
  (not done)

- a script to put in periodic/security
  (prototype below, needs work)

- a patch for bsd.port.mk
  (shell script prototype below)

The scripts below are simple test scripts assuming that a patched port
sysutils/pkg_install is installed and a file called 'vulnerabilities'
is in the same directory. They are not considered production quality
and are provided just to give an idea of how the system should work.

Ok, feedback, comments (and commits ;-) welcome
    Oliver

--- xxx.pkg_vulnerabilities begins here ---
#!/bin/sh -
#
# Usage:
# ./xxx.pkg_vulnerabilities
#
# Reads the file 'vulnerabilities' (one entry per line: package pattern,
# vulnerability type, reference URL; '#' lines and blank lines are
# ignored) and reports every installed package that matches a pattern.
# Exits 1 if anything was found, so periodic/security can notice.
#
PKG_INFO=/usr/local/sbin/pkg_info
export PKG_INFO

if [ ! -x "${PKG_INFO}" ]; then
  echo "${PKG_INFO} missing, please install port sysutils/pkg_install"
  exit 1
fi

# pkg_info -qP prints the pkg_install version; patterns with relational
# operators need the patched one.
if [ "`${PKG_INFO} -qP`" -lt 20030917 ]; then
  echo "${PKG_INFO} is too old, please update port sysutils/pkg_install"
  exit 1
fi

echo 'Checking for vulnerable packages:'

n=$(awk '
  /^(#|$)/ { next }
  {
    # pkg_info -E prints the names of installed packages matching $1.
    # Keep the command string so the same string is passed to close().
    cmd = ENVIRON["PKG_INFO"] " -E \"" $1 "\""
    while ((cmd | getline pkg) > 0)
      print "Package " pkg " has a " $2 " vulnerability, see " $3
    close(cmd)
  }
' vulnerabilities | tee /dev/stderr | wc -l)

[ $n -gt 0 ] && rc=1 || rc=0

exit "$rc"
--- xxx.pkg_vulnerabilities ends here ---


and something like this in bsd.port.mk

--- pkg_vulnerable.sh begins here ---
#!/bin/sh -
#
# Usage:
# ./pkg_vulnerable.sh <pkgname> && echo "Refused to install"
#
# Checks a single package name (e.g. the one bsd.port.mk is about to
# install) against the 'vulnerabilities' file. Exits 1 if it matches.
#

PKG_INFO=/usr/local/sbin/pkg_info
PKG_VERSION=/usr/local/sbin/pkg_version
export PKG_VERSION

if [ ! -x "${PKG_INFO}" -o ! -x "${PKG_VERSION}" ]; then
  echo "${PKG_INFO} or ${PKG_VERSION} missing, please install port sysutils/pkg_install"
  exit 1
fi

if [ "`${PKG_INFO} -qP`" -lt 20030917 ]; then
  echo "${PKG_VERSION} is too old, please update port sysutils/pkg_install"
  exit 1
fi

pkgname=${1:-pkg_install-20030917}

echo "Checking if package ${pkgname} is vulnerable:"

# The package name is handed to awk with -v instead of being spliced
# into the program text, so it cannot break the program's quoting.
n=$(awk -v pkg="${pkgname}" '
  # pkgre anchors on the package name with the trailing -version removed
  BEGIN { pkgre = "^" pkg; sub(/-[^-]+$/, "", pkgre) }
  /^(#|$)/ { next }
  # only patterns for this name are worth a pkg_version call;
  # pkg_version -T exits 0 when pkg matches the pattern in $1
  $1 ~ pkgre {
    if (system(ENVIRON["PKG_VERSION"] " -T \"" pkg "\" \"" $1 "\"") == 0)
      print "Package " pkg " has a " $2 " vulnerability, see " $3
  }
' vulnerabilities | tee /dev/stderr | wc -l)

[ $n -gt 0 ] && rc=1 || rc=0

exit "$rc"
--- pkg_vulnerable.sh ends here ---
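As an added, self-contained illustration (not part of Oliver's post or of the pkg_install tools), the following Python sketch performs the same check as the two scripts above without needing pkg_info or pkg_version: it parses a constructed 'vulnerabilities' file in the pattern / type / URL layout the scripts read, matches installed package names against exact and relational-operator patterns, and returns the hits. The version comparison is a simplified stand-in for pkg_version -t, and all package names and URLs are constructed.

```python
import re
from itertools import zip_longest

# Constructed sample of the 'vulnerabilities' file: pattern, vulnerability
# type, reference URL. Names and URLs are made up for this example.
VULNERABILITIES = """\
# pattern       type                    reference
foo<1.2.3       remote-root-shell       http://example.invalid/foo
bar-1.0         denial-of-service       http://example.invalid/bar
baz>=2.0<2.1    local-file-overwrite    http://example.invalid/baz
"""

OP_RE = re.compile(r"(>=|<=|>|<|=)([^<>=]+)")

def split_version(ver):
    """Split '1.2a' into ((0,1),(0,2),(1,'a')): numbers compare numerically,
    letters after numbers. Simplified stand-in for pkg_version -t."""
    parts = re.findall(r"\d+|[A-Za-z]+", ver)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def compare_versions(a, b):
    """Return -1, 0 or 1 like a three-way comparison of a against b."""
    for x, y in zip_longest(split_version(a), split_version(b), fillvalue=(0, 0)):
        if x != y:
            return -1 if x < y else 1
    return 0

def match_pattern(pattern, pkgname):
    """True if 'name-version' satisfies the pattern: either an exact
    'name-version' or a name followed by relational operators."""
    name, _, version = pkgname.rpartition("-")
    m = re.search(r"[<>=]", pattern)
    if m is None:                       # exact pattern such as bar-1.0
        return pattern == pkgname
    if pattern[:m.start()] != name:     # pattern is for another package
        return False
    for op, ver in OP_RE.findall(pattern[m.start():]):
        c = compare_versions(version, ver)
        if not {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]:
            return False
    return True

def find_vulnerable(installed, vulnfile=VULNERABILITIES):
    """Return (package, type, url) for every installed package that hits."""
    hits = []
    for line in vulnfile.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, vtype, url = line.split()[:3]
        hits += [(p, vtype, url) for p in installed if match_pattern(pattern, p)]
    return hits
```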




More information about the freebsd-hackers mailing list