svn commit: r458854 - in head/security/base-audit: . files
Kurt Jaeger
pi at FreeBSD.org
Fri Jan 12 15:29:02 UTC 2018
Author: pi
Date: Fri Jan 12 15:29:00 2018
New Revision: 458854
URL: https://svnweb.freebsd.org/changeset/ports/458854
Log:
security/base-audit: update 0.1 -> 0.2
- Introduce security_status_baseaudit_period variable to
files/405.pkg-base-audit.in in order to make it possible to specify
when this script is executed (i.e. daily, weekly or monthly).
PR: 224239
Submitted by: Yasuhiro KIMURA <yasu at utahime.org>, Miroslav Lachman <000.fbsd at quip.cz> (maintainer)
Added:
head/security/base-audit/pkg-message (contents, props changed)
Deleted:
head/security/base-audit/files/pkg-message.in
Modified:
head/security/base-audit/Makefile
head/security/base-audit/files/405.pkg-base-audit.in
Modified: head/security/base-audit/Makefile
==============================================================================
--- head/security/base-audit/Makefile Fri Jan 12 15:02:40 2018 (r458853)
+++ head/security/base-audit/Makefile Fri Jan 12 15:29:00 2018 (r458854)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= base-audit
-PORTVERSION= 0.1
+PORTVERSION= 0.2
CATEGORIES= security
MASTER_SITES= # none
DISTFILES= # none
Modified: head/security/base-audit/files/405.pkg-base-audit.in
==============================================================================
--- head/security/base-audit/files/405.pkg-base-audit.in Fri Jan 12 15:02:40 2018 (r458853)
+++ head/security/base-audit/files/405.pkg-base-audit.in Fri Jan 12 15:29:00 2018 (r458854)
@@ -38,6 +38,13 @@ if [ -r /etc/defaults/periodic.conf ]; then
source_periodic_confs
fi
+: ${security_status_baseaudit_enable:=YES}
+: ${security_status_baseaudit_period:=daily}
+: ${security_status_baseaudit_quiet:=NO}
+: ${security_status_baseaudit_chroots=$pkg_chroots}
+: ${security_status_baseaudit_jails=$pkg_jails}
+: ${security_status_baseaudit_expiry:=2}
+
# Compute PKG_DBDIR from the config file.
pkgcmd=%%PREFIX%%/sbin/pkg
PKG_DBDIR=`${pkgcmd} config PKG_DBDIR`
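Review bot: The six defaults added here mix `:=` and `=` without saying why. The chroots and jails lines use `=`, which assigns only when the variable is unset, so an administrator can set either to an empty string to skip chroot or jail scanning even when `$pkg_chroots` or `$pkg_jails` is populated. A one-line comment above them would keep a later cleanup from normalising these to `:=`, for example `# '=' not ':=': an explicitly empty value disables chroot/jail checks`. These assignments also run before the `security_daily_compat_var` calls added near the end of the file, so it is worth confirming that this ordering gives the intended precedence between the deprecated and the new names.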
@@ -91,7 +98,7 @@ audit_base() {
now=`date +%s` || rc=3
## Add 10 minutes of padding since the check is in seconds.
if [ $rc -ne 0 -o \
- $(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \
+ $(( 86400 \* "${security_status_baseaudit_expiry}" )) \
-le $(( ${now} - ${then} + 600 )) ]; then
## Random delay so the mirrors do not get slammed when run by periodic(8)
if [ ! -t 0 ]; then
@@ -117,23 +124,20 @@ audit_base() {
# Use $pkg_chroots to provide a default list of chroots, and
# $pkg_jails to provide a default list of jails (or '*' for all jails)
# for all pkg periodic scripts, or set
-# $daily_status_security_baseaudit_chroots and
-# $daily_status_security_baseaudit_jails for this script only.
+# $security_status_baseaudit_chroots and
+# $security_status_baseaudit_jails for this script only.
audit_base_all() {
local rc
local last_rc
local jails
- : ${daily_status_security_baseaudit_chroots=$pkg_chroots}
- : ${daily_status_security_baseaudit_jails=$pkg_jails}
-
# We always show audit results for the base system, but only print
# a banner line if we're also showing audit results for any
# chroots or jails.
- if [ -n "${daily_status_security_baseaudit_chroots}" -o \
- -n "${daily_status_security_baseaudit_jails}" ]; then
+ if [ -n "${security_status_baseaudit_chroots}" -o \
+ -n "${security_status_baseaudit_jails}" ]; then
echo "Host system:"
fi
@@ -141,7 +145,7 @@ audit_base_all() {
last_rc=$?
[ $last_rc -gt 1 ] && rc=$last_rc
- for c in $daily_status_security_baseaudit_chroots ; do
+ for c in $security_status_baseaudit_chroots ; do
echo
echo "chroot: $c"
audit_base "-c $c" $c
@@ -149,7 +153,7 @@ audit_base_all() {
[ $last_rc -gt 1 ] && rc=$last_rc
done
- case $daily_status_security_baseaudit_jails in
+ case $security_status_baseaudit_jails in
\*)
jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/')
;;
@@ -159,7 +163,7 @@ audit_base_all() {
*)
# Given the jail name or jid, find the jail path
jails=
- for j in $daily_status_security_baseaudit_jails ; do
+ for j in $security_status_baseaudit_jails ; do
p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/')
jails="${jails} ${p}"
done
@@ -177,11 +181,16 @@ audit_base_all() {
return $rc
}
+security_daily_compat_var security_status_baseaudit_enable
+security_daily_compat_var security_status_baseaudit_quiet
+security_daily_compat_var security_status_baseaudit_chroots
+security_daily_compat_var security_status_baseaudit_jails
+security_daily_compat_var security_status_baseaudit_exipiry
+
rc=0
-case "${daily_status_security_baseaudit_enable:-YES}" in
-[Nn][Oo]) ;;
-*)
+if check_yesno_period security_status_baseaudit_enable
+then
echo
echo 'Checking for security vulnerabilities in base (userland & kernel):'
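Review bot: The last compat line misspells the variable name: `security_daily_compat_var security_status_baseaudit_exipiry` should be `security_daily_compat_var security_status_baseaudit_expiry`. As written, the call presumably maps to a legacy name nobody sets, so an existing `daily_status_security_baseaudit_expiry` in periodic.conf is ignored without any deprecation warning, and the database age check in audit_base uses the default of 2 days. On a host that deliberately shortened the expiry, the audit would then run against an older vulnerability database than the administrator configured. The `if` opened in this hunk is closed in a later hunk.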
@@ -189,7 +198,7 @@ case "${daily_status_security_baseaudit_enable:-YES}"
echo 'pkg-audit is enabled but pkg is not used'
rc=2
else
- case "${daily_status_security_baseaudit_quiet:-NO}" in
+ case "${security_status_baseaudit_quiet}" in
[Yy][Ee][Ss])
q='-q'
;;
@@ -200,7 +209,6 @@ case "${daily_status_security_baseaudit_enable:-YES}"
audit_base_all ; rc=$?
fi
- ;;
-esac
+fi
exit "$rc"
Added: head/security/base-audit/pkg-message
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/base-audit/pkg-message Fri Jan 12 15:29:00 2018 (r458854)
@@ -0,0 +1,15 @@
+Add the following lines to /etc/periodic.conf(.local) to enable periodic check
+ security_status_baseaudit_enable="YES"
+ security_status_baseaudit_quiet="NO"
+
+Use pkg_chroots to provide a default list of chroots
+and pkg_jails to provide a default list of jails (or '*' for all jails)
+for all pkg periodic scripts, or set
+ security_status_baseaudit_chroots
+and
+ security_status_baseaudit_jails
+for this script only.
+
+You can also change following variables:
+ security_status_baseaudit_period="daily"
+ security_status_baseaudit_expiry="2"