Module Name:    src
Committed By:   jmmv
Date:           Tue Jan 19 22:08:11 UTC 2010

Modified Files:
        src/etc: daily security
        src/etc/defaults: daily.conf security.conf

Log Message:
Add the fetch_pkg_vulnerabilities option to the daily script to keep the
packages vulnerability database up to date.  This will only fetch the
file from the server if it has changed since the last run.

Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.

All of these options are enabled by default but they will only run if
there is, at least, one installed package.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/etc/daily
cvs rdiff -u -r1.106 -r1.107 src/etc/security
cvs rdiff -u -r1.11 -r1.12 src/etc/defaults/daily.conf
cvs rdiff -u -r1.21 -r1.22 src/etc/defaults/security.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/etc/daily
diff -u src/etc/daily:1.72 src/etc/daily:1.73
--- src/etc/daily:1.72	Sun Mar 29 16:04:15 2009
+++ src/etc/daily	Tue Jan 19 22:08:11 2010
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$NetBSD: daily,v 1.72 2009/03/29 16:04:15 perry Exp $
+#	$NetBSD: daily,v 1.73 2010/01/19 22:08:11 jmmv Exp $
 #	@(#)daily	8.2 (Berkeley) 1/25/94
 #
 
@@ -242,6 +242,16 @@
 	fi
 fi
 
+: ${pkgdb_dir:=/var/db/pkg}
+
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+	if checkyesno fetch_pkg_vulnerabilities; then
+		echo ""
+		echo "Fetching package vulnerabilities database:"
+		pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -u
+	fi
+fi
+
 if checkyesno run_security; then
 	SECOUT="$DAILYDIR/sec"
 	sh /etc/security > "$SECOUT" 2>&1

Index: src/etc/security
diff -u src/etc/security:1.106 src/etc/security:1.107
--- src/etc/security:1.106	Tue Jan 27 10:32:18 2009
+++ src/etc/security	Tue Jan 19 22:08:11 2010
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$NetBSD: security,v 1.106 2009/01/27 10:32:18 haad Exp $
+#	$NetBSD: security,v 1.107 2010/01/19 22:08:11 jmmv Exp $
 #	from: @(#)security	8.1 (Berkeley) 6/9/93
 #
 
@@ -25,7 +25,7 @@
 # Set reasonable defaults (if they're not set in security.conf)
 #
 backup_dir=${backup_dir:-/var/backups}
-pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
+pkgdb_dir=${pkgdb_dir:-/var/db/pkg} # TODO Inherit from daily.conf.
 max_loginlen=${max_loginlen:-8}
 max_grouplen=${max_grouplen:-8}
 pkg_info=${pkg_info:-/usr/sbin/pkg_info}
@@ -992,6 +992,24 @@
 	done
 fi
 
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+	if checkyesno check_pkg_vulnerabilities; then
+		pkg_admin -K ${pkgdb_dir} audit >${OUTPUT} 2>&1
+		if [ -s ${OUTPUT} ]; then
+			printf "\nInstalled vulnerable packages:\n"
+			cat ${OUTPUT}
+		fi
+	fi
+
+	if checkyesno check_pkg_signatures; then
+		pkg_admin -K ${pkgdb_dir} check >${OUTPUT} 2>&1
+		if [ $? -ne 0 ]; then
+			printf "\nFiles with invalid signatures:\n"
+			cat ${OUTPUT}
+		fi
+	fi
+fi
+
 if [ -f /etc/security.local ]; then
 	. /etc/security.local > $OUTPUT 2>&1
 	if [ -s $OUTPUT ] ; then

Index: src/etc/defaults/daily.conf
diff -u src/etc/defaults/daily.conf:1.11 src/etc/defaults/daily.conf:1.12
--- src/etc/defaults/daily.conf:1.11	Sat Aug 30 10:53:22 2008
+++ src/etc/defaults/daily.conf	Tue Jan 19 22:08:11 2010
@@ -1,4 +1,4 @@
-#	$NetBSD: daily.conf,v 1.11 2008/08/30 10:53:22 bouyer Exp $
+#	$NetBSD: daily.conf,v 1.12 2010/01/19 22:08:11 jmmv Exp $
 #
 # /etc/defaults/daily.conf --
 #	default configuration of /etc/daily.conf
@@ -28,5 +28,7 @@
 run_rdist=YES
 run_security=YES
 run_skeyaudit=YES
+pkgdb_dir=/var/db/pkg
+fetch_pkg_vulnerabilities=YES
 
 send_empty_security=NO

Index: src/etc/defaults/security.conf
diff -u src/etc/defaults/security.conf:1.21 src/etc/defaults/security.conf:1.22
--- src/etc/defaults/security.conf:1.21	Tue Jan 27 10:32:18 2009
+++ src/etc/defaults/security.conf	Tue Jan 19 22:08:11 2010
@@ -1,4 +1,4 @@
-#	$NetBSD: security.conf,v 1.21 2009/01/27 10:32:18 haad Exp $
+#	$NetBSD: security.conf,v 1.22 2010/01/19 22:08:11 jmmv Exp $
 #
 # /etc/defaults/security.conf --
 #	default configuration of /etc/security.conf
@@ -24,6 +24,8 @@
 check_pkgs=YES
 check_changelist=YES
 check_lvm=NO
+check_pkg_vulnerabilities=YES
+check_pkg_signatures=YES
 
 backup_dir=/var/backups
 backup_uses_rcs=YES

Reply via email to