Module Name: src
Committed By: jmmv
Date: Tue Jan 19 22:08:11 UTC 2010
Modified Files:
src/etc: daily security
src/etc/defaults: daily.conf security.conf
Log Message:
Add the fetch_pkg_vulnerabilities option to the daily script to keep the
packages vulnerability database up to date. This will only fetch the
file from the server if it has changed since the last run.
Add the check_pkg_vulnerabilities and check_pkg_signatures options to the
security script to check that the installed packages are sane.
All of these options are enabled by default but they will only run if
there is, at least, one installed package.
To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/etc/daily
cvs rdiff -u -r1.106 -r1.107 src/etc/security
cvs rdiff -u -r1.11 -r1.12 src/etc/defaults/daily.conf
cvs rdiff -u -r1.21 -r1.22 src/etc/defaults/security.conf
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/etc/daily
diff -u src/etc/daily:1.72 src/etc/daily:1.73
--- src/etc/daily:1.72 Sun Mar 29 16:04:15 2009
+++ src/etc/daily Tue Jan 19 22:08:11 2010
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $NetBSD: daily,v 1.72 2009/03/29 16:04:15 perry Exp $
+# $NetBSD: daily,v 1.73 2010/01/19 22:08:11 jmmv Exp $
# @(#)daily 8.2 (Berkeley) 1/25/94
#
@@ -242,6 +242,16 @@
fi
fi
+: ${pkgdb_dir:=/var/db/pkg}
+
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+ if checkyesno fetch_pkg_vulnerabilities; then
+ echo ""
+ echo "Fetching package vulnerabilities database:"
+ pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -u
+ fi
+fi
+
if checkyesno run_security; then
SECOUT="$DAILYDIR/sec"
sh /etc/security > "$SECOUT" 2>&1
Index: src/etc/security
diff -u src/etc/security:1.106 src/etc/security:1.107
--- src/etc/security:1.106 Tue Jan 27 10:32:18 2009
+++ src/etc/security Tue Jan 19 22:08:11 2010
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $NetBSD: security,v 1.106 2009/01/27 10:32:18 haad Exp $
+# $NetBSD: security,v 1.107 2010/01/19 22:08:11 jmmv Exp $
# from: @(#)security 8.1 (Berkeley) 6/9/93
#
@@ -25,7 +25,7 @@
# Set reasonable defaults (if they're not set in security.conf)
#
backup_dir=${backup_dir:-/var/backups}
-pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
+pkgdb_dir=${pkgdb_dir:-/var/db/pkg} # TODO Inherit from daily.conf.
max_loginlen=${max_loginlen:-8}
max_grouplen=${max_grouplen:-8}
pkg_info=${pkg_info:-/usr/sbin/pkg_info}
@@ -992,6 +992,24 @@
done
fi
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+ if checkyesno check_pkg_vulnerabilities; then
+ pkg_admin -K ${pkgdb_dir} audit >${OUTPUT} 2>&1
+ if [ -s ${OUTPUT} ]; then
+ printf "\nInstalled vulnerable packages:\n"
+ cat ${OUTPUT}
+ fi
+ fi
+
+ if checkyesno check_pkg_signatures; then
+ pkg_admin -K ${pkgdb_dir} check >${OUTPUT} 2>&1
+ if [ $? -ne 0 ]; then
+ printf "\nFiles with invalid signatures:\n"
+ cat ${OUTPUT}
+ fi
+ fi
+fi
+
if [ -f /etc/security.local ]; then
. /etc/security.local > $OUTPUT 2>&1
if [ -s $OUTPUT ] ; then
Index: src/etc/defaults/daily.conf
diff -u src/etc/defaults/daily.conf:1.11 src/etc/defaults/daily.conf:1.12
--- src/etc/defaults/daily.conf:1.11 Sat Aug 30 10:53:22 2008
+++ src/etc/defaults/daily.conf Tue Jan 19 22:08:11 2010
@@ -1,4 +1,4 @@
-# $NetBSD: daily.conf,v 1.11 2008/08/30 10:53:22 bouyer Exp $
+# $NetBSD: daily.conf,v 1.12 2010/01/19 22:08:11 jmmv Exp $
#
# /etc/defaults/daily.conf --
# default configuration of /etc/daily.conf
@@ -28,5 +28,7 @@
run_rdist=YES
run_security=YES
run_skeyaudit=YES
+pkgdb_dir=/var/db/pkg
+fetch_pkg_vulnerabilities=YES
send_empty_security=NO
Index: src/etc/defaults/security.conf
diff -u src/etc/defaults/security.conf:1.21 src/etc/defaults/security.conf:1.22
--- src/etc/defaults/security.conf:1.21 Tue Jan 27 10:32:18 2009
+++ src/etc/defaults/security.conf Tue Jan 19 22:08:11 2010
@@ -1,4 +1,4 @@
-# $NetBSD: security.conf,v 1.21 2009/01/27 10:32:18 haad Exp $
+# $NetBSD: security.conf,v 1.22 2010/01/19 22:08:11 jmmv Exp $
#
# /etc/defaults/security.conf --
# default configuration of /etc/security.conf
@@ -24,6 +24,8 @@
check_pkgs=YES
check_changelist=YES
check_lvm=NO
+check_pkg_vulnerabilities=YES
+check_pkg_signatures=YES
backup_dir=/var/backups
backup_uses_rcs=YES