I want to port NetBSD's security/audit-packages to FreeBSD. The system is described in: <http://www.netbsd.org/Documentation/pkgsrc/features.html#id2980060>
The idea is that you just synchronize a file with known vulnerabilities, and a script in periodic/security warns you when you have a vulnerable package installed (without upgrading your ports tree!). Furthermore there can be a check in bsd.port.mk that doesn't allow you to install a vulnerable port.
Basically you need:
- a pkg_version that can compare version numbers: PR 56961: match package version numbers with relational operators <http://www.freebsd.org/cgi/query-pr.cgi?pr=56960>
- a script that synchronizes a file with known vulnerabilities (not done)
- a script to put in periodic/security (prototype below, needs work)
- a patch for bsd.port.mk (shell script prototype below)
The scripts below are simple test scripts assuming that a patched port sysutils/pkg_install is installed and a file called 'vulnerabilities' is in the same directory. They are not considered production quality and are provided just to give an idea of how the system should work.

Ok, feedback, comments (and commits ;-) welcome

Oliver
--- xxx.pkg_vulnerabilities begins here ---
#!/bin/sh -
#
# Usage:
#	./xxx.pkg_vulnerabilities
#
# Reads the file 'vulnerabilities' (one "pattern type url" entry per
# line, '#' lines and blank lines ignored) and reports every installed
# package matching an entry.  Exits 1 if anything was reported, 0 otherwise.
#
PKG_INFO=/usr/local/sbin/pkg_info
export PKG_INFO

if [ ! -x "${PKG_INFO}" ]; then
	echo "${PKG_INFO} missing, please install port sysutils/pkg_install"
	exit 1
fi

if [ "`${PKG_INFO} -qP`" -lt 20030917 ]; then
	echo "${PKG_INFO} is too old, please update port sysutils/pkg_install"
	exit 1
fi

echo 'Checking for vulnerable packages:'

n=$(awk '
	/^(#|$)/ { next }
	{
		# Ask pkg_info -E for the installed packages matching the
		# pattern in $1.  The pipe has to be closed with exactly the
		# command string it was opened with; closing just the path
		# of pkg_info leaves one pipe open per line of the file.
		cmd = ENVIRON["PKG_INFO"] " -E \"" $1 "\""
		while ((cmd | getline pkg) > 0)
			print "Package " pkg " has a " $2 " vulnerability, see " $3
		close(cmd)
	}
' vulnerabilities | tee /dev/stderr | wc -l)

[ $n -gt 0 ] && rc=1 || rc=0

exit "$rc"
--- xxx.pkg_vulnerabilities ends here ---
and something like this in bsd.port.mk
--- pkg_vulnerable.sh begins here ---
#!/bin/sh -
#
# Usage:
#	./pkg_vulnerable.sh <pkgname> || echo "Refused to install"
#
# Exits 1 if <pkgname> matches an entry in the file 'vulnerabilities',
# 0 otherwise (so the "||" above runs only for a vulnerable package).
#
PKG_INFO=/usr/local/sbin/pkg_info
PKG_VERSION=/usr/local/sbin/pkg_version
export PKG_VERSION

if [ ! -x "${PKG_INFO}" -o ! -x "${PKG_VERSION}" ]; then
	echo "${PKG_VERSION} missing, please install port sysutils/pkg_install"
	exit 1
fi

if [ "`${PKG_INFO} -qP`" -lt 20030917 ]; then
	echo "${PKG_VERSION} is too old, please update port sysutils/pkg_install"
	exit 1
fi

pkgname=${1:-pkg_install-20030917}

echo "Checking if package ${pkgname} is vulnerable:"

# The package name is handed to awk with -v instead of being spliced into
# the program text, so quotes in it cannot break the program.  pkgre is the
# name without its version suffix, anchored at the start of the entry; regex
# metacharacters in the name (e.g. the "+" in g++) are not escaped, so such
# names can match too many entries.  pkg_version -T does the real version
# comparison against the pattern in $1.
n=$(awk -v pkg="${pkgname}" '
	BEGIN { pkgre = "^" pkg; sub(/-[^-]+$/, "", pkgre) }
	/^(#|$)/ { next }
	$1 ~ pkgre {
		if (system(ENVIRON["PKG_VERSION"] " -T \"" pkg "\" \"" $1 "\"") == 0)
			print "Package " pkg " has a " $2 " vulnerability, see " $3
	}
' vulnerabilities | tee /dev/stderr | wc -l)

[ $n -gt 0 ] && rc=1 || rc=0

exit "$rc"
--- pkg_vulnerable.sh ends here ---
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
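The matching step that both prototypes above delegate to the patched pkg_install, written out in plain sh/awk so it can be tried without that port. This is an added example and is not part of Oliver's post, of pkgsrc or of the FreeBSD ports code. It assumes the NetBSD pkg-vulnerabilities layout of "pattern type url" per line, a pattern that is either an exact name-version or a name followed by one of < <= = >= > and a version, and a simplified version comparison (component-wise on ".", numeric where both sides are numbers, otherwise string order). That comparison stands in for pkg_version -T and is not its algorithm; version ranges such as foo>=1<2 are not handled. The sample entries, URLs and installed package list are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the check of the proposed
# system in sh/awk, without the patched sysutils/pkg_install.
# ASSUMPTIONS: "pattern type url" lines; a pattern is name-version or
# name plus ONE of < <= = >= > plus a version; versions compare per "."
# component.  Stand-in for pkg_version -T, not its algorithm.

VULN_AWK='
# Split a pattern into the globals P_NAME, P_OP, P_VER.
function parse_pattern(pat,    i, c, n) {
	n = length(pat)
	for (i = 1; i <= n; i++) {
		c = substr(pat, i, 1)
		if (c == "<" || c == ">" || c == "=") break
	}
	if (i > n) {                       # no operator: exact name-version
		i = match(pat, /-[^-]*$/)
		P_NAME = substr(pat, 1, i - 1); P_OP = "="; P_VER = substr(pat, i + 1)
		return
	}
	P_NAME = substr(pat, 1, i - 1)
	if (substr(pat, i + 1, 1) == "=") { P_OP = substr(pat, i, 2); i += 2 }
	else                               { P_OP = c;                i += 1 }
	P_VER = substr(pat, i)
}
# Compare two versions: -1, 0 or 1.  A missing component sorts first.
function vercmp(a, b,    na, nb, pa, pb, i, n, x, y) {
	na = split(a, pa, "."); nb = split(b, pb, ".")
	n = (na > nb) ? na : nb
	for (i = 1; i <= n; i++) {
		x = (i <= na) ? pa[i] : ""; y = (i <= nb) ? pb[i] : ""
		if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
			if (x + 0 != y + 0) return (x + 0 < y + 0) ? -1 : 1
		} else if (x != y) return (x < y) ? -1 : 1
	}
	return 0
}
# 1 if installed package pkg (name-version) satisfies pat, else 0.  The name
# is compared literally, so metacharacters like the "+" in g++ are harmless.
function satisfies(pkg, pat,    i, c) {
	parse_pattern(pat)
	i = match(pkg, /-[^-]*$/)
	if (i == 0 || substr(pkg, 1, i - 1) != P_NAME) return 0
	c = vercmp(substr(pkg, i + 1), P_VER)
	if (P_OP == "<")  return (c < 0)
	if (P_OP == "<=") return (c <= 0)
	if (P_OP == ">")  return (c > 0)
	if (P_OP == ">=") return (c >= 0)
	return (c == 0)
}
'

# vuln_match NAME-VERSION PATTERN: exit 0 if the pattern matches
# (the bsd.port.mk side, in the spirit of pkg_version -T).
vuln_match() {
	awk -v pkg="$1" -v pat="$2" "$VULN_AWK"'BEGIN { exit (satisfies(pkg, pat) ? 0 : 1) }'
}

# vuln_check VULNFILE: installed package names on stdin; prints one line per
# vulnerable package (the periodic/security side).  Exit 1 if any was found,
# 0 if none, 2 if VULNFILE cannot be read.
vuln_check() {
	awk -v vulnfile="$1" "$VULN_AWK"'
	NF { installed[++n] = $1 }
	END {
		while ((r = (getline line < vulnfile)) > 0) {
			if (line ~ /^(#|$)/) continue
			if (split(line, f, " ") < 3) continue
			for (i = 1; i <= n; i++)
				if (satisfies(installed[i], f[1])) {
					print "Package " installed[i] " has a " f[2] " vulnerability, see " f[3]
					found++
				}
		}
		if (r < 0) { print "cannot read " vulnfile > "/dev/stderr"; exit 2 }
		exit (found ? 1 : 0)
	}'
}

# Constructed sample data (hypothetical entries and URLs, for the demo only).
SAMPLE_VULNS='# pattern          type                   url
apache<1.3.29        remote-code-execution  http://example.invalid/adv/1
openssl<0.9.7c       remote-dos             http://example.invalid/adv/2
sendmail<=8.12.9     remote-root-shell      http://example.invalid/adv/3
zlib-1.1.4           buffer-overflow        http://example.invalid/adv/4'
SAMPLE_INSTALLED='apache-1.3.28
openssl-0.9.7c
sendmail-8.12.9
zlib-1.1.4
bash-2.05b'

# Run vuln_check over the sample data and return its exit status.
vuln_demo() {
	_vf=$(mktemp) || return 2
	printf '%s\n' "$SAMPLE_VULNS" > "$_vf"
	printf '%s\n' "$SAMPLE_INSTALLED" | vuln_check "$_vf"
	_rc=$?
	rm -f "$_vf"
	return $_rc
}

vuln_demo && echo "no vulnerable packages" || echo "vulnerable packages found (exit status $?)"
```

On the sample data the demo reports apache-1.3.28, sendmail-8.12.9 and zlib-1.1.4 and exits 1; openssl-0.9.7c is not reported because "<0.9.7c" excludes the boundary version, and bash is not in the file at all. vuln_match gives a single yes/no answer for one package name against one pattern, which is the check a bsd.port.mk hook needs.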