Add the fetch_pkg_vulnerabilities option to the daily script to keep the trunk
authorjmmv <jmmv@NetBSD.org>
Tue, 19 Jan 2010 22:08:11 +0000
branchtrunk
changeset 187278 d62d0c2b4476
parent 187277 5205a725d53f
child 187279 c85fecdf0ad9
Add the fetch_pkg_vulnerabilities option to the daily script to keep the packages vulnerability database up to date. This will only fetch the file from the server if it has changed since the last run. Add the check_pkg_vulnerabilities and check_pkg_signatures options to the security script to check that the installed packages are sane. All of these options are enabled by default but they will only run if there is, at least, one installed package.
etc/daily
etc/defaults/daily.conf
etc/defaults/security.conf
etc/security
--- a/etc/daily	Tue Jan 19 22:06:18 2010 +0000
+++ b/etc/daily	Tue Jan 19 22:08:11 2010 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$NetBSD: daily,v 1.72 2009/03/29 16:04:15 perry Exp $
+#	$NetBSD: daily,v 1.73 2010/01/19 22:08:11 jmmv Exp $
 #	@(#)daily	8.2 (Berkeley) 1/25/94
 #
 
@@ -242,6 +242,16 @@
 	fi
 fi
 
+: ${pkgdb_dir:=/var/db/pkg}
+
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+	if checkyesno fetch_pkg_vulnerabilities; then
+		echo ""
+		echo "Fetching package vulnerabilities database:"
+		pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -u
+	fi
+fi
+
 if checkyesno run_security; then
 	SECOUT="$DAILYDIR/sec"
 	sh /etc/security > "$SECOUT" 2>&1
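Review bot: The fetch on line 33 (`pkg_admin -K ${pkgdb_dir} fetch-pkg-vulnerabilities -u`) has its exit status ignored, so a failed download leaves the vulnerability database stale with nothing in the daily report saying so beyond whatever pkg_admin itself prints. Since the daily mail is where an operator would notice this, suggest `pkg_admin -K "${pkgdb_dir}" fetch-pkg-vulnerabilities -u || echo "Fetching package vulnerabilities database failed."` so a stale database is visible rather than silent. The `${pkgdb_dir}` expansions on lines 29 and 33 are also unquoted; harmless for the default path, but the value is operator-configured via daily.conf, so quoting it is cheap insurance. The surrounding script continues outside this hunk.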
--- a/etc/defaults/daily.conf	Tue Jan 19 22:06:18 2010 +0000
+++ b/etc/defaults/daily.conf	Tue Jan 19 22:08:11 2010 +0000
@@ -1,4 +1,4 @@
-#	$NetBSD: daily.conf,v 1.11 2008/08/30 10:53:22 bouyer Exp $
+#	$NetBSD: daily.conf,v 1.12 2010/01/19 22:08:11 jmmv Exp $
 #
 # /etc/defaults/daily.conf --
 #	default configuration of /etc/daily.conf
@@ -28,5 +28,7 @@
 run_rdist=YES
 run_security=YES
 run_skeyaudit=YES
+pkgdb_dir=/var/db/pkg
+fetch_pkg_vulnerabilities=YES
 
 send_empty_security=NO
--- a/etc/defaults/security.conf	Tue Jan 19 22:06:18 2010 +0000
+++ b/etc/defaults/security.conf	Tue Jan 19 22:08:11 2010 +0000
@@ -1,4 +1,4 @@
-#	$NetBSD: security.conf,v 1.21 2009/01/27 10:32:18 haad Exp $
+#	$NetBSD: security.conf,v 1.22 2010/01/19 22:08:11 jmmv Exp $
 #
 # /etc/defaults/security.conf --
 #	default configuration of /etc/security.conf
@@ -24,6 +24,8 @@
 check_pkgs=YES
 check_changelist=YES
 check_lvm=NO
+check_pkg_vulnerabilities=YES
+check_pkg_signatures=YES
 
 backup_dir=/var/backups
 backup_uses_rcs=YES
--- a/etc/security	Tue Jan 19 22:06:18 2010 +0000
+++ b/etc/security	Tue Jan 19 22:08:11 2010 +0000
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$NetBSD: security,v 1.106 2009/01/27 10:32:18 haad Exp $
+#	$NetBSD: security,v 1.107 2010/01/19 22:08:11 jmmv Exp $
 #	from: @(#)security	8.1 (Berkeley) 6/9/93
 #
 
@@ -25,7 +25,7 @@
 # Set reasonable defaults (if they're not set in security.conf)
 #
 backup_dir=${backup_dir:-/var/backups}
-pkgdb_dir=${pkgdb_dir:-/var/db/pkg}
+pkgdb_dir=${pkgdb_dir:-/var/db/pkg} # TODO Inherit from daily.conf.
 max_loginlen=${max_loginlen:-8}
 max_grouplen=${max_grouplen:-8}
 pkg_info=${pkg_info:-/usr/sbin/pkg_info}
@@ -992,6 +992,24 @@
 	done
 fi
 
+if pkg_info -K ${pkgdb_dir} -q -E '*'; then
+	if checkyesno check_pkg_vulnerabilities; then
+		pkg_admin -K ${pkgdb_dir} audit >${OUTPUT} 2>&1
+		if [ -s ${OUTPUT} ]; then
+			printf "\nInstalled vulnerable packages:\n"
+			cat ${OUTPUT}
+		fi
+	fi
+
+	if checkyesno check_pkg_signatures; then
+		pkg_admin -K ${pkgdb_dir} check >${OUTPUT} 2>&1
+		if [ $? -ne 0 ]; then
+			printf "\nFiles with invalid signatures:\n"
+			cat ${OUTPUT}
+		fi
+	fi
+fi
+
 if [ -f /etc/security.local ]; then
 	. /etc/security.local > $OUTPUT 2>&1
 	if [ -s $OUTPUT ] ; then
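Review bot: The vulnerability report on lines 98-102 is driven only by whether ${OUTPUT} is non-empty, and stderr is merged into it, so a pkg_admin audit failure (for instance when no pkg-vulnerabilities file has been fetched yet, or the database is unreadable) would be printed under the heading "Installed vulnerable packages:" as if it were a finding. Capturing the exit status right after the call (`rv=$?`) and printing a distinct heading such as `printf "\nPackage vulnerability check failed (exit status %d):\n" $rv` when it is non-zero would let the reader tell a broken check from a real hit, assuming audit's exit status separates errors from findings — worth confirming against pkg_admin before relying on it. Line 96 also invokes bare `pkg_info` while the script defines `pkg_info=${pkg_info:-/usr/sbin/pkg_info}` on line 91 for this purpose; using `${pkg_info}` keeps the new block consistent with that default. On line 107, `if [ $? -ne 0 ]` can be folded into the call as `if ! pkg_admin -K ${pkgdb_dir} check >${OUTPUT} 2>&1; then`.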