aboutsummaryrefslogtreecommitdiff
path: root/ports-mgmt/portaudit
diff options
context:
space:
mode:
authorOliver Eikemeier <eik@FreeBSD.org>2004-01-27 19:24:52 +0000
committerOliver Eikemeier <eik@FreeBSD.org>2004-01-27 19:24:52 +0000
commit34522b5af15a19582c575c9bb11828b98a51dbf9 (patch)
tree9c52b27d0b4d87ef198a2f7bb721905d3b405d12 /ports-mgmt/portaudit
parent4544d5a9e6b2043e390a42191f69df448b55edd0 (diff)
downloadports-34522b5af15a19582c575c9bb11828b98a51dbf9.tar.gz
ports-34522b5af15a19582c575c9bb11828b98a51dbf9.zip
Notes
Diffstat (limited to 'ports-mgmt/portaudit')
-rw-r--r--ports-mgmt/portaudit/Makefile51
-rw-r--r--ports-mgmt/portaudit/database/auditfile.txt27
-rw-r--r--ports-mgmt/portaudit/files/fetchaudit.sh81
-rw-r--r--ports-mgmt/portaudit/files/portaudit.functions23
-rw-r--r--ports-mgmt/portaudit/files/portaudit.sh87
-rw-r--r--ports-mgmt/portaudit/pkg-descr17
-rw-r--r--ports-mgmt/portaudit/pkg-plist9
7 files changed, 295 insertions, 0 deletions
diff --git a/ports-mgmt/portaudit/Makefile b/ports-mgmt/portaudit/Makefile
new file mode 100644
index 000000000000..ff09854b21e3
--- /dev/null
+++ b/ports-mgmt/portaudit/Makefile
@@ -0,0 +1,51 @@
+# New ports collection makefile for: portaudit
+# Date created: 25 Jan 2004
+# Whom: Oliver Eikemeier
+#
+# $FreeBSD$
+#
+
+PORTNAME= portaudit
+PORTVERSION= 0.1
+CATEGORIES= security
+DISTFILES=
+
+MAINTAINER= eik@FreeBSD.org
+COMMENT= Checks installed ports against a list of security vulnerabilities
+
+PERIODICDIR?= ${PREFIX}/etc/periodic
+DATABASEDIR?= /var/db/portaudit
+
+PLIST_SUB+= PERIODICDIR="${PERIODICDIR:S,^${PREFIX}/,,}" \
+ DATABASEDIR="${DATABASEDIR}"
+
+PKG_INFO_BASE?= /usr/sbin/pkg_info
+BASEPKGVER!= ${PKG_INFO_BASE} -qP 2>/dev/null
+
+.if ${BASEPKGVER} < 20040125
+RUN_DEPENDS= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} < 420001 || ${OSVERSION} >= 500000 && ${OSVERSION} < 500014
+IGNORE= "You need tar with bzip support to run portaudit"
+.endif
+
+do-build:
+.for f in portaudit.sh fetchaudit.sh portaudit.functions
+ @${SED} -e "s|%%DATADIR%%|${DATADIR}|g" \
+ -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g" \
+ ${FILESDIR}/${f} > ${WRKDIR}/${f}
+.endfor
+
+do-install:
+ @${MKDIR} ${PERIODICDIR}/security
+ @${INSTALL_SCRIPT} ${WRKDIR}/portaudit.sh ${PERIODICDIR}/security/910.portaudit
+ @${MKDIR} ${PERIODICDIR}/daily
+ @${INSTALL_SCRIPT} ${WRKDIR}/fetchaudit.sh ${PERIODICDIR}/daily/330.fetchaudit
+ @${MKDIR} ${DATADIR}
+ @${INSTALL_DATA} ${WRKDIR}/portaudit.functions ${DATADIR}
+ @${MKDIR} ${DATABASEDIR}
+
+.include <bsd.port.post.mk>
diff --git a/ports-mgmt/portaudit/database/auditfile.txt b/ports-mgmt/portaudit/database/auditfile.txt
new file mode 100644
index 000000000000..89a325b2add4
--- /dev/null
+++ b/ports-mgmt/portaudit/database/auditfile.txt
@@ -0,0 +1,27 @@
+#
+# auditfile.txt - FreeBSD ports vulnerabilities database
+#
+# $FreeBSD$
+#
+# MAINTAINER=ports@FreeBSD.org
+#
+# Each entry consists of a single line containing the following three
+# fields in the order named, separated with the pipe (`|') character:
+#
+# Package: A pattern that matches the name of the vulnurable
+# package, see `man -M /usr/local/man pkg_info'.
+# Reference: An URL where an advisory can be found
+# Reason: The type of vulnurability found
+#
+# Keep this list sorted in the chronological order. New entries must
+# be added at the end, old entries shouldn't be removed; this should
+# document *all* known package vulnerabilities.
+#
+# This file does not have any designated maintainer, so feel free to
+# commit to it yourself. However, it is generally a good idea to
+# notify the maintainer of the affected package(s)
+#
+
+gnupg<1.2.3_4|http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html|ElGamal signing keys compromised
+rsync<2.5.7|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962|Buffer overflow in server
+gaim<0.75_2|http://security.e-matters.de/advisories/012004.txt|12 vulnerabilities that allow remote compromise
diff --git a/ports-mgmt/portaudit/files/fetchaudit.sh b/ports-mgmt/portaudit/files/fetchaudit.sh
new file mode 100644
index 000000000000..d7137ca6875d
--- /dev/null
+++ b/ports-mgmt/portaudit/files/fetchaudit.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+#
+# $FreeBSD$
+#
+
+# defaults
+daily_status_portaudit_enable="YES"
+portaudit_dir="%%DATABASEDIR%%"
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. %%DATADIR%%/portaudit.functions
+
+MASTER_SITE_LOCAL="
+ ${MASTER_SITE_LOCAL}
+ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ "
+
+MASTER_SITE_SUBDIR=eik
+
+DISTNAME=auditfile
+EXTRACT_SUFX=.tbz
+
+portaudit_file="${portaudit_dir}/${DISTNAME}${EXTRACT_SUFX}"
+
+# site sort order is not overly smart
+LOCATIONS=`echo "${MASTER_SITE_LOCAL}" | awk "
+ BEGIN { srand() }
+ /^[ \t]*\$/ { next }
+ {
+ gsub(/[ \t]/, \\"\\")
+ gsub(/%SUBDIR%/, \\"${MASTER_SITE_SUBDIR}\\")
+ print rand() \\"\t\\" \\$0 \\"${DISTNAME}${EXTRACT_SUFX}\\"
+ }
+ " | sort -n | cut -f 2`
+
+case "$daily_status_portaudit_enable" in
+ ""|[Yy][Ee][Ss])
+ if [ ! -f "${portaudit_file}" ] || checkexpiry_auditfile 5; then
+ echo ""
+ echo "Updating audit database."
+ cd "${portaudit_dir}"
+ fetch -1am ${LOCATIONS}
+ if [ ! $? ]; then
+ echo "Couldn't fetch database."
+ rc=2
+ elif [ ! -f "${portaudit_file}" ] ; then
+ echo "no database."
+ rc=2
+ elif checksum_auditfile; then
+ echo "database corrupt."
+ rc=2
+ elif checkexpiry_auditfile 7; then
+ echo "database too old."
+ rc=2
+ else
+ echo "done"
+ rc=1
+ fi
+ else
+ rc=0
+ fi
+ ;;
+ *)
+ rc=0
+ ;;
+esac
+
+exit "${rc}"
diff --git a/ports-mgmt/portaudit/files/portaudit.functions b/ports-mgmt/portaudit/files/portaudit.functions
new file mode 100644
index 000000000000..29d09ba5fb26
--- /dev/null
+++ b/ports-mgmt/portaudit/files/portaudit.functions
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+extract_auditfile()
+{
+ tar -jxOf "${portaudit_file}" auditfile
+}
+
+checksum_auditfile()
+{
+ chksum1=`extract_auditfile |
+ sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'`
+ chksum2=`extract_auditfile | sed -e '$d' | md5`
+ [ "${chksum1}" != "${chksum2}" ];
+}
+
+checkexpiry_auditfile()
+{
+ created=`extract_auditfile |
+ sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'`
+ expiry=`date -u -v-$1d '+%Y%m%d'`
+ [ "${created}" -lt "${expiry}" ];
+}
+
diff --git a/ports-mgmt/portaudit/files/portaudit.sh b/ports-mgmt/portaudit/files/portaudit.sh
new file mode 100644
index 000000000000..e4cab249aa65
--- /dev/null
+++ b/ports-mgmt/portaudit/files/portaudit.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+#
+# $FreeBSD$
+#
+
+# defaults
+daily_status_portaudit_enable="YES"
+portaudit_dir="%%DATABASEDIR%%"
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+. %%DATADIR%%/portaudit.functions
+
+portaudit_file="${portaudit_dir}/auditfile.tbz"
+
+rc=0
+case "$daily_status_portaudit_enable" in
+ ""|[Yy][Ee][Ss])
+ echo ""
+ echo "Checking for packages with security vulnerabilities:"
+ echo ""
+
+ if [ -z "${PKG_INFO}" ]; then
+ if [ -x /usr/local/sbin/pkg_info ]; then
+ PKG_INFO=/usr/local/sbin/pkg_info
+ else
+ PKG_INFO=/usr/sbin/pkg_info
+ fi
+ fi
+
+ if [ ! -x "${PKG_INFO}" ]; then
+ echo "${PKG_INFO} missing, please install port sysutils/pkg_install-devel"
+ exit 2
+ fi
+
+ PKG_INSTALL_VER=`${PKG_INFO} -qP 2>/dev/null`
+ if [ -z "${PKG_INSTALL_VER}" -o "${PKG_INSTALL_VER}" -lt 20040125 ]; then
+ echo "${PKG_INFO} is too old, please update port sysutils/pkg_install-devel"
+ exit 2
+ fi
+
+ if [ ! -f "${portaudit_file}" ]; then
+ echo "portaudit: database missing."
+ echo " run fetchaudit to update."
+ exit 2
+ fi
+ if checksum_auditfile; then
+ echo "portaudit: corrupt database."
+ exit 2
+ fi
+ if checkexpiry_auditfile 14; then
+ echo "portaudit: database too old."
+ echo ""
+ rc=2
+ fi
+
+ extract_auditfile | awk -F\| "
+ BEGIN { vul=0 }
+ /^(#|\$)/ { next }
+ {
+ cmd=\"${PKG_INFO} -E \\\"\" \$1 \"\\\"\"
+ while((cmd | getline pkg) > 0) {
+ vul++
+ print \"Affected package: \" pkg \"\\n\" \
+ \"Type of problem: \" \$3 \".\\n\" \
+ \"Reference: <\" \$2 \">\\n\"
+ }
+ close(cmd)
+ }
+ END {
+ print vul \" problem(s) in your installed packages found.\"
+ if (vul > 0) exit(1)
+ }
+ " || rc=1
+ ;;
+ *)
+ ;;
+esac
+
+exit "$rc"
diff --git a/ports-mgmt/portaudit/pkg-descr b/ports-mgmt/portaudit/pkg-descr
new file mode 100644
index 000000000000..f42c45dc97fb
--- /dev/null
+++ b/ports-mgmt/portaudit/pkg-descr
@@ -0,0 +1,17 @@
+portaudit provides a list of published security vulnerabilities
+of FreeBSD ports and tools to check if installed ports are listed.
+
+After installation it will update the security database automatically
+and include its reports in the output of the daily security run.
+
+Since this is a prerelease version, it is mostly usable for
+committers that want to contribute to the project, and can currently
+not be relied upon as an extensive security auditing tool.
+
+Credits go to Roland Dowdeswell <elric@NetBSD.org> and Bill
+Sommerfeld <sommerfeld@NetBSD.org> for the idea and Alistair
+Crooks <agc@NetBSD.org> for the initial implementation.
+
+WWW: http://sourceforge.net/projects/portaudit/
+
+Oliver Eikemeier <eik@FreeBSD.org>
diff --git a/ports-mgmt/portaudit/pkg-plist b/ports-mgmt/portaudit/pkg-plist
new file mode 100644
index 000000000000..f91562cb8cc8
--- /dev/null
+++ b/ports-mgmt/portaudit/pkg-plist
@@ -0,0 +1,9 @@
+%%PERIODICDIR%%/security/910.portaudit
+%%PERIODICDIR%%/daily/330.fetchaudit
+%%DATADIR%%/portaudit.functions
+@unexec rmdir %D/%%PERIODICDIR%%/security 2>/dev/null || true
+@unexec rmdir %D/%%PERIODICDIR%%/daily 2>/dev/null || true
+@unexec rmdir %D/%%PERIODICDIR%% 2>/dev/null || true
+@dirrm %%DATADIR%%
+@exec mkdir -p %%DATABASEDIR%%
+@unexec rmdir %%DATABASEDIR%% 2>/dev/null || true