author | eik <eik@FreeBSD.org> | 2004-03-11 19:11:59 +0800 |
committer | eik <eik@FreeBSD.org> | 2004-03-11 19:11:59 +0800 |
commit | 7b0fd02dc061a1f332c5b1dd651e7e8905ee10c3 (patch) | |
tree | 426976fa120aeb9a2d5e173cfc92ca45fe688eb6 /security | |
parent | c52e2984fc85f2d3b70dbc20f3512e1dd6749f25 (diff) | |
Update to 0.3.
Since we are using the official VuXML database
the auditing should be pretty complete.
- mention web page
- add more mirrors, disabling .ru mirror (too much lag)
- allow combined options in portaudit shell script
- add sample configuration file
- use absolute paths for binaries, to ease use in crontab scripts [1]
- correct typo in man page [2]
PR: 64005 [2]
Submitted by: Tomasz Pilat <poncki@axelspringer.com.pl> [1]
Nathan Dove <njdove@wafer.sandia.gov> [2]
Diffstat (limited to 'security')
-rw-r--r-- | security/portaudit/Makefile | 10 | ||||
-rw-r--r-- | security/portaudit/files/portaudit-cmd.sh | 75 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.1 | 19 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.conf | 24 | ||||
-rw-r--r-- | security/portaudit/files/portaudit.functions | 68 | ||||
-rw-r--r-- | security/portaudit/pkg-deinstall | 17 | ||||
-rw-r--r-- | security/portaudit/pkg-descr | 5 | ||||
-rw-r--r-- | security/portaudit/pkg-install | 12 | ||||
-rw-r--r-- | security/portaudit/pkg-plist | 1 |
9 files changed, 145 insertions, 86 deletions
diff --git a/security/portaudit/Makefile b/security/portaudit/Makefile
index 8b186c098bf3..c574bff71052 100644
--- a/security/portaudit/Makefile
+++ b/security/portaudit/Makefile
@@ -6,7 +6,7 @@
 #
 PORTNAME= portaudit
-PORTVERSION= 0.2.1
+PORTVERSION= 0.3
 CATEGORIES= security
 DISTFILES=
@@ -36,17 +36,18 @@ RUN_DEPENDS= ${LOCALBASE}/sbin/pkg_info:${PORTSDIR}/sysutils/pkg_install-devel
 .include <bsd.port.pre.mk>
-.if ${OSVERSION} < 420001 || ${OSVERSION} >= 500000 && ${OSVERSION} < 500014
-IGNORE= "You need tar with bzip support to run portaudit"
+.if defined(BZIP2DEPENDS)
+RUN_DEPENDS+= bzip2:${PORTSDIR}/archivers/bzip2
 .endif
 do-build:
-.for f in portaudit-cmd.sh portaudit.sh fetchaudit.sh portaudit.functions portaudit.1
+.for f in portaudit-cmd.sh portaudit.sh fetchaudit.sh portaudit.functions portaudit.1 portaudit.conf
 @${SED} -e "s|%%DATADIR%%|${DATADIR}|g" \
 -e "s|%%DATABASEDIR%%|${DATABASEDIR}|g" \
 -e "s|%%PREFIX%%|${PREFIX}|g" \
 -e "s|%%LOCALBASE%%|${LOCALBASE}|g" \
 -e "s|%%PORTVERSION%%|${PORTVERSION}|g" \
+ -e "s|%%BZIP2_CMD%%|${BZIP2_CMD}|g" \
 ${FILESDIR}/${f} > ${WRKDIR}/${f}
 .endfor
@@ -66,6 +67,7 @@ do-install:
 @${INSTALL_SCRIPT} ${WRKDIR}/fetchaudit.sh ${PERIODICDIR}/daily/330.fetchaudit
 @${MKDIR} ${DATADIR}
 @${INSTALL_DATA} ${WRKDIR}/portaudit.functions ${DATADIR}
+ @${INSTALL_DATA} ${WRKDIR}/portaudit.conf ${PREFIX}/etc/portaudit.conf.sample
 @${MKDIR} ${DATABASEDIR}
 post-install:
diff --git a/security/portaudit/files/portaudit-cmd.sh b/security/portaudit/files/portaudit-cmd.sh
index 76b43ec458ae..7b48e0be3888 100644
--- a/security/portaudit/files/portaudit-cmd.sh
+++ b/security/portaudit/files/portaudit-cmd.sh
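Review bot: The new `%%BZIP2_CMD%%` substitution in do-build is not checked at build time: if `BZIP2_CMD` expands to empty, the generated portaudit.functions carries a bare ` -dc -- …` pipeline in extract_auditfile that only fails when the script runs. A parse-time guard next to the new `.if defined(BZIP2DEPENDS)` block, such as `.if empty(BZIP2_CMD)` / `IGNORE= "BZIP2_CMD is not set, cannot build portaudit"` / `.endif`, would make the port fail loudly instead. Whether bsd.port.pre.mk sets `BZIP2_CMD` in every configuration is not visible here, so the guard may turn out to be belt-and-braces.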
@@ -34,34 +34,57 @@
 . %%DATADIR%%/portaudit.functions
 portaudit_confs
+opt_audit=false
+opt_version=false
+opt_dbversion=false
+opt_fetch=false
+opt_quiet=false
+
 if [ $# -eq 0 ] ; then
- portaudit_prerequisites
- audit_installed || true
+ opt_audit=true
 fi
-while [ $# -gt 0 ]; do
- case "$1" in
- -a)
- portaudit_prerequisites
- audit_installed || true
- ;;
- -V)
- echo "portaudit version %%PORTVERSION%%"
- ;;
- -d)
- if [ ! -f "${portaudit_dir}/${portaudit_filename}" ]; then
- echo "portaudit: database missing. run \`portaudit -F' to update."
- exit 2
- fi
- if ! checksum_auditfile; then
- echo "portaudit: database corrupt."
- exit 2
- fi
- echo "database created: `getcreated_auditfile`"
- ;;
- -F)
- fetch_auditfile || echo "failed."
- ;;
+while getopts aVdFq opt; do
+ case "$opt" in
+ a)
+ opt_audit=true;;
+ d)
+ opt_dbversion=true;;
+ F)
+ opt_fetch=true;;
+ q)
+ opt_quiet=true;;
+ V)
+ opt_version=true;;
+ ?)
+ echo "Usage: $0 -adFqV"
+ exit 2;;
 esac
- shift
 done
+
+shift $(($OPTIND - 1))
+
+if $opt_version; then
+ echo "portaudit version %%PORTVERSION%%"
+fi
+
+if $opt_fetch; then
+ fetch_auditfile || echo "failed."
+fi
+
+if $opt_dbversion; then
+ if [ ! -f "${portaudit_dir}/${portaudit_filename}" ]; then
+ echo "portaudit: database missing. run \`portaudit -F' to update."
+ exit 2
+ fi
+ if ! checksum_auditfile; then
+ echo "portaudit: database corrupt."
+ exit 2
+ fi
+ echo "database created: `getcreated_auditfile`"
+fi
+
+if $opt_audit; then
+ portaudit_prerequisites
+ audit_installed || true
+fi
diff --git a/security/portaudit/files/portaudit.1 b/security/portaudit/files/portaudit.1
index c5e6e949d18b..4950ff868b2f 100644
--- a/security/portaudit/files/portaudit.1
+++ b/security/portaudit/files/portaudit.1
@@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 21, 2004
+.Dd March 11, 2004
 .Os FreeBSD
 .Dt PORTAUDIT \&1 "FreeBSD ports collection"
 .
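Review bot: With the options collected into flags and executed in a fixed order, a failed `-F` no longer affects the rest of the run: `fetch_auditfile || echo "failed."` prints a message, the `-d` and `-a` branches still execute against whatever database is present, and the script's exit status no longer reflects the fetch, so `portaudit -F -a` from a cron job looks successful even when the database could not be refreshed. Recording the failure, e.g. `fetch_auditfile || { echo "failed."; rc=1; }` and ending the script with `exit ${rc:-0}`, would let the caller see it. `opt_quiet` is set by `-q` but never read in this hunk; if a function outside this script consumes it, a comment saying so would help, otherwise the option is silently a no-op. Arguments left over after `shift $(($OPTIND - 1))` are discarded without a diagnostic.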
@@ -60,12 +60,12 @@ to check if security advisories for any installed packages exist. Note that a current ports tree (or any local copy of the ports tree) is not required for operation.
 .Pp
-This package also installs two scripts into %%PREFIX%%/periodic that regularly
-update this database and include the report of vulnerable packages in the
-daily security report.
+This package also installs two scripts into %%PREFIX%%/etc/periodic that
+regularly update this database and include the report of vulnerable packages
+in the daily security report.
 .Pp
 If you have a vulnerable package installed, you are advised to update or
-deinstalled it immediately.
+deinstall it immediately.
 .
 .
 .Sh OPTIONS
@@ -110,15 +110,16 @@ Print a vulnerability report for all installed packages:
 .Xr ports 7 ,
 .Xr periodic 8 ,
 .Xr periodic.conf 5 ,
-.Li Aq http://www.freebsd.org/security/#adv .
+.Li Aq http://people.freebsd.org/~eik/portaudit/ ,
+.Li Aq http://www.freebsd.org/security/#adv ,
 .Li Aq http://www.vuxml.org/ .
 .
 .
 .Sh CAVEATS
 .
-.Nm
-is in develpoment and should currently not be relied upon
-as an extensive security auditing tool.
+The format of
+.Pa %%DATABASEDIR%%/auditfile.tbz
+might change.
 .
 .
 .Sh BUGS
diff --git a/security/portaudit/files/portaudit.conf b/security/portaudit/files/portaudit.conf
new file mode 100644
index 000000000000..612d86357bd7
--- /dev/null
+++ b/security/portaudit/files/portaudit.conf
@@ -0,0 +1,24 @@
+#
+# Sample configuration file for portaudit(1)
+#
+# copy to %%PREFIX%%/etc/portaudit.conf
+#
+# $FreeBSD$
+#
+
+# specify a proxy if needed, see fetch(3)
+#FETCH_ENV="FTP_PROXY=http://ftp.proxy.sample/ HTTP_PROXY=http://http.proxy.sample:80/"
+
+# default fetch command
+#FETCH_CMD="/usr/bin/fetch -1am"
+
+# uncoment to use passive ftp, see fetch(1)
+#FETCH_BEFORE_ARGS="-p"
+
+#FETCH_AFTER_ARGS=
+
+# specify a local mirror here
+#MASTER_SITES="http://my.mirror.sample/path/portaudit/"
+
+# uncomment to prefer the UK mirror, jp, se, tw and uk are available
+#MASTER_SORT_REGEX="\.uk[.\/]"
diff --git a/security/portaudit/files/portaudit.functions b/security/portaudit/files/portaudit.functions
index 36f10289dd1b..93437a259130 100644
--- a/security/portaudit/files/portaudit.functions
+++ b/security/portaudit/files/portaudit.functions
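Review bot: The header says only `copy to %%PREFIX%%/etc/portaudit.conf`, but portaudit_confs sources that file as shell (`. %%PREFIX%%/etc/portaudit.conf`), including from the periodic(8) jobs this port installs, which normally run as root; the sample should state that so administrators handle it like a script, e.g. `# NOTE: this file is sourced as a shell script by portaudit(1) and by the periodic jobs; keep it owned by root and not writable by other users.` The comment `uncoment to use passive ftp` should read `uncomment`. Since `MASTER_SORT_REGEX` is used as an awk regular expression in fetch_locations, the comment on it could say so, as the value must be valid awk syntax.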
@@ -36,25 +36,29 @@ portaudit_confs()
 portaudit_dir=${portaudit_dir:-"%%DATABASEDIR%%"}
 portaudit_filename=${portaudit_filename:-"auditfile.tbz"}
- FETCH_ENV=
- FETCH_CMD="fetch -1am"
- FETCH_BEFORE_ARGS=
- FETCH_AFTER_ARGS=
+ FETCH_ENV=${FETCH_ENV:-}
+ FETCH_CMD=${FETCH_CMD:-"/usr/bin/fetch -1am"}
+ FETCH_BEFORE_ARGS=${FETCH_BEFORE_ARGS:-}
+ FETCH_AFTER_ARGS=${FETCH_AFTER_ARGS:-}
- MASTER_SITE_LOCAL="
- ${MASTER_SITE_LOCAL}
+ MASTER_SITES=${MASTER_SITES:-"
 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
 ftp://ftp.se.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp1.ro.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
 ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- ftp://ftp.ru.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ ftp://ftp.at.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
 ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
 ftp://ftp.tw.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
- "
+ http://public.planetmirror.com/pub/FreeBSD/ports/local-distfiles/%SUBDIR%/
+ "}
+ MASTER_SITE_SUBDIR=${MASTER_SITE_SUBDIR:-"eik"}
- MASTER_SITE_SUBDIR=eik
+ MASTER_SITE_BACKUP=${MASTER_SITE_BACKUP:-"http://people.freebsd.org/~eik/portaudit/"}
 #MASTER_SORT_REGEX="\.uk[.\/]"
- MASTER_SORT_REGEX="#"
+ MASTER_SORT_REGEX=${MASTER_SORT_REGEX:-"#"}
 if [ -r %%PREFIX%%/etc/portaudit.conf ]; then
 . %%PREFIX%%/etc/portaudit.conf
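Review bot: The `${FETCH_CMD:-…}` defaults apply only when the variable is unset or empty, so a value inherited from the caller's environment now wins over the built-in default, and because these assignments run before `. %%PREFIX%%/etc/portaudit.conf` the config file can still override either; this replaces the previous unconditional assignments and, for `FETCH_CMD`, means an exported environment variable decides which fetch binary runs despite the absolute-path change this commit makes. The pattern matches the existing `portaudit_dir` lines, so it is probably intended, but a comment above the block, `# environment values override these defaults; portaudit.conf (sourced below) overrides both`, would record that. `MASTER_SORT_REGEX` is interpolated unescaped into an awk pattern in fetch_locations, so the value must be valid awk regex syntax; the `"#"` default disables the preference only because no site string contains that character, which is worth a comment on that line.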
@@ -63,27 +67,28 @@ portaudit_confs()
 extract_auditfile()
 {
- tar -jxOf "${portaudit_dir}/${portaudit_filename}" auditfile
+ %%BZIP2_CMD%% -dc -- "${portaudit_dir}/${portaudit_filename}" | \
+ /usr/bin/tar -xOf - auditfile
 }
 checksum_auditfile()
 {
 chksum1=`extract_auditfile |
- sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'`
- chksum2=`extract_auditfile | sed -e '$d' | md5`
+ /usr/bin/sed -nEe '$s/^#CHECKSUM: *MD5 *([0-9a-f]{32})$/\1/p'`
+ chksum2=`extract_auditfile | /usr/bin/sed -e '$d' | /sbin/md5`
 [ "${chksum1}" = "${chksum2}" ];
 }
 getcreated_auditfile()
 {
 extract_auditfile |
- sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
+ /usr/bin/sed -nEe '1s/^#CREATED: *([0-9]{4})-?([0-9]{2})-?([0-9]{2}).*$/\1\2\3/p'
 }
 checkexpiry_auditfile()
 {
 created=`getcreated_auditfile`
- expiry=`date -u -v-$1d '+%Y%m%d'`
+ expiry=`/bin/date -u -v-$1d '+%Y%m%d'`
 [ "${created}" -ge "${expiry}" ];
 }
@@ -126,7 +131,7 @@ portaudit_prerequisites()
 audit_installed()
 {
- extract_auditfile | awk -F\| "
+ extract_auditfile | /usr/bin/awk -F\| "
 BEGIN { vul=0 }
 /^(#|\$)/ { next }
 {
@@ -153,15 +158,18 @@ audit_installed()
 fetch_locations()
 {
 # site sort order is not overly smart
- echo "${MASTER_SITE_LOCAL}" | sed -e 'y/ /\n\n/' | awk "
+ echo ${MASTER_SITES} | /usr/bin/tr -s ' \t' '\n' | /usr/bin/awk "
 BEGIN { IGNORECASE=1; srand() }
 /^$/ { next }
 {
 if (\$0 ~ /${MASTER_SORT_REGEX}/ ) rank=0; else rank=rand()
 gsub(/%SUBDIR%/, \"${MASTER_SITE_SUBDIR}\")
- print rank \"\\t\" \$0
+ print \$0 \"\\t\" rank
 }
- " | sort -n | cut -f 2
+ " | /usr/bin/sort -n -k 2 | /usr/bin/cut -f 1
+ if [ -n "${MASTER_SITE_BACKUP}" ]; then
+ echo "${MASTER_SITE_BACKUP}"
+ fi
 }
 fetch_auditfile()
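Review bot: The new `extract_auditfile` pipeline returns only tar's status, so a decompressor failure (`%%BZIP2_CMD%%` exiting non-zero on a truncated or corrupt file) is invisible to callers that previously got the single `tar -jxOf` result; `getcreated_auditfile` and `audit_installed` consume the output without any further check. Decompressing to a temporary file first, `%%BZIP2_CMD%% -dc -- "${portaudit_dir}/${portaudit_filename}" > "${tmpfile}" || return 1` followed by `/usr/bin/tar -xOf "${tmpfile}" auditfile`, keeps the error visible. Separately, the MD5 that `checksum_auditfile` compares is read from the last line of the same file it covers, so it detects transfer damage but not a substituted file served by one of the mirrors or an on-path party; a comment above the function, `# integrity check only: the checksum is carried inside the file it covers`, would stop maintainers from reading it as authentication.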
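Review bot: `echo ${MASTER_SITES}` is left unquoted so the shell splits the whitespace-separated list, but that also applies pathname expansion to each word, and `for site in \`fetch_locations\`` in fetch_auditfile (outside this hunk) repeats the expansion after `cd "${portaudit_dir}"`; a user-supplied site string containing `?` or `*` could thus be replaced by file names from the database directory. Turning globbing off around both expansions, `set -f` before and `set +f` after, keeps word splitting without that side effect. The unconditional `echo "${MASTER_SITE_BACKUP}"` after the sort means the backup site is tried last regardless of `MASTER_SORT_REGEX`; a comment stating that, `# the backup site is always tried last`, would make the intent explicit.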
@@ -169,22 +177,25 @@ fetch_auditfile()
 rc=1
 if [ ! -d "${portaudit_dir}" ]; then
- mkdir -p "${portaudit_dir}"
+ if ! /bin/mkdir -p "${portaudit_dir}"; then
+ echo "Couldn't create ${portaudit_dir}, try running portaudit -F as root"
+ return 1
+ fi
 fi
 if [ ! -w "${portaudit_dir}" ]; then
- echo "Couldn't write to ${portaudit_dir}"
+ echo "Couldn't write to ${portaudit_dir}, try running portaudit -F as root"
 return 1
 fi
 cd "${portaudit_dir}"
 if [ -r "${portaudit_filename}" ]; then
- cp "${portaudit_filename}" "${portaudit_filename}.old"
+ /bin/cp "${portaudit_filename}" "${portaudit_filename}.old"
 fi
 for site in `fetch_locations`; do
 echo ">> Attempting to fetch from ${site}."
- args="${site}/${portaudit_filename}"
- env ${FETCH_ENV} ${FETCH_CMD} ${FETCH_BEFORE_ARGS} ${args} ${FETCH_AFTER_ARGS}
+ args="${site}${portaudit_filename}"
+ /usr/bin/env ${FETCH_ENV} ${FETCH_CMD} ${FETCH_BEFORE_ARGS} ${args} ${FETCH_AFTER_ARGS}
 if [ $? -ne 0 ]; then
 echo "Couldn't fetch database."
 elif [ ! -f "${portaudit_dir}/${portaudit_filename}" ] ; then
@@ -193,6 +204,7 @@ fetch_auditfile()
 echo "fetched database corrupt."
 elif ! checkexpiry_auditfile 7; then
 echo "fetched database too old."
+ rc=0
 else
 echo "new database installed."
 rc=0
@@ -201,12 +213,14 @@ fetch_auditfile()
 done
 if [ -f "${portaudit_filename}.old" ]; then
 if [ ${rc} -eq 0 ]; then
- rm -f "${portaudit_filename}.old"
+ /bin/rm -f "${portaudit_filename}.old"
 else
- mv -f "${portaudit_filename}.old" "${portaudit_filename}"
+ /bin/mv -f "${portaudit_filename}.old" "${portaudit_filename}"
 echo "old database restored."
 fi
 fi
- chmod a=r "${portaudit_filename}"
+ if [ -f "${portaudit_filename}" ]; then
+ /bin/chmod a=r "${portaudit_filename}"
+ fi
 return ${rc}
 }
diff --git a/security/portaudit/pkg-deinstall b/security/portaudit/pkg-deinstall
index 8aebe9994cb0..7e4ebf7c68c4 100644
--- a/security/portaudit/pkg-deinstall
+++ b/security/portaudit/pkg-deinstall
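Review bot: The added `rc=0` in the `fetched database too old.` branch turns a stale download into a success: with `rc` at 0 the cleanup below removes `${portaudit_filename}.old` instead of restoring it, and the function's return value no longer distinguishes a current database from one older than the 7-day expiry that `checkexpiry_auditfile 7` enforces. If a stale mirror copy is deliberately accepted, a comment next to it, `# a stale mirror copy is still usable; keep it and report success`, should say so, otherwise the line should go. The new `args="${site}${portaudit_filename}"` requires every site to end in `/`; a `MASTER_SITES` or `MASTER_SITE_BACKUP` value without the trailing slash silently yields a wrong URL, which `case "${site}" in */) ;; *) site="${site}/";; esac` at the top of the loop would normalise. fetch_auditfile's body continues between the three hunks.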
@@ -3,16 +3,15 @@
 # $FreeBSD$
 #
-ECHO_CMD=echo
-
 case $2 in
 POST-DEINSTALL)
- ${ECHO_CMD}
- ${ECHO_CMD} "The portaudit package has been deleted."
- ${ECHO_CMD} "If you're *not* upgrading and won't be using"
- ${ECHO_CMD} "it any longer, you may want to remove the"
- ${ECHO_CMD} "portaudit database:"
- ${ECHO_CMD}
- ${ECHO_CMD} " rm -Rf %%DATABASEDIR%%"
+ echo
+ echo "The portaudit package has been deleted."
+ echo "If you're *not* upgrading and won't be using"
+ echo "it any longer, you may want to remove the"
+ echo "portaudit database:"
+ echo
+ echo " rm -Rf %%DATABASEDIR%%"
+ echo
 ;;
 esac
diff --git a/security/portaudit/pkg-descr b/security/portaudit/pkg-descr
index cab77aaf3fbd..9dd30dd115f6 100644
--- a/security/portaudit/pkg-descr
+++ b/security/portaudit/pkg-descr
@@ -4,9 +4,6 @@ database of published security vulnerabilities. After installation it will
 update this security database automatically and include its reports in the output of the daily security run.
-Since this system is in development it can currently not be relied upon as an
-extensive security auditing tool.
-
 If you have found a vulnerability not listed in the database, please contact the FreeBSD Security Officer <security-officer@FreeBSD.org>. Refer to
@@ -14,6 +11,6 @@ the FreeBSD Security Officer <security-officer@FreeBSD.org>. Refer to
 for more information.
-WWW: http://sourceforge.net/projects/portaudit/
+WWW: http://people.freebsd.org/~eik/portaudit/
 Oliver Eikemeier <eik@FreeBSD.org>
diff --git a/security/portaudit/pkg-install b/security/portaudit/pkg-install
index 56b66fd5592d..485fe2c991cb 100644
--- a/security/portaudit/pkg-install
+++ b/security/portaudit/pkg-install
@@ -3,16 +3,14 @@
 # $FreeBSD$
 #
-ECHO_CMD=echo
-
 case $2 in
 POST-INSTALL)
 if [ ! -f "%%DATABASEDIR%%/auditfile.tbz" ]; then
- ${ECHO_CMD}
- ${ECHO_CMD} "===> To check your installed ports for known vulnerabilities now do:"
- ${ECHO_CMD}
- ${ECHO_CMD} " %%PREFIX%%/bin/portaudit -F -a"
- ${ECHO_CMD}
+ echo
+ echo "===> To check your installed ports for known vulnerabilities now do:"
+ echo
+ echo " %%PREFIX%%/bin/portaudit -F -a"
+ echo
 fi
 ;;
 esac
diff --git a/security/portaudit/pkg-plist b/security/portaudit/pkg-plist
index 4262caf1153c..901547d3196e 100644
--- a/security/portaudit/pkg-plist
+++ b/security/portaudit/pkg-plist
@@ -1,4 +1,5 @@
 bin/portaudit
+etc/portaudit.conf.sample
 %%PERIODICDIR%%/security/910.portaudit
 %%PERIODICDIR%%/daily/330.fetchaudit
 %%DATADIR%%/portaudit.functions