authoragc <agc@pkgsrc.org>2000-09-19 19:23:17 +0000
committeragc <agc@pkgsrc.org>2000-09-19 19:23:17 +0000
commitad84afc499054404761f264c760ca9392d1e7dff (patch)
treea0ace654a222af92ea8f9a0b8a7ba0ebca9ff58d
parentbf8d861562d8cac3974f836788166fe03783b047 (diff)
downloadpkgsrc-ad84afc499054404761f264c760ca9392d1e7dff.tar.gz
Initial import of a package to scan a vulnerability list, looking for
installed packages which are insecure and open to exploitation. The original idea came from Roland Dowdeswell and Bill Sommerfeld, quite independently, the unorthodox implementation by me. This package contains two scripts: (1) download-vulnerability-list, which downloads a list of vulnerable packages from the NetBSD ftp server, and (2) audit-packages, which scans all the packages installed on the local machine, looking for packages which are vulnerable.
-rw-r--r--security/audit-packages/Makefile29
-rwxr-xr-xsecurity/audit-packages/files/audit-packages10
-rw-r--r--security/audit-packages/files/download-vulnerability-list11
-rw-r--r--security/audit-packages/pkg/COMMENT1
-rw-r--r--security/audit-packages/pkg/DESCR12
-rw-r--r--security/audit-packages/pkg/PLIST3
6 files changed, 66 insertions, 0 deletions
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile
new file mode 100644
index 00000000000..2a13a4d12e1
--- /dev/null
+++ b/security/audit-packages/Makefile
@@ -0,0 +1,29 @@
+# $NetBSD: Makefile,v 1.1.1.1 2000/09/19 19:23:17 agc Exp $
+
+DISTNAME= audit-packages-1.0
+CATEGORIES= security pkgtools
+MASTER_SITES= # empty
+DISTFILES= # empty
+
+MAINTAINER= agc@netbsd.org
+
+WRKSRC= ${WRKDIR}
+NO_CHECKSUM= yes
+NO_BUILD= yes
+NO_MTREE= yes
+
+do-configure:
+ @for f in audit-packages download-vulnerability-list; do \
+ ${SED} -e 's|\$${DISTDIR}|${DISTDIR}|g' \
+ -e 's|\$${AWK}|${AWK}|g' \
+ -e 's|\$${FETCH_CMD}|${FETCH_CMD}|g' \
+ -e 's|\$${PKG_INFO}|${PKG_INFO}|g' \
+ ${FILESDIR}/$$f > ${WRKSRC}/$$f; \
+ done
+
+do-install:
+ @for f in audit-packages download-vulnerability-list; do \
+ ${BSD_INSTALL_SCRIPT} ${WRKSRC}/$$f ${PREFIX}/sbin; \
+ done
+
+.include "../../mk/bsd.pkg.mk"
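Review bot: The script list `audit-packages download-vulnerability-list` is spelled out twice, once in the do-configure loop and again in the do-install loop, so adding a third script means editing both places (plus the PLIST); hoisting it into one variable keeps them in step: `SCRIPTS=	audit-packages download-vulnerability-list` near the other assignments, then `@for f in ${SCRIPTS}; do \` in both targets. The sed substitution also assumes none of the substituted pkgsrc values (`${DISTDIR}`, `${AWK}`, `${FETCH_CMD}`, `${PKG_INFO}`) contains a `|`, since that is the sed delimiter; a one-line comment above do-configure stating that assumption, e.g. `# '|' is the sed delimiter: substituted values must not contain it`, would save the next maintainer a puzzle.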
diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages
new file mode 100755
index 00000000000..cb08a0285c7
--- /dev/null
+++ b/security/audit-packages/files/audit-packages
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+${AWK} '
+ /^#.*/ { next }
+ NF == 0 { next }
+ { cmd = sprintf("${PKG_INFO} -qe \"%s\" && echo Package \"`${PKG_INFO} -e \"%s\"`\" has a %s vulnerability, see %s", $1, $1, $2, $3);
+ system(cmd); }
+' ${DISTDIR}/vulnerabilities
+
+exit 0
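Review bot: Each field of ${DISTDIR}/vulnerabilities is spliced into a command string by sprintf on the `cmd =` line and handed to system(), so the list that download-vulnerability-list fetched over plain FTP is re-parsed by a shell with only double quotes around $1 and nothing around $2 and $3; a `"`, backquote or `$` in a list line changes what the shell runs rather than what is printed. Reading the file with a `while read` loop and passing the fields as separate arguments removes the shell re-parse entirely while keeping the comment/blank-line skipping the awk program does. The final `exit 0` also discards whether anything was reported, so a caller cannot tell a clean machine from one with findings; the rewrite below keeps that behaviour for compatibility, but a non-zero status on findings would make the script usable from cron.
```shell
#! /bin/sh

# One entry per line: <package pattern> <vulnerability type> <reference URL>.
# Comment lines (leading '#') and blank lines are skipped.  Fields are passed
# to pkg_info and echo as arguments; they are never re-parsed by a shell.
grep -v '^#' ${DISTDIR}/vulnerabilities | while read pkg type url rest; do
	[ -z "$pkg" ] && continue
	if ${PKG_INFO} -qe "$pkg"; then
		echo "Package `${PKG_INFO} -e \"$pkg\"` has a $type vulnerability, see $url"
	fi
done

exit 0
```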
diff --git a/security/audit-packages/files/download-vulnerability-list b/security/audit-packages/files/download-vulnerability-list
new file mode 100644
index 00000000000..86270469396
--- /dev/null
+++ b/security/audit-packages/files/download-vulnerability-list
@@ -0,0 +1,11 @@
+#! /bin/sh
+
+NEW_VUL_LIST=${DISTDIR}/vulnerabilities.$$
+
+${FETCH_CMD} -o ${NEW_VUL_LIST} ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities || \
+ (echo "Can't download vulnerability list"; exit 1)
+
+/usr/bin/cmp -s ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities > /dev/null 2>&1 || \
+ (/bin/mv ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities)
+
+exit 0
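Review bot: The `|| (echo "Can't download vulnerability list"; exit 1)` on the fetch line exits only the parenthesised subshell, so a failed download falls through to the cmp/mv lines and the script still ends with `exit 0`; if the fetch left a partial `vulnerabilities.$$`, cmp fails and that partial file is moved over the previous good list. A brace group makes the exit the script's own, and the equal-files branch should remove the temporary copy, which at present is left behind in ${DISTDIR} on every unchanged run. Nothing on the page verifies the downloaded list (no checksum or signature), and audit-packages acts on its contents, so the failure path here is the one safeguard this script has; a comment saying so, e.g. `# No integrity check on the list: a failed or partial fetch must never replace the installed copy`, is worth adding.
```shell
# … unchanged: shebang …
NEW_VUL_LIST=${DISTDIR}/vulnerabilities.$$

# Stop on a failed download: a brace group runs in this shell, so the exit
# is the script's, not a subshell's, and no partial file is kept around.
${FETCH_CMD} -o ${NEW_VUL_LIST} ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities || {
	echo "Can't download vulnerability list"
	rm -f ${NEW_VUL_LIST}
	exit 1
}

# Replace the installed list only when it changed; otherwise drop the copy.
if /usr/bin/cmp -s ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities > /dev/null 2>&1; then
	rm -f ${NEW_VUL_LIST}
else
	/bin/mv ${NEW_VUL_LIST} ${DISTDIR}/vulnerabilities
fi

exit 0
```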
diff --git a/security/audit-packages/pkg/COMMENT b/security/audit-packages/pkg/COMMENT
new file mode 100644
index 00000000000..a0b3ebeb1c3
--- /dev/null
+++ b/security/audit-packages/pkg/COMMENT
@@ -0,0 +1 @@
+tools to show vulnerabilities in installed packages
diff --git a/security/audit-packages/pkg/DESCR b/security/audit-packages/pkg/DESCR
new file mode 100644
index 00000000000..e583e4e65ad
--- /dev/null
+++ b/security/audit-packages/pkg/DESCR
@@ -0,0 +1,12 @@
+The audit-packages tools provide two scripts:
+
+(1) download-vulnerability-list, an easy way to download a list of
+security vulnerabilities which have been published. This list is kept
+up to date by the NetBSD security officer. It is held at the
+well-known URL:
+
+ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities
+
+(2) audit-packages, an easy way to audit the current machine, checking
+each vulnerability listed by the security officer. If a vulnerable
+package is installed, it will be shown by output to stdout.
diff --git a/security/audit-packages/pkg/PLIST b/security/audit-packages/pkg/PLIST
new file mode 100644
index 00000000000..3c712b29259
--- /dev/null
+++ b/security/audit-packages/pkg/PLIST
@@ -0,0 +1,3 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2000/09/19 19:23:17 agc Exp $
+sbin/audit-packages
+sbin/download-vulnerability-list