-rw-r--r-- | security/audit-packages/Makefile | 27 | ||||
-rw-r--r-- | security/audit-packages/PLIST | 6 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.8 | 161 |
3 files changed, 188 insertions, 6 deletions
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile index 7bacb8665c0..3ecff052dd4 100644 --- a/security/audit-packages/Makefile +++ b/security/audit-packages/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.20 2003/05/21 14:07:45 seb Exp $ +# $NetBSD: Makefile,v 1.21 2003/06/12 06:59:30 wiz Exp $ -DISTNAME= audit-packages-1.15 +DISTNAME= audit-packages-1.16 WRKSRC= ${WRKDIR} CATEGORIES= security pkgtools MASTER_SITES= # empty @@ -10,22 +10,39 @@ MAINTAINER= agc@netbsd.org COMMENT= tools to show vulnerabilities in installed packages NO_CHECKSUM= yes -NO_BUILD= yes NO_MTREE= yes -do-configure: - @for f in audit-packages download-vulnerability-list; do \ +.include "../../mk/bsd.prefs.mk" + +.if ${OPSYS} == "SunOS" +# This doesn't create readable manual pages. "mandoc" should be added +# to zoularis. +NROFF= nroff -man +.else +NROFF= nroff -mandoc +.endif + +do-build: + @for f in audit-packages audit-packages.8 \ + download-vulnerability-list; do \ ${SED} -e 's|@PKGVULNDIR@|${PKGVULNDIR}|g' \ -e 's|@AWK@|${AWK}|g' \ -e 's|@FETCH_CMD@|${FETCH_CMD}|g' \ + -e 's|@FETCH_CMD_SHORT@|${FETCH_CMD:T}|g' \ + -e 's|@PKGSRCDIR@|${_PKGSRCDIR}|g' \ -e 's|@PKG_TOOLS_BIN@|${PKG_TOOLS_BIN}|g' \ -e 's|@SH@|${SH}|g' \ ${FILESDIR}/$$f > ${WRKSRC}/$$f; \ done + ${NROFF} ${WRKSRC}/audit-packages.8 >${WRKSRC}/audit-packages.0 do-install: @for f in audit-packages download-vulnerability-list; do \ ${INSTALL_SCRIPT} ${WRKSRC}/$$f ${PREFIX}/sbin; \ done + ${INSTALL_MAN} ${WRKSRC}/audit-packages.0 ${PREFIX}/man/cat8 + ${INSTALL_MAN} ${WRKSRC}/audit-packages.8 ${PREFIX}/man/man8 + ${LN} -s audit-packages.0 ${PREFIX}/man/cat8/download-vulnerability-list.0 + ${LN} -s audit-packages.8 ${PREFIX}/man/man8/download-vulnerability-list.8 .include "../../mk/bsd.pkg.mk" diff --git a/security/audit-packages/PLIST b/security/audit-packages/PLIST index 61622f44783..c337d07a7df 100644 --- a/security/audit-packages/PLIST +++ b/security/audit-packages/PLIST 
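Review bot: The new `do-install` lines write into `${PREFIX}/man/cat8` and `${PREFIX}/man/man8` without creating them, and the context line `NO_MTREE= yes` suggests the standard directory hierarchy is not set up for this package, so on a fresh prefix `${INSTALL_MAN}` may fail or create a plain file named `cat8`. Adding `${INSTALL_MAN_DIR} ${PREFIX}/man/cat8 ${PREFIX}/man/man8` ahead of the first `${INSTALL_MAN}` would make the step self-contained. The two `${LN} -s` calls also fail when the link already exists, so `${LN} -sf` is safer for reinstalls. Separately, in `do-build` the substituted values (`${FETCH_CMD}`, `${_PKGSRCDIR}` and the others) are interpolated unescaped into the `s|...|...|g` expressions; a value containing `|` or `&` would corrupt the generated scripts, which deserves a comment because those scripts are the audit tooling itself.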
@@ -1,3 +1,7 @@
-@comment $NetBSD: PLIST,v 1.1 2001/11/01 01:16:32 zuntum Exp $
+@comment $NetBSD: PLIST,v 1.2 2003/06/12 06:59:30 wiz Exp $
+man/cat8/audit-packages.0
+man/cat8/download-vulnerability-list.0
+man/man8/audit-packages.8
+man/man8/download-vulnerability-list.8
 sbin/audit-packages
 sbin/download-vulnerability-list
diff --git a/security/audit-packages/files/audit-packages.8 b/security/audit-packages/files/audit-packages.8
new file mode 100644
index 00000000000..ddb6e235330
--- /dev/null
+++ b/security/audit-packages/files/audit-packages.8
@@ -0,0 +1,161 @@
+.\" $NetBSD: audit-packages.8,v 1.1 2003/06/12 06:59:31 wiz Exp $
+.Dd June 11, 2003
+.Os
+.Dt AUDIT-PACKAGES 8
+.Sh NAME
+.Nm audit-packages ,
+.Nm download-vulnerability-list
+.Nd show vulnerabilities in installed packages
+.Sh SYNOPSIS
+.Nm
+.Nm download-vulnerability-list
+.Sh DESCRIPTION
+The
+.Nm
+program compares the installed packages with the
+.Pa vulnerabilities
+file and reports any known security issues to standard output.
+This output contains the name and version of the package, the
+type of vulnerability, and an URL for further information for each
+vulnerable package.
+.Pp
+The
+.Nm download-vulnerability-list
+program downloads this file from
+.Pa ftp://ftp.netbsd.org/pub/NetBSD/packages/distfiles/vulnerabilities
+using
+.Xr @FETCH_CMD_SHORT@ 1 .
+This vulnerabilities file documents all known security issues in
+pkgsrc packages and is kept up-to-date by the
+.Nx
+packages team.
+.Pp
+Each line lists the package and vulnerable versions, the type of exploit,
+and an Internet address for further information.
+Commonly, the types of exploits listed are:
+.Bl -bullet -compact -offset indent
+.It
+cross-site-html
+.It
+cross-site-scripting
+.It
+denial-of-service
+.It
+file-permissions
+.It
+local-access
+.It
+local-code-execution
+.It
+local-file-read
+.It
+local-file-removal
+.It
+local-file-write
+.It
+local-root-file-view
+.It
+local-root-shell
+.It
+local-symlink-race
+.It
+local-user-file-view
+.It
+local-user-shell
+.It
+privacy-leak
+.It
+remote-code-execution
+.It
+remote-command-inject
+.It
+remote-file-creation
+.It
+remote-file-read
+.It
+remote-file-view
+.It
+remote-file-write
+.It
+remote-key-theft
+.It
+remote-root-access
+.It
+remote-root-shell
+.It
+remote-script-inject
+.It
+remote-server-admin
+.It
+remote-use-of-secret
+.It
+remote-user-access
+.It
+remote-user-file-view
+.It
+remote-user-shell
+.It
+unknown
+.It
+weak-authentication
+.It
+weak-encryption
+.It
+weak-ssl-authentication
+.El
+.Pp
+By default, the vulnerabilities file is stored in the
+.Pa @PKGVULNDIR@
+directory.
+This can be changed by defining the environment variable
+.Ev PKGVULNDIR
+to the directory containing the vulnerabilities file.
+.Sh ENVIRONMENT
+.Bl -tag -width PKGVULNDIR
+.It Ev PKGVULNDIR
+Specifies the directory containing the
+.Pa vulnerabilities
+file.
+.El
+.Sh FILES
+.Pa @PKGVULNDIR@/vulnerabilities
+.\" .Sh EXAMPLES
+.Sh EXAMPLES
+The
+.Nm download-vulnerability-list
+command can be run via
+.Xr cron 8
+to update the
+.Pa vulnerabilities
+daily.
+And
+.Nm
+can be run via
+.Xr cron 8
+(or with
+.Nx Ns 's
+.Pa /etc/security.local
+daily security script).
+.Sh SEE ALSO
+.Xr pkg_info 1 ,
+.Xr mk.conf 5 ,
+.Xr packages 7 ,
+.Pa @PKGSRCDIR@/mk/bsd.pkg.defaults.mk
+and
+.Rs
+.%T "Documentation on the NetBSD Package System"
+.Re
+.Pa @PKGSRCDIR@/Packages.txt
+.Sh HISTORY
+The
+.Nm
+and
+.Nm download-vulnerability-list
+commands were originally implemented and added to
+.Nx Ns 's
+pkgsrc by
+.An Alistair Crooks
+on September 19, 2000.
+The original idea came from Roland Dowdeswell and Bill Sommerfeld.
+.\" .Sh AUTHORS
+.\" .Sh SECURITY CONSIDERATIONS |