-rw-r--r-- | security/audit-packages/DESCR | 12 | ||||
-rw-r--r-- | security/audit-packages/MESSAGE | 22 | ||||
-rw-r--r-- | security/audit-packages/MESSAGE.DragonFly | 23 | ||||
-rw-r--r-- | security/audit-packages/Makefile | 102 | ||||
-rw-r--r-- | security/audit-packages/PLIST | 9 | ||||
-rwxr-xr-x | security/audit-packages/files/audit-packages | 235 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.0 | 173 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.8 | 307 | ||||
-rw-r--r-- | security/audit-packages/files/audit-packages.conf | 26 | ||||
-rw-r--r-- | security/audit-packages/files/download-vulnerability-list | 128 |
10 files changed, 0 insertions, 1037 deletions
diff --git a/security/audit-packages/DESCR b/security/audit-packages/DESCR
deleted file mode 100644
index 6c740bc296e..00000000000
--- a/security/audit-packages/DESCR
+++ /dev/null
@@ -1,12 +0,0 @@
-The audit-packages tools provide two scripts:
-
-(1) download-vulnerability-list, an easy way to download a list of
-security vulnerabilities which have been published. This list is kept
-up to date by the NetBSD security officer. It is held at the
-well-known URL:
-
-ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/vulnerabilities
-
-(2) audit-packages, an easy way to audit the current machine, checking
-each vulnerability listed by the security officer. If a vulnerable
-package is installed, it will be shown by output to stdout.
diff --git a/security/audit-packages/MESSAGE b/security/audit-packages/MESSAGE
deleted file mode 100644
index d4f12dbf3fe..00000000000
--- a/security/audit-packages/MESSAGE
+++ /dev/null
@@ -1,22 +0,0 @@
-===========================================================================
-$NetBSD: MESSAGE,v 1.3 2003/09/02 10:20:27 agc Exp $
-
-You may wish to have the vulnerabilities file downloaded daily so that
-it remains current. This may be done by adding an appropriate entry
-to the root users crontab(5) entry. For example the entry
-
-# download vulnerabilities file
-0 3 * * * ${PREFIX}/sbin/download-vulnerability-list >/dev/null 2>&1
-
-will update the vulnerability list every day at 3AM. You may wish to do
-this more often than once a day.
-
-In addition, you may wish to run the package audit from the daily
-security script. This may be accomplished by adding the following
-lines to /etc/security.local
-
-if [ -x ${PREFIX}/sbin/audit-packages ]; then
- ${PREFIX}/sbin/audit-packages
-fi
-
-===========================================================================
diff --git a/security/audit-packages/MESSAGE.DragonFly b/security/audit-packages/MESSAGE.DragonFly
deleted file mode 100644
index 623fbe8f2ec..00000000000
--- a/security/audit-packages/MESSAGE.DragonFly
+++ /dev/null
@@ -1,23 +0,0 @@
-===========================================================================
-$NetBSD: MESSAGE.DragonFly,v 1.2 2006/03/02 18:31:49 joerg Exp $
-
-You may wish to have the vulnerabilities file downloaded daily so that
-it remains current. This may be done by adding an appropriate entry
-to the root users crontab(5) entry. For example the entry
-
-# download vulnerabilities file
-0 3 * * * ${PREFIX}/sbin/download-vulnerability-list >/dev/null 2>&1
-
-will update the vulnerability list every day at 3AM. You may wish to do
-this more often than once a day.
-
-In addition, you may wish to run the package audit from the daily
-security script. This may be accomplished by adding the following
-lines to /etc/periodic/security/NNN.audit-packages, where NNN is a
-number specifying the order of execution.
-
-if [ -x ${PREFIX}/sbin/audit-packages ]; then
- ${PREFIX}/sbin/audit-packages
-fi
-
-===========================================================================
diff --git a/security/audit-packages/Makefile b/security/audit-packages/Makefile
deleted file mode 100644
index 9eea3a98879..00000000000
--- a/security/audit-packages/Makefile
+++ /dev/null
@@ -1,102 +0,0 @@ -# $NetBSD: Makefile,v 1.78 2008/01/02 09:00:34 adrianp Exp $ - -DISTNAME= audit-packages-1.46 -CATEGORIES= security pkgtools -MASTER_SITES= # empty -DISTFILES= # empty - -MAINTAINER= agc@NetBSD.org -COMMENT= Tools to show vulnerabilities in installed packages - -PKG_INSTALLATION_TYPES= overwrite pkgviews -PKG_DESTDIR_SUPPORT= user-destdir - -CONFLICTS+= pkg_install>=20070714 - -USE_TOOLS+= digest:run - -BUILD_DEFS+= PKGVULNDIR - -WRKSRC= ${WRKDIR} -NO_CHECKSUM= yes - -OWN_DIRS= ${PKGVULNDIR} -MAN8DIR= ${PREFIX}/${PKGMANDIR}/man8 -CAT8DIR= ${PREFIX}/${PKGMANDIR}/cat8 -INSTALLATION_DIRS= ${CAT8DIR} ${MAN8DIR} sbin \ - share/examples/audit-packages - -.include "../../mk/bsd.prefs.mk" - -.if ${OPSYS} == "DragonFly" -MESSAGE_SRC= ${PKGDIR}/MESSAGE.DragonFly -.else -MESSAGE_SRC= ${PKGDIR}/MESSAGE -.endif - -# If you're running NetBSD it's possible that you may already have -# audit-packages installed as a part of the base OS. -# -.if ${OPSYS} == "NetBSD" -. if exists(/usr/sbin/audit-packages) -PKG_FAIL_REASON+= "audit-packages is already installed on this system" -. 
endif -.endif - -CONF_FILES= ${PREFIX}/share/examples/audit-packages/audit-packages.conf \ - ${PKG_SYSCONFDIR}/audit-packages.conf - -SUBST_CLASSES= paths -SUBST_STAGE.paths= post-build -SUBST_FILES.paths= audit-packages audit-packages.0 audit-packages.8 -SUBST_FILES.paths+= download-vulnerability-list -SUBST_SED.paths= -e 's|@PKGVULNDIR@|${PKGVULNDIR}|g' -SUBST_SED.paths+= -e 's|@AWK@|${AWK}|g' -SUBST_SED.paths+= -e 's|@FETCH_CMD@|${FETCH_CMD:Q}|g' -SUBST_SED.paths+= -e 's|@FETCH_CMD_SHORT@|${FETCH_CMD:T:Q}|g' -SUBST_SED.paths+= -e 's|@PKGSRCDIR@|${PKGSRCDIR}|g' -SUBST_SED.paths+= -e 's|@PKG_TOOLS_BIN@|${PKG_TOOLS_BIN}|g' -SUBST_SED.paths+= -e 's|@PREFIX@|${PREFIX}|g' -SUBST_SED.paths+= -e 's|@SH@|${SH}|g' -SUBST_SED.paths+= -e 's|@DIGEST@|${DIGEST}|g' -SUBST_SED.paths+= -e 's|@CHMOD@|${CHMOD}|g' -SUBST_SED.paths+= -e 's|@MV@|${MV}|g' -SUBST_SED.paths+= -e 's|@RM@|${RM}|g' -SUBST_SED.paths+= -e 's|@MKDIR@|${MKDIR}|g' -SUBST_SED.paths+= -e 's|@PKG_SYSCONFDIR@|${PKG_SYSCONFDIR}|g' -SUBST_SED.paths+= -e 's|@FIND@|${FIND}|g' -SUBST_MESSAGE.paths= Fixing paths. 
- -.if ${OPSYS} == "SunOS" || ${OPSYS} == "AIX" -USE_TOOLS+= nroff -.endif - -do-build: - for f in audit-packages audit-packages.0 audit-packages.8 \ - download-vulnerability-list; do \ - ${CP} ${FILESDIR}/$$f ${WRKSRC} ; \ - done - -.if ${OPSYS} == "SunOS" || ${OPSYS} == "AIX" - # pre-created man-pages are "mandoc" pages, these OS need "man", - # so regen the .0 page - ${NROFF} -man ${WRKSRC}/audit-packages.8 >${WRKSRC}/audit-packages.0 -.endif - -do-install: - ${INSTALL_DATA} ${FILESDIR}/audit-packages.conf \ - ${DESTDIR}${PREFIX}/share/examples/audit-packages - - for f in audit-packages download-vulnerability-list; do \ - ${INSTALL_SCRIPT} ${WRKSRC}/$$f ${DESTDIR}${PREFIX}/sbin; \ - done - - ${INSTALL_MAN} ${WRKSRC}/audit-packages.0 ${DESTDIR}${CAT8DIR}/ - ${INSTALL_MAN} ${WRKSRC}/audit-packages.8 ${DESTDIR}${MAN8DIR}/ - - ${RM} -f ${DESTDIR}${CAT8DIR}/download-vulnerability-list.0 - ${LN} -s audit-packages.0 ${DESTDIR}${CAT8DIR}/download-vulnerability-list.0 - ${RM} -f ${DESTDIR}${MAN8DIR}/download-vulnerability-list.8 - ${LN} -s audit-packages.8 ${DESTDIR}${MAN8DIR}/download-vulnerability-list.8 - -.include "../../mk/bsd.pkg.mk" diff --git a/security/audit-packages/PLIST b/security/audit-packages/PLIST deleted file mode 100644 index e6f0d589075..00000000000 --- a/security/audit-packages/PLIST +++ /dev/null @@ -1,9 +0,0 @@ -@comment $NetBSD: PLIST,v 1.3 2006/12/09 12:30:47 adrianp Exp $ -man/cat8/audit-packages.0 -man/cat8/download-vulnerability-list.0 -man/man8/audit-packages.8 -man/man8/download-vulnerability-list.8 -sbin/audit-packages -sbin/download-vulnerability-list -share/examples/audit-packages/audit-packages.conf -@dirrm share/examples/audit-packages diff --git a/security/audit-packages/files/audit-packages b/security/audit-packages/files/audit-packages deleted file mode 100755 index 6d88a30c930..00000000000 --- a/security/audit-packages/files/audit-packages +++ /dev/null 
@@ -1,235 +0,0 @@
-#! @SH@
-#
-# $NetBSD: audit-packages,v 1.31 2007/07/10 15:27:57 joerg Exp $
-#
-# Copyright (c) 2000-2003 Alistair Crooks. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. All advertising materials mentioning features or use of this software
-# must display the following acknowledgement:
-# This product includes software developed by Alistair Crooks
-# for the NetBSD project.
-# 4. The name of the author may not be used to endorse or promote
-# products derived from this software without specific prior written
-# permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
-# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
-# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-
-ERR_DOWNLOAD="Please run download-vulnerability-list."
-ERR_UPGRADE="Please upgrade security/audit-packages to the newest version."
-ERR_PKGINSTALL="Please upgrade pkgtools/pkg_install to the newest version."
-
-: ${PKGVULNDIR=@PKGVULNDIR@}
-
-FORMAT_MAJOR=1
-FORMAT_MINOR=0
-FORMAT_TEENY=0
-PKG_INSTALL_REQUIRED=20050530
-
-usage() {
- argv0="${1##*/}"
- cat <<EOF
-$2
-Usage: $argv0 [-dv] [-K pkg_dbdir] [-p package]
- -d : Run download-vulnerability-list before anything else.
- -K : Use pkg_dbdir as PKG_DBDIR.
- -p : Check a specific package for vulnerabilities.
- -v : Verbose mode
-EOF
- exit 1
-}
-
-settingsmsg=""
-if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then
- settingsmsg="Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf"
- . @PKG_SYSCONFDIR@/audit-packages.conf
-fi
-
-vuls="${PKGVULNDIR}/pkg-vulnerabilities"
-
-download=no
-verbose=no
-one_package=
-while [ $# -gt 0 ]; do
- case "$1" in
- -d) download=yes ;;
- -v) verbose=yes ;;
- -p)
- one_package="$2"
- shift
- ;;
- -K)
- export PKG_DBDIR="$2"
- shift
- ;;
- *)
- usage "$0" "Unknown option $1"
- esac
- shift
-done
-
-case $verbose in
-yes) case "$settingsmsg" in
- "") ;;
- *) echo "$settingsmsg"
- ;;
- esac
- ;;
-esac
-
-# try to download vulnerability list, as requested
-# the integrity of the list is checked below
-# so just issue a warning if there was a failure
-case "$download" in
-yes) @PREFIX@/sbin/download-vulnerability-list || \
- echo "***WARNING***: download-vulnerability-list failure" 1>&2;;
-esac
-
-errmsg=""
-
-# check for missing vulnerabilities file
-if [ ! -f "$vuls" ]; then
- errmsg="Missing vulnerabilities file $vuls"
- errsolution="$ERR_DOWNLOAD"
-fi
-
-case "$errmsg" in
-"") # check for old vulnerabilities file if we're being verbose
- case "$verbose" in
- # XXX: quote vuls
- yes) [ -n "$(@FIND@ $vuls -ctime +7)" ] && echo "*** WARNING - $vuls more than a week old, continuing..." ;;
- esac
- ;;
-esac
-
-case "$errmsg" in
-"") # check that pkg_info is new enough (supports ranges)
- if [ `@PKG_TOOLS_BIN@/pkg_info -V` -lt "$PKG_INSTALL_REQUIRED" ]; then
- errmsg='Installed pkg_info is too old.'
- errsolution="$ERR_PKGINSTALL"
- fi
- ;;
-esac
-
-case "$errmsg" in
-"") # check format version of vulnerabilities file
- file_major=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[1]; exit; }' "$vuls"`
- file_minor=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[2]; exit; }' "$vuls"`
- file_teeny=`@AWK@ '$1 == "#FORMAT" { split($2, a, "\\\\."); print a[3]; exit; }' "$vuls"`
- if [ -z "$file_teeny" ] ; then
- file_teeny=0
- fi
- if [ "x$file_major" = "x" -o "x$file_minor" = "x" ]; then
- errmsg="No file format version found in $vuls"
- errsolution="$ERR_DOWNLOAD"
- elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]; then
- errmsg="Unsupported file format version $file_major.$file_minor${file_teeny:+.${file_teeny}} in $vuls (supported version: $FORMAT_MAJOR.$FORMAT_MINOR.$FORMAT_TEENY)."
- if [ "$file_major" -le "$FORMAT_MAJOR" -o
- \( "$file_major" -eq "$FORMAT_MAJOR" -a
- "$file_minor" -lt "$FORMAT_MINOR" \) ]; then
- errsolution="$ERR_DOWNLOAD"
- else
- errsolution="$ERR_UPGRADE"
- fi
- fi
- ;;
-esac
-
-case "$errmsg" in
-"") # check integrity of vulnerabilities file
- recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' "$vuls"`
- recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' "$vuls"`
- case "$recordedsum" in
- "") errmsg="No checksum found in $vuls"
- errsolution="$ERR_DOWNLOAD"
- ;;
- *) case "$recordedalg" in
- "") errmsg="No checksum algorithm found in $vuls file"
- errsolution="$ERR_DOWNLOAD"
- ;;
- *) calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$[N]etBSD.*/ { next } { print }' "$vuls" | @DIGEST@ "$recordedalg"`
- if [ "$recordedsum" != "$calcsum" ]; then
- errmsg="Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
- errsolution="$ERR_DOWNLOAD"
- fi
- ;;
- esac
- ;;
- esac
- ;;
-esac
-
-# if we have found an error, then complain and exit
-case "$errmsg" in
-"") ;;
-*) echo "***ERROR*** $errmsg" 1>&2
- echo "** $errsolution" 1>&2
- exit 1
- ;;
-esac
-
-found_vulnpkg=0
-# check for vulnerabilities
-while read pat type url; do
- case "$pat" in
- \#*|'') continue;;
- esac
-
- case "$IGNORE_URLS" in
- "") ;;
- *) ignore=false;
- for u in $IGNORE_URLS; do
- if [ "x$u" = "x$url" ]; then
- ignore=true
- break
- fi
- done
- if $ignore; then
- case "$verbose" in
- yes) echo "Ignoring vulnerability for $url with pattern $pat"
- ;;
- esac
- continue
- fi
- ;;
- esac
-
- if [ -z "$one_package" ] ; then
- vulnpkgs=`@PKG_TOOLS_BIN@/pkg_info -e "$pat"`
- else
- vulnpkgs=
- one_pkg=`@PKG_TOOLS_BIN@/pkg_info -e "$one_package"`
- if `@PKG_TOOLS_BIN@/pkg_admin pmatch "$pat" "$one_pkg"` ; then
- vulnpkgs=$one_pkg
- fi
- fi
- for pkg in $vulnpkgs ; do
- found_vulnpkg=`expr $found_vulnpkg + 1`
- echo "Package $pkg has a" \
- "$type vulnerability, see $url"
- done
-done < "$vuls"
-
-if [ "$verbose" = "yes" -a "$found_vulnpkg" -eq 0 ]; then
- echo "No vulnerable packages found."
-fi
-
-exit 0
diff --git a/security/audit-packages/files/audit-packages.0 b/security/audit-packages/files/audit-packages.0
deleted file mode 100644
index 431e62b32bd..00000000000
--- a/security/audit-packages/files/audit-packages.0
+++ /dev/null
@@ -1,173 +0,0 @@ -AUDIT-PACKAGES(8) NetBSD System Manager's Manual AUDIT-PACKAGES(8) - -NNAAMMEE - aauuddiitt--ppaacckkaaggeess, ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt -- show vulnerabilities in - installed packages - -SSYYNNOOPPSSIISS - aauuddiitt--ppaacckkaaggeess [--ddvv] [--KK _p_k_g___d_b_d_i_r] [--pp _p_a_c_k_a_g_e] - ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt - -DDEESSCCRRIIPPTTIIOONN - The aauuddiitt--ppaacckkaaggeess program compares the installed packages with the - _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file and reports any known security issues to stan- - dard output. This output contains the name and version of the package, - the type of vulnerability, and an URL for further information for each - vulnerable package. - - The following flags are supported: - - --dd aauuddiitt--ppaacckkaaggeess will attempt to download the vulnerabilities - file before scanning the installed packages for vulnerabil- - ities. - - --KK _p_k_g___d_b_d_i_r Use package database directory _p_k_g___d_b_d_i_r. - - --pp _p_a_c_k_a_g_e Check only the package _p_a_c_k_a_g_e for vulnerabilities. - - --vv Set verbose mode. aauuddiitt--ppaacckkaaggeess will warn when the vul- - nerabilities file is more than a week old. - - The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt program downloads this file from - _f_t_p_:_/_/_f_t_p_._N_e_t_B_S_D_._o_r_g_/_p_u_b_/_N_e_t_B_S_D_/_p_a_c_k_a_g_e_s_/_d_i_s_t_f_i_l_e_s_/_p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s - using @FETCH_CMD_SHORT@(1). This vulnerabilities file documents all - known security issues in pkgsrc packages and is kept up-to-date by the - NetBSD pkgsrc-security team. 
- - Each line lists the package and vulnerable versions, the type of exploit, - and an Internet address for further information: - - <package pattern> <type> <url> - - The type of exploit can be any text, although some common types of - exploits listed are: - ++oo cross-site-html - ++oo cross-site-scripting - ++oo denial-of-service - ++oo file-permissions - ++oo local-access - ++oo local-code-execution - ++oo local-file-read - ++oo local-file-removal - ++oo local-file-write - ++oo local-root-file-view - ++oo local-root-shell - ++oo local-symlink-race - ++oo local-user-file-view - ++oo local-user-shell - ++oo privacy-leak - ++oo remote-code-execution - ++oo remote-command-inject - ++oo remote-file-creation - ++oo remote-file-read - ++oo remote-file-view - ++oo remote-file-write - ++oo remote-key-theft - ++oo remote-root-access - ++oo remote-root-shell - ++oo remote-script-inject - ++oo remote-server-admin - ++oo remote-use-of-secret - ++oo remote-user-access - ++oo remote-user-file-view - ++oo remote-user-shell - ++oo unknown - ++oo weak-authentication - ++oo weak-encryption - ++oo weak-ssl-authentication - - By default, the vulnerabilities file is stored in the @PKGVULNDIR@ direc- - tory. This can be changed by defining the environment variable - PKGVULNDIR to the directory containing the vulnerabilities file. - - If a URL is specified in IGNORE_URLS then all entries listed in - _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s that match that URL will not be reported when - _a_u_d_i_t_-_p_a_c_k_a_g_e_s is run. Running aauuddiitt--ppaacckkaaggeess --vv will display the - details of all entries skipped if IGNORE_URLS is set. - -EEXXIITT SSTTAATTUUSS - The aauuddiitt--ppaacckkaaggeess utility exits 0 on success, and >0 if an error occurs. - -EENNVVIIRROONNMMEENNTT - These variables can also be defined in the @PKG_SYSCONFDIR@/audit-pack- - ages.conf file. - - PKGVULNDIR Specifies the directory containing the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s - file. 
- - FETCH_ARGS Specifies optional arguments for the ftp client. - - FETCH_PROTO - Specifies the protocol to use when fetching the - _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file. Currently supports only http and - ftp. The default is ftp. - - IGNORE_URLS - A list of vulnerability URLs to be ignored. This allows for - ignoring certain URLs that are attached to a vulnerability. - -FFIILLEESS - @PKGVULNDIR@/pkg-vulnerabilities - - @PKG_SYSCONFDIR@/audit-packages.conf - -EEXXAAMMPPLLEESS - The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be run via cron(8) to update - the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file daily. And aauuddiitt--ppaacckkaaggeess can be run via - cron(8) (or with NetBSD's _/_e_t_c_/_s_e_c_u_r_i_t_y_._l_o_c_a_l daily security script). - - The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use IPv4 with - the following setting in @PKG_SYSCONFDIR@/audit-packages.conf : - - export FETCH_ARGS="-4" - - The ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt command can be forced to use http to - download the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file with the following setting in - @PKG_SYSCONFDIR@/audit-packages.conf : - - export FETCH_PROTO="http" - -DDIIAAGGNNOOSSTTIICCSS - The following errors can occur: - - Checksum mismatch - The vulnerabilities file is corrupted. Run - ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. - - Missing vulnerabilities file - The vulnerabilities file could not be found. Run - ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. - - No checksum algorithm found - The vulnerabilities file is too old or incomplete. Run - ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. - - No checksum found - The vulnerabilities file is too old or incomplete. Run - ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. - - No file format version found - The vulnerabilities file is too old or incomplete. Run - ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. 
- - Unsupported file format version - The vulnerabilities file is too old or too new. If it's too - old, run ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt. If it's too new, - update the _s_e_c_u_r_i_t_y_/_a_u_d_i_t_-_p_a_c_k_a_g_e_s package. - - Installed pkg_info too old - aauuddiitt--ppaacckkaaggeess requires a newer version of pkg_info(1). - Update the _p_k_g_t_o_o_l_s_/_p_k_g___i_n_s_t_a_l_l package. - -SSEEEE AALLSSOO - pkg_info(1), mk.conf(5), packages(7), _@_P_K_G_S_R_C_D_I_R_@_/_m_k_/_d_e_f_a_u_l_t_s_/_m_k_._c_o_n_f and - - _D_o_c_u_m_e_n_t_a_t_i_o_n _o_n _t_h_e _N_e_t_B_S_D _P_a_c_k_a_g_e _S_y_s_t_e_m. _@_P_K_G_S_R_C_D_I_R_@_/_d_o_c_/_p_k_g_s_r_c_._t_x_t - -HHIISSTTOORRYY - The aauuddiitt--ppaacckkaaggeess and ddoowwnnllooaadd--vvuullnneerraabbiilliittyy--lliisstt commands were origi- - nally implemented and added to NetBSD's pkgsrc by Alistair Crooks on - September 19, 2000. The original idea came from Roland Dowdeswell and - Bill Sommerfeld. - -NetBSD 4.0 April 15, 2006 NetBSD 4.0 diff --git a/security/audit-packages/files/audit-packages.8 b/security/audit-packages/files/audit-packages.8 deleted file mode 100644 index a6560ac9ccb..00000000000 --- a/security/audit-packages/files/audit-packages.8 +++ /dev/null 
@@ -1,307 +0,0 @@
-.\" $NetBSD: audit-packages.8,v 1.21 2006/12/23 09:34:56 wiz Exp $
-.\"
-.\" Copyright (c) 2003 Jeremy C. Reed. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\" must display the following acknowledgement:
-.\" This product includes software developed by Jeremy C. Reed
-.\" for the NetBSD project.
-.\" 4. The name of the author may not be used to endorse or promote
-.\" products derived from this software without specific prior written
-.\" permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
-.\" GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\" -.Dd April 15, 2006 -.Os -.Dt AUDIT-PACKAGES 8 -.Sh NAME -.Nm audit-packages , -.Nm download-vulnerability-list -.Nd show vulnerabilities in installed packages -.Sh SYNOPSIS -.Nm -.Op Fl dv -.Op Fl K Ar pkg_dbdir -.Op Fl p Ar package -.Nm download-vulnerability-list -.Sh DESCRIPTION -The -.Nm -program compares the installed packages with the -.Pa pkg-vulnerabilities -file and reports any known security issues to standard output. -This output contains the name and version of the package, the -type of vulnerability, and an URL for further information for each -vulnerable package. -.Pp -The following flags are supported: -.Bl -tag -width Ar -.It Fl d -.Nm -will attempt to download the vulnerabilities -file before scanning -the installed packages for vulnerabilities. -.It Fl K Ar pkg_dbdir -Use package database directory -.Ar pkg_dbdir . -.It Fl p Ar package -Check only the package -.Ar package -for vulnerabilities. -.It Fl v -Set verbose mode. -.Nm -will warn when the vulnerabilities file is more than a week old. -.El -.Pp -The -.Nm download-vulnerability-list -program downloads this file from -.Pa ftp://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities -using -.Xr @FETCH_CMD_SHORT@ 1 . -This vulnerabilities file documents all known security issues in -pkgsrc packages and is kept up-to-date by the -.Nx -pkgsrc-security team. 
-.Pp -Each line lists the package and vulnerable versions, the type of exploit, -and an Internet address for further information: -.Bl -item -.It -.Aq package pattern -.Aq type -.Aq url -.El -.Pp -The type of exploit can be any text, although -some common types of exploits listed are: -.Bl -bullet -compact -offset indent -.It -cross-site-html -.It -cross-site-scripting -.It -denial-of-service -.It -file-permissions -.It -local-access -.It -local-code-execution -.It -local-file-read -.It -local-file-removal -.It -local-file-write -.It -local-root-file-view -.It -local-root-shell -.It -local-symlink-race -.It -local-user-file-view -.It -local-user-shell -.It -privacy-leak -.It -remote-code-execution -.It -remote-command-inject -.It -remote-file-creation -.It -remote-file-read -.It -remote-file-view -.It -remote-file-write -.It -remote-key-theft -.It -remote-root-access -.It -remote-root-shell -.It -remote-script-inject -.It -remote-server-admin -.It -remote-use-of-secret -.It -remote-user-access -.It -remote-user-file-view -.It -remote-user-shell -.It -unknown -.It -weak-authentication -.It -weak-encryption -.It -weak-ssl-authentication -.El -.Pp -By default, the vulnerabilities file is stored in the -@PKGVULNDIR@ -directory. -This can be changed by defining the environment variable -.Ev PKGVULNDIR -to the directory containing the vulnerabilities file. -.Pp -If a URL is specified in -.Ev IGNORE_URLS -then all entries listed in -.Pa pkg-vulnerabilities -that match that URL will not be reported when -.Pa audit-packages -is run. -Running -.Nm Fl v -will display the details of all entries skipped if -.Ev IGNORE_URLS -is set. -.Sh EXIT STATUS -.Ex -std audit-packages -.Sh ENVIRONMENT -These variables can also be defined in the -@PKG_SYSCONFDIR@/audit-packages.conf -file. -.Pp -.Bl -tag -width PKGVULNDIR -.It Ev PKGVULNDIR -Specifies the directory containing the -.Pa pkg-vulnerabilities -file. -.It Ev FETCH_ARGS -Specifies optional arguments for the ftp client. 
-.It Ev FETCH_PROTO -Specifies the protocol to use when fetching the -.Pa pkg-vulnerabilities -file. -Currently supports only http and ftp. -The default is ftp. -.It Ev IGNORE_URLS -A list of vulnerability URLs to be ignored. -This allows for ignoring certain URLs that are attached to a -vulnerability. -.El -.Sh FILES -@PKGVULNDIR@/pkg-vulnerabilities -.Pp -@PKG_SYSCONFDIR@/audit-packages.conf -.Sh EXAMPLES -The -.Nm download-vulnerability-list -command can be run via -.Xr cron 8 -to update the -.Pa pkg-vulnerabilities -file daily. -And -.Nm -can be run via -.Xr cron 8 -(or with -.Nx Ap s -.Pa /etc/security.local -daily security script). -.Pp -The -.Nm download-vulnerability-list -command can be forced to use IPv4 with the following setting in -@PKG_SYSCONFDIR@/audit-packages.conf : -.Pp -export FETCH_ARGS="-4" -.Pp -The -.Nm download-vulnerability-list -command can be forced to use http to download the -.Pa pkg-vulnerabilities -file with the following setting in -@PKG_SYSCONFDIR@/audit-packages.conf : -.Pp -export FETCH_PROTO="http" -.Sh DIAGNOSTICS -The following errors can occur: -.Bl -tag -width 10n -.It Checksum mismatch -The vulnerabilities file is corrupted. -Run -.Nm download-vulnerability-list . -.It Missing vulnerabilities file -The vulnerabilities file could not be found. -Run -.Nm download-vulnerability-list . -.It \&No checksum algorithm found -The vulnerabilities file is too old or incomplete. -Run -.Nm download-vulnerability-list . -.It \&No checksum found -The vulnerabilities file is too old or incomplete. -Run -.Nm download-vulnerability-list . -.It \&No file format version found -The vulnerabilities file is too old or incomplete. -Run -.Nm download-vulnerability-list . -.It Unsupported file format version -The vulnerabilities file is too old or too new. -If it's too old, run -.Nm download-vulnerability-list . -If it's too new, update the -.Pa security/audit-packages -package. 
-.It Installed pkg_info too old
-.Nm
-requires a newer version of
-.Xr pkg_info 1 .
-Update the
-.Pa pkgtools/pkg_install
-package.
-.El
-.Sh SEE ALSO
-.Xr pkg_info 1 ,
-.Xr mk.conf 5 ,
-.Xr packages 7 ,
-.Pa @PKGSRCDIR@/mk/defaults/mk.conf
-and
-.Rs
-.%T "Documentation on the NetBSD Package System"
-.Re
-.Pa @PKGSRCDIR@/doc/pkgsrc.txt
-.Sh HISTORY
-The
-.Nm
-and
-.Nm download-vulnerability-list
-commands were originally implemented and added to
-.Nx Ap s
-pkgsrc by
-.An Alistair Crooks
-on September 19, 2000.
-The original idea came from Roland Dowdeswell and Bill Sommerfeld.
diff --git a/security/audit-packages/files/audit-packages.conf b/security/audit-packages/files/audit-packages.conf
deleted file mode 100644
index a7980535d74..00000000000
--- a/security/audit-packages/files/audit-packages.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# $NetBSD: audit-packages.conf,v 1.1 2006/12/09 12:30:47 adrianp Exp $
-
-#
-# sample configuration file for audit-packages(8) and
-# download-vulnerability-list(8)
-#
-
-# PKGVULNDIR
-#
-# Specifies the directory containing the pkg-vulnerabilities file.
-# Default: PKGVULNDIR="${DISTDIR}"
-
-# FETCH_ARGS
-#
-# Specifies optional arguments for the download-vulnerability-list client.
-# Default: FETCH_ARGS=
-
-# FETCH_PROTO
-#
-# Specifies the protocol to use when fetching the pkg-vulnerabilities file.
-# Default: FETCH_PROTO="ftp"
-
-# IGNORE_URLS
-#
-# A list of vulnerability URLs to be ignored.
-# Default: IGNORE_URLS=
diff --git a/security/audit-packages/files/download-vulnerability-list b/security/audit-packages/files/download-vulnerability-list
deleted file mode 100755
index 18503e54c62..00000000000
--- a/security/audit-packages/files/download-vulnerability-list
+++ /dev/null
@@ -1,128 +0,0 @@
-#! @SH@
-
-# $NetBSD: download-vulnerability-list,v 1.29 2006/07/14 22:41:58 adrianp Exp $
-#
-# Copyright (c) 2000-2003 Alistair Crooks. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. All advertising materials mentioning features or use of this software
-# must display the following acknowledgement:
-# This product includes software developed by Alistair Crooks
-# for the NetBSD project.
-# 4. The name of the author may not be used to endorse or promote
-# products derived from this software without specific prior written
-# permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
-# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
-# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# - -: ${PKGVULNDIR=@PKGVULNDIR@} -: ${FETCH_PROTO=ftp} - -NEW_VUL_LIST=pkg-vulnerabilities.$$ -EXIST_VUL_LIST=pkg-vulnerabilities - -# pick up any settings in audit-packages.conf -if [ -r @PKG_SYSCONFDIR@/audit-packages.conf ]; then - echo "Reading settings from @PKG_SYSCONFDIR@/audit-packages.conf" - . @PKG_SYSCONFDIR@/audit-packages.conf -fi - -VUL_SOURCE="${FETCH_PROTO}://ftp.NetBSD.org/pub/NetBSD/packages/distfiles/pkg-vulnerabilities" - -if [ ! -d ${PKGVULNDIR}/. ]; then - echo "Creating ${PKGVULNDIR}" - @MKDIR@ ${PKGVULNDIR} || (echo "Can't create ${PKGVULNDIR}" 1>&2; exit 1) -fi - -case ${FETCH_PROTO} in -http) ;; -ftp) ;; -*) echo "Unknown FETCH_PROTO specified - Only http and ftp are currently supported." - exit 1 - ;; -esac - -cd ${PKGVULNDIR} -utility=`echo "@FETCH_CMD@" | @AWK@ '{ print $1 }'` -case "$utility" in -*curl) @FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;; -*ftp) @FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;; -*wget) @FETCH_CMD@ ${FETCH_ARGS} -O ${NEW_VUL_LIST} ${VUL_SOURCE} ;; -*fetch) @FETCH_CMD@ ${FETCH_ARGS} -o ${NEW_VUL_LIST} ${VUL_SOURCE} ;; -*) echo "Unknown fetch command - please use send-pr to send in support for your fetch command" 1>&2 - exit 1 - ;; -esac - -# see if we got a file -if [ ! 
-f "${NEW_VUL_LIST}" ]; then - echo "***WARNING*** Download of vulnerabilities file failed" 1>&2 - exit 1 -fi - -# see if the file got damaged while it was being downloaded -errmsg="" -recordedsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${NEW_VUL_LIST}` -recordedalg=`@AWK@ '$1 == "#CHECKSUM" { print $2 }' ${NEW_VUL_LIST}` -case "$recordedsum" in -"") errmsg="***WARNING*** No checksum found in the downloaded vulnerabilities file" - ;; -*) case "$recordedalg" in - "") errmsg="***WARNING*** No checksum algorithm found in the downloaded vulnerabilities file" - ;; - *) calcsum=`@AWK@ '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' ${NEW_VUL_LIST} | @DIGEST@ $recordedalg` - if [ "$recordedsum" != "$calcsum" ]; then - errmsg="***WARNING*** Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\"" - fi - ;; - esac - ;; -esac -case "$errmsg" in -"") ;; -*) echo "$errmsg" 1>&2 - @RM@ -f ${NEW_VUL_LIST} - exit 1 - ;; -esac - -# test to see if file has been changed -neednew=false -if [ -f ${EXIST_VUL_LIST} ]; then - oldsum=`@AWK@ '$1 == "#CHECKSUM" { print $3 }' ${EXIST_VUL_LIST}` - if [ "$oldsum" != "$calcsum" ]; then - neednew=true - fi -else - neednew=true -fi - -# if we need the new file, move it into position -if $neednew; then - echo "Package vulnerabilities file has been updated" - @CHMOD@ a+r ${NEW_VUL_LIST} - @MV@ -f ${NEW_VUL_LIST} ${EXIST_VUL_LIST} -else - echo "No change from existing package vulnerabilities file" - @RM@ -f ${NEW_VUL_LIST} -fi - -exit 0 |