diff --git a/security/Makefile b/security/Makefile
index 10e3e703aa27..c4c49af0b5b3 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -38,6 +38,7 @@
 SUBDIR += barnyard2
 SUBDIR += barnyard2-sguil
 SUBDIR += base
+ SUBDIR += base-audit
 SUBDIR += bcrypt
 SUBDIR += bcwipe
 SUBDIR += bdes
diff --git a/security/base-audit/Makefile b/security/base-audit/Makefile
new file mode 100644
index 000000000000..e021e03a4f72
--- /dev/null
+++ b/security/base-audit/Makefile
@@ -0,0 +1,32 @@
+# Created by: Miroslav Lachman
+# $FreeBSD$
+
+PORTNAME= base-audit
+PORTVERSION= 0.1
+CATEGORIES= security
+MASTER_SITES= # none
+DISTFILES= # none
+
+MAINTAINER= 000.fbsd@quip.cz
+COMMENT= Daily periodic check of vulnerabilities in base system
+
+LICENSE= BSD3CLAUSE
+
+RUN_DEPENDS= pkg:ports-mgmt/pkg
+
+NO_ARCH= yes
+NO_BUILD= yes
+NO_INSTALL= yes
+
+SUB_FILES= 405.pkg-base-audit
+
+PERIODIC_SECURITY= etc/periodic/security
+
+PLIST_FILES= ${PERIODIC_SECURITY}/405.pkg-base-audit
+
+do-install:
+ @${MKDIR} ${STAGEDIR}${PREFIX}/${PERIODIC_SECURITY}
+ ${INSTALL_SCRIPT} ${WRKDIR}/405.pkg-base-audit \
+ ${STAGEDIR}${PREFIX}/${PERIODIC_SECURITY}
+
+.include
diff --git a/security/base-audit/files/405.pkg-base-audit.in b/security/base-audit/files/405.pkg-base-audit.in
new file mode 100644
index 000000000000..257158383bef
--- /dev/null
+++ b/security/base-audit/files/405.pkg-base-audit.in
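Review bot: `NO_INSTALL= yes` and the `do-install:` target in security/base-audit/Makefile contradict each other: if NO_INSTALL skips the install phase as the ports framework documents, the recipe never runs, nothing is staged under ${STAGEDIR}${PREFIX}/${PERIODIC_SECURITY}, and the PLIST_FILES entry then fails the stage check, so `NO_INSTALL= yes` should presumably be dropped since the port does install a file. Separately, files/pkg-message.in is added by this commit but is not named in `SUB_FILES=`, so it is likely never rendered into ${WRKDIR}/pkg-message and never displayed; `SUB_FILES= 405.pkg-base-audit pkg-message` would cover both. The `.include` line appears truncated in this view, so I cannot confirm which makefile it pulls in.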
@@ -0,0 +1,206 @@
+#!/bin/sh -f
+#
+# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
+# Copyright (c) 2014 Matthew Seaman
+# Copyright (c) 2016 Miroslav Lachman <000.fbsd@quip.cz>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# 1. Redistributions of source code must retain the above copyright notice
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the author nor the names of its contributors may be
+# used to endorse or promote products derived from this software without
+# specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+if [ -r /etc/defaults/periodic.conf ]; then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+# Compute PKG_DBDIR from the config file.
+pkgcmd=%%PREFIX%%/sbin/pkg
+PKG_DBDIR=`${pkgcmd} config PKG_DBDIR`
+auditfile="${PKG_DBDIR}/vuln.xml"
+
+audit_base() {
+ local pkgargs="$1"
+ local basedir="$2"
+ local rc
+ local then
+ local now
+ local usrlv
+ local krnlv
+ local strlen
+ local chrootv
+ local jailv
+ local jid
+
+ ## get version from chroot
+ if [ -n "`echo "$pkgargs" | egrep '^-c'`" ]; then
+ if [ -x "$basedir/bin/freebsd-version" ]; then
+ chrootv=$($basedir/bin/freebsd-version -u)
+ ## safety check - strlen
+ strlen=$(echo "$chrootv" | wc -c)
+ if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
+ echo "Wrong version string, cannot run audit"
+ return 3
+ fi
+ usrlv=$(echo $chrootv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+ else
+ echo "Cannot guess chroot version"
+ return 3
+ fi
+ ## get version from jail
+ elif [ -n "`echo "$pkgargs" | egrep '^-j'`" ]; then
+ jid=$(echo "$pkgargs" | awk '$1 ~ /^-[j]/ { print $2 }')
+ jailv=$(jexec $jid freebsd-version -u)
+ ## safety check - strlen
+ strlen=$(echo "$jailv" | wc -c)
+ if [ $strlen -gt 17 -o $strlen -lt 11 ]; then
+ echo "Wrong version string, cannot run audit"
+ return 3
+ fi
+ usrlv=$(echo $jailv | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+ ## get version from host
+ else
+ usrlv=$(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+ fi
+
+ then=`stat -f '%m' "${basedir}${auditfile}" 2> /dev/null` || rc=3
+ now=`date +%s` || rc=3
+ ## Add 10 minutes of padding since the check is in seconds.
+ if [ $rc -ne 0 -o \
+ $(( 86400 \* "${daily_status_security_baseaudit_expiry:-2}" )) \
+ -le $(( ${now} - ${then} + 600 )) ]; then
+ ## Random delay so the mirrors do not get slammed when run by periodic(8)
+ if [ ! -t 0 ]; then
+ sleep `jot -r 1 0 600`
+ fi
+ f="-F"
+ else
+ echo -n 'Database fetched: '
+ date -r "${then}" || rc=3
+ fi
+
+ ## cannot check kernel in jail or chroot
+ if [ -z "`echo "$pkgargs" | egrep '^-[cj]'`" -a `sysctl -n security.jail.jailed` = 0 ]; then
+ krnlv=$(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,')
+ ${pkgcmd} audit $f $q $krnlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
+ fi
+
+ ${pkgcmd} audit $f $q $usrlv || { rc=$?; [ $rc -lt 3 ] && rc=3; }
+
+ return $rc
+}
+
+# Use $pkg_chroots to provide a default list of chroots, and
+# $pkg_jails to provide a default list of jails (or '*' for all jails)
+# for all pkg periodic scripts, or set
+# $daily_status_security_baseaudit_chroots and
+# $daily_status_security_baseaudit_jails for this script only.
+
+audit_base_all() {
+ local rc
+ local last_rc
+ local jails
+
+ : ${daily_status_security_baseaudit_chroots=$pkg_chroots}
+ : ${daily_status_security_baseaudit_jails=$pkg_jails}
+
+ # We always show audit results for the base system, but only print
+ # a banner line if we're also showing audit results for any
+ # chroots or jails.
+
+ if [ -n "${daily_status_security_baseaudit_chroots}" -o \
+ -n "${daily_status_security_baseaudit_jails}" ]; then
+ echo "Host system:"
+ fi
+
+ audit_base '' ''
+ last_rc=$?
+ [ $last_rc -gt 1 ] && rc=$last_rc
+
+ for c in $daily_status_security_baseaudit_chroots ; do
+ echo
+ echo "chroot: $c"
+ audit_base "-c $c" $c
+ last_rc=$?
+ [ $last_rc -gt 1 ] && rc=$last_rc
+ done
+
+ case $daily_status_security_baseaudit_jails in
+ \*)
+ jails=$(jls -q -h name path | sed -e 1d -e 's/ /|/')
+ ;;
+ '')
+ jails=
+ ;;
+ *)
+ # Given the jail name or jid, find the jail path
+ jails=
+ for j in $daily_status_security_baseaudit_jails ; do
+ p=$(jls -j $j -h name path | sed -e 1d -e 's/ /|/')
+ jails="${jails} ${p}"
+ done
+ ;;
+ esac
+
+ for j in $jails ; do
+ echo
+ echo "jail: ${j%|*}"
+ audit_base "-j ${j%|*}" ${j##*|}
+ last_rc=$?
+ [ $last_rc -gt 1 ] && rc=$last_rc
+ done
+
+ return $rc
+}
+
+rc=0
+
+case "${daily_status_security_baseaudit_enable:-YES}" in
+[Nn][Oo]) ;;
+*)
+ echo
+ echo 'Checking for security vulnerabilities in base (userland & kernel):'
+
+ if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
+ echo 'pkg-audit is enabled but pkg is not used'
+ rc=2
+ else
+ case "${daily_status_security_baseaudit_quiet:-NO}" in
+ [Yy][Ee][Ss])
+ q='-q'
+ ;;
+ *)
+ q=
+ ;;
+ esac
+
+ audit_base_all ; rc=$?
+ fi
+ ;;
+esac
+
+exit "$rc"
diff --git a/security/base-audit/files/pkg-message.in b/security/base-audit/files/pkg-message.in
new file mode 100644
index 000000000000..5eb884f8af2a
--- /dev/null
+++ b/security/base-audit/files/pkg-message.in
@@ -0,0 +1,11 @@
+Add the following lines to /etc/periodic.conf(.local) to enable periodic check
+ daily_status_security_baseaudit_enable="YES"
+ daily_status_security_baseaudit_quiet="NO"
+
+Use pkg_chroots to provide a default list of chroots
+and pkg_jails to provide a default list of jails (or '*' for all jails)
+for all pkg periodic scripts, or set
+ daily_status_security_baseaudit_chroots
+and
+ daily_status_security_baseaudit_jails
+for this script only.
diff --git a/security/base-audit/pkg-descr b/security/base-audit/pkg-descr
new file mode 100644
index 000000000000..0b560575e978
--- /dev/null
+++ b/security/base-audit/pkg-descr
@@ -0,0 +1,4 @@
+Audit base system against known vulnerabilities and generate reports
+including references to security advisories.
+It uses pkg audit and Vuxml database as is used for packages but this script
+checks base system.
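Review bot: In audit_base's chroot branch, `chrootv=$($basedir/bin/freebsd-version -u)` executes a file taken from the chroot's filesystem directly on the host — not under chroot(8) — with the root privileges and environment of the periodic job, and the following length check only bounds what reaches `pkg audit`, not what that file can do when run; a chroot that has been tampered with or populated from an untrusted image therefore gets host-root execution from a routine daily check. If the chroot's freebsd-version is the stock shell script, its `-u` output is just its USERLAND_VERSION assignment, which can be read without executing it: `chrootv=$(sed -n 's/^USERLAND_VERSION="\(.*\)"$/\1/p' "$basedir/bin/freebsd-version")`, which also quotes `$basedir` (currently unquoted and word-split). The jail branch's `jexec $jid freebsd-version -u` runs the jail's own binary too, though there the jail confines it. Two smaller points: `rc` is declared `local` but never initialised in audit_base and audit_base_all, so `[ $rc -ne 0 ... ]` only works because FreeBSD sh's `local` inherits the outer `rc=0` — `local rc=0` would make that explicit and portable — and `f="-F"` is never reset between calls, so once the host run decides to refresh, every subsequent chroot/jail audit also passes `-F`; adding `f=` at the top of audit_base fixes that.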