80c516d Now prepare and install periodic scripts directly — HardenedBSD-pkg

modified Makefile

@@ -1,7 +1,8 @@

 SUBDIR=	external \
 	libpkg \
 	pkg
 	pkg \
 	scripts
 NEWVERS=	newvers.sh

added scripts/Makefile

@@ -0,0 +1,3 @@

+	`SUBDIR= periodic`
+
+	`.include <bsd.subdir.mk>`

deleted scripts/periodic/400.status-pkg

@@ -1,35 +0,0 @@

 #!/bin/sh -
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
     . /etc/defaults/periodic.conf
     source_periodic_confs
 fi
 pkgcmd=/usr/sbin/pkg
 case "$weekly_status_pkg_enable" in
 	[Yy][Ee][Ss])
 	echo
 	echo 'Checking for out of date packages:'
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 	    echo 'status-pkg is enabled but pkg is not used'
 	    rc=2
 	else
 		rc=$(${pkgcmd} version -v ${pkg_version_index} |
 			sed -n -e '/up-to-date/d' \
 			-e 's/^\([^[:space:]]*\)[[:space:]]*[<>=!?][[:space:]]*\(.*\)$/\1 \2/p' |
 			tee /dev/stderr |
 			wc -l)
 		[ $rc -gt 1 ] && rc=1
 	fi
 	;;
 	*)
 	rc=0
 	;;
 esac
 exit $rc

added scripts/periodic/400.status-pkg.in

@@ -0,0 +1,35 @@

 #!/bin/sh -
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
     . /etc/defaults/periodic.conf
     source_periodic_confs
 fi
 pkgcmd=__PREFIX__/sbin/pkg
 case "$weekly_status_pkg_enable" in
 	[Yy][Ee][Ss])
 	echo
 	echo 'Checking for out of date packages:'
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 	    echo 'status-pkg is enabled but pkg is not used'
 	    rc=2
 	else
 		rc=$(${pkgcmd} version -v ${pkg_version_index} |
 			sed -n -e '/up-to-date/d' \
 			-e 's/^\([^[:space:]]*\)[[:space:]]*[<>=!?][[:space:]]*\(.*\)$/\1 \2/p' |
 			tee /dev/stderr |
 			wc -l)
 		[ $rc -gt 1 ] && rc=1
 	fi
 	;;
 	*)
 	rc=0
 	;;
 esac
 exit $rc

deleted scripts/periodic/410.pkg-audit

@@ -1,74 +0,0 @@

 #!/bin/sh -f
 #
 # Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
 # met:
 #
 # 1. Redistributions of source code must retain the above copyright notice
 #    this list of conditions and the following disclaimer.
 #
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
 #
 # 3. Neither the name of the author nor the names of its contributors may be
 #    used to endorse or promote products derived from this software without
 #    specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 # COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
     . /etc/defaults/periodic.conf
     source_periodic_confs
 fi
 # Compute PKG_DBDIR from the config file.
 pkgcmd=/usr/sbin/pkg
 PKG_DBDIR=`${pkgcmd} -vv | awk -F: '$1 ~ /PKG_DBDIR$/ { print $2 }'`
 auditfile="${PKG_DBDIR}/auditfile"
 rc=0
 case "${daily_status_security_pkgaudit_enable:-YES}" in
 	[Nn][Oo])
 	;;
 	*)
 	echo
 	echo 'Checking for packages with security vulnerabilities:'
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 		echo 'pkg-audit is enabled but pkg is not used'
 		rc=2
 	else
 		then=`stat -f '%m' "${auditfile}" 2> /dev/null` || rc=3
 		now=`date +%s` || rc=3
 		# Add 10 minutes of padding since the check is in seconds.
 		if [ $rc -ne 0 -o \
 			$(( 86400 \* "${daily_status_security_pkgaudit_expiry:-2}" )) \
 			-le $(( ${now} - ${then} + 600 )) ]; then
 			${pkgcmd} audit -Fq || { rc=$?; [ $rc -lt 3 ] && rc=3; }
 		else
 			echo -n 'Database fetched: '
 			date -r "${then}" || rc=3
 			${pkgcmd} audit || { rc=$?; [ $rc -lt 3 ] && rc=3; }
 		fi
 	fi
 	;;
 esac
 exit "$rc"

added scripts/periodic/410.pkg-audit.in

@@ -0,0 +1,74 @@

 #!/bin/sh -f
 #
 # Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
 # met:
 #
 # 1. Redistributions of source code must retain the above copyright notice
 #    this list of conditions and the following disclaimer.
 #
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
 #
 # 3. Neither the name of the author nor the names of its contributors may be
 #    used to endorse or promote products derived from this software without
 #    specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 # COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
     . /etc/defaults/periodic.conf
     source_periodic_confs
 fi
 # Compute PKG_DBDIR from the config file.
 pkgcmd=__PREFIX__/sbin/pkg
 PKG_DBDIR=`${pkgcmd} -vv | awk -F: '$1 ~ /PKG_DBDIR$/ { print $2 }'`
 auditfile="${PKG_DBDIR}/auditfile"
 rc=0
 case "${daily_status_security_pkgaudit_enable:-YES}" in
 	[Nn][Oo])
 	;;
 	*)
 	echo
 	echo 'Checking for packages with security vulnerabilities:'
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 		echo 'pkg-audit is enabled but pkg is not used'
 		rc=2
 	else
 		then=`stat -f '%m' "${auditfile}" 2> /dev/null` || rc=3
 		now=`date +%s` || rc=3
 		# Add 10 minutes of padding since the check is in seconds.
 		if [ $rc -ne 0 -o \
 			$(( 86400 \* "${daily_status_security_pkgaudit_expiry:-2}" )) \
 			-le $(( ${now} - ${then} + 600 )) ]; then
 			${pkgcmd} audit -Fq || { rc=$?; [ $rc -lt 3 ] && rc=3; }
 		else
 			echo -n 'Database fetched: '
 			date -r "${then}" || rc=3
 			${pkgcmd} audit || { rc=$?; [ $rc -lt 3 ] && rc=3; }
 		fi
 	fi
 	;;
 esac
 exit "$rc"

deleted scripts/periodic/411.pkg-backup

@@ -1,48 +0,0 @@

 #!/bin/sh -
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
 	. /etc/defaults/periodic.conf
 	source_periodic_confs
 fi
 rc=0
 case "${daily_backup_pkgng_enable:-YES}" in
 	[Nn][Oo])
 	;;
 	*)
 	bak="${daily_backup_pkgng_dir:-/var/backups}"
 	bak_file="${bak}/pkgng.db"
 	pkgcmd=/usr/sbin/pkg
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 		echo 'pkg-backup is enabled but pkg is not used'
 		rc=2
  	else
 		if [ ! -d "$bak" ]
 		then
 			install -d -o root -g wheel -m 750 $bak || {
 			echo 'pkg-backup is enabled but' \
 				"$daily_backup_pkgng_dbdir doesn't exist" ;
 			exit 2 ; }
 		fi
 		echo
 		echo 'Backing up pkgng database:'
 		[ -e "${bak_file}.txz" ] && \
 			mv -f "${bak_file}.txz" "${bak_file}.txz.2"
 		if ${pkgcmd} backup -d ${bak_file} 2>/dev/null; then
 			rc=0
 		else
 			rc=3
 		fi
 	fi
 	;;
 esac
 exit $rc

added scripts/periodic/411.pkg-backup.in

@@ -0,0 +1,48 @@

 #!/bin/sh -
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
 	. /etc/defaults/periodic.conf
 	source_periodic_confs
 fi
 rc=0
 case "${daily_backup_pkgng_enable:-YES}" in
 	[Nn][Oo])
 	;;
 	*)
 	bak="${daily_backup_pkgng_dir:-/var/backups}"
 	bak_file="${bak}/pkgng.db"
 	pkgcmd=__PREFIX__/sbin/pkg
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 		echo 'pkg-backup is enabled but pkg is not used'
 		rc=2
  	else
 		if [ ! -d "$bak" ]
 		then
 			install -d -o root -g wheel -m 750 $bak || {
 			echo 'pkg-backup is enabled but' \
 				"$daily_backup_pkgng_dbdir doesn't exist" ;
 			exit 2 ; }
 		fi
 		echo
 		echo 'Backing up pkgng database:'
 		[ -e "${bak_file}.txz" ] && \
 			mv -f "${bak_file}.txz" "${bak_file}.txz.2"
 		if ${pkgcmd} backup -d ${bak_file} 2>/dev/null; then
 			rc=0
 		else
 			rc=3
 		fi
 	fi
 	;;
 esac
 exit $rc

deleted scripts/periodic/460.pkg-checksum

@@ -1,36 +0,0 @@

 #!/bin/sh -
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
 	. /etc/defaults/periodic.conf
 	source_periodic_confs
 fi
 . /etc/periodic/security/security.functions
 case "${daily_status_security_pkg_checksum_enable}" in
 	[Yy][Ee][Ss])
 	pkgcmd=/usr/sbin/pkg
 	echo
 	echo 'Checking for packages with mismatched checksums:'
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 		echo 'pkg-checksum is enabled but pkg is not used'
 		rc=2
 	else
 		rc=$(${pkgcmd} check -sa 2>&1 |
 		sed -e 's/ checksum mismatch for//' |
 		tee /dev/stderr |
 		wc -l)
 		[ $rc -gt 1 ] && rc=1
 	fi
 	;;
 	*)
 	rc=0
 	;;
 esac
 exit $rc

added scripts/periodic/460.pkg-checksum.in

@@ -0,0 +1,36 @@

 #!/bin/sh -
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
 	. /etc/defaults/periodic.conf
 	source_periodic_confs
 fi
 . /etc/periodic/security/security.functions
 case "${daily_status_security_pkg_checksum_enable}" in
 	[Yy][Ee][Ss])
 	pkgcmd=__PREFIX__/sbin/pkg
 	echo
 	echo 'Checking for packages with mismatched checksums:'
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 		echo 'pkg-checksum is enabled but pkg is not used'
 		rc=2
 	else
 		rc=$(${pkgcmd} check -sa 2>&1 |
 		sed -e 's/ checksum mismatch for//' |
 		tee /dev/stderr |
 		wc -l)
 		[ $rc -gt 1 ] && rc=1
 	fi
 	;;
 	*)
 	rc=0
 	;;
 esac
 exit $rc

deleted scripts/periodic/490.status-pkg-changes

@@ -1,40 +0,0 @@

 #!/bin/sh -
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
 	. /etc/defaults/periodic.conf
 	source_periodic_confs
 fi
 case "$daily_status_pkg_changes_enable" in
 	[Yy][Ee][Ss])
 	pkgcmd=/usr/sbin/pkg
 	echo
 	echo 'Changes in installed packages:'
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 		echo 'status-pkg-changes is enabled but pkg is not used'
 		rc=2
 	else
 		bak=/var/backups
 		rc=0
 		[ -r $bak/pkg.bak ] && mv -f $bak/pkg.bak $bak/pkg.bak2
 		${pkgcmd} info > $bak/pkg.bak
 		cmp -sz $bak/pkg.bak $bak/pkg.bak2
 		if [ $? -eq 1 ]; then
 			diff -U 0 $bak/pkg.bak2 $bak/pkg.bak | \
 			grep '^[-+][^-+]' | sort -k 1.2
 		fi
 	fi
 	;;
 	*)
 	rc=0
 	;;
 esac
 exit $rc

added scripts/periodic/490.status-pkg-changes.in

@@ -0,0 +1,40 @@

 #!/bin/sh -
 #
 # $FreeBSD$
 #
 if [ -r /etc/defaults/periodic.conf ]; then
 	. /etc/defaults/periodic.conf
 	source_periodic_confs
 fi
 case "$daily_status_pkg_changes_enable" in
 	[Yy][Ee][Ss])
 	pkgcmd=__PREFIX__/sbin/pkg
 	echo
 	echo 'Changes in installed packages:'
 	if ! ${pkgcmd} -N >/dev/null 2>&1 ; then
 		echo 'status-pkg-changes is enabled but pkg is not used'
 		rc=2
 	else
 		bak=/var/backups
 		rc=0
 		[ -r $bak/pkg.bak ] && mv -f $bak/pkg.bak $bak/pkg.bak2
 		${pkgcmd} info > $bak/pkg.bak
 		cmp -sz $bak/pkg.bak $bak/pkg.bak2
 		if [ $? -eq 1 ]; then
 			diff -U 0 $bak/pkg.bak2 $bak/pkg.bak | \
 			grep '^[-+][^-+]' | sort -k 1.2
 		fi
 	fi
 	;;
 	*)
 	rc=0
 	;;
 esac
 exit $rc

added scripts/periodic/Makefile

@@ -0,0 +1,31 @@

 .SUFFIXES:	.in
 PREFIX?=	/usr/local
 SCRIPTS_DAILY=	400.status-pkg.in \
 .pkg-backup.in \
 .status-pkg-changes.in
 SCRIPTS_SECURITY=	410.pkg-audit.in \
 .pkg-checksum.in
 SCRIPTS=	${SCRIPTS_DAILY:.in=} ${SCRIPTS_SECURITY:.in=}
 .in:
 	sed -e 's,__PREFIX__,${PREFIX},g' \
 		${.IMPSRC} > ${.TARGET}
 all: ${SCRIPTS}
 clean:
 	rm -f ${SCRIPTS}
 install: all
 	install -d ${DESTDIR}${PREFIX}/etc/periodic/security
 	install -d ${DESTDIR}${PREFIX}/etc/periodic/daily
 .for periodic in ${SCRIPTS_DAILY:.in=}
 	install -m 555 ${periodic} ${DESTDIR}${PREFIX}/etc/periodic/daily
 .endfor
 .for periodic in ${SCRIPTS_SECURITY:.in=}
 	install -m 555 ${periodic} ${DESTDIR}${PREFIX}/etc/periodic/security
 .endfor
 .include <bsd.own.mk>