Security: /usr/ports/security/portaudit

lars

from March
To keep a system secure, it must not only be configured correctly
but also be updated regularly.

Not only the OS has to be updated, but also any additionally
installed programs.
Regularly combing through the mailing lists and home pages of all installed
programs for security problems is very laborious, though.

This work could be simplified by
/usr/ports/security/portaudit
which I discovered by chance yesterday here:
http://bsdhound.com/newsread.php?newsid=283

pkg-description:
portaudit provides a system to check if installed ports are listed in a
database of published security vulnerabilities.

After installation it will update this security database automatically and
include its reports in the output of the daily security run.

If you have found a vulnerability not listed in the database, please contact
the FreeBSD Security Officer <security-officer@FreeBSD.org>. Refer to

http://www.freebsd.org/security/#sec

for more information.

WWW: http://people.freebsd.org/~eik/portaudit/

Oliver Eikemeier <eik@FreeBSD.org>

I hope someone can make use of it.
 
Unfortunately it only gets along with the OpenSSL version that FreeBSD ships with; as soon as you have installed a newer one, the tool can't be installed.
 
@i18n

For the installation I quickly uninstalled the ports version of OpenSSL and reinstalled it afterwards - works!

Regards,

Ice
 
There is something like this for NetBSD as well (/usr/pkgsrc/security/audit-packages). I have been using it successfully for a long time.

That had to be said.

Regards, c.
 
A quick question:

Code:
SU /:portinstall -P portaudit
** No such installed package nor such port called 'portaudit' is found.
SU /:cd /usr/ports/security/portaudit/
SU /usr/ports/security/portaudit:ls
Makefile        pkg-deinstall   pkg-install
files           pkg-descr       pkg-plist

Why doesn't it find it? The ports tree and portsdb are updated every night.

Hmm...

Regards, incmc
 
Does it perhaps work with portinstall security/portaudit ?
Often enough you have to specify the category as well!
 
Hmm, I've never heard of that. Normally, when there are several ports with similar names, a selection is displayed.

Regards, incmc
 
A small demonstration of what such a 'security block' looks like:

lambda# cd cphone
lambda# make install clean
>> cphone-0.3.1.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from http://heanet.dl.sourceforge.net/sourceforge/cphone/.
Receiving cphone-0.3.1.tar.bz2 (55721 bytes): 100%
55721 bytes transferred in 0.8 seconds (68.21 kBps)
===> Extracting for cphone-0.3.1_1
>> Checksum OK for cphone-0.3.1.tar.bz2.
===> Patching for cphone-0.3.1_1
===> Applying FreeBSD patches for cphone-0.3.1_1
===> cphone-0.3.1_1 depends on file: /nonexistent - not found
===> Verifying build for /nonexistent in /usr/ports/net/openh323
===> openh323-1.12.0_3 is forbidden: http://people.freebsd.org/~eik/portaudit/27c331d5-64c7-11d8-80e3-0020ed76ef5a.html.
*** Error code 1

Stop in /usr/ports/net/openh323.
*** Error code 1

Stop in /usr/ports/net/cphone.


---


The link 'http://people.freebsd.org/~eik/portaudit/27c331d5-64c7-11d8-80e3-0020ed76ef5a.html' points to the security advisory.

:)
 
I just let it run over my workstation at work (which is used for everything):

Code:
pcs28# portaudit -F -a
>> Attempting to fetch from ftp://ftp.dk.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/.
new database installed.
Affected package: mysql-client-4.0.17
Type of problem: MySQL insecure temporary file creation (mysqlbug).
Reference: <http://people.freebsd.org/~eik/portaudit/2e129846-8fbb-11d8-8b29-0020ed76ef5a.html>

Affected package: mc-4.6.0_6
Type of problem: Midnight Commander buffer overflow during symlink resolution.
Reference: <http://people.freebsd.org/~eik/portaudit/322d4ff6-85c3-11d8-a41f-0020ed76ef5a.html>

Affected package: gaim-0.71_6
Type of problem: Several remotely exploitable buffer overflows in gaim.
Reference: <http://people.freebsd.org/~eik/portaudit/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html>

Affected package: mplayer-gtk-esound-0.90.0.110_1
Type of problem: mplayer heap overflow in http requests.
Reference: <http://people.freebsd.org/~eik/portaudit/5e7f58c3-b3f8-4258-aeb8-795e5e940ff8.html>

Affected package: XFree86-Server-4.3.0_11
Type of problem: Buffer overflows in XFree86 servers.
Reference: <http://people.freebsd.org/~eik/portaudit/3837f462-5d6b-11d8-80e3-0020ed76ef5a.html>

Affected package: apache-1.3.29_1
Type of problem: Apache 1.3 IP address access control failure on some 64-bit platforms.
Reference: <http://people.freebsd.org/~eik/portaudit/09d418db-70fd-11d8-873f-0020ed76ef5a.html>

Affected package: libxml2-2.6.5_1
Type of problem: libxml2 stack buffer overflow in URI parsing.
Reference: <http://people.freebsd.org/~eik/portaudit/847ade05-6717-11d8-b321-000a95bc6fae.html>

Affected package: libtool-1.3.5_1
Type of problem: GNU libtool insecure temporary file handling.
Reference: <http://people.freebsd.org/~eik/portaudit/cacaffbc-5e64-11d8-80e3-0020ed76ef5a.html>

Affected package: libtool-1.4.3_2
Type of problem: GNU libtool insecure temporary file handling.
Reference: <http://people.freebsd.org/~eik/portaudit/cacaffbc-5e64-11d8-80e3-0020ed76ef5a.html>

Affected package: rsync-2.5.6_1
Type of problem: rsync buffer overflow in server mode.
Reference: <http://people.freebsd.org/~eik/portaudit/5729b8ed-5d75-11d8-80e3-0020ed76ef5a.html>

Affected package: proftpd-1.2.8
Type of problem: ProFTPD ASCII translation bug resulting in remote root compromise.
Reference: <http://people.freebsd.org/~eik/portaudit/cf0fb426-3f96-11d8-b096-0020ed76ef5a.html>

Affected package: lftp-2.6.9
Type of problem: lftp HTML parsing vulnerability.
Reference: <http://people.freebsd.org/~eik/portaudit/d7af61c8-2cc0-11d8-9355-0020ed76ef5a.html>

12 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

Heh, well then...
 
I let portaudit run here for a few days. However, on all the machines it was installed on I then found that the periodic scripts at some point no longer ran through cleanly but hung. Unfortunately I didn't have the time to find out more precisely where the problem was. So I uninstalled portaudit again and everything was back to normal.

Has anyone had similar experiences?
 
This arrived by mail this morning:
Oliver Eikemeier <eikemeier@fillmore-labs.com> said:
Dear porters and port users,

I've added a new port security/portaudit-db that complements security/portaudit for users that have a current ports tree and want to generate the portaudit database themselves, possibly distributing it over their local network. This will save you the traffic downloading information that is already on your local machine and avoid the lag that is currently associated with the mirroring process.

Basically you just need to install security/portaudit-db and do `packaudit' every time after your ports tree has been updated. Try `portaudit -d', it should show the current date afterwards.

This port also features a MOVED style file (database/portaudit.txt) where UUIDs for vulnerabilities can be allocated before they are researched thoroughly and moved to the VuXML database. When you fix a vulnerability in one of your ports, please add at least an entry to this file, so that this fact doesn't go unnoticed. Of course a full VuXML entry is preferred.

I take this announcement as an opportunity to make a plea to all port maintainers:

* please stick with *one* PKGNAMESUFFIX (possibly using a combined one like -sasl-client)

* please *do not* change the structure of the package's version number according to included components.

Let's take for example port `myport' which has optional components c1 and c2. This *should not* result in the following package names:

port-v
port-suf1-v+v1
port-suf2-v+v2
port-suf1-suf2-v+v1+v2

because I need 2^(number of components) entries to catch all possible combinations, for example the recent vulnerability in www/apache13-modssl would need 32 entries in the vulnerability database, which seems a little high. A net effect is that many combinations are not recognized, and users remain unprotected even though they assume the opposite. If you need to record the included components, please do this in the pkg-message, which is displayed with pkg_info -D.

Again:

* a port should *not* change its version numbering based on included components

* restrain yourself to *one* suffix in the package name (and use a dash to separate it from the main ports name)

Thanks
-Oliver

Doesn't sound bad.

Has anyone else noticed problems with the periodic scripts?
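A simplified model of the matching problem the quoted mail describes, added here as an example (it is not portaudit's code, and it does not use portaudit's real audit-file format or pkg_version's exact ordering rules): a database entry matches an installed package only when the name is spelled identically and the version is below the fixed one, so every extra suffix spelling needs its own entry. Package names, versions and vulnerability ids are constructed.

```python
def split_pkgname(pkg):
    """Split 'name-version' at the last dash (names may contain dashes)."""
    name, sep, version = pkg.rpartition("-")
    if not sep or not version[:1].isdigit():
        raise ValueError(f"not a package name: {pkg}")
    return name, version

def version_key(ver):
    """Simplified FreeBSD ordering (an assumption, not pkg_version's rules):
    epoch (',N'), then the dotted numeric version, then port revision ('_N').
    Non-numeric pieces such as '9+3' sort below any number."""
    ver, _, epoch = ver.partition(",")
    ver, _, rev = ver.partition("_")
    parts = tuple((1, int(p)) if p.isdigit() else (0, p) for p in ver.split("."))
    return (int(epoch or 0), parts, int(rev or 0))

def affected(installed, db):
    """Return [(pkg, vid)] for installed packages that a database entry matches:
    the name must be spelled exactly as in the entry, the version below 'lt'."""
    hits = []
    for pkg in installed:
        name, ver = split_pkgname(pkg)
        for vid, entry in db.items():
            if entry["name"] == name and version_key(ver) < version_key(entry["lt"]):
                hits.append((pkg, vid))
    return hits

# Constructed sample: 'myport' 1.9 is vulnerable and fixed in 2.0; it has
# optional components c1 and c2, as in the mail above.
DB = {"vid-0001": {"name": "myport", "lt": "2.0"}}

# Scheme the mail warns against: each component adds a suffix and a version
# part, so the same vulnerable 1.9 code ships under four spellings.
BAD_SCHEME = ["myport-1.9", "myport-c1-1.9+3.1", "myport-c2-1.9+0.4",
              "myport-c1-c2-1.9+3.1+0.4"]
# Covering it takes one entry per suffix combination, 2^(components):
# four here, 32 for the five-component apache13-modssl case quoted above.
BAD_DB_FULL = {f"vid-{i}": {"name": n, "lt": "2.0"} for i, n in
               enumerate(["myport", "myport-c1", "myport-c2", "myport-c1-c2"])}
# Recommended scheme: version stays 1.9 and each flavour has at most one
# suffix, so the entry count grows with the number of suffixes, not 2^k.
GOOD_SCHEME = ["myport-1.9", "myport-c1-1.9", "myport-2.0_1"]
GOOD_DB = {"vid-0001": {"name": "myport", "lt": "2.0"},
           "vid-0002": {"name": "myport-c1", "lt": "2.0"}}

if __name__ == "__main__":
    print(affected(BAD_SCHEME, DB))           # one hit, three installs slip through
    print(affected(BAD_SCHEME, BAD_DB_FULL))  # all four caught
    print(affected(GOOD_SCHEME, GOOD_DB))     # both 1.9 installs caught, 2.0_1 clean
```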
 