NAME

audit-packages, download-vulnerability-list - show vulnerabilities in installed packages

SYNOPSIS

audit-packages [-deqsVv] [-c config_file] [-F file] [-g file] [-h file] [-K pkg_dbdir] [-n package] [-p package] [-Q varname] [-t type]

download-vulnerability-list [-hs] [-c config_file]

DESCRIPTION

The audit-packages program compares the installed packages with the pkg-vulnerabilities file and reports any known security issues to standard output. For each vulnerable package the output contains the name and version of the package, the type of vulnerability, and a URL for further information.

The following flags are supported:

-d
Attempt to download the vulnerabilities file using the download-vulnerability-list script before scanning the installed packages for vulnerabilities.

-e
Check for end-of-life (eol) packages.

-q
Be ``quiet'' in emitting report headers and such, just dump the raw info (basically, assume a non-human reading).

-s
Verify the signature of the current pkg-vulnerabilities file. The key used to sign the file is available from: ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc

In order for this to function correctly the above key must be added to the gpg keyring of the user who runs audit-packages -s and/or download-vulnerability-list -s. In addition to this the gpg binary must be installed on your system. The path to the gpg binary can be set in audit-packages.conf(5).

The requirement for GnuPG may go away in the future when a suitable replacement is implemented.

-V
Display the version number and exit.

-v
Be more verbose. Specify multiple -v flags to increase verbosity. Currently a maximum level of three is supported.

-c config_file
Specify a custom config_file configuration file to use.

-F file
Load a file containing a list of package names and/or package patterns to check.

-g file
Compute the SHA512 hash on file.

-h file
Check the SHA512 hash of a file against the internally stored value.

-K pkg_dbdir
Use package database directory pkg_dbdir.

-n package
Check only the package package for vulnerabilities.

-p package
Check only the installed package package for vulnerabilities.

-Q varname
Display the current value of varname and exit. Currently supported varname are GPG, PKGVULNDIR, and IGNORE_URLS.

-t type
Only check for the specified type of vulnerability.

The download-vulnerability-list program downloads the pkg-vulnerabilities file from ftp.NetBSD.org using ftp(1) by default. This vulnerabilities file documents all known security issues in pkgsrc packages and is kept up-to-date by the NetBSD pkgsrc-security team.

The following flags are supported:

-c config_file
Specify a custom config_file configuration file to use.

-h
Display program usage.

-s
Verify the signature of the current pkg-vulnerabilities file. In order for this to function correctly you will need to add the pkgsrc Security Team key to your gpg keyring and trust it. The key is available from: ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc. In addition to this the gpg binary must be installed on your system. The path to the gpg binary can be set in audit-packages.conf(5).

By default download-vulnerability-list will download a compressed version of pkg-vulnerabilities from ftp.netbsd.org. The default file downloaded is compressed using gzip(1). The compression tool used can be set in audit-packages.conf(5). Currently only gzcat(1) and bzcat(1) are supported.

audit-packages and/or download-vulnerability-list need not be run by the root user. They will function as an unprivileged user as long as the user chosen has permission to write the downloaded pkg-vulnerabilities file to the location specified in audit-packages.conf(5).

Each line lists the package and vulnerable versions, the type of exploit, and an Internet address for further information:

<package pattern> <type> <url>

The type of exploit can be any text, although some common types of exploits listed are:

The type eol implies that the package is no longer maintained by the software vendor but is provided by the pkgsrc team for your convenience only. It may contain any number of the above mentioned vulnerabilities. Packages of type eol are not reported by default. Run audit-packages -e to also report on eol packages.

By default, the vulnerabilities file is stored in the PKG_DBDIR directory. On a standard installation this will be set to /var/db/pkg. If you have installed pkgsrc on a supported platform this will be whatever you specified when bootstrapping pkgsrc, i.e., --pkgdbdir <pkgdbdir>. The path to the pkg-vulnerabilities file can be set in audit-packages.conf(5).
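The following is an added illustration, not code from pkgsrc or the audit-packages script itself, of how the line format above is consumed: it reads a constructed pkg-vulnerabilities sample, matches each installed package (a constructed stand-in for pkg_info output) against the package pattern, and applies the reporting rules described above (eol entries hidden unless -e, a single -t type, and a set of ignored advisory URLs standing in for IGNORE_URLS, whose exact syntax in audit-packages.conf(5) is not given here). The pattern matcher implements only a subset of pkg_install's dewey and glob rules (name<ver, name>=ver<ver, {a,b} alternates, shell globs); the version ordering is an approximation of dewey.c, and all package names, types, versions and URLs in the sample are made up.

```python
"""Toy auditor for the pkg-vulnerabilities line format: <package pattern> <type> <url>.

Added illustration, not pkgsrc's own audit-packages code.  Pattern matching is a
simplified version of pkg_install's dewey/glob rules (assumption: the subset
below is enough for the constructed sample).
"""
import fnmatch
import re
from itertools import zip_longest

# Constructed sample file: names, types, versions and URLs are made up.
VULNS = """\
# pkg-vulnerabilities (constructed sample); comment lines start with '#'
example-lib<1.4.2 remote-code-execution https://example.org/adv/0001
example-lib>=2.0<2.0.5 denial-of-service https://example.org/adv/0002
{example-tool,example-tool-gui}-1.* local-access https://example.org/adv/0003
old-daemon-[0-9]* eol https://example.org/eol/old-daemon
"""
# Constructed stand-in for the installed package list (name-version strings).
INSTALLED = ["example-lib-1.4.1nb2", "example-lib-2.0.5",
             "example-tool-gui-1.3", "old-daemon-0.9", "unrelated-3.1"]

# Pre-release markers sort below a bare release, as in pkg_install's dewey.c.
MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def dewey(version):
    """'1.4.1nb2' -> ([1, 4, 1], 2): version components plus the pkgsrc 'nb' revision."""
    base, _, nb = version.partition("nb")
    parts = []
    for tok in re.findall(r"\d+|[a-z]+", base.lower()):
        if tok.isdigit():
            parts.append(int(tok))
        elif tok in MODIFIERS:
            parts.append(MODIFIERS[tok])
        else:  # other letters: 1.2a > 1.2 (approximation of dewey.c)
            parts.extend([0] + [ord(c) - ord("a") + 1 for c in tok])
    return parts, int(nb) if nb.isdigit() else 0


def compare(a, b):
    """-1, 0 or 1; missing trailing components count as 0, 'nb' decides ties."""
    (pa, na), (pb, nb) = dewey(a), dewey(b)
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return (na > nb) - (na < nb)


OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}
DEWEY_RE = re.compile(r"^(?P<name>[^<>=]+?)(?P<ops>(?:(?:<=|>=|<|>)[^<>=]+)+)$")


def match(pattern, pkg):
    """Does pattern ({a,b} alternates, name<op>version, or glob) match 'name-version'?"""
    alt = re.match(r"^(.*?)\{([^}]*)\}(.*)$", pattern)
    if alt:
        return any(match(alt.group(1) + a + alt.group(3), pkg)
                   for a in alt.group(2).split(","))
    m = DEWEY_RE.match(pattern)
    if m:
        name, version = pkg.rpartition("-")[::2]
        if name != m.group("name"):
            return False
        return all(OPS[op](compare(version, want))
                   for op, want in re.findall(r"(<=|>=|<|>)([^<>=]+)", m.group("ops")))
    return fnmatch.fnmatchcase(pkg, pattern)


def audit(vuln_text, installed, include_eol=False, only_type=None, ignore_urls=()):
    """Return (package, type, url) for every installed package hit by an entry.

    include_eol mirrors -e, only_type mirrors -t, ignore_urls stands in for IGNORE_URLS.
    """
    findings = []
    for lineno, raw in enumerate(vuln_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected '<pattern> <type> <url>'")
        pattern, vtype, url = fields
        if (vtype == "eol" and not include_eol) or (only_type and vtype != only_type):
            continue
        if url in ignore_urls:
            continue
        findings.extend((pkg, vtype, url) for pkg in installed if match(pattern, pkg))
    return findings


if __name__ == "__main__":
    for pkg, vtype, url in audit(VULNS, INSTALLED, include_eol=True):
        print(f"Package {pkg} has a {vtype} vulnerability, see {url}")
```

Note the boundary entries in the sample: example-lib-2.0.5 is not reported for the range >=2.0<2.0.5 because the upper bound is exclusive, while example-lib-1.4.1nb2 is reported for <1.4.2 because the nb revision only breaks ties between otherwise equal versions.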

EXIT STATUS

FILES

/var/db/pkg/pkg-vulnerabilities
Vulnerabilities database.

/etc/audit-packages.conf
audit-packages configuration file.

ftp://ftp.netbsd.org/pub/NetBSD/security/PGP/pkgsrc-security@NetBSD.org.asc
Key used to sign the vulnerabilities file.

EXAMPLES

The download-vulnerability-list command can be run via cron(8) to update the pkg-vulnerabilities file daily. audit-packages can be run via cron(8) (or with NetBSD's /etc/security.local daily security script).

The download-vulnerability-list command can be forced to use IPv4 with the following setting in /etc/audit-packages.conf:

FETCH_ARGS="-4"

The download-vulnerability-list command can be forced to use http to download the pkg-vulnerabilities file with the following setting in /etc/audit-packages.conf:

FETCH_PROTO="http"

SEE ALSO

pkg_info(1), audit-packages.conf(5), mk.conf(5), pkgsrc(7)

HISTORY

The audit-packages and download-vulnerability-list commands were originally implemented and added to NetBSD's pkgsrc by Alistair Crooks on September 19, 2000. During April 2007 audit-packages was re-written by Adrian Portelli and support was added for compressed files and checking signatures on downloaded files. The original idea came from Roland Dowdeswell and Bill Sommerfeld.