tech-userlevel archive


Package automation in /etc/daily



Hello,

pkg_admin in the base system has bundled support for vulnerability
checks for a while.  I think it'd be valuable to automate these in
/etc/daily instead of relying on the administrator to do this.

The attached patch adds some new checks in the daily scripts to
refresh the vulnerabilities database and to check that the installed
packages are valid.  From the manpage:

   Settings for package-specific checks
     The following checks are specific to the packages system and will only be
     run if there are packages installed:

     audit_packages             Checks the currently installed packages
                                against a database of known vulnerabilities
                                and reports those that are vulnerable.
                                fetch_pkg_vulnerabilities should be enabled in
                                order for this to be useful.

     check_packages             Checks the digital signature of all files
                                installed by packages against the expected
                                values stored in the packages database.

     fetch_pkg_vulnerabilities  Refreshes the local database of package
                                vulnerabilities.

     The following variables affect the execution of the package checks:

     pkg_dbdir  Location of the packages database.  If unset, defaults to the
                value of the PKG_DBDIR environment variable (typically set
                from /etc/profile) or to /var/db/pkg.

Comments?

-- 
Julio Merino

Attachment: pkg-daily.diff
Description: Binary data
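
The following sketch is an added example, not the contents of the attached pkg-daily.diff: it shows one way a daily script could gate the three checks from the manpage excerpt and resolve pkg_dbdir in the documented order. The function names, the YES/NO convention and the PKG_ADMIN/PKG_INFO overrides are assumptions made for this example.

```sh
#!/bin/sh
# Setting names (audit_packages, check_packages, fetch_pkg_vulnerabilities,
# pkg_dbdir) come from the manpage excerpt; everything else is illustrative.
: "${PKG_ADMIN:=pkg_admin}"   # overridable so the logic can be exercised offline
: "${PKG_INFO:=pkg_info}"

# Documented precedence: pkg_dbdir setting, then $PKG_DBDIR, then /var/db/pkg.
resolve_pkg_dbdir() {
	printf '%s\n' "${pkg_dbdir:-${PKG_DBDIR:-/var/db/pkg}}"
}

# Only an explicit "yes" enables a check; unset or mistyped values disable it.
enabled() {
	eval "_v=\${$1:-NO}"
	case "$_v" in
	[Yy][Ee][Ss]) return 0 ;;
	*) return 1 ;;
	esac
}

run_pkg_checks() {
	dbdir=$(resolve_pkg_dbdir)
	status=0
	# The package checks only run if there are packages installed.
	"$PKG_INFO" -K "$dbdir" -q -E '*' >/dev/null 2>&1 || return 0
	# Refresh first, so the audit compares against current vulnerability data.
	if enabled fetch_pkg_vulnerabilities; then
		echo "Fetching package vulnerabilities database:"
		"$PKG_ADMIN" -K "$dbdir" fetch-pkg-vulnerabilities || status=1
	fi
	if enabled audit_packages; then
		echo "Scanning for vulnerable packages:"
		"$PKG_ADMIN" -K "$dbdir" audit || status=1
	fi
	if enabled check_packages; then
		echo "Checking installed package files:"
		"$PKG_ADMIN" -K "$dbdir" check || status=1
	fi
	# A non-zero exit from any step is remembered so the caller can flag it.
	return $status
}
```

Calling `run_pkg_checks` after sourcing the settings produces the report sections; a failed refresh does not stop the audit from running against the existing database.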


