Hello,
pkg_admin in the base system has bundled support for vulnerability
checks for a while. I think it'd be valuable to automate these in
/etc/daily instead of relying on the administrator to do this.
The attached patch adds some new checks in the daily scripts to
refresh the vulnerabilities database and to check that the installed
packages are valid. From the manpage:
Settings for package-specific checks
The following checks are specific to the packages system and will only be
run if there are packages installed:
audit_packages            Checks the currently installed packages against a
                          database of known vulnerabilities and reports those
                          that are vulnerable. fetch_pkg_vulnerabilities
                          should be enabled in order for this to be useful.
check_packages            Checks the digital signature of all files installed
                          by packages against the expected values stored in
                          the packages database.
fetch_pkg_vulnerabilities Refreshes the local database of package
                          vulnerabilities.
The following variables affect the execution of the package checks:
pkg_dbdir  Location of the packages database. If unset, defaults to the
           value of the PKG_DBDIR environment variable (typically set
           from /etc/profile) or to /var/db/pkg.
Comments?
--
Julio Merino
Attachment:
pkg-daily.diff
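The daily-script logic the post describes, written out as an added example that is not the attached patch: the checks run only when packages are installed, pkg_dbdir is resolved as the manpage text states, and the vulnerability list is refreshed before the audit. The PKG_ADMIN command hook and the use of pkg_admin(1)'s -K option to point at the database directory are assumptions.

```shell
#!/bin/sh
# Added example, not the patch from the post. PKG_ADMIN is an assumed hook
# so the logic can be exercised with a stub in place of the real pkg_admin(1).
PKG_ADMIN="${PKG_ADMIN:-pkg_admin}"

# Resolve the database directory as the manpage text describes:
# daily.conf's pkg_dbdir, then $PKG_DBDIR, then /var/db/pkg.
resolve_pkg_dbdir() {
    if [ -n "$pkg_dbdir" ]; then
        echo "$pkg_dbdir"
    elif [ -n "$PKG_DBDIR" ]; then
        echo "$PKG_DBDIR"
    else
        echo /var/db/pkg
    fi
}

# True only if at least one package directory exists under the db dir.
packages_installed() {
    dbdir=$(resolve_pkg_dbdir)
    [ -d "$dbdir" ] || return 1
    for entry in "$dbdir"/*; do
        [ -d "$entry" ] && return 0
    done
    return 1
}

# Run the enabled checks in a useful order: refresh the vulnerability list,
# audit installed packages against it, then verify installed file digests.
# Returns non-zero if any enabled check failed, so /etc/daily can report it.
run_package_checks() {
    packages_installed || return 0
    dbdir=$(resolve_pkg_dbdir)
    status=0
    if [ "$fetch_pkg_vulnerabilities" = YES ]; then
        "$PKG_ADMIN" -K "$dbdir" fetch-pkg-vulnerabilities || status=1
    fi
    if [ "$audit_packages" = YES ]; then
        echo "Checking for vulnerable packages:"
        "$PKG_ADMIN" -K "$dbdir" audit || status=1
    fi
    if [ "$check_packages" = YES ]; then
        echo "Checking the integrity of installed packages:"
        "$PKG_ADMIN" -K "$dbdir" check || status=1
    fi
    return $status
}
```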