audit-packages like program for FreeBSD?

From: Hendrik Scholz (hscholz@raisdorf.net)
Date: 07/30/02


Date: Tue, 30 Jul 2002 10:05:34 +1000
From: Hendrik Scholz <hscholz@raisdorf.net>
To: freebsd-security@freebsd.org

Hi!

While using NetBSD I discovered the audit-packages package.
Basically it consists of a script and a text file.
The text file contains information about packages/ports that are vulnerable to any kind of remote/local/dos attack.
The script can be run by the daily cron job and then checks if one of the installed packages is mentioned in the list of vulnerable packages.
If so it reports package name, version, type of bug and a URL to an advisory as part of the cron report.
The text file can be updated with ftp/wget/...

As I've been thinking about this, I just want to know if someone is interested in this for FreeBSD?

Writing the script itself should be no problem for me, but maintaining the vulnerability database could become difficult as the number of ports grows.
A script that crawls through the ports cvs tree and checks for ports marked forbidden since the last run would be a good start, but for unmaintained ports bugtraq/vuln-watch/... have to be read.
Any ideas how to get more input?

Which language to use?
Perl would do fine for this job, but as Perl isn't in the base system anymore, a shell script or C program would be better if it should be possible to run this as part of the daily cron job.
If I start with this, what language should I use?

Thanks for all comments, Hendrik

P.S. I won't be able to answer all questions immediately as I'm on vacation :)

-- 
Hendrik Scholz - <hscholz@raisdorf.net> - http://raisdorf.net/
drag me, drop me - treat me like an object 
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
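The check described in the post (installed packages matched against a downloaded vulnerability list, run from cron, each hit reported with type of bug and advisory URL), as an added example that is neither the NetBSD audit-packages script nor code from this post. It is POSIX sh because the post notes Perl is no longer in the FreeBSD base system. The list format, the sample entries, the advisories.example URLs and the two sample files are constructed for this example; on a real host the installed list would come from pkg_info and the vulnerability file from the ftp/wget fetch mentioned above.

```shell
#!/bin/sh
# Added example, not the NetBSD audit-packages script and not code from the
# post. Assumed vulnerability-list format: one entry per line, three
# whitespace-separated fields, lines starting with '#' ignored:
#   <package regex>  <type of bug>  <advisory URL>
# The regex is a POSIX extended RE that must match a whole "name-version"
# string (grep -x), so an entry for openssl-0.9.6[a-d] cannot also flag the
# fixed 0.9.6e. Matching is delegated to grep instead of eval'ing the
# downloaded pattern as a shell glob, so a hostile entry in a list fetched
# over ftp cannot run commands in the cron job.

# Constructed sample vulnerability list (made-up entries and URLs).
sample_vulns() {
    cat <<'EOF'
# pattern                      type         url
openssl-0\.9\.6[a-d]?          remote-root  http://advisories.example/openssl-1
apache-1\.3\.(1[0-9]|2[0-5])   remote-dos   http://advisories.example/apache-1
zlib-1\.1\.3                   local-dos    http://advisories.example/zlib-1
EOF
}

# Constructed installed-package list in the "name-version  comment" shape
# that pkg_info(1) prints; on a real host: pkg_info > "$installed"
sample_installed() {
    cat <<'EOF'
apache-1.3.22       The extremely popular Apache http server
openssl-0.9.6e      SSL and crypto library
perl-5.6.1          Practical Extraction and Report Language
zlib-1.1.3          A general purpose data compression library
EOF
}

# audit_packages VULNFILE INSTALLEDFILE
# Prints "<pkg> <type> <url>" for every installed package matching an entry.
# Exit status 1 when something was found, 0 when clean, 2 on setup failure,
# so a cron wrapper can tell the cases apart without parsing the report.
audit_packages() {
    vulnfile=$1
    names=$(mktemp) || return 2
    awk '{ print $1 }' "$2" > "$names"     # keep only name-version
    found=0
    while read -r pattern type url; do
        case $pattern in ''|'#'*) continue ;; esac   # blank line or comment
        if [ -z "$url" ]; then
            echo "audit-packages: malformed entry: $pattern" >&2
            continue
        fi
        # grep exits 1 when nothing matches, which is not an error here
        for pkg in $(grep -xE -- "$pattern" "$names" || true); do
            printf '%s %s %s\n' "$pkg" "$type" "$url"
            found=1
        done
    done < "$vulnfile"
    rm -f "$names"
    return $found
}

# Stand-alone run: write the two constructed files and audit them.
main() {
    v=$(mktemp) && i=$(mktemp) || exit 2
    sample_vulns > "$v"
    sample_installed > "$i"
    status=0
    audit_packages "$v" "$i" || status=$?
    rm -f "$v" "$i"
    case $status in
        0) echo "audit-packages: no vulnerable packages found" ;;
        1) echo "audit-packages: vulnerable packages found, see above" ;;
        *) echo "audit-packages: could not create temporary file" >&2 ;;
    esac
}

main
```

Run as is, the script reports apache-1.3.22 and zlib-1.1.3 and leaves openssl-0.9.6e alone. The exit status of audit_packages is what a periodic(8)-style wrapper would key on to decide whether the cron mail needs attention.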