From: Andreas Steffen Date: Fri, 25 Aug 2017 09:23:20 +0000 (+0200) Subject: sec-updater: Checks for security updates X-Git-Tag: 5.6.1dr1~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b84817375d1cb2a40f6f004ea619e4f7cfab6da5;p=thirdparty%2Fstrongswan.git sec-updater: Checks for security updates sec-updater checks for security updates and backports in Debian/ Ubuntu repositories and sets the security flags in the strongTNC policy database accordingly. --- diff --git a/configure.ac b/configure.ac index ea09855ec6..ce0c9a70fa 100644 --- a/configure.ac +++ b/configure.ac @@ -1969,6 +1969,7 @@ AC_CONFIG_FILES([ src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile + src/sec-updater/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile @@ -2003,6 +2004,7 @@ AC_CONFIG_FILES([ src/swanctl/swanctl.conf.5.tail src/pt-tls-client/pt-tls-client.1 src/sw-collector/sw-collector.8 + src/sec-updater/sec-updater.8 ]) AC_OUTPUT diff --git a/src/Makefile.am b/src/Makefile.am index 1bdb8337cc..7bef1a5dd1 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -132,6 +132,10 @@ if USE_IMC_SWIMA SUBDIRS += sw-collector endif +if USE_IMV_SWIMA + SUBDIRS += sec-updater +endif + if USE_INTEGRITY_TEST SUBDIRS += checksum endif diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am index 1856e2a319..107b26c31c 100644 --- a/src/checksum/Makefile.am +++ b/src/checksum/Makefile.am @@ -130,6 +130,10 @@ if USE_IMC_SWIMA exes += $(DESTDIR)$(sbindir)/sw-collector endif +if USE_IMV_SWIMA + exes += $(DESTDIR)$(sbindir)/sec-updater +endif + checksum.c : checksum_builder $(deps) $(exes) ./checksum_builder $(libs) $(exes) > checksum.c diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am index f5bc9010c8..50a87d8770 100644 --- a/src/libimcv/plugins/imv_os/Makefile.am +++ b/src/libimcv/plugins/imv_os/Makefile.am @@ -18,12 +18,3 @@ imv_os_la_SOURCES = \ imv_os_database.c imv_os_database.h imv_os_la_LDFLAGS = -module -avoid-version -no-undefined - -if !USE_WINDOWS -ipsec_PROGRAMS = pacman -pacman_SOURCES = pacman.c -pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -pacman.o : $(top_builddir)/config.status - -EXTRA_DIST = pacman.sh -endif diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh deleted file mode 100755 index fcf35b6449..0000000000 --- a/src/libimcv/plugins/imv_os/pacman.sh +++ /dev/null @@ -1,203 +0,0 @@ -#!/bin/sh - -DIR="/etc/pts" -DATE=`date +%Y%m%d-%H%M` -UBUNTU="http://security.ubuntu.com/ubuntu/dists" -UBUNTU_VERSIONS="trusty saucy raring quantal precise lucid" -UBUNTU_DIRS="main multiverse restricted universe" -UBUNTU_ARCH="binary-amd64 binary-i386" -DEBIAN="http://security.debian.org/dists" -DEBIAN_VERSIONS="jessie wheezy squeeze" -DEBIAN_DIRS="main contrib non-free" -DEBIAN_ARCH="binary-amd64 binary-i386" -PACMAN=/usr/libexec/ipsec/pacman -PACMAN_LOG="$DIR/$DATE-pacman.log" - -mkdir -p $DIR/dists -cd $DIR/dists - -for v in $UBUNTU_VERSIONS -do - for a in $UBUNTU_ARCH - do - mkdir -p $v-security/$a $v-updates/$a - for d in $UBUNTU_DIRS - do - wget $UBUNTU/$v-security/$d/$a/Packages.bz2 -O $v-security/$a/Packages-$d.bz2 - bunzip2 -f $v-security/$a/Packages-$d.bz2 - wget $UBUNTU/$v-updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 - done - done -done - -for v in $DEBIAN_VERSIONS -do - for a in $DEBIAN_ARCH - do - mkdir -p $v-updates/$a - for d in $DEBIAN_DIRS - do - wget $DEBIAN/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 - bunzip2 -f $v-updates/$a/Packages-$d.bz2 - done - done -done - -for f in trusty-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 14.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in trusty-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 14.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in trusty-security/binary-i386/* -do - $PACMAN --product "Ubuntu 14.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in trusty-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 14.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in saucy-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.10 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in saucy-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.10 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in saucy-security/binary-i386/* -do - $PACMAN --product "Ubuntu 13.10 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in saucy-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 13.10 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in raring-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in raring-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 13.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in raring-security/binary-i386/* -do - $PACMAN --product "Ubuntu 13.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in raring-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 13.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in quantal-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.10 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in quantal-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.10 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in quantal-security/binary-i386/* -do - $PACMAN --product "Ubuntu 12.10 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in quantal-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 12.10 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in precise-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in precise-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 12.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in precise-security/binary-i386/* -do - $PACMAN --product "Ubuntu 12.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in precise-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 12.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in lucid-security/binary-amd64/* -do - $PACMAN --product "Ubuntu 10.04 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in lucid-updates/binary-amd64/* -do - $PACMAN --product "Ubuntu 10.04 x86_64" --file $f >> $PACMAN_LOG -done -echo -for f in lucid-security/binary-i386/* -do - $PACMAN --product "Ubuntu 10.04 i686" --file $f --security >> $PACMAN_LOG -done -echo -for f in lucid-updates/binary-i386/* -do - $PACMAN --product "Ubuntu 10.04 i686" --file $f >> $PACMAN_LOG -done -echo - -for f in jessie-updates/binary-amd64/* -do - $PACMAN --product "Debian 8.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in jessie-updates/binary-i386/* -do - $PACMAN --product "Debian 8.0 i686" --file $f --security >> $PACMAN_LOG -done - -for f in wheezy-updates/binary-amd64/* -do - $PACMAN --product "Debian 7.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in wheezy-updates/binary-i386/* -do - $PACMAN --product "Debian 7.0 i686" --file $f --security >> $PACMAN_LOG -done - -for f in squeeze-updates/binary-amd64/* -do - $PACMAN --product "Debian 6.0 x86_64" --file $f --security >> $PACMAN_LOG -done -echo -for f in squeeze-updates/binary-i386/* -do - $PACMAN --product "Debian 6.0 i686" --file $f --security >> $PACMAN_LOG -done - -cp $DIR/config.db $DIR/config.db-$DATE diff --git a/src/sec-updater/.gitignore b/src/sec-updater/.gitignore new file mode 100644 index 0000000000..4c0d4c4408 --- /dev/null +++ b/src/sec-updater/.gitignore @@ -0,0 +1,2 @@ +sec-updater +sec-updater.8 diff --git a/src/sec-updater/Makefile.am b/src/sec-updater/Makefile.am new file mode 100644 index 0000000000..5546cb8f8a --- /dev/null +++ b/src/sec-updater/Makefile.am @@ -0,0 +1,18 @@ +if !USE_WINDOWS + +sbin_PROGRAMS = sec-updater + +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -DPLUGINS=\""sqlite"\" + +sec_updater_SOURCES = sec-updater.c +sec_updater_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +sec-updater.o : $(top_builddir)/config.status + +EXTRA_DIST = sec-updater.sh + +man8_MANS = sec-updater.8 +CLEANFILES = $(man8_MANS) + +endif diff --git a/src/sec-updater/sec-updater.8.in b/src/sec-updater/sec-updater.8.in new file mode 100644 index 0000000000..e58f3b99ac --- /dev/null +++ b/src/sec-updater/sec-updater.8.in @@ -0,0 +1,65 @@ +.TH SEC-UPDATER 8 "2017-08-25" "@PACKAGE_VERSION@" "strongSwan" +. +.SH "NAME" +. +sec-updater \- Extracts security update information of Linux distributions +. +.SH "SYNOPSIS" +. +.SY "sec-updater" +.OP \-\-debug level +.OP \-\-quiet +.OP \-\-security +.BI \-\-product " name" +.BI \-\-file " filename" +.YS +. +.SY "sec-updater" +.B \-h +| +.B \-\-help +.YS +. +.SH "DESCRIPTION" +. +.B sec-updater +extracts information about security updates and backports of Linux repositories +(e.g. Debian or Ubuntu). This information is used to update the package version +information stored in the strongTNC SQLite database. The "dbkg --compare-versions" +command is used to determine which package versions are affected by a given +security update. +. +.SH "OPTIONS" +. +.TP +.B "\-h, \-\-help" +Prints usage information and a short summary of the available commands. +.TP +.BI "\-v, \-\-debug " level +Set debug level, default: 1. +.TP +.B "\-q, \-\-quiet" +Disable debug output to stderr. +.TP +.B "\-s, \-\-security" +Set when parsing a distributions file with security updates. +.TP +.BI "\-p, \-\-product " name +Name of Linux version as stored in database. eg. "Ubuntu 16.04 x86_64". +.TP +.BI "\-f, \-\-file " filename +Linux package information file to parse. +. +.SH "CONFIGURATION" +. +The following parameter must be configured in strongswan.conf: +.P + sec-updater { + database = sqlite:///etc/pts/config.db + } +.P +. +.SH "SEE ALSO" +. +.BR strongswan.conf (5) + diff --git a/src/libimcv/plugins/imv_os/pacman.c b/src/sec-updater/sec-updater.c similarity index 53% rename from src/libimcv/plugins/imv_os/pacman.c rename to src/sec-updater/sec-updater.c index fbcab5eba1..d8a9fbb9e8 100644 --- a/src/libimcv/plugins/imv_os/pacman.c +++ b/src/sec-updater/sec-updater.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2017 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -22,18 +22,17 @@ #include #include #include - -#include "imv_os_state.h" +#include #include #include -typedef enum pacman_state_t pacman_state_t; +typedef enum sec_update_state_t sec_update_state_t; -enum pacman_state_t { - PACMAN_STATE_BEGIN_PACKAGE, - PACMAN_STATE_VERSION, - PACMAN_STATE_END_PACKAGE +enum sec_update_state_t { + SEC_UPDATE_STATE_BEGIN_PACKAGE, + SEC_UPDATE_STATE_VERSION, + SEC_UPDATE_STATE_END_PACKAGE }; typedef struct stats_t stats_t; @@ -42,22 +41,20 @@ struct stats_t { time_t release; int product; int packages; - int new_packages; int new_versions; int updated_versions; - int deleted_versions; }; /** * global debug output variables */ static int debug_level = 1; -static bool stderr_quiet = TRUE; +static bool stderr_quiet = FALSE; /** - * pacman dbg function + * sec_updater dbg function */ -static void pacman_dbg(debug_t group, level_t level, char *fmt, ...) +static void sec_updater_dbg(debug_t group, level_t level, char *fmt, ...) { int priority = LOG_INFO; char buffer[8192]; @@ -104,14 +101,17 @@ static void cleanup(void) static void usage(void) { - printf("Parses package information files from Debian/Ubuntu repositories and\n"); - printf("stores the extracted information in the database used by the OS IMV.\n\n"); - printf("ipsec pacman --product --file [--security]\n\n"); - printf(" --help print usage information\n"); - printf(" --product name of the Debian/Ubuntu release, as stored in the DB\n"); - printf(" --file package information file to parse\n"); - printf(" --security set this when parsing a file with security updates\n"); - printf("\n"); + printf("\ +Usage:\n\ + sec-updater --help\n\ + sec-updater [--debug ] [--quiet] [--security] --product --file \n\n\ + Options:\n\ + --help print usage information\n\ + --debug set debug level\n\ + --quiet suppress debug output to stderr\n\ + --security set when parsing a file with security updates\n\ + --product name of the Linux version as stored in the database\n\ + --file package information file to parse"); } /** @@ -120,11 +120,9 @@ static void usage(void) static bool update_database(database_t *db, char *package, char *version, bool security, stats_t *stats) { - char *cur_version, *version_update = NULL, *version_delete = NULL; - int cur_security, security_update = 0, security_delete = 0; - int pac_id = 0, vid = 0, vid_update = 0, vid_delete = 0; - u_int cur_time; - bool add_version = TRUE; + int pid = 0, vid = 0, sec_flag; + bool first = TRUE, found = FALSE; + char *release; enumerator_t *e; /* increment package count */ @@ -137,141 +135,91 @@ static bool update_database(database_t *db, char *package, char *version, { return FALSE; } - if (!e->enumerate(e, &pac_id)) + if (!e->enumerate(e, &pid)) { - pac_id = 0; + pid = 0; } e->destroy(e); - if (!pac_id && security) + if (!pid) { - if (db->execute(db, &pac_id, "INSERT INTO packages (name) VALUES (?)", - DB_TEXT, package) != 1) - { - fprintf(stderr, "could not store package '%s' to database\n", - package); - return FALSE; - } - stats->new_packages++; + return TRUE; } - /* check for package versions already in database */ + /* retrieve all package versions stored in database */ e = db->query(db, - "SELECT id, release, security, time FROM versions " - "WHERE package = ? AND product = ?", DB_INT, pac_id, - DB_INT, stats->product, DB_INT, DB_TEXT, DB_INT, DB_UINT); + "SELECT id, release, security FROM versions " + "WHERE product = ? AND package = ?", + DB_INT, stats->product, DB_INT, pid, DB_INT, DB_TEXT, DB_INT); if (!e) { return FALSE; } - while (e->enumerate(e, &vid, &cur_version, &cur_security, &cur_time)) + while (e->enumerate(e, &vid, &release, &sec_flag)) { - if (streq(version, cur_version)) + char command[BUF_LEN]; + char found_char = ' '; + bool update_version = FALSE; + + if (streq(version, release)) { - /* already in data base */ - add_version = FALSE; - break; + found = TRUE; + found_char = '*'; } - else if (stats->release >= cur_time) + else if (security) { - if (security) + snprintf(command, BUF_LEN, "dpkg --compare-versions %s lt %s", + release, version); + if (system(command) == 0) { - if (cur_security) + found_char = '!'; + if (!sec_flag) { - vid_update = vid; - version_update = strdup(cur_version); - security_update = cur_security; - } - else - { - vid_delete = vid; - version_delete = strdup(cur_version); - security_delete = cur_security; - } - } - else - { - if (!cur_security) - { - vid_update = vid; - version_update = strdup(cur_version); - security_update = cur_security; + if (db->execute(db, NULL, "UPDATE versions " + "SET security = 1 WHERE id = ?", DB_INT, vid) != 1) + { + DBG1(DBG_IMV, " could not update version"); + e->destroy(e); + return FALSE; + } + update_version = TRUE; + stats->updated_versions++; } } } - else + if (debug_level < 2 && !update_version) { - if (security == cur_security) - { - add_version = FALSE; - } + continue; } + if (first) + { + DBG1(DBG_IMV, "%s", package); + first = FALSE; + } + DBG1(DBG_IMV, " %c%s %s", found_char , sec_flag ? "s" : " ", release); } e->destroy(e); - if ((!vid && !security) || (vid && !add_version)) - { - free(version_update); - free(version_delete); - return TRUE; - } - - if ((!vid && security) || (vid && !vid_update)) + if (!found) { - printf("%s (%s) %s\n", package, version, security ? "[s]" : ""); + if (first) + { + DBG1(DBG_IMV, "%s", package); + } + DBG1(DBG_IMV, " + %s", version); if (db->execute(db, &vid, "INSERT INTO versions " "(package, product, release, security, time) " - "VALUES (?, ?, ?, ?, ?)", DB_INT, pac_id, DB_INT, stats->product, - DB_TEXT, version, DB_INT, security, DB_INT, stats->release) != 1) + "VALUES (?, ?, ?, 0, ?)", DB_INT, pid, DB_INT, stats->product, + DB_TEXT, version, DB_INT, stats->release) != 1) { - fprintf(stderr, "could not store version '%s' to database\n", - version); - free(version_update); - free(version_delete); + DBG1(DBG_IMV, " could not store version to database"); return FALSE; } stats->new_versions++; } - else - { - printf("%s (%s) %s updated by\n", - package, version_update, security_update ? "[s]" : ""); - printf("%s (%s) %s\n", package, version, security ? "[s]" : ""); - - if (db->execute(db, NULL, - "UPDATE versions SET release = ?, time = ? WHERE id = ?", - DB_TEXT, version, DB_INT, stats->release, DB_INT, vid_update) <= 0) - { - fprintf(stderr, "could not update version '%s' to database\n", - version); - free(version_update); - free(version_delete); - return FALSE; - } - stats->updated_versions++; - } - - if (vid_delete) - { - printf("%s (%s) %s deleted\n", - package, version_delete, security_delete ? "[s]" : ""); - if (db->execute(db, NULL, - "DELETE FROM versions WHERE id = ?", - DB_INT, vid_delete) <= 0) - { - fprintf(stderr, "could not delete version '%s' from database\n", - version_delete); - free(version_update); - free(version_delete); - return FALSE; - } - stats->deleted_versions++; - } - free(version_update); - free(version_delete); return TRUE; } @@ -282,7 +230,7 @@ static bool update_database(database_t *db, char *package, char *version, static void process_packages(char *filename, char *product, bool security) { char *uri, line[BUF_LEN], *pos, *package = NULL, *version = NULL; - pacman_state_t pacman_state; + sec_update_state_t state; enumerator_t *e; database_t *db; int pid; @@ -297,26 +245,26 @@ static void process_packages(char *filename, char *product, bool security) stats.release = time(NULL); /* opening package file */ - printf("loading\"%s\"\n", filename); + DBG1(DBG_IMV, "loading \"%s\"", filename); file = fopen(filename, "r"); if (!file) { - fprintf(stderr, "could not open \"%s\"\n", filename); + DBG1(DBG_IMV, " could not open \"%s\"", filename); exit(EXIT_FAILURE); } /* connect package database */ - uri = lib->settings->get_str(lib->settings, "pacman.database", NULL); + uri = lib->settings->get_str(lib->settings, "sec-updater.database", NULL); if (!uri) { - fprintf(stderr, "database URI pacman.database not set\n"); + DBG1(DBG_IMV, "database URI sec-updater.database not set"); fclose(file); exit(EXIT_FAILURE); } db = lib->db->create(lib->db, uri); if (!db) { - fprintf(stderr, "could not connect to database '%s'\n", uri); + DBG1(DBG_IMV, "could not connect to database '%s'", uri); fclose(file); exit(EXIT_FAILURE); } @@ -337,7 +285,7 @@ static void process_packages(char *filename, char *product, bool security) if (db->execute(db, &pid, "INSERT INTO products (name) VALUES (?)", DB_TEXT, product) != 1) { - fprintf(stderr, "could not store product '%s' to database\n", + DBG1(DBG_IMV, "could not store product '%s' to database", product); fclose(file); db->destroy(db); @@ -346,16 +294,16 @@ static void process_packages(char *filename, char *product, bool security) stats.product = pid; } - pacman_state = PACMAN_STATE_BEGIN_PACKAGE; + state = SEC_UPDATE_STATE_BEGIN_PACKAGE; while (fgets(line, sizeof(line), file)) { /* set read pointer to beginning of line */ pos = line; - switch (pacman_state) + switch (state) { - case PACMAN_STATE_BEGIN_PACKAGE: + case SEC_UPDATE_STATE_BEGIN_PACKAGE: pos = strstr(pos, "Package: "); if (!pos) { @@ -367,10 +315,10 @@ static void process_packages(char *filename, char *product, bool security) if (pos) { package = strndup(package, pos - package); - pacman_state = PACMAN_STATE_VERSION; + state = SEC_UPDATE_STATE_VERSION; } break; - case PACMAN_STATE_VERSION: + case SEC_UPDATE_STATE_VERSION: pos = strstr(pos, "Version: "); if (!pos) { @@ -382,10 +330,10 @@ static void process_packages(char *filename, char *product, bool security) if (pos) { version = strndup(version, pos - version); - pacman_state = PACMAN_STATE_END_PACKAGE; + state = SEC_UPDATE_STATE_END_PACKAGE; } break; - case PACMAN_STATE_END_PACKAGE: + case SEC_UPDATE_STATE_END_PACKAGE: if (*pos != '\n') { continue; @@ -399,15 +347,15 @@ static void process_packages(char *filename, char *product, bool security) db->destroy(db); exit(EXIT_FAILURE); } - pacman_state = PACMAN_STATE_BEGIN_PACKAGE; + state = SEC_UPDATE_STATE_BEGIN_PACKAGE; } } - switch (pacman_state) + switch (state) { - case PACMAN_STATE_END_PACKAGE: + case SEC_UPDATE_STATE_END_PACKAGE: free(version); /* fall-through */ - case PACMAN_STATE_VERSION: + case SEC_UPDATE_STATE_VERSION: free(package); break; default: @@ -416,10 +364,9 @@ static void process_packages(char *filename, char *product, bool security) fclose(file); db->destroy(db); - printf("processed %d packages, %d new packages, %d new versions, " - "%d updated versions, %d deleted versions\n", - stats.packages, stats.new_packages, stats.new_versions, - stats.updated_versions, stats.deleted_versions); + DBG1(DBG_IMV, "processed \"%s\": %d packages, %d new versions, " + "%d updated versions", filename, stats.packages, + stats.new_versions, stats.updated_versions); } static void do_args(int argc, char *argv[]) @@ -436,8 +383,10 @@ static void do_args(int argc, char *argv[]) struct option long_opts[] = { { "help", no_argument, NULL, 'h' }, + { "debug", required_argument, NULL, 'd' }, { "file", required_argument, NULL, 'f' }, { "product", required_argument, NULL, 'p' }, + { "quiet", no_argument, NULL, 'q' }, { "security", no_argument, NULL, 's' }, { 0,0,0,0 } }; @@ -450,12 +399,18 @@ static void do_args(int argc, char *argv[]) case 'h': usage(); exit(EXIT_SUCCESS); + case 'd': + debug_level = atoi(optarg); + continue; case 'f': filename = optarg; continue; case 'p': product = optarg; continue; + case 'q': + stderr_quiet = TRUE; + continue; case 's': security = TRUE; continue; @@ -477,18 +432,18 @@ static void do_args(int argc, char *argv[]) int main(int argc, char *argv[]) { /* enable attest debugging hook */ - dbg = pacman_dbg; - openlog("pacman", 0, LOG_DEBUG); + dbg = sec_updater_dbg; + openlog("sec-updater", 0, LOG_DEBUG); atexit(cleanup); /* initialize library */ - if (!library_init(NULL, "pacman")) + if (!library_init(NULL, "sec-updater")) { exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); } if (!lib->plugins->load(lib->plugins, - lib->settings->get_str(lib->settings, "pacman.load", "sqlite"))) + lib->settings->get_str(lib->settings, "sec-updater.load", "sqlite"))) { exit(SS_RC_INITIALIZATION_FAILED); } diff --git a/src/sec-updater/sec-updater.sh b/src/sec-updater/sec-updater.sh new file mode 100755 index 0000000000..1f4b694650 --- /dev/null +++ b/src/sec-updater/sec-updater.sh @@ -0,0 +1,69 @@ +#!/bin/sh + +DIR="/etc/pts" +DATE=`date +%Y%m%d-%H%M` +UBUNTU="http://security.ubuntu.com/ubuntu/dists" +UBUNTU_VERSIONS="xenial" +UBUNTU_DIRS="main multiverse restricted universe" +UBUNTU_ARCH="binary-amd64" +DEBIAN="http://security.debian.org/dists" +DEBIAN_VERSIONS="jessie" +DEBIAN_DIRS="main contrib non-free" +DEBIAN_ARCH="binary-amd64" +CMD=/usr/sbin/sec-updater +CMD_LOG="$DIR/$DATE-sec-update.log" + +mkdir -p $DIR/dists +cd $DIR/dists + +# Download Ubuntu distribution information + +for v in $UBUNTU_VERSIONS +do + for a in $UBUNTU_ARCH + do + mkdir -p $v-security/$a $v-updates/$a + for d in $UBUNTU_DIRS + do + wget $UBUNTU/$v-security/$d/$a/Packages.xz -O $v-security/$a/Packages-$d.xz + unxz -f $v-security/$a/Packages-$d.xz + wget $UBUNTU/$v-updates/$d/$a/Packages.xz -O $v-updates/$a/Packages-$d.xz + unxz -f $v-updates/$a/Packages-$d.xz + done + done +done + +# Download Debian distribution information + +for v in $DEBIAN_VERSIONS +do + for a in $DEBIAN_ARCH + do + mkdir -p $v-updates/$a + for d in $DEBIAN_DIRS + do + wget $DEBIAN/$v/updates/$d/$a/Packages.bz2 -O $v-updates/$a/Packages-$d.bz2 + bunzip2 -f $v-updates/$a/Packages-$d.bz2 + done + done +done + +# Run sec-updater in distribution information + +for f in xenial-security/binary-amd64/* +do + echo "security: $f" + $CMD --product "Ubuntu 16.04 x86_64" --file $f --security >> $CMD_LOG 2>&1 +done +echo +for f in xenial-updates/binary-amd64/* +do + echo "updates: $f" + $CMD --product "Ubuntu 16.04 x86_64" --file $f >> $CMD_LOG 2>&1 +done +echo +for f in jessie-updates/binary-amd64/* +do + echo "security: $f" + $CMD --product "Debian 8.0 x86_64" --file $f --security >> $CMD_LOG 2>&1 +done