authorMarc.Jose2018-03-11 16:00:55 +0100
committerMarc.Jose2018-03-11 16:00:55 +0100
commit2241e93ad2595f1c01cea836cdfc60c2982690fd (patch)
treec0199245cd077e08140836ce3c1d7dde916e15c4
downloadaur-2241e93ad2595f1c01cea836cdfc60c2982690fd.tar.gz
First version, v1
-rw-r--r--.SRCINFO25
-rw-r--r--PKGBUILD48
-rw-r--r--arch-security.hook10
-rwxr-xr-xarch-security.sh36
4 files changed, 119 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..f3d472b16bbf
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,25 @@
+pkgbase = arch-security
+ pkgdesc = Display current vulnerabilities for installed packages and scan for some possible security issues
+ pkgver = 1.0
+ pkgrel = 1
+ url = https://gitlab.marc-jose.de/marc.jose/arch-security
+ arch = any
+ license = MIT
+ makedepends = git
+ makedepends = awk
+ makedepends = coreutils
+ makedepends = grep
+ makedepends = python-pip
+ depends = python
+ depends = pacman
+ depends = sudo
+ provides = arch-security
+ source = git+https://gitlab.marc-jose.de/marc.jose/arch-security.git
+ source = arch-security.hook
+ source = arch-security.sh
+ sha512sums = SKIP
+ sha512sums = 8e107f81db0345c320d8291a5e210685ced10ab0799d63a84946146ef721a340feb7dcdda8b7c849e4a837f8cbbe38653d0a8a9a2531237a2494661ff930f91c
+ sha512sums = abaad6469ff25fcec1fd5c045cdfab3129d4abd868948030633b1afcef4d282d8569d2bdafd56cb9d1487c6ddea5a2034f1a8e9a228fb469f271dcd837107184
+
+pkgname = arch-security
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..f8c77decc85b
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,48 @@
+# Maintainer: Marc Jose <Hering2007@web.de>
+pkgname=arch-security
+pkgver=1.0
+pkgrel=1
+pkgdesc="Display current vulnerabilities for installed packages and scan for some possible security issues"
+arch=('any')
+url="https://gitlab.marc-jose.de/marc.jose/$pkgname"
+license=('MIT')
+makedepends=('git' 'awk' 'coreutils' 'grep' 'python-pip')
+provides=("$pkgname")
+depends=('python' 'pacman' 'sudo')
+source=("git+https://gitlab.marc-jose.de/marc.jose/$pkgname.git"
+ 'arch-security.hook'
+ 'arch-security.sh')
+sha512sums=('SKIP'
+ '8e107f81db0345c320d8291a5e210685ced10ab0799d63a84946146ef721a340feb7dcdda8b7c849e4a837f8cbbe38653d0a8a9a2531237a2494661ff930f91c'
+ '720cb8df7e219b7609885ab3384172acfdc26ae87f4d5004efd1237139bc63093ace4e5f2d769d7393e071d4e89b3954d2d5d3c80841d95cdca25ba03bd4bdf1')
+
+package() {
+ # If hooks are not enabled then do that now
+ HOOK_DIR="$(/usr/bin/cat '/etc/pacman.conf' | /usr/bin/grep 'HookDir')"
+ if [[ "${HOOK_DIR}" == "#"* ]]; then
+ sudo /usr/bin/sed -i 's/^\#[\s]*HookDir/HookDir/' '/etc/pacman.conf'
+ fi
+
+ # If not hook-dir is set then do that now as well
+ HOOK_DIR="$(/usr/bin/cat '/etc/pacman.conf' | /usr/bin/grep 'HookDir' | /usr/bin/awk '{print $3}')"
+ if [[ -z "${HOOK_DIR}" ]]; then
+ sudo /usr/bin/sed -i 's/^HookDir.*/HookDir = \/etc\/pacman\.d\/hooks/' '/etc/pacman.conf'
+ /usr/bin/mkdir -p '/etc/pacman.d/hooks'
+ fi
+
+ # Get actual hook dir
+ HOOK_DIR="$(/usr/bin/cat '/etc/pacman.conf' | /usr/bin/grep 'HookDir' | /usr/bin/awk '{print $3}')"
+
+ # Install files
+ install -Dm644 'arch-security.hook' "$pkgdir/${HOOK_DIR}/arch-security.hook"
+ install -Dm644 "$srcdir/$pkgname/LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+ install -Dm777 'arch-security.sh' "$pkgdir/usr/bin/arch-security"
+ install -Dm744 "$srcdir/$pkgname/update_database.py" "$pkgdir/opt/$pkgname/update_database.py"
+ install -Dm744 "$srcdir/$pkgname/arch-security.py" "$pkgdir/opt/$pkgname/arch-security.py"
+ /usr/bin/cp -r "$srcdir/$pkgname/security_tests" "$pkgdir/opt/$pkgname/security_tests"
+ install -Dm644 "$srcdir/$pkgname/requirements.txt" "$pkgdir/opt/$pkgname/requirements.txt"
+ /usr/bin/python3 -m venv "$pkgdir/opt/$pkgname/env" || /usr/bin/virtualenv -p python3 "$pkgdir/opt/$pkgname/env"
+ $pkgdir/opt/$pkgname/env/bin/pip3 install --quiet -r "$pkgdir/opt/$pkgname/requirements.txt"
+ /usr/bin/touch "$pkgdir/opt/$pkgname/database.sqli"
+ /usr/bin/chmod g+r,o+r "$pkgdir/opt/$pkgname/database.sqli"
+}
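Review bot: `install -Dm777 'arch-security.sh' "$pkgdir/usr/bin/arch-security"` ships a world-writable script into /usr/bin, so any local user can overwrite what every other user (and root, whenever it is run under the `sudo` this package depends on) will later execute; it should be `-Dm755`. The same package() also edits the live /etc/pacman.conf with `sudo sed -i` and creates /etc/pacman.d/hooks on the build host instead of writing only under `$pkgdir`, which is a side effect a PKGBUILD must not have and breaks clean-chroot builds — a hook shipped by a package belongs in `/usr/share/libalpm/hooks`, which pacman reads regardless of HookDir, so the whole detection block can be dropped. Separately, the git source has `sha512sums=('SKIP' …)` with no `#tag=`/`#commit=` fragment and the pip step pulls whatever requirements.txt resolves to from the network into `$pkgdir` at package time, so nothing in this build verifies the code that actually lands in the package; pin the source to a tag or commit and prefer packaged `depends` over a vendored venv. The .SRCINFO in this commit lists a different sha512 for arch-security.sh than this PKGBUILD does, so it is already stale and `makepkg --printsrcinfo` needs re-running. The venv is also created with the absolute `$pkgdir` path baked in, so the generated `env/bin/pip3` shebang probably still points at the build directory after installation — worth confirming.

```bash
package() {
  # package() must only write under $pkgdir: never edit the build host's
  # /etc/pacman.conf or create directories outside the staging tree.
  # Packaged hooks go in /usr/share/libalpm/hooks; pacman reads that directory
  # regardless of the HookDir setting in pacman.conf.
  install -Dm644 'arch-security.hook' "$pkgdir/usr/share/libalpm/hooks/arch-security.hook"
  install -Dm644 "$srcdir/$pkgname/LICENSE" "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
  # 0755, not 0777: a world-writable executable in /usr/bin can be replaced by any local user.
  install -Dm755 'arch-security.sh' "$pkgdir/usr/bin/arch-security"
  # … unchanged: install of update_database.py, arch-security.py, security_tests, requirements.txt, venv + pip, database.sqli …
```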
diff --git a/arch-security.hook b/arch-security.hook
new file mode 100644
index 000000000000..7b0dc97c7dbd
--- /dev/null
+++ b/arch-security.hook
@@ -0,0 +1,10 @@
+[Trigger]
+Operation=Install
+Operation=Upgrade
+Operation=Remove
+Type=Package
+Target=*
+
+[Action]
+When=PostTransaction
+Exec=/opt/arch-security/env/bin/python3 /opt/arch-security/update_database.py
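Review bot: The `[Action]` section has no `Description=`, so pacman prints nothing identifiable while this hook runs, and the hook's own help text says it contacts security.archlinux.org — a network-dependent script executed as root after every Install/Upgrade/Remove with `Target=*` deserves a visible label; add `Description=Updating arch-security vulnerability database...`. Because `Operation=Remove` matches `Target=*`, the hook presumably also fires when arch-security itself is removed, at which point /opt/arch-security is already gone and the Exec fails noisily — confirm against pacman's hook ordering and consider a narrower trigger if so. The interpreter in `Exec=` is the venv's `env/bin/python3`, which the PKGBUILD creates at package time; if that path is a symlink into the build tree rather than /usr/bin/python3 the hook will not start, so verify the shipped venv before relying on it.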
diff --git a/arch-security.sh b/arch-security.sh
new file mode 100755
index 000000000000..6fe29b404c67
--- /dev/null
+++ b/arch-security.sh
@@ -0,0 +1,36 @@
+ #!/bin/bash
+
+ # Print help message
+function help {
+ printf 'arch-security by default checks after every package update/install/removal the security tracker of ArchLinux at https://security.archlinux.org and compares it with installed packages.\n'
+ printf 'For each of that package it can display currently known CVE entries as well as explanations for them.\n'
+ printf 'On top you can scan your system for some default security configurations as described on https://wiki.archlinux.org/index.php/security.\n'
+ printf 'Please keep in mind that these advises do not guarantee security and are based on personal experiences.\n'
+ printf 'Usage:\n'
+ printf '\tarch-security [-h|--help] [-v|--vulnerabilities] [-p|--package <Package_Name>] [-c|--cve <CVE-XXXX-XXXX>] [-s|--scan] [-q|--quiet]\n\n'
+ printf 'Arguments:\n'
+ printf '\t-h, --help\t\t\tshow this help message and exit\n'
+ printf '\t-v, --vulnerabilities\t\tDisplay current package vulnerabilities\n'
+ printf '\t-p, --package <Package>\t\tDisplay known CVEs for specific package\n'
+ printf '\t-c, --cve <CVE-XXXX-XXXX>\tDisplay informations about specific CVE\n'
+ printf '\t-s, --scan\t\t\tDisplay possible security issues\n'
+ printf '\t-q, --quiet\t\t\tDisplay short outputs only\n'
+ printf '\tdefaults: --vulnerabilities --quiet\n'
+}
+
+# If no arguments given call the script
+if [[ -z "$@" ]]; then
+ /opt/arch-security/env/bin/python3 /opt/arch-security/arch-security.py
+fi
+
+# Otherwise loop over the arguments
+for arg in "$@"
+do
+ if [[ "$arg" == '--help' ]] || [[ "$arg" == '-h' ]]; then
+ help
+ exit 0
+ else
+ /opt/arch-security/env/bin/python3 /opt/arch-security/arch-security.py $@
+ exit 0
+ fi
+done
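Review bot: The first line is ` #!/bin/bash` with a leading space, so the file does not begin with `#!` and the kernel will not treat it as a script: execve fails with ENOEXEC, interactive shells fall back to running it as a shell script, but anything that execs it directly (sudo, `subprocess` without a shell, a hook) fails outright; the line must be `#!/bin/bash` at column 0. On the last call `$@` is unquoted, so a package name or CVE argument containing spaces or glob characters is split or expanded before reaching the Python script — use `/opt/arch-security/env/bin/python3 /opt/arch-security/arch-security.py "$@"`. `[[ -z "$@" ]]` is also a brittle emptiness test once several arguments are present; `if (( $# == 0 )); then` states the intent directly. Note that the loop only honours `-h`/`--help` when it is the first argument, since any other first argument forwards everything and exits; if that is intentional, say so in a comment.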