pkgsrc hardening
The following fragment, placed in mk.conf(5), enables stricter hardening options for everything built from pkgsrc (some of them are already enabled by default):
# refuse to build packages listed in pkg-vulnerabilities
ALLOW_VULNERABLE_PACKAGES=NO
# stack protector (-fstack-protector-strong)
PKGSRC_USE_SSP?=strong
# fortify source (_FORTIFY_SOURCE=2)
PKGSRC_USE_FORTIFY?=strong
# position-independent executables
PKGSRC_MKPIE?=yes
# link with RELRO (partial; "full" additionally binds all symbols at load time)
PKGSRC_USE_RELRO?=partial
# stack boundary verification (-fstack-check); the enabling value is "check", not "yes"
PKGSRC_USE_STACK_CHECK?=check
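The settings above only request hardening; whether a given installed binary was actually built that way is worth checking. The script below is an added example (not part of this page or of pkgsrc) that reads readelf(1) output and reports PIE, RELRO, SSP and FORTIFY markers. The two embedded readelf excerpts are constructed for the example, so it runs without any real binary; pass file names to check real ones.

```sh
#!/bin/sh
# Added example (not pkgsrc code): report the hardening markers an ELF binary
# carries.  The parsing works on readelf(1) text output so it can be run on
# captured output as well as on real files.

# Read readelf output (-h, -l, -d and --dyn-syms, concatenated) on stdin and
# print one summary line: pie=... relro=... ssp=... fortify=...
hardening_from_readelf() {
    awk '
        /Type:/ && /DYN/   { dyn = 1 }       # ELF header: ET_DYN (PIE or shared object)
        /Type:/ && /EXEC/  { exe = 1 }       # ELF header: ET_EXEC (fixed address, not PIE)
        /^ *INTERP/        { interp = 1 }    # PT_INTERP: an executable, not a library
        /GNU_RELRO/        { relro = 1 }     # PT_GNU_RELRO segment present
        /BIND_NOW/         { now = 1 }       # DT_FLAGS BIND_NOW or DT_BIND_NOW: full RELRO
        /\(FLAGS_1\)/ && /NOW/ { now = 1 }   # DT_FLAGS_1 NOW: full RELRO
        /__stack_chk_fail/ { ssp = 1 }       # canary failure handler referenced: SSP in use
        # FORTIFY replaces e.g. memcpy with __memcpy_chk; __stack_chk_* must not match
        /__[a-z_]*_chk@/ || /__[a-z_]*_chk$/ || /__[a-z_]*_chk / { fortify = 1 }
        END {
            if (exe)                pie = "no"
            else if (dyn && interp) pie = "yes"
            else if (dyn)           pie = "n/a(shared-object)"
            else                    pie = "unknown"
            if (relro && now)       r = "full"
            else if (relro)         r = "partial"
            else                    r = "none"
            printf "pie=%s relro=%s ssp=%s fortify=%s\n", pie, r,
                   (ssp ? "yes" : "no"), (fortify ? "yes" : "no")
        }'
}

# Run readelf over a real file and summarise it.
check_binary() {
    { readelf -hW "$1"; readelf -lW "$1"; readelf -dW "$1"; readelf --dyn-syms -W "$1"; } 2>/dev/null \
        | hardening_from_readelf
}

# Constructed readelf excerpt (made up for this example) of a binary built with
# PIE, full RELRO, SSP and FORTIFY.
sample_hardened() {
    cat <<'EOF'
ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  INTERP         0x000238 0x0000000000000238 0x0000000000000238 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002dc8 0x0000000000003dc8 0x0000000000003dc8 0x000238 0x000238 R   0x1
Dynamic section at offset 0x2dd8 contains 27 entries:
  Tag        Type                         Name/Value
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table '.dynsym' contains 9 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
EOF
}

# Constructed readelf excerpt (made up for this example) of a binary built with
# none of the options: fixed-address executable, no RELRO, plain libc calls.
sample_unhardened() {
    cat <<'EOF'
ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  INTERP         0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R   0x1
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000740 0x000740 R E 0x200000
Dynamic section at offset 0xe28 contains 20 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
Symbol table '.dynsym' contains 6 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
EOF
}

if [ $# -gt 0 ]; then
    for f in "$@"; do
        printf '%s: ' "$f"
        check_binary "$f"
    done
else
    # No arguments: show the two constructed samples.
    printf 'hardened sample:   '; sample_hardened   | hardening_from_readelf
    printf 'unhardened sample: '; sample_unhardened | hardening_from_readelf
fi
```

The symbol checks are heuristics: they only show that at least one canary-protected function or one fortifiable libc call was emitted, so a trivial program can be compiled with SSP and FORTIFY and still report ssp=no or fortify=no, and a statically linked binary shows no dynamic symbols at all. For a definitive answer, check the compiler flags pkgsrc recorded for the package with pkg_info -Q CFLAGS <pkg>.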
checking for vulnerabilities in installed packages
The NetBSD pkgsrc Security Team and package maintainers keep a list of known security vulnerabilities in packages which are (or have been) included in pkgsrc. The list is available from the NetBSD FTP site at:
ftp.NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities
This file is signed with the pkgsrc-security GPG key.
Through pkg_admin(1) this list can be downloaded automatically and every package installed on the system audited against it. There are two parts to this workflow: first run pkg_admin fetch-pkg-vulnerabilities to download the list from the NetBSD FTP site, then run pkg_admin audit to check whether any installed package is vulnerable.
From the pkgtools/pkg_install MESSAGE file:
You may wish to have the vulnerabilities file downloaded daily so that it
remains current. This may be done by adding an appropriate entry to the root
user's crontab(5). For example the entry
# Download vulnerabilities file
0 3 * * * ${PREFIX}/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1
# Audit the installed packages and email results to root
9 3 * * * ${PREFIX}/sbin/pkg_admin audit |mail -s "Installed package audit result" \
root >/dev/null 2>&1
will update the vulnerability list every day at 3AM, followed by an audit at
3:09AM. The results of the audit are then emailed to root. On NetBSD this may be
accomplished instead by adding the following line to /etc/daily.conf:
fetch_pkg_vulnerabilities=YES
to fetch the vulnerability list from the daily security script. The system is
set to audit the packages by default but can be set explicitly, if desired (not
required), by adding the following line to /etc/security.conf:
check_pkg_vulnerabilities=YES
signed packages
If you want to use GPG signature verification you will need to install
GnuPG (security/gnupg2) and configure both pkgsrc and pkg_install. The two
sides read different files: SIGN_PACKAGES (and the X509_* keys used for
certificate signing) are pkgsrc build settings and belong in mk.conf, while
GPG, GPG_SIGN_AS and VERIFIED_INSTALLATION are read by pkg_add and pkg_admin
at install time and belong in pkg_install.conf(5).
Add this to your /etc/mk.conf:
SIGN_PACKAGES=gpg
## Alternatively, sign packages with a trusted CA cert
#SIGN_PACKAGES=x509
#X509_CERTIFICATE=/etc/openssl/certs/pkgsrc.crt
#X509_KEY=/etc/openssl/private/pkgsrc.key
and this to your pkg_install.conf:
GPG=/usr/pkg/bin/gpg2
GPG_SIGN_AS=<PGP Key ID>
VERIFIED_INSTALLATION=always
Note that VERIFIED_INSTALLATION=always makes pkg_add refuse any package
without a valid signature, including packages you built before signing was
set up; the other values are never, trusted and interactive. For x509-signed
packages the verifying host additionally needs the CA certificate configured
via CERTIFICATE_ANCHOR_PKGS in pkg_install.conf(5).