The audit-system program compares the programs, utilities, libraries and

kernel with the system-vulnerabilities file and reports any known security
issues to standard output.  This output contains the name and version of
the vulnerable component, the type of vulnerability, and a URL for further
information for each vulnerability.

NOTE: NetBSD ONLY

audit-system/DESCR

@@ -0,0 +1,5 @@
+The audit-system program compares the programs, utilities, libraries and
+kernel with the system-vulnerabilities file and reports any known security
+issues to standard output.  This output contains the name and version of
+the vulnerable component, the type of vulnerability, and a URL for further
+information for each vulnerability.

audit-system/Makefile

@@ -0,0 +1,55 @@
+# $NetBSD: Makefile,v 1.1.1.1 2008/07/03 21:55:39 adrian_p Exp $
+#
+
+DISTNAME=	audit-system-0.01
+CATEGORIES=	pkgtools
+MASTER_SITES=	# empty
+DISTFILES=	# empty
+
+MAINTAINER=	adrianp@NetBSD.org
+HOMEPAGE=	http://www.NetBSD.org/support/security/
+COMMENT=	Verifier for NetBSD packages and complete pkgsrc tree
+
+WRKSRC=		${WRKDIR}
+EXTRACT_ONLY=	# empty
+NO_CHECKSUM=	yes
+NO_BUILD=	yes
+NO_MTREE=	yes
+USE_LANGUAGES=	# none
+
+#ONLY_FOR_PLATFORM=	NetBSD-*-*
+
+AS_FILES=	audit-get-ident audit-get-mtime audit-get-objdump audit-system \
+		audit-system.8
+
+USE_TOOLS+=	awk cp mv ident
+
+.include "../../mk/bsd.prefs.mk"
+
+STAT?=		/usr/bin/stat
+OBJDUMP?=	/usr/bin/objdump
+
+SUBST_CLASSES+=		tools
+SUBST_STAGE.tools=	post-configure
+SUBST_FILES.tools+=	audit-get-ident audit-get-mtime audit-get-objdump
+SUBST_FILES.tools+=	audit-system
+SUBST_SED.tools=	-e "s|@AWK@|${AWK}|g"
+SUBST_SED.tools+=	-e "s|@SH@|${SH}|g"
+SUBST_SED.tools+=	-e "s|@CP@|${CP}|g"
+SUBST_SED.tools+=	-e "s|@MV@|${MV}|g"
+SUBST_SED.tools+=	-e "s|@IDENT@|${IDENT}|g"
+SUBST_SED.tools+=	-e "s|@OBJDUMP@|${OBJDUMP}|g"
+SUBST_SED.tools+=	-e "s|@STAT@|${STAT}|g"
+
+do-extract:
+.	for f in ${AS_FILES}
+		${CP} ${FILESDIR}/${f} ${WRKSRC}
+.	endfor
+
+do-install:
+	${INSTALL_SCRIPT} ${WRKSRC}/audit-get-ident ${PREFIX}/bin
+	${INSTALL_SCRIPT} ${WRKSRC}/audit-get-mtime ${PREFIX}/bin
+	${INSTALL_SCRIPT} ${WRKSRC}/audit-get-objdump ${PREFIX}/bin
+	${INSTALL_SCRIPT} ${WRKSRC}/audit-get-system ${PREFIX}/bin
+
+.include "../../mk/bsd.pkg.mk"

audit-system/PLIST

@@ -0,0 +1,5 @@
+@comment $NetBSD: PLIST,v 1.1.1.1 2008/07/03 21:55:39 adrian_p Exp $
+bin/audit-get-ident
+bin/audit-get-mtime
+bin/audit-get-objdump
+bin/audit-system

audit-system/TODO

@@ -0,0 +1,11 @@
+- Enable ONLY_FOR_PLATFORM
+- Move scripts off to their own directory e.g. ${PREFIX}/share/audit-system ?
+- Merge all audit-get-* into one file and just .source it ?
+- Split audit-system into download-xxx-list and audit-system e.g. audit-packages
+- Update man page
+- Install man page
+- Create basic system-vulnerabilities file to test with (e.g. just 2008 issues)
+- Sign system-vulnerabilities file
+- Check signature on downloads system-vulnerabilities file
+- Merge in work from pkgsrccon '07
+- Lot's more . . . .

audit-system/files/audit-get-ident

@@ -0,0 +1,43 @@
+#! @SH@
+#
+# $NetBSD: audit-get-ident,v 1.1.1.1 2008/07/03 21:55:40 adrian_p Exp $
+#
+# Copyright (c) 2008 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Alistair Crooks.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+@IDENT@ $1 | @AWK@ '
+NR == 1 { latest = 0; next }
+$1 == "$NetBSD:" {
+	gsub("/", "", $4);
+	if ($4 > latest) {
+		latest = $4;
+	}
+}
+END {
+	print latest
+}'

audit-system/files/audit-get-mtime

@@ -0,0 +1,58 @@
+#! @SH@
+#
+# $NetBSD: audit-get-mtime,v 1.1.1.1 2008/07/03 21:55:40 adrian_p Exp $
+#
+# Copyright (c) 2008 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Alistair Crooks.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+@STAT@ -l $1 | @AWK@ '
+BEGIN {
+	months["Jan"] = "01";
+	months["Feb"] = "02";
+	months["Mar"] = "03";
+	months["Apr"] = "04";
+	months["May"] = "05";
+	months["Jun"] = "06";
+	months["Jul"] = "07";
+	months["Aug"] = "08";
+	months["Sep"] = "09";
+	months["Oct"] = "10";
+	months["Nov"] = "11";
+	months["Dec"] = "12";
+	latest = 0;
+}
+{
+	d = sprintf("%s%s%s", $9, months[$6], $7);
+	if (d > latest) {
+		latest = d;
+	}
+}
+END {
+	print latest
+}
+'

audit-system/files/audit-get-objdump

@@ -0,0 +1,58 @@
+#! @SH@
+#
+# $NetBSD: audit-get-objdump,v 1.1.1.1 2008/07/03 21:55:40 adrian_p Exp $
+#
+# Copyright (c) 2008 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Alistair Crooks.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+@OBJDUMP@ -a $1 | @AWK@ '
+BEGIN {
+	months["Jan"] = "01";
+	months["Feb"] = "02";
+	months["Mar"] = "03";
+	months["Apr"] = "04";
+	months["May"] = "05";
+	months["Jun"] = "06";
+	months["Jul"] = "07";
+	months["Aug"] = "08";
+	months["Sep"] = "09";
+	months["Oct"] = "10";
+	months["Nov"] = "11";
+	months["Dec"] = "12";
+	latest = 0;
+}
+NF == 8 {
+	d = sprintf("%s%s%s", $7, months[$4], $5);
+	if (d > latest) {
+		latest = d;
+	}
+}
+END {
+	print latest
+}
+'

audit-system/files/audit-system

@@ -0,0 +1,252 @@
+#! @SH@
+#
+# $NetBSD: audit-system,v 1.1.1.1 2008/07/03 21:55:40 adrian_p Exp $
+#
+# Copyright (c) 2008 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Alistair Crooks.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+AWK=@AWK@
+CHMOD=/bin/chmod
+CKSUM=/usr/bin/cksum
+MKDIR=/bin/mkdir
+FIND=/usr/bin/find
+FTP=/usr/bin/ftp
+MV=/bin/mv
+RM=/bin/rm
+
+ERR_DOWNLOAD="Please run $0 -d."
+ERR_UPGRADE="Please upgrade audit-system to the newest version."
+
+: ${SYSVULNDIR=/var/db}
+: ${FETCH_PROTO=ftp}
+: ${FTP=ftp}
+
+FTP_ARGS="-o"
+
+FORMAT_MAJOR=1
+FORMAT_MINOR=0
+FORMAT_TEENY=0
+
+# print a usage message and then die
+usage() {
+        argv0="${1##*/}"
+        cat <<EOF
+$2
+Usage: $argv0 [-dv]
+    -d : Run download-vulnerability-list before anything else.
+    -v : Verbose mode
+EOF
+        exit 1
+}
+
+# script directory
+scriptdir="/usr/sbin"
+
+# use a non-null errmsg to indicate that something went wrong
+errmsg=""
+errsolution=""
+
+# check the integrity of the file
+check_integrity() {
+	recordedsum=$(${AWK} '$1 == "#CHECKSUM" { print $3 }' $1)
+	recordedalg=$(${AWK} '$1 == "#CHECKSUM" { print $2 }' $1)
+	case "$recordedsum" in
+	"")	errmsg="No checksum found in $2"
+		errsolution="$ERR_DOWNLOAD"
+		;;
+	*)	case "$recordedalg" in
+		"")	errmsg="No checksum algorithm found in $2"
+			errsolution="$ERR_DOWNLOAD"
+			;;
+		*)	calcsum=$(${AWK} '$1 == "#CHECKSUM" || /\$NetBSD.*/ { next } { print }' $1 | ${CKSUM} -a $recordedalg)
+			if [ "$recordedsum" != "$calcsum" ]; then
+				errmsg="Checksum mismatch - recorded $recordedalg checksum \"$recordedsum\", calculated checksum \"$calcsum\""
+				errsolution="$ERR_DOWNLOAD"
+			fi
+			;;
+		esac
+		;;
+	esac
+}
+
+# if we have any configuration information, then read it
+settingsmsg=""
+if [ -r /etc/audit-system.conf ]; then
+        settingsmsg="Reading settings from /etc/audit-system.conf"
+        . /etc/audit-system.conf
+fi
+
+#vulsource="${FETCH_PROTO}://ftp.NetBSD.org/pub/NetBSD/audit-system/system-vulnerabilities" # XXX
+vulsource="${FETCH_PROTO}://ftp.NetBSD.org/pub/NetBSD/misc/agc/audit-system/system-vulnerabilities"
+vuls="${SYSVULNDIR}/system-vulnerabilities"
+newvullist=system-vulnerabilities.$$
+
+# process any command line arguments
+download=no
+verbose=no
+while [ $# -gt 0 ]; do
+        case "$1" in
+        -d)     download=yes ;;
+        -v)     verbose=yes ;;
+        *)	usage "$0" "Unknown option $1"
+        esac
+        shift
+done
+
+# if we're verbose, tell the user what we already did
+case $verbose in
+yes)    case "$settingsmsg" in
+        "")     ;;
+        *)      echo "$settingsmsg"
+                ;;
+        esac
+        ;;
+esac
+
+# try to download the system vulnerability list, as requested
+# the integrity of the list is checked below
+# so just issue a warning if there was a failure
+case "$download" in
+yes)    if [ ! -d ${SYSVULNDIR}/. ]; then
+		echo "Creating ${SYSVULNDIR}"
+		${MKDIR} -p ${SYSVULNDIR} || (echo "Can't create ${SYSVULNDIR}" 1>&2; exit 1)
+	fi
+	case ${FETCH_PROTO} in
+	http) 	;;
+	ftp)	;;
+	*)	echo "Unknown FETCH_PROTO specified - Only http and ftp are currently supported."
+		exit 1
+		;;
+	esac
+
+	(cd ${SYSVULNDIR}
+	${FTP} ${FTP_ARGS} "${newvullist}" "${vulsource}"
+
+	# see if we got a file
+	if [ ! -f "${newvullist}" ]; then
+		echo "***WARNING*** Download of vulnerabilities file failed" 1>&2
+		exit 1
+	fi
+
+	# see if the file got damaged while it was being downloaded
+	check_integrity "${newvullist}" "downloaded vulnerability list"
+	case "$errmsg" in
+	"")	;;
+	*)	echo "$errmsg" 1>&2
+		${RM} -f "${newvullist}"
+		exit 1
+		;;
+	esac
+
+	# test to see if file has been changed
+	neednew=false
+	if [ -f "$vuls" ]; then
+		oldsum=$(${AWK} '$1 == "#CHECKSUM" { print $3 }' "$vuls")
+		if [ "$oldsum" != "$calcsum" ]; then
+			neednew=true
+		fi
+	else
+		neednew=true
+	fi
+
+	# if we need the new file, move it into position
+	if $neednew; then
+		echo "System vulnerabilities file has been updated"
+		${CHMOD} a+r ${newvullist}
+		${MV} -f ${newvullist} "$vuls"
+	else
+		echo "No change from existing system vulnerabilities file"
+		${RM} -f ${newvullist}
+	fi)
+esac
+
+errmsg=""
+
+# check for missing vulnerabilities file
+if [ ! -f "$vuls" ]; then
+        errmsg="Missing vulnerabilities file $vuls"
+        errsolution="$ERR_DOWNLOAD"
+fi
+
+# check for old vulnerabilities file if we're being verbose
+case "$errmsg" in
+"")     case "$verbose" in
+        # XXX: quote vuls
+        yes)    [ -n "$(${FIND} $vuls -ctime +7)" ] && echo "*** WARNING - $vuls more than a week old, continuing..." ;;
+        esac
+        ;;
+esac
+
+# check format version of vulnerabilities file
+case "$errmsg" in
+"")     file_major=$(${AWK} '/^#[ \t]*FORMAT/ { split($NF, a, "\\."); print a[1]; exit; }' "$vuls")
+        file_minor=$(${AWK} '/^#[ \t]*FORMAT/ { split($NF, a, "\\."); print a[2]; exit; }' "$vuls")
+        file_teeny=$(${AWK} '/^#[ \t]*FORMAT/ { split($NF, a, "\\."); print a[3]; exit; }' "$vuls")
+        if [ -z "$file_teeny" ] ; then
+                file_teeny=0
+        fi
+        if [ "x$file_major" = "x" -o "x$file_minor" = "x" ]; then
+                errmsg="No file format version found in $vuls"
+                errsolution="$ERR_DOWNLOAD"
+        elif [ "$file_major" -ne "$FORMAT_MAJOR" -o "$file_minor" -gt "$FORMAT_MINOR" ]; then
+                errmsg="Unsupported file format version $file_major.$file_minor${file_teeny:+.${file_teeny}} in $vuls (supported version: $FORMAT_MAJOR.$FORM
+AT_MINOR.$FORMAT_TEENY)."
+                if [ "$file_major" -le "$FORMAT_MAJOR" -o
+                     \( "$file_major" -eq "$FORMAT_MAJOR" -a
+                        "$file_minor" -lt "$FORMAT_MINOR" \) ]; then
+                        errsolution="$ERR_DOWNLOAD"
+                else
+                        errsolution="$ERR_UPGRADE"
+                fi
+        fi
+        ;;
+esac
+
+# check integrity of vulnerabilities file
+check_integrity "$vuls" "$vuls"
+
+# if we have found an error, then complain and exit
+case "$errmsg" in
+"")     ;;
+*)      echo "***ERROR*** $errmsg" 1>&2
+        echo "*** $errsolution" 1>&2
+        exit 1
+        ;;
+esac
+
+${AWK} -v scriptdir="$scriptdir" '
+/^#.*/	{ next }
+{
+	cmd = sprintf("v=$(%s/audit-%s %s) && test -e %s && test $v -lt %s && echo %c%s (version $v before %s) could have a %s vulnerability (severity %s) - see %s%c",
+		scriptdir, $2, $1,
+		$1,
+		$3,
+		34, $1, $3, $4, $5, $6, 34);
+	system(cmd);
+}
+' "$vuls"

audit-system/files/audit-system.8

@@ -0,0 +1,214 @@
+.\" $NetBSD: audit-system.8,v 1.1.1.1 2008/07/03 21:55:40 adrian_p Exp $
+.\"
+.\"
+.Dd October 6, 2006
+.Os
+.Dt AUDIT-SYSTEM 8
+.Sh NAME
+.Nm audit-system
+.Nd show vulnerabilities in system, utilities and libraries
+.Sh SYNOPSIS
+.Nm
+.Op Fl dv
+.Sh DESCRIPTION
+The
+.Nm
+program compares the programs, utilities, libraries and kernel with the
+.Pa system-vulnerabilities
+file and reports any known security issues to standard output.
+This output contains the name and version of the vulnerable component, the
+type of vulnerability, and a URL for further information for each
+vulnerability.
+.Pp
+The following flags are supported:
+.Bl -tag -width Ar
+.It Fl d
+.Nm
+will attempt to download the vulnerabilities
+file before scanning
+the system for vulnerabilities.
+.It Fl v
+Set verbose mode.
+.Nm
+will warn when the system vulnerabilities file is more than a week old.
+.El
+.Pp
+The
+.Nm
+program downloads this file from
+.Pa ftp://ftp.NetBSD.org/pub/NetBSD/misc/agc/audit-system/system-vulnerabilities
+using
+.Xr ftp 1 .
+This vulnerabilities file documents all known security issues in
+.Nx
+the system
+and is kept up-to-date by the
+.Nx
+security-officer team.
+.Pp
+Each line lists the component and vulnerable versions, the type of exploit,
+and an Internet address for further information:
+.Bl -item
+.It
+.Aq package pattern
+.Aq type
+.Aq url
+.El
+.Pp
+The type of exploit can be any text, although
+some common types of exploits listed are:
+.Bl -bullet -compact -offset indent
+.It
+cross-site-html
+.It
+cross-site-scripting
+.It
+denial-of-service
+.It
+file-permissions
+.It
+local-access
+.It
+local-code-execution
+.It
+local-file-read
+.It
+local-file-removal
+.It
+local-file-write
+.It
+local-root-file-view
+.It
+local-root-shell
+.It
+local-symlink-race
+.It
+local-user-file-view
+.It
+local-user-shell
+.It
+privacy-leak
+.It
+remote-code-execution
+.It
+remote-command-inject
+.It
+remote-file-creation
+.It
+remote-file-read
+.It
+remote-file-view
+.It
+remote-file-write
+.It
+remote-key-theft
+.It
+remote-root-access
+.It
+remote-root-shell
+.It
+remote-script-inject
+.It
+remote-server-admin
+.It
+remote-use-of-secret
+.It
+remote-user-access
+.It
+remote-user-file-view
+.It
+remote-user-shell
+.It
+unknown
+.It
+weak-authentication
+.It
+weak-encryption
+.It
+weak-ssl-authentication
+.El
+.Pp
+By default, the vulnerabilities file is stored in the
+/etc
+directory.
+This can be changed by defining the environment variable
+.Ev SYSVULNDIR
+to the directory containing the vulnerabilities file.
+.Sh EXIT STATUS
+.Ex -std audit-packages
+.Sh ENVIRONMENT
+These variables can also be defined in the
+/etc/audit-system.conf
+file.
+.Pp
+.Bl -tag -width SYSVULNDIR
+.It Ev SYSVULNDIR
+Specifies the directory containing the
+.Pa system-vulnerabilities
+file.
+.It Ev FETCH_ARGS
+Specifies optional arguments for the ftp client.
+.It Ev FETCH_PROTO
+Specifies the protocol to use when fetching the 
+.Pa system-vulnerabilities
+file. Currently supports only http and ftp. The default is ftp.
+.El
+.Sh FILES
+/etc/system-vulnerabilities
+.Pp
+/etc/audit-system.conf
+.Sh EXAMPLES
+The
+.Nm
+utility can be run via
+.Xr cron 8
+(or with
+.Nx Ap s
+.Pa /etc/security.local
+daily security script).
+.Pp
+export FETCH_PROTO="http"
+.Pp
+.Sh DIAGNOSTICS
+The following errors can occur:
+.Bl -tag -width 10n
+.It Checksum mismatch
+The vulnerabilities file has been corrupted.
+Run
+.Nm -d .
+.It Missing vulnerabilities file
+The vulnerabilities file could not be found.
+Run
+.Nm -d .
+.It \&No checksum algorithm found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm -d .
+.It \&No checksum found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm -d .
+.It \&No file format version found
+The vulnerabilities file is too old or incomplete.
+Run
+.Nm -d .
+.It Unsupported file format version
+The vulnerabilities file is too old or too new.
+If it's too old, run
+.Nm -d .
+If it's too new, update the
+.Nm
+utility.
+.El
+.Sh SEE ALSO
+.Xr ftp 1 ,
+.Xr audit-packages pkgsrc ,
+.Xr audit-system.conf 5 ,
+.Sh HISTORY
+The
+.Nm
+command was originally implemented and added to
+.Nx
+by
+.An Alistair Crooks
+on October 6, 2006.