From: Mark Felder
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd security
Subject: Re: using pkg audit to show base vulnerabilities
Date: Wed, 07 Sep 2016 16:25:15 -0500

On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
> I am not sure if this is the right list or not. If not, please redirect
> me to the right one.
>
> I noticed this post from Mark Felder
> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>
> Great work Mark, thank you!
>
> I found it very useful. I want this to be part of the nightly reports on
> all our machines so I tried to write 405.base-audit. It is based on
> original 410.pkg-audit
> It can check kernel and world of a host or world in jail or chroot (if
> freebsd-version is installed in jail or chroot)
>
> You can find my first attempt at
> http://freebsd.quip.cz/script/405.base-audit.sh
>

I have been toying with the idea of creating a port that provides a
script called "baseaudit" that can make it very easy to check your
system for known vulns. With the majority of the logic in this script we
could also include this periodic script in the package which would check
nightly as well.

Perhaps we should collaborate on this together? I will need to review
your script in detail but at a glance it appears very thorough.

Thanks!

--
Mark Felder
ports-secteam member
feld@FreeBSD.org