Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 12 Sep 2016 16:13:42 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Mark Felder <feld@FreeBSD.org>, freebsd security <freebsd-security@freebsd.org>
Subject:   Re: using pkg audit to show base vulnerabilities
Message-ID:  <57D6B816.7060407@quip.cz>
In-Reply-To: <1473283515.3860529.718903225.76BE1456@webmail.messagingengine.com>
References:  <57BEE965.8000903@quip.cz> <1473283515.3860529.718903225.76BE1456@webmail.messagingengine.com>
index | next in thread | previous in thread | raw e-mail 

Mark Felder wrote on 09/07/2016 23:25:
>
>
> On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
>> I am not sure if this is the right list or not. If not, please redirect
>> me to the right one.
>>
>> I noticed this post from Mark Felder
>> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>>
>> Great work Mark, thank you!
>>
>> I found it very useful. I want this to be part of the nightly reports on
>> all our machines so I tried to write 405.base-audit. It is based on
>> original 410.pkg-audit
>> It can check kernel and world of a host or world in jail or chroot (if
>> freebsd-version is installed in jail or chroot)
>>
>> You can my find first attempt at
>> http://freebsd.quip.cz/script/405.base-audit.sh
>>
>
> I have been toying with the idea of creating a port that provides a
> script called "baseaudit" that can make it very easy to check your
> system for known vulns. With the majority of the logic in this script we
> could also include this periodic script in the package which would check
> nightly as well. Perhaps we should collaborate on this together? I will
> need to review your script in detail but at a glance it appears very
> thorough.

I filed this PR in the meantime
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212306

We are using this patch in our Poudriere package builder. If you think 
new port is better then of course I can help with this.

Any improvement is better than current state where users cannot easily 
audit base system and jails.

Miroslav Lachman
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57D6B816.7060407>