From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd security
Date: Thu, 25 Aug 2016 14:49:41 +0200
Subject: using pkg audit to show base vulnerabilities
Message-ID: <57BEE965.8000903@quip.cz>
List-Id: "Security issues [members-only posting]"

I am not sure if this is the right list or not. If not, please redirect me to the right one.
I noticed this post from Mark Felder:
https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/

Great work Mark, thank you! I found it very useful.

I want this to be part of the nightly reports on all our machines, so I tried to write 405.base-audit. It is based on the original 410.pkg-audit. It can check kernel and world of a host, or world in a jail or chroot (if freebsd-version is installed in the jail or chroot).

You can find my first attempt at http://freebsd.quip.cz/script/405.base-audit.sh

It would be nice if somebody skilled in periodic shell scripting could check this code and post some advice. There are some comments in the code.

My main concern is about the right way to get version info from a jail or chroot. I know it is not safe to execute something in a jail (or chroot) from the parent:

  $basedir/bin/freebsd-version -u

Is it better to parse the freebsd-version file by awk?

  awk -F= '$1 ~ /^USERLAND_VERSION/ { gsub(/"/, ""); print $2 }' $basedir/bin/freebsd-version

Or should we assume that all jails and chroots must be trusted to run any checks on them from the parent?

The last thing - is it possible to have something like this included as a part of ports-mgmt/pkg?

Miroslav Lachman
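The parse-instead-of-execute approach asked about above, written out as an added example. This is not Miroslav's 405.base-audit.sh and not code from pkg or from Mark Felder's post; it assumes only that the jail or chroot root directory contains a bin/freebsd-version script with a USERLAND_VERSION="..." line, as the FreeBSD base system ships it. The function name base_userland_version and the two sample roots are constructed for the example. Besides avoiding running a jail-owned binary as root on the host, it refuses a symlinked file and rejects any extracted value that is not a plain version string, so a tampered jail cannot feed shell metacharacters into whatever command the host runs next (for instance a later pkg audit invocation).

```shell
#!/bin/sh
# Added example (not the 405.base-audit.sh script from the mail): read the
# userland version of a jail or chroot from the parent by parsing its
# freebsd-version script instead of executing it.

# Print USERLAND_VERSION from "$1/bin/freebsd-version" without running it.
# Returns 1 if the file is missing, is a symlink, or the value does not look
# like a FreeBSD version string, so a jail cannot inject text into the host's
# later commands.
base_userland_version() {
    basedir=$1
    fv="$basedir/bin/freebsd-version"

    # Only accept a regular file that really lives under the base directory.
    if [ ! -f "$fv" ] || [ -L "$fv" ]; then
        return 1
    fi

    # Same idea as the awk one-liner in the mail: take the assignment's
    # right-hand side, strip the quotes, stop after the first match.
    ver=$(awk -F= '$1 == "USERLAND_VERSION" { gsub(/"/, "", $2); print $2; exit }' "$fv")

    # Allow-list the shape of a version string such as 11.0-RELEASE-p1.
    case "$ver" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$ver"
}

# Constructed sample jail root (not a real jail) with a stand-in
# freebsd-version that the example never executes.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/bin"
cat > "$SAMPLE_ROOT/bin/freebsd-version" <<'EOF'
#!/bin/sh
# constructed stand-in for /bin/freebsd-version (sample value)
USERLAND_VERSION="11.0-RELEASE-p1"
EOF

# Constructed tampered root: the value carries a shell metacharacter, which
# the allow-list check must reject.
TAMPERED_ROOT=$(mktemp -d)
mkdir -p "$TAMPERED_ROOT/bin"
printf 'USERLAND_VERSION="11.0-RELEASE;id"\n' > "$TAMPERED_ROOT/bin/freebsd-version"

# Clean the sample directories up when the shell exits.
trap 'rm -rf "$SAMPLE_ROOT" "$TAMPERED_ROOT"' EXIT

# Usage: the same call a periodic script would make for each jail root.
for root in "$SAMPLE_ROOT" "$TAMPERED_ROOT"; do
    if v=$(base_userland_version "$root"); then
        echo "$root: userland $v"
    else
        echo "$root: no trustworthy userland version found" >&2
    fi
done
```

On the host itself the kernel and world versions still come from the host's own freebsd-version -k and -u; the parser above is only for roots the host does not trust.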