I am not sure if this is the right list or not. If not, please redirect
me to the right one.
I noticed this post from Mark Felder
https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
Great work Mark, thank you!
I found it very useful. I want this to be part of the nightly reports on
all our machines so I tried to write 405.base-audit. It is based on the
original 410.pkg-audit.
It can check kernel and world of a host, or world in a jail or chroot (if
freebsd-version is installed in the jail or chroot).
You can find my first attempt at
http://freebsd.quip.cz/script/405.base-audit.sh
It would be nice if somebody skilled in periodic shell scripting could
check this code and post some advice. There are some comments in the code.
My main concerns are about the right way to get version info from jail
or chroot.
I know it is not safe to execute something in jail (or chroot) from the
parent:
$basedir/bin/freebsd-version -u
Is it better to parse the freebsd-version file with awk?
awk -F= '$1 ~ /^USERLAND_VERSION/ { gsub(/"/, ""); print $2 }' "$basedir/bin/freebsd-version"
Or should we assume that all jails and chroots must be trusted to run
any checks on them from parent?
The last thing - is it possible to have something like this included as
a part of ports-mgmt/pkg?
Miroslav Lachman
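The read-only approach asked about above, as an added example (not the 405.base-audit script linked in the post, and not part of the original message): the version of a jail or chroot is taken from the text of its bin/freebsd-version script with awk, so nothing inside the untrusted tree is ever executed by the parent. It assumes FreeBSD's freebsd-version layout, where the script carries a line of the form USERLAND_VERSION="11.0-RC1-p1"; the sample trees, the version string and the helper names userland_version, audit_roots and count_skipped are constructed for this example.

```shell
#!/bin/sh
# Added example, not the 405.base-audit script from the post. Reads the
# userland version of a jail or chroot from the text of bin/freebsd-version
# instead of executing a binary that lives inside the jail. Assumes the
# layout of FreeBSD's freebsd-version script (USERLAND_VERSION="..." line).

# Constructed sample trees so the example runs offline: one "jail" with a
# freebsd-version script, one without, and one whose freebsd-version is a
# symlink pointing outside its own tree.
SAMPLE_BASE=$(mktemp -d)
trap 'rm -rf "$SAMPLE_BASE"' EXIT
JAIL_OK="$SAMPLE_BASE/jail-ok"
JAIL_EMPTY="$SAMPLE_BASE/jail-empty"
JAIL_LINK="$SAMPLE_BASE/jail-link"
mkdir -p "$JAIL_OK/bin" "$JAIL_EMPTY/bin" "$JAIL_LINK/bin"
cat > "$JAIL_OK/bin/freebsd-version" <<'EOF'
#!/bin/sh
# constructed stand-in for the real script; only the version line matters here
USERLAND_VERSION="11.0-RC1-p1"
EOF
ln -s "$JAIL_OK/bin/freebsd-version" "$JAIL_LINK/bin/freebsd-version"

# userland_version BASEDIR
# Prints the USERLAND_VERSION found in BASEDIR/bin/freebsd-version and
# returns 0. Returns 1 and prints nothing when the file is absent, is a
# symlink, or carries no version line, so the caller skips that tree instead
# of auditing a bogus version. Nothing under BASEDIR is executed.
userland_version() {
    f="$1/bin/freebsd-version"
    # Reject symlinks before the -f test: -f follows them, and a link planted
    # inside the jail could point the parent at any file it can read.
    [ ! -L "$f" ] && [ -f "$f" ] || return 1
    v=$(awk -F= '$1 ~ /^USERLAND_VERSION$/ { gsub(/"/, "", $2); print $2; exit }' "$f")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# audit_roots ROOT...
# Prints one "ROOT VERSION" line per tree whose version could be read and
# one "ROOT skipped" line otherwise. Running the audit itself against each
# version is left to the periodic script that consumes this output.
audit_roots() {
    for root in "$@"; do
        if v=$(userland_version "$root"); then
            printf '%s %s\n' "$root" "$v"
        else
            printf '%s skipped\n' "$root"
        fi
    done
}

# count_skipped ROOT...
# Number of trees that could not be read; useful as a non-zero exit status
# so a skipped jail shows up in the nightly report instead of vanishing.
count_skipped() {
    audit_roots "$@" | awk '/ skipped$/ { n++ } END { print n + 0 }'
}

audit_roots "$JAIL_OK" "$JAIL_EMPTY" "$JAIL_LINK"
```

The symlink check is the one extra guard worth keeping even if the rest is rewritten: the parent runs as root, so a jail that can plant a link at bin/freebsd-version must not be able to steer the parent's read to a file of its choosing.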
On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
> I am not sure if this is the right list or not. If not, please redirect
> me to the right one.
>
> I noticed this post from Mark Felder
> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>
> Great work Mark, thank you!
>
> I found it very useful. I want this to be part of the nightly reports on
> all our machines so I tried to write 405.base-audit. It is based on
> original 410.pkg-audit
> It can check kernel and world of a host or world in jail or chroot (if
> freebsd-version is installed in jail or chroot)
>
> You can find my first attempt at
> http://freebsd.quip.cz/script/405.base-audit.sh

I have been toying with the idea of creating a port that provides a script called "baseaudit" that can make it very easy to check your system for known vulns. With the majority of the logic in this script we could also include this periodic script in the package which would check nightly as well. Perhaps we should collaborate on this together? I will need to review your script in detail but at a glance it appears very thorough.

Thanks!

--
Mark Felder
ports-secteam member
feld at FreeBSD.org