On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
> I am not sure if this is the right list or not. If not, please redirect
> me to the right one.
>
> I noticed this post from Mark Felder
> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>
> Great work Mark, thank you!
>
> I found it very useful. I want this to be part of the nightly reports on
> all our machines so I tried to write 405.base-audit. It is based on the
> original 410.pkg-audit.
> It can check kernel and world of a host or world in a jail or chroot (if
> freebsd-version is installed in the jail or chroot).
>
> You can find my first attempt at
> http://freebsd.quip.cz/script/405.base-audit.sh
>

I have been toying with the idea of creating a port that provides a
script called "baseaudit" that can make it very easy to check your
system for known vulns. With the majority of the logic in this script we
could also include this periodic script in the package which would check
nightly as well. Perhaps we should collaborate on this together? I will
need to review your script in detail but at a glance it appears very
thorough.

Thanks!

-- 
Mark Felder
ports-secteam member
feld at FreeBSD.org
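The check Miroslav describes (kernel and world of the host, world of each jail or chroot that has freebsd-version installed) rests on one mapping: the string freebsd-version(1) prints has to be turned into a package name that pkg-audit(8) can look up in vuxml. The POSIX sh script below is an added example written for this thread, not Miroslav's 405.base-audit.sh and not Mark's proposed port. It assumes that vuxml records base-system issues under the names "FreeBSD" (world) and "FreeBSD-kernel", with patch level N written as "_N" (so 11.0-RELEASE-p3 becomes 11.0_3); the variable base_audit_chroots is this example's own and is not a periodic.conf knob.

```shell
#!/bin/sh
# Added example for the base-audit idea in this thread (not 405.base-audit.sh).
# Assumed vuxml naming: "FreeBSD-<ver>" for world, "FreeBSD-kernel-<ver>" for
# the kernel, patch level "-pN" written as "_N".

# Convert "11.0-RELEASE-p3" -> "11.0_3" and "11.0-RELEASE" -> "11.0".
# STABLE/CURRENT builds carry no patch level and cannot be audited this way,
# so the function returns non-zero and the caller skips them.
fbsd_to_pkgver() {
    case "$1" in
        *-RELEASE-p*) printf '%s_%s\n' "${1%%-RELEASE-p*}" "${1##*-RELEASE-p}" ;;
        *-RELEASE)    printf '%s\n' "${1%-RELEASE}" ;;
        *)            return 1 ;;
    esac
}

# Build the two pkg audit arguments for a kernel version and a world version,
# e.g. "FreeBSD-kernel-11.0_3 FreeBSD-11.0_1".
base_audit_pkgnames() {
    kver=$(fbsd_to_pkgver "$1") || return 1
    uver=$(fbsd_to_pkgver "$2") || return 1
    printf 'FreeBSD-kernel-%s FreeBSD-%s\n' "$kver" "$uver"
}

# Audit each given package name; pkg audit exits non-zero when a vuxml entry
# matches, and that status is propagated so periodic can flag the report.
audit_names() {
    audit_rc=0
    for name in "$@"; do
        echo "Checking $name:"
        pkg audit "$name" || audit_rc=1
    done
    return $audit_rc
}

base_audit_run() {
    run_rc=0
    # Refresh the vulnerability database once, as 410.pkg-audit does with -F.
    # Its exit status reflects installed packages, which is not our concern here.
    pkg audit -F >/dev/null 2>&1 || :

    # Host: kernel and world.
    if names=$(base_audit_pkgnames "$(freebsd-version -k)" "$(freebsd-version -u)"); then
        echo "=== host"
        audit_names $names || run_rc=1
    else
        echo "host: not a -RELEASE build, skipping base audit"
    fi

    # Jails and chroots share the host kernel, so only their world is checked,
    # and only where freebsd-version is installed inside the root.
    # base_audit_chroots is a space-separated list of root directories
    # (constructed knob for this example, e.g. "/jails/www /jails/db").
    for root in ${base_audit_chroots:-}; do
        [ -x "$root/bin/freebsd-version" ] || continue
        uver=$(fbsd_to_pkgver "$(chroot "$root" /bin/freebsd-version -u)") || continue
        echo "=== $root"
        audit_names "FreeBSD-$uver" || run_rc=1
    done
    return $run_rc
}

# Only perform the audit on a FreeBSD host that has pkg(8); elsewhere the
# conversion functions above can still be exercised on their own.
if command -v freebsd-version >/dev/null 2>&1 && command -v pkg >/dev/null 2>&1; then
    base_audit_run
fi
```

Dropped into /usr/local/etc/periodic/security/ with base_audit_chroots set to the jail roots, this produces one "Checking ..." block per kernel, host world and jail world in the nightly security output, and a non-zero exit whenever any of them matches a vuxml entry. PkgBase-style names such as FreeBSD-libxo-12.0_2 are a separate question; this mapping only covers the monolithic FreeBSD and FreeBSD-kernel entries.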
On 8 September 2016 at 05:25, Mark Felder <feld at freebsd.org> wrote:
> I have been toying with the idea of creating a port that provides a
> script called "baseaudit" that can make it very easy to check your
> system for known vulns. With the majority of the logic in this script we
> could also include this periodic script in the package which would check
> nightly as well. Perhaps we should collaborate on this together? I will
> need to review your script in detail but at a glance it appears very
> thorough.
>
>
> Thanks!
>
> --
> Mark Felder
> ports-secteam member
> feld at FreeBSD.org
>

Just a thought, once we move to PkgBase, will this simply work with "pkg audit"?

Are the new vuxml entries in the correct format to detect for individual base packages?
E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development

Are the new vuxml entries in a format that would support PkgBase for releases as well as for stable/current?
E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939

Regards,
Ben
Mark Felder wrote on 09/07/2016 23:25:
>
>
> On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
>> I am not sure if this is the right list or not. If not, please redirect
>> me to the right one.
>>
>> I noticed this post from Mark Felder
>> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>>
>> Great work Mark, thank you!
>>
>> I found it very useful. I want this to be part of the nightly reports on
>> all our machines so I tried to write 405.base-audit. It is based on the
>> original 410.pkg-audit.
>> It can check kernel and world of a host or world in a jail or chroot (if
>> freebsd-version is installed in the jail or chroot).
>>
>> You can find my first attempt at
>> http://freebsd.quip.cz/script/405.base-audit.sh
>>
>
> I have been toying with the idea of creating a port that provides a
> script called "baseaudit" that can make it very easy to check your
> system for known vulns. With the majority of the logic in this script we
> could also include this periodic script in the package which would check
> nightly as well. Perhaps we should collaborate on this together? I will
> need to review your script in detail but at a glance it appears very
> thorough.

I filed this PR in the meantime:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212306

We are using this patch in our Poudriere package builder.

If you think a new port is better then of course I can help with this.
Any improvement is better than the current state where users cannot easily audit the base system and jails.

Miroslav Lachman