net-mgmt/nagios-check_ports and jails

Ryan Frederick ryanrfrederick at gmail.com
Wed Jun 21 18:09:40 UTC 2017


Andrea,

I took a look at ports-mgmt/jailaudit, and it works a bit differently
than ports-mgmt/nagios-check_ports. jailaudit makes a list of packages
installed in the jail and runs pkg(8) audit outside of the jail against
the list. nagios-check_ports, on the other hand, calls pkg(8) audit with
the -j option to run inside the jail and thus requires a copy of
vuln.xml within the jail.

I would suggest running `pkg audit -F` within the jails regularly or
set up something to copy vuln.xml into the jails.

That being said I do have a bugfix to commit upstream that unbreaks
checking for updates within a jail from outside the jail. I'll hopefully
get that released soon.

Ryan


On 06/21/2017 06:59 AM, Ryan Frederick wrote:
> Hi Andrea,
> 
> I have a pending pull request upstream that might resolve your issue.
> I'll take a look at it later today if time permits.
> 
> Ryan
> 
> On Jun 21, 2017 04:52, "Andrea Venturoli" <ml at netfence.it> wrote:
> 
>     Hello.
> 
>     I can't seem to get net-mgmt/nagios-check_ports for jails to work.
> 
>     Example:
> 
>         # pkg audit -F
>         vulnxml file up-to-date
>         0 problem(s) in the installed packages found.
>         # /usr/local/libexec/nagios/check_ports -j cacti
>         pkg: vulnxml file (null) does not exist. Try running 'pkg audit -F' first
>         [: -gt: unexpected operator
>         PORTS OK -  security problem(s). | total_updates=0;0;0 security_problems=;0;0
>         # /usr/local/etc/periodic/security/410.jailaudit
>         Downloading a current audit database:
>         pkgng support enabled, using /usr/local/sbin/pkg version 1.10.1.
> 
>         portaudit for jails on xxxx.xxxxx - 5 problem(s) found.
> 
>         portaudit for jail: cacti (JID: 3)
> 
>         apache24-2.4.25_1 is vulnerable:
>         Apache httpd -- several vulnerabilities
>         CVE: CVE-2017-7679
>         CVE: CVE-2017-7668
>         CVE: CVE-2017-7659
>         CVE: CVE-2017-3169
>         CVE: CVE-2017-3167
>         WWW: https://vuxml.FreeBSD.org/freebsd/0c2db2aa-5584-11e7-9a7d-b499baebfeaf.html
> 
>         1 problem(s) found.
>         ...
> 
> 
>     This host is using UFS and the jails on it are created with EZJail.
> 
>     Any hint?
> 
>      bye & Thanks
>             av.
> 
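
Added example (not part of the original thread, and not code from either port): one way to do the "copy vuln.xml into the jails" option from the host, so that `check_ports -j` finds the file inside each jail. It assumes pkg's default database directory, so the file is /var/db/pkg/vuln.xml on the host and in every jail; the function names are made up for this example.

```sh
#!/bin/sh
# Constructed example: push the host's vuln.xml into jail roots.
# Assumption: default PKG_DBDIR, i.e. <root>/var/db/pkg/vuln.xml.
VULNXML_REL="var/db/pkg/vuln.xml"

# sync_vulnxml SRC JAILROOT
# Returns 0 if the file was installed, 1 if the jail was skipped.
sync_vulnxml() {
    src=$1
    root=${2%/}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # The host writes as root into a tree the jail controls. A symlinked
    # directory there would be resolved in the host's namespace, so only
    # real directories are accepted on the way down.
    for d in var var/db var/db/pkg; do
        if [ -L "$root/$d" ] || [ ! -d "$root/$d" ]; then
            echo "skip $root: $d is not a real directory" >&2
            return 1
        fi
    done
    dst="$root/$VULNXML_REL"
    tmp=$(mktemp "$root/var/db/pkg/.vuln.xml.XXXXXX") || return 1
    # Copy to a fresh temp file, then rename: rename replaces a symlink
    # planted at the destination instead of writing through it.
    if cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# sync_all SRC JAILROOT...
# Prints the number of jails that were skipped; non-zero exit if any were.
sync_all() {
    src=$1
    shift
    failed=0
    for root in "$@"; do
        sync_vulnxml "$src" "$root" || failed=$((failed + 1))
    done
    echo "$failed"
    [ "$failed" -eq 0 ]
}

# On the FreeBSD host, as root, after `pkg audit -F` has refreshed the file
# (jail paths containing whitespace are not handled by this word splitting):
#   sync_all /var/db/pkg/vuln.xml $(jls path)
```

A non-zero exit from `sync_all` is worth alerting on: a jail that was skipped keeps a missing or stale vuln.xml, and the output quoted above shows check_ports still printing "PORTS OK" in that state.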

