net-mgmt/nagios-check_ports and jails
ryanrfrederick at gmail.com
Wed Jun 21 18:09:40 UTC 2017
I took a look at ports-mgmt/jailaudit, and it works a bit differently
than ports-mgmt/nagios-check_ports. jailaudit makes a list of packages
installed in the jail and runs pkg(8) audit outside of the jail against
the list. nagios-check_ports, on the other hand, calls pkg(8) audit with
the -j option to run inside the jail and thus requires a copy of
vuln.xml within the jail.
I would suggest running `pkg audit -F` within the jails regularly or
setting up something to copy vuln.xml into the jails.
That being said, I do have a bugfix to commit upstream that unbreaks
checking for updates within a jail from outside the jail. I'll hopefully
get that released soon.
On 06/21/2017 06:59 AM, Ryan Frederick wrote:
> Hi Andrea,
> I have a pending pull request upstream that might resolve your issue.
> I'll take a look at it later today if time permits.
> On Jun 21, 2017 04:52, "Andrea Venturoli" <ml at netfence.it> wrote:
> I can't seem to get net-mgmt/nagios-check_ports for jails to work.
> # pkg audit -F
> vulnxml file up-to-date
> 0 problem(s) in the installed packages found.
> # /usr/local/libexec/nagios/check_ports -j cacti
> pkg: vulnxml file (null) does not exist. Try running 'pkg audit -F' first
> [: -gt: unexpected operator
> PORTS OK - security problem(s). | total_updates=0;0;0
> # /usr/local/etc/periodic/security/410.jailaudit
> Downloading a current audit database:
> pkgng support enabled, using /usr/local/sbin/pkg version 1.10.1.
> portaudit for jails on xxxx.xxxxx - 5 problem(s) found.
> portaudit for jail: cacti (JID: 3)
> apache24-2.4.25_1 is vulnerable:
> Apache httpd -- several vulnerabilities
> CVE: CVE-2017-7679
> CVE: CVE-2017-7668
> CVE: CVE-2017-7659
> CVE: CVE-2017-3169
> CVE: CVE-2017-3167
> 1 problem(s) found.
> This host is using UFS and the jails on it are created with EZJail.
> Any hint?
> bye & Thanks
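The difference Ryan describes comes down to where pkg(8) looks for vuln.xml: `pkg audit -j <jail>` runs inside the jail and reads the jail's own `/var/db/pkg/vuln.xml`, while jailaudit reads the host copy. The following is an added example, not code from nagios-check_ports, jailaudit or the list posters, implementing the second option Ryan suggests (copying the host's vuln.xml into each jail). It assumes the default `PKG_DBDIR` of `/var/db/pkg` on both host and jails (a jail with its own `pkg.conf` overriding that path would need the path adjusted) and that `jls path` lists the root directories of running jails. The function names `sync_vulnxml` and `sync_running_jails` are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of nagios-check_ports or jailaudit):
# copy the host's vulnerability database into every jail so that
# `pkg audit -j <jail>` (what check_ports runs) finds a current vuln.xml.

# sync_vulnxml SRC JAILROOT...
# Copies SRC to JAILROOT/var/db/pkg/vuln.xml for each jail root that already has
# a pkg database directory; roots without one are skipped (the jail has no pkg
# installed, or uses a non-default PKG_DBDIR). The copy is staged beside the
# target and renamed, so a `pkg audit` running in the jail never sees a partial
# file. Prints the number of jails updated; returns 1 if SRC is unreadable.
sync_vulnxml() {
    src=$1
    shift
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    n=0
    for root in "$@"; do
        dbdir="$root/var/db/pkg"
        if [ -d "$dbdir" ]; then
            if cp -p "$src" "$dbdir/vuln.xml.tmp" && mv "$dbdir/vuln.xml.tmp" "$dbdir/vuln.xml"; then
                n=$((n + 1))
            else
                echo "failed to update $dbdir/vuln.xml" >&2
            fi
        else
            echo "skipping $root: no $dbdir" >&2
        fi
    done
    echo "$n"
}

# Enumerate the root directories of running jails with jls(8) (FreeBSD only)
# and push the host database (default PKG_DBDIR location, assumed) into each.
# Run this from cron after the host's own `pkg audit -F` (e.g. periodic
# security) so the jails never lag behind the host.
sync_running_jails() {
    roots=$(jls path)
    # shellcheck disable=SC2086  # word-splitting on whitespace-free jail paths is intended
    sync_vulnxml /var/db/pkg/vuln.xml $roots
}
```

Running `sync_running_jails` from the host's crontab (after the host has fetched a fresh database) keeps check_ports' in-jail audit current without giving the jails network access. The alternative Ryan mentions, fetching inside each jail with `pkg -j <jail> audit -F`, does the same job but requires outbound HTTP from every jail.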