using pkg audit to show base vulnerabilities

Miroslav Lachman 000.fbsd at
Thu Aug 25 12:49:52 UTC 2016

I am not sure if this is the right list or not. If not, please redirect 
me to the right one.

I noticed this post from Mark Felder

Great work Mark, thank you!

I found it very useful. I want this to be part of the nightly reports on 
all our machines so I tried to write 405.base-audit. It is based on 
original 410.pkg-audit
It can check kernel and world of a host or world in jail or chroot (if 
freebsd-version is installed in jail or chroot)

You can my find first attempt at

It would be nice if somebody skilled in periodic shell scripting can 
check this code and post some advices. There are some comments in the code.

My main concerns are about the right way to get version info from jail 
or chroot.
I know it is not safe to execute something in jail (or chroot) from the 
$basedir/bin/freebsd-version -u

Is it better to parse freebsd-version file by awk?

awk -F= '$1 ~ /^USERLAND_VERSION/ { gsub(/"/, ""); print $2 }' 

Or should we assume that all jails and chroots must be trusted to run 
any checks on them from parent?

The last thing - is it possible to have something like this included as 
a part of ports-mgmt/pkg

Miroslav Lachman

More information about the freebsd-security mailing list