using pkg audit to show base vulnerabilities

Miroslav Lachman 000.fbsd at quip.cz
Mon Sep 12 14:21:55 UTC 2016


Mark Felder wrote on 09/07/2016 23:25:
>
>
> On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
>> I am not sure if this is the right list or not. If not, please redirect
>> me to the right one.
>>
>> I noticed this post from Mark Felder
>> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>>
>> Great work Mark, thank you!
>>
>> I found it very useful. I want this to be part of the nightly reports on
>> all our machines so I tried to write 405.base-audit. It is based on
>> original 410.pkg-audit
>> It can check kernel and world of a host or world in jail or chroot (if
>> freebsd-version is installed in jail or chroot)
>>
>> You can find my first attempt at
>> http://freebsd.quip.cz/script/405.base-audit.sh
>>
>
> I have been toying with the idea of creating a port that provides a
> script called "baseaudit" that can make it very easy to check your
> system for known vulns. With the majority of the logic in this script we
> could also include this periodic script in the package which would check
> nightly as well. Perhaps we should collaborate on this together? I will
> need to review your script in detail but at a glance it appears very
> thorough.

I filed this PR in the meantime
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212306

We are using this patch in our Poudriere package builder. If you think a
new port is better, then of course I can help with this.

Any improvement is better than the current state, where users cannot easily
audit the base system and jails.

Miroslav Lachman
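The approach the thread describes (feeding the host's kernel and world versions, or a jail's or chroot's world version, to pkg audit) as an added example; this is not the 405.base-audit script or Mark Felder's code. It assumes VuXML names the base system "FreeBSD" and "FreeBSD-kernel" with port-style versions (so "11.0-RELEASE-p3" becomes "11.0_3"); that mapping is an assumption, not something the thread states.

```sh
#!/bin/sh
# Assumption (not from the thread): VuXML tracks the base system as the
# pseudo-packages "FreeBSD" (world) and "FreeBSD-kernel", versioned like a
# port, so freebsd-version's "11.0-RELEASE-p3" must become "11.0_3".

# Convert freebsd-version output to the pkg-style version string.
# Returns 1 and prints nothing for non-RELEASE branches (-STABLE, -CURRENT,
# -RCn), which carry no patch level that pkg audit can match.
base_pkg_version() {
    case "$1" in
        *-RELEASE-p*) printf '%s_%s\n' "${1%%-RELEASE-p*}" "${1##*-RELEASE-p}" ;;
        *-RELEASE)    printf '%s\n' "${1%-RELEASE}" ;;
        *)            return 1 ;;
    esac
}

# Build the package names to audit from a kernel/userland version pair.
# The kernel is skipped when empty: a jail or chroot runs the host's kernel,
# so only its world is audited there.
base_audit_names() {
    _k=$1; _u=$2; _names=""
    if [ -n "$_k" ] && _kv=$(base_pkg_version "$_k"); then
        _names="FreeBSD-kernel-$_kv"
    fi
    if _uv=$(base_pkg_version "$_u"); then
        _names="${_names:+$_names }FreeBSD-$_uv"
    fi
    [ -n "$_names" ] || return 1
    printf '%s\n' "$_names"
}

# Audit the host, a jail (by name or JID) or a chroot directory. As the thread
# notes, freebsd-version must exist inside the jail or chroot for this to work.
base_audit() {
    case "$1" in
        host)   k=$(freebsd-version -k); u=$(freebsd-version -u) ;;
        jail)   k=""; u=$(jexec "$2" freebsd-version -u) ;;
        chroot) k=""; u=$(chroot "$2" /bin/freebsd-version -u) ;;
        *) echo "usage: base_audit host | jail <name> | chroot <dir>" >&2; return 2 ;;
    esac
    names=$(base_audit_names "$k" "$u") || { echo "no RELEASE version to audit"; return 0; }
    # -F fetches a fresh vuln.xml once; pkg audit exits non-zero on any match,
    # which is what a nightly periodic script should report.
    rc=0; flag=-F
    for n in $names; do pkg audit $flag "$n" || rc=1; flag=""; done
    return $rc
}
```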
