Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 12 Sep 2016 16:13:42 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        Mark Felder <feld@FreeBSD.org>, freebsd security <freebsd-security@freebsd.org>
Subject:   Re: using pkg audit to show base vulnerabilities
Message-ID:  <57D6B816.7060407@quip.cz>
In-Reply-To: <1473283515.3860529.718903225.76BE1456@webmail.messagingengine.com>
References:  <57BEE965.8000903@quip.cz> <1473283515.3860529.718903225.76BE1456@webmail.messagingengine.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Mark Felder wrote on 09/07/2016 23:25:
>
>
> On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
>> I am not sure if this is the right list or not. If not, please redirect
>> me to the right one.
>>
>> I noticed this post from Mark Felder
>> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>>
>> Great work Mark, thank you!
>>
>> I found it very useful. I want this to be part of the nightly reports on
>> all our machines so I tried to write 405.base-audit. It is based on
>> original 410.pkg-audit
>> It can check kernel and world of a host or world in jail or chroot (if
>> freebsd-version is installed in jail or chroot)
>>
>> You can my find first attempt at
>> http://freebsd.quip.cz/script/405.base-audit.sh
>>
>
> I have been toying with the idea of creating a port that provides a
> script called "baseaudit" that can make it very easy to check your
> system for known vulns. With the majority of the logic in this script we
> could also include this periodic script in the package which would check
> nightly as well. Perhaps we should collaborate on this together? I will
> need to review your script in detail but at a glance it appears very
> thorough.

I filed this PR in the meantime
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212306

We are using this patch in our Poudriere package builder. If you think 
new port is better then of course I can help with this.

Any improvement is better than current state where users cannot easily 
audit base system and jails.

Miroslav Lachman

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?57D6B816.7060407>