
using pkg audit to show base vulnerabilities


Miroslav Lachman

Aug 25, 2016, 8:50:19 AM
to freebsd security
I am not sure if this is the right list or not. If not, please redirect
me to the right one.

I noticed this post from Mark Felder
https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/

Great work Mark, thank you!

I found it very useful. I want this to be part of the nightly reports on
all our machines, so I tried to write 405.base-audit. It is based on the
original 410.pkg-audit.
It can check the kernel and world of a host, or the world in a jail or chroot (if
freebsd-version is installed in the jail or chroot).

You can find my first attempt at
http://freebsd.quip.cz/script/405.base-audit.sh

It would be nice if somebody skilled in periodic shell scripting could
check this code and post some advice. There are some comments in the code.

My main concerns are about the right way to get version info from jail
or chroot.
I know it is not safe to execute something in jail (or chroot) from the
parent:
$basedir/bin/freebsd-version -u

Is it better to parse freebsd-version file by awk?

awk -F= '$1 ~ /^USERLAND_VERSION/ { gsub(/"/, ""); print $2 }'
$basedir/bin/freebsd-version

Or should we assume that all jails and chroots must be trusted to run
any checks on them from parent?


The last thing - is it possible to have something like this included as
a part of ports-mgmt/pkg?

Miroslav Lachman
_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"
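The parsing question above, as an added example that is not part of the original post or of 405.base-audit.sh: it reads USERLAND_VERSION with awk instead of executing the jail's copy of freebsd-version, rejects symlinks and values that are not version-shaped (the file lives in an untrusted tree), and maps the result to the FreeBSD-X.Y_N name form fed to pkg audit. The name convention and the exact layout of the freebsd-version script are assumptions taken from the linked blog post approach, not facts stated in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from 405.base-audit.sh.
# Reads USERLAND_VERSION out of a jail's or chroot's bin/freebsd-version
# with awk, as the post suggests, so nothing from the untrusted tree is
# executed; the value is validated before it is handed to pkg audit.
# Assumes bin/freebsd-version is the sh script carrying a line of the
# form USERLAND_VERSION="11.0-RELEASE-p3" (assumption).

# Print the userland version string from the tree rooted at $1.
# Fails if the file is missing, is a symlink (inside an untrusted tree a
# symlink may resolve outside it), or holds a value that is not version-shaped.
base_userland_version() {
    f="$1/bin/freebsd-version"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    v=$(awk -F= '$1 == "USERLAND_VERSION" { gsub(/"/, "", $2); print $2; exit }' "$f")
    # Accept only X.Y-BRANCH with an optional -pN patch level; reject anything else.
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+-[A-Z0-9]+(-p[0-9]+)?$' || return 1
    printf '%s\n' "$v"
}

# Map a validated version to the package-name form assumed for vuxml base
# entries: 11.0-RELEASE-p3 -> FreeBSD-11.0_3, 11.0-RELEASE -> FreeBSD-11.0.
# STABLE/CURRENT carry no patch level to match against, so fail there.
base_pkg_name() {
    case "$1" in
        *-RELEASE-p*) printf 'FreeBSD-%s_%s\n' "${1%-RELEASE-p*}" "${1##*-p}" ;;
        *-RELEASE)    printf 'FreeBSD-%s\n' "${1%-RELEASE}" ;;
        *)            return 1 ;;
    esac
}

# Constructed sample trees standing in for a jail (no real jail is touched).
SAMPLE_JAIL=$(mktemp -d)
mkdir -p "$SAMPLE_JAIL/bin"
printf '#!/bin/sh\nUSERLAND_VERSION="11.0-RELEASE-p3"\n' > "$SAMPLE_JAIL/bin/freebsd-version"
SAMPLE_TAMPERED=$(mktemp -d)
mkdir -p "$SAMPLE_TAMPERED/bin"
printf 'USERLAND_VERSION="11.0-RELEASE-p3 extra"\n' > "$SAMPLE_TAMPERED/bin/freebsd-version"

# Typical use from a periodic script: the resulting name can be passed to
# `pkg audit -q` for the jail without having executed anything inside it.
if ver=$(base_userland_version "$SAMPLE_JAIL"); then
    echo "jail userland: $ver -> $(base_pkg_name "$ver")"
fi
```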

Mark Felder

Sep 7, 2016, 5:25:42 PM
to Miroslav Lachman, freebsd security


On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
> I am not sure if this is the right list or not. If not, please redirect
> me to the right one.
>
> I noticed this post from Mark Felder
> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>
> Great work Mark, thank you!
>
> I found it very useful. I want this to be part of the nightly reports on
> all our machines so I tried to write 405.base-audit. It is based on
> original 410.pkg-audit
> It can check kernel and world of a host or world in jail or chroot (if
> freebsd-version is installed in jail or chroot)
>
> You can find my first attempt at
> http://freebsd.quip.cz/script/405.base-audit.sh
>

I have been toying with the idea of creating a port that provides a
script called "baseaudit" that can make it very easy to check your
system for known vulns. With the majority of the logic in this script we
could also include this periodic script in the package which would check
nightly as well. Perhaps we should collaborate on this together? I will
need to review your script in detail but at a glance it appears very
thorough.


Thanks!

--
Mark Felder
ports-secteam member
fe...@FreeBSD.org

Ben Woods

Sep 7, 2016, 7:24:12 PM
to Mark Felder, freebsd security, Miroslav Lachman
On 8 September 2016 at 05:25, Mark Felder <fe...@freebsd.org> wrote:

> I have been toying with the idea of creating a port that provides a
> script called "baseaudit" that can make it very easy to check your
> system for known vulns. With the majority of the logic in this script we
> could also include this periodic script in the package which would check
> nightly as well. Perhaps we should collaborate on this together? I will
> need to review your script in detail but at a glance it appears very
> thorough.
>
>
> Thanks!
>
> --
> Mark Felder
> ports-secteam member
> fe...@FreeBSD.org
>

Just a thought, once we move to PkgBase, will this simply work with "pkg
audit"?

Are the new vuxml entries in the correct format to detect for individual
base packages?
E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development

Are the new vuxml entries in a format that would support PkgBase for
releases as well as for stable/current?
E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939

Regards,
Ben

Mark Felder

Sep 7, 2016, 8:21:51 PM
to Ben Woods, freebsd security, Miroslav Lachman


On Wed, Sep 7, 2016, at 18:23, Ben Woods wrote:
>
> Just a thought, once we move to PkgBase, will this simply work with "pkg
> audit"?
>

Yes, that's the plan as I know it.

> Are the new vuxml entries in the correct format to detect for individual
> base packages?
> E.g. FreeBSD-libxo, FreeBSD-libxo-debug, FreeBSD-libxo-development
>

The current format is irrelevant as the vulnerabilities will not apply
to a FreeBSD release that has pkg base. This is just a stopgap that has
been hacked up. I also do not know what the base package names will be
yet as I haven't played around with it, but we will be ensuring that
vuxml entries are correctly added once pkg base is finalized. It will be
possible to add entries that match for both older FreeBSD releases and
new pkg base releases.

> Are the new vuxml entries in a format that would support PkgBase for
> releases as well as for stable/current?
> E.g. FreeBSD-libxo-12.0_2, FreeBSD-libxo-12.0.s20160903042939
>

I don't know if it will be possible to match for stable/current users.
Depends on the versioning scheme.


--
Mark Felder
ports-secteam member
fe...@FreeBSD.org

Miroslav Lachman

Sep 12, 2016, 10:22:20 AM
to Mark Felder, freebsd security
Mark Felder wrote on 09/07/2016 23:25:
>
>
> On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
>> I am not sure if this is the right list or not. If not, please redirect
>> me to the right one.
>>
>> I noticed this post from Mark Felder
>> https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
>>
>> Great work Mark, thank you!
>>
>> I found it very useful. I want this to be part of the nightly reports on
>> all our machines so I tried to write 405.base-audit. It is based on
>> original 410.pkg-audit
>> It can check kernel and world of a host or world in jail or chroot (if
>> freebsd-version is installed in jail or chroot)
>>
>> You can find my first attempt at
>> http://freebsd.quip.cz/script/405.base-audit.sh
>>
>
> I have been toying with the idea of creating a port that provides a
> script called "baseaudit" that can make it very easy to check your
> system for known vulns. With the majority of the logic in this script we
> could also include this periodic script in the package which would check
> nightly as well. Perhaps we should collaborate on this together? I will
> need to review your script in detail but at a glance it appears very
> thorough.

I filed this PR in the meantime
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212306

We are using this patch in our Poudriere package builder. If you think a
new port is better, then of course I can help with this.

Any improvement is better than current state where users cannot easily
audit base system and jails.

Miroslav Lachman