| Summary | [UPDATE] ports-mgmt/jailaudit make it work with pkg |
|---|---|
| Product | Ports & Packages |
| Component | Individual Port(s) |
| Reporter | Dan Langille <Dan> |
| Assignee | freebsd-ports-bugs (Nobody) <ports-bugs> |
| Status | Closed FIXED |
| Severity | Affects Only Me |
| Priority | Normal |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| CC | cryx-ports, dan, dvl, marino |
| Attachments | 145165: Fix for using jailaudit with pkg 1.3 |
Description (Dan Langille, 2014-02-08 16:20:00 UTC)

Maintainer of ports-mgmt/jailaudit,

Please note that PR ports/186562 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it.

The full text of the PR can be found at:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/186562

--
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org

Comment 1

State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)

Comment 2 (Dan Langille)

Given this is related to pkg vulnerability, should the Severity be higher than the original non-critical?

FYI: I have created a Nagios script for running 'pkg audit' on every jail.
https://gist.github.com/dlangille/f8cbf363aef45ced0c0f

--
Dan Langille - http://langille.org

Comment 3

I'm adding maintainer back to PR as it was lost in conversion to bugzilla.

Comment 4

From what I can determine, this issue was addressed a week later on 14 Feb 2014. If I'm wrong, somebody can reopen the PR and explain what the current status is.

Comment 5

Dan, I closed this PR but now I am doubting that is correct based on your comment. Can you review and tell me if jailaudit is still busted?

Comment 6 (Dan Langille)

I did a test, just one. Fresh install of jailaudit into a 9.2 server. Looks like jailaudit is not reporting vulnerabilities which exist.

[dan@knew:/usr/ports/ports-mgmt/jailaudit] $ sudo /usr/local/bin/jailaudit generate dan@langille.org toiler.unixathome.org pg93.unixathome.org crey.unixathome.org
Downloading a current audit database:
pkgng support enabled, using /usr/local/sbin/pkg version 1.3.1.
pkg: vulnxml file up-to-date

Now let's go into the jail and try pkg audit:

[dan@knew:/usr/ports/ports-mgmt/jailaudit] $ sudo ezjail-admin console crey.unixathome.org
Last login: Tue Jun 10 14:15:00 on pts/3
FreeBSD 9.2-RELEASE-p10 (GENERIC) #0: Tue Jul 8 10:48:24 UTC 2014

[bunch of stuff cut from paste]

Edit /etc/motd to change this login announcement.
root@crey:/root # bash
[root@crey:~] # pkg audit
pkg: warning: database version 27 is newer than libpkg(3) version 21, but still compatible
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) in the installed packages found.
[root@crey:~] #

Comment 7

(In reply to Dan Langille from comment #6)
> Looks like jailaudit is not reporting vulnerabilities which exist.

You typed "is not reporting". Did you mean to type "is now reporting"? It looks to me it is reporting vulnerabilities.

Comment 8 (Dan Langille)

I meant not reporting. My previous post includes output from both jailaudit and pkg audit. The reported vulnerability was from 'pkg audit' run within the jail. jailaudit reported nothing.

Was I running the correct command?

Comment 9

I've no idea, I just wanted to make sure everyone is on the same page, which is: Bug still exists and the PR needs to be reopened. I'm doing that now.

Comment 10

The "generate" command just generates the reports, to send them you need to use the "mail" command!

e.g. jailaudit mail <mailaddr> <jailname>

mailaddr can be "-" for stdout.
jailname can be ALL for all jails with reports.

Comment 11 (Dan Langille)

Does this look right?

[dan@knew:~] $ sudo /usr/local/bin/jailaudit generate - crey.unixathome.org
Password:
Downloading a current audit database:
pkgng support enabled, using /usr/local/sbin/pkg version 1.3.1.
pkg: vulnxml file up-to-date
[dan@knew:~] $

Comment 12

(In reply to Dan Langille from comment #11)
> Does this look right?
>
> [dan@knew:~] $ sudo /usr/local/bin/jailaudit generate - crey.unixathome.org
> Password:

You are again using the "generate" command, your command should be:

sudo /usr/local/bin/jailaudit mail - crey.unixathome.org

Comment 13 (Dan Langille)

[dan@knew:~] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
Password:
portaudit for jails on knew.unixathome.org - 40 problem(s) found.
portaudit for jail: crey.unixathome.org (JID: 14)

0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.

40 problem(s) found.
[dan@knew:~] $

Comment 14

Okay so it is reporting stuff, but it seems to be reporting too much. Might be a problem with the pkg 1.3 version which I haven't tested with yet. Will try to look into that in the next days.

Comment 15

Created attachment 145165 [details]
Fix for using jailaudit with pkg 1.3
Please try the patch. I tested with pkg 1.2.6 and 1.3.3 and it works for me.
Comment 16 (Dan Langille)

Seems better. Duplicate, but better.

[dan@knew:~] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
portaudit for jails on knew.unixathome.org - 2 problem(s) found.

portaudit for jail: crey.unixathome.org (JID: 14)

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

2 problem(s) found.

Comment 17

(In reply to Dan Langille from comment #16)
> Seems better. Duplicate, but better.

Can you check for me if there is anything else in /var/db/pkg/ of the jail besides the .sqlite files? Maybe some leftovers from the old pkg?

Comment 18 (Dan Langille)

[dan@knew:~] $ ls -l /var/db/pkg
total 8175
drwxr-xr-x 102 root wheel 102 Apr 28 15:36 DELETEME
-r--r--r-- 1 root wheel 763906 Nov 27 2013 auditfile
-rw-r--r-- 1 root wheel 3642368 Jul 31 03:09 local.sqlite
-rw-r--r-- 1 root wheel 163840 Jun 4 15:43 repo-FreeBSD.sqlite
-rw-r--r-- 1 root wheel 234496 Jul 27 18:48 repo-local.sqlite
-r--r--r-- 1 root wheel 3217434 Jul 30 21:33 vuln.xml
[dan@knew:~] $

DELETEME contains the previous contents of this directory before upgrading to pkgng.

Comment 19 (Dan Langille)

The previous comment was from the jailhost. The following is from the jail:

[root@crey:/var/db/pkg] # pkg audit
pkg: warning: database version 27 is newer than libpkg(3) version 21, but still compatible
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) in the installed packages found.
[root@crey:/var/db/pkg] # ls -l
total 33051
-rw-r--r-- 1 root wheel 47179776 Aug 5 2013 INDEX-9.db
drwxr-xr-x 2 root wheel 3 Apr 28 15:55 apache22-2.2.27_2
drwxr-xr-x 2 root wheel 3 Apr 28 15:59 apr-1.5.1.1.5.3
-r--r--r-- 1 root wheel 769562 Dec 30 2013 auditfile
drwxr-xr-x 2 root wheel 3 Apr 28 15:49 db48-4.8.30.0
drwxr-xr-x 2 root wheel 3 Apr 28 15:48 libiconv-1.14_3
-rw-r--r-- 1 root wheel 2382848 Jul 31 03:09 local.sqlite
drwxr-xr-x 2 root wheel 3 Apr 28 15:50 pcre-8.34
drwxr-xr-x 2 root wheel 3 Apr 28 15:55 perl5.14-5.14.4_6
drwxr-xr-x 2 root wheel 3 Apr 28 15:48 pkg-1.2.7_2
-rw-r--r-- 1 root wheel 84992 Jul 5 21:55 repo-FreeBSD.sqlite
-r--r--r-- 1 root wheel 3217434 Jul 31 03:02 vuln.xml
[root@crey:/var/db/pkg] #

Comment 20

That's the problem, there are still old-style pkg directories in /var/db/pkg of the jail. So jailaudit will list both new and old-style packages, because it cannot know for sure which one you are really using. Remove the stale old-style pkg directories and the dupe will be gone.

Comment 21 (Dan Langille)

Hmmm. Removed files. Now we have this in the jail:

[root@crey:/var/db/pkg] # ls -l
total 32918
-rw-r--r-- 1 root wheel 47179776 Aug 5 2013 INDEX-9.db
-r--r--r-- 1 root wheel 769562 Dec 30 2013 auditfile
-rw-r--r-- 1 root wheel 2382848 Jul 31 03:09 local.sqlite
-rw-r--r-- 1 root wheel 84992 Jul 5 21:55 repo-FreeBSD.sqlite
-r--r--r-- 1 root wheel 3217434 Jul 31 03:02 vuln.xml
[root@crey:/var/db/pkg] #

Running the test again on the host.

[dan@knew:/var/db/pkg] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
portaudit for jails on knew.unixathome.org - 2 problem(s) found.
portaudit for jail: crey.unixathome.org (JID: 14)

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

2 problem(s) found.
[dan@knew:/var/db/pkg] $

Comment 22

(In reply to Dan Langille from comment #21)
> Hmmm. Removed files. Now we have this in the jail:
>
> [root@crey:/var/db/pkg] # ls -l
> total 32918
> -rw-r--r-- 1 root wheel 47179776 Aug 5 2013 INDEX-9.db
> -r--r--r-- 1 root wheel 769562 Dec 30 2013 auditfile
> -rw-r--r-- 1 root wheel 2382848 Jul 31 03:09 local.sqlite
> -rw-r--r-- 1 root wheel 84992 Jul 5 21:55 repo-FreeBSD.sqlite
> -r--r--r-- 1 root wheel 3217434 Jul 31 03:02 vuln.xml
> [root@crey:/var/db/pkg] #
>
> Running the test again on the host.

Did you run a "jailaudit generate" after deleting the files?

Comment 23 (Dan Langille)

I did not.

[dan@knew:~] $ sudo /usr/local/bin/jailaudit generate athome.org
Password:
Downloading a current audit database:
pkgng support enabled, using /usr/local/sbin/pkg version 1.3.1.
[dan@knew:~] $

[dan@knew:~] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
portaudit for jails on knew.unixathome.org - 1 problem(s) found.

portaudit for jail: crey.unixathome.org (JID: 14)

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) found.
[dan@knew:~] $
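Two things in this thread lend themselves to a check a practitioner can run on their own jails: the maintainer's diagnosis that old-style pkg directories left in a jail's /var/db/pkg next to pkgng's local.sqlite make jailaudit report every vulnerable package twice, and Dan's mention of a Nagios script that runs 'pkg audit' on every jail. The POSIX sh script below is an added example written for this page; it is not jailaudit's code, not the gist linked above, and not from the FreeBSD PR. It flags leftover pkg_install package directories (identified, as this example's own heuristic, by the +CONTENTS packing list pkg_install wrote for each installed package; a backup directory such as DELETEME has none at its top level and is ignored) and turns pkg audit output into a Nagios-style OK/CRITICAL result. The function names stale_pkg_dirs and audit_status are this example's own, and the directory layout and audit text it runs on are constructed to mirror the listings in the thread.

```shell
#!/bin/sh
# Added example, not jailaudit's own code and not the Nagios gist from the PR.
# Two checks that fall out of this thread:
#   stale_pkg_dirs - flag old-style pkg_install directories left in a jail's
#                    /var/db/pkg beside pkgng's local.sqlite (the condition that
#                    made jailaudit list each vulnerable package twice)
#   audit_status   - turn `pkg audit` output into a Nagios-style state
# Function names, the +CONTENTS heuristic and the sample data are this
# example's own choices (assumptions), not taken from jailaudit.

# Print each old-style package directory found in the given /var/db/pkg.
# pkg_install kept one directory per package holding a +CONTENTS packing list;
# pkgng keeps everything in local.sqlite. A directory with no top-level
# +CONTENTS (such as a DELETEME backup) is not counted.
# Returns 0 when the database is clean, 1 when stale directories exist,
# 2 when there is no pkgng database to compare against.
stale_pkg_dirs() {
    pkgdb=$1
    if [ ! -f "$pkgdb/local.sqlite" ]; then
        echo "no pkgng database (local.sqlite) in $pkgdb" >&2
        return 2
    fi
    found=0
    for d in "$pkgdb"/*/; do
        [ -d "$d" ] || continue          # the pattern matched nothing
        if [ -f "$d/+CONTENTS" ]; then
            basename "$d"
            found=1
        fi
    done
    return $found
}

# Read `pkg audit` output on stdin and print one Nagios-style line.
# Counts distinct "<pkg> is vulnerable:" lines, so a package that is reported
# twice (as happened before the patch) still counts once.
# Returns 0 (OK) or 2 (CRITICAL), the exit codes Nagios expects.
audit_status() {
    n=$(grep ' is vulnerable:$' | sort -u | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "CRITICAL - $n vulnerable package(s)"
        return 2
    fi
    echo "OK - 0 vulnerable package(s)"
    return 0
}

# Demo on a constructed directory mirroring the jail listing in the thread:
# pkgng's local.sqlite, one leftover pkg_install directory, and a DELETEME
# backup whose contents must not be mistaken for installed packages.
demo_db=$(mktemp -d)
mkdir -p "$demo_db/apache22-2.2.27_2" "$demo_db/DELETEME/perl5.14-5.14.4_6"
: > "$demo_db/local.sqlite"
: > "$demo_db/apache22-2.2.27_2/+CONTENTS"
: > "$demo_db/DELETEME/perl5.14-5.14.4_6/+CONTENTS"
if stale_pkg_dirs "$demo_db"; then
    echo "$demo_db: clean"
else
    echo "$demo_db: stale old-style package dirs listed above; remove them, then re-run jailaudit generate"
fi
rm -r "$demo_db"

# Constructed pkg audit text with the duplicate entry seen before the fix.
SAMPLE_AUDIT='apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html
2 problem(s) found.'
printf '%s\n' "$SAMPLE_AUDIT" | audit_status || echo "(exit status $? is the Nagios state)"
```

Pointing stale_pkg_dirs at each jail's root (for example /usr/jails/<name>/var/db/pkg under ezjail) before running jailaudit generate catches the mixed-format database that produced the duplicate report in this thread; audit_status can sit behind a Nagios check that runs pkg audit inside each jail, with the de-duplication keeping a stale directory from inflating the count.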
Comment 24

> [dan@knew:~] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
> portaudit for jails on knew.unixathome.org - 1 problem(s) found.
>
> portaudit for jail: crey.unixathome.org (JID: 14)
>
> apache22-2.2.27_2 is vulnerable:
> apache22 -- several vulnerabilities
> CVE: CVE-2014-0226
> CVE: CVE-2014-0231
> CVE: CVE-2014-0118
> WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html
>
> 1 problem(s) found.
Looks good to me, will roll up a new version of jailaudit with the fix included. Thanks for testing!
Comment 25

Fixed in bug 192376 (I think)