Summary: ports-mgmt/pkg patch to add ability to run pkg audit on base from periodic

Product: Ports & Packages
Component: Individual Port(s)
Reporter: Miroslav Lachman <000.fbsd>
Assignee: freebsd-pkg (Nobody) <pkg>
Status: Closed FIXED
Severity: Affects Only Me
Priority: ---
CC: dvl, swills, woodsb02
Flags: bugzilla: maintainer-feedback? (pkg)
Version: Latest
Hardware: Any
OS: Any
See Also:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223716
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264878
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264850
Description (Miroslav Lachman, 2016-09-01 12:39:38 UTC)
This was committed: https://github.com/freebsd/pkg/commit/517752a456d2ceaf05789afe39aee08d022e877e
Closing PR, thanks! Sorry the PR took so long to close.

Oops, commented on the wrong PR, sorry.

3 years later and nobody wants to check base for security vulnerabilities as is done for ports?

Are you sure this is not already implemented?

security_status_baseaudit_enable="YES" in /etc/periodic.conf is running /usr/local/etc/periodic/security/410.pkg-audit for me. Here it is manually run:

    $ sudo /usr/local/etc/periodic/security/410.pkg-audit
    Checking for packages with security vulnerabilities:
    Host system:
    Database fetched: Sat Dec 12 16:51:55 UTC 2020
    curl-7.73.0
    jail: ioc-clavin2
    curl-7.73.0
    jail: ioc-mailjail2
    curl-7.73.0
    jail: ioc-tallboy-mqtt
    curl-7.73.0
    jail: ioc-wikis
    curl-7.73.0
    jail: ioc-ns1
    curl-7.73.0

(In reply to Dan Langille from comment #4)
There is a difference between 410.pkg-audit and 405.pkg-base-audit. The latter checks vulnerabilities in base, not in packages from the ports tree. Your command output shows vulnerabilities in packages, namely curl. 405.pkg-base-audit will report vulnerability in kernel or FreeBSD userland and this is still missing from pkg itself. 405.pkg-base-audit is a separate port.

I also run 405.pkg-base-audit on a regular basis, usually from a Nagios check script.

(In reply to Dan Langille from comment #6)
Yes, it is good to run it periodically. But I still think it should be part of the stock ports-mgmt/pkg and not a separate package security/base-audit as it is now. I don't know how many users found and installed the base-audit package, but all users have ports-mgmt/pkg and can benefit from checked vulnerabilities in base. It is sad that we don't have feedback from pkg maintainers after 4 years.

Sorry, I completely missed that PR. Can you provide a pull request on https://github.com/freebsd/pkg so that it is not only provided by the ports tree but officially shipped with pkg?

(In reply to Baptiste Daroussin from comment #8)
Never made a pull request on GitHub. I'll try it in a few days.

Before this is submitted, I should amend my recent patch[1] to 405.pkg-base-audit. That patch and one[2] for 410.pkg-audit were similar. The same changes will be required.

[1] - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257685
[2] - https://github.com/freebsd/pkg/pull/1973

I will do that today.

(In reply to Dan Langille from comment #11)
Your pull request was merged into my repo and I created a new pull request to the pkg repo: https://github.com/freebsd/pkg/pull/1985
Thank you!

When this pull request is merged, the port security/base-audit should be removed with an UPDATING entry that it is no longer needed (is conflicting). Variables in periodic.conf remain the same.

(In reply to Baptiste Daroussin from comment #8)
Hello, what is the status of this PR and pull request? I see it merged on GitHub and I see "* Add a script to audit base" in the commit message for version 1.17.2 on freshports.org, but pkg-1.17.5 does not install any new periodic script:

    root@sm ~/ # pkg info -l pkg-1.17.5 | grep periodic
    /usr/local/etc/periodic/daily/411.pkg-backup
    /usr/local/etc/periodic/daily/490.status-pkg-changes
    /usr/local/etc/periodic/security/410.pkg-audit
    /usr/local/etc/periodic/security/460.pkg-checksum
    /usr/local/etc/periodic/weekly/400.status-pkg

As I wrote before, once pkg includes 405.pkg-base-audit, the base-audit port should be marked, a conflict line added into both pkg and base-audit, and maybe a MOVED entry or something in pkg-message to inform users of base-audit that it is no longer needed?

I use etc/periodic/security/410.pkg-audit on a regular basis. I don't think they conflict. security/base-audit installs etc/periodic/security/405.pkg-base-audit. They might do similar things, but in what way do they conflict?

(In reply to Dan Langille from comment #15)
pkg-plist of pkg-1.18.2 contains these periodic scripts:

    etc/periodic/daily/411.pkg-backup
    etc/periodic/daily/490.status-pkg-changes
    etc/periodic/security/405.pkg-base-audit
    etc/periodic/security/410.pkg-audit
    etc/periodic/security/460.pkg-checksum
    etc/periodic/weekly/400.status-pkg

So etc/periodic/security/405.pkg-base-audit is already there. Older pkg versions (for example 1.8.0) don't contain 405.pkg-base-audit.

This just happened to me:

    Installed packages to be UPGRADED:
            pkg: 1.17.5_1 -> 1.18.3

    Number of packages to be upgraded: 1

    7 MiB to be downloaded.

    Proceed with this action? [y/N]: y
    [1/1] Fetching pkg-1.18.3.pkg: 100%    7 MiB   7.7MB/s    00:01
    Checking integrity... done (1 conflicting)
      - pkg-1.18.3 conflicts with base-audit-0.5 on /usr/local/etc/periodic/security/405.pkg-base-audit
    Checking integrity... done (0 conflicting)
    Conflicts with the existing packages have been found.
    One more solver iteration is needed to resolve them.
    The following 2 package(s) will be affected (of 0 checked):

    Installed packages to be REMOVED:
            base-audit: 0.5

    Installed packages to be UPGRADED:
            pkg: 1.17.5_1 -> 1.18.3

(In reply to Dan Langille from comment #17)
I am not on 1.18.3 (I am using an older quarterly) but I think it is right. base-audit will be deinstalled and you will be using 405.pkg-base-audit from the "pkg" 1.8.3 package. Configuration in periodic.conf remains.
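The thread above turns on the distinction between auditing installed packages (410.pkg-audit) and auditing the base system itself (405.pkg-base-audit). The script below is an added example illustrating the base-audit idea; it is not the 405.pkg-base-audit script from the pkg repository or from the security/base-audit port. It assumes the VuXML naming convention where base entries are named "FreeBSD" (userland) and "FreeBSD-kernel", with versions written like 13.2_4 for 13.2-RELEASE-p4; the mapping from freebsd-version output to that form is this example's own assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the running FreeBSD base with "pkg audit" by turning
# freebsd-version(1) output into the version form used by VuXML's
# "FreeBSD" / "FreeBSD-kernel" entries (assumed convention, e.g.
# 13.2-RELEASE-p4 -> 13.2_4). Not the pkg project's own periodic script.

# base_pkg_version: map a freebsd-version string to a pkg-style version.
#   13.2-RELEASE-p4 -> 13.2_4      (patch level becomes the _N suffix)
#   14.0-RELEASE    -> 14.0        (no patch level yet)
#   15.0-CURRENT    -> 15.0        (snapshots: keep only the numeric part)
base_pkg_version() {
    ver=$1
    case "$ver" in
        *-RELEASE-p*)
            num=${ver%%-RELEASE-p*}
            patch=${ver##*-RELEASE-p}
            printf '%s_%s\n' "$num" "$patch"
            ;;
        *-RELEASE)
            printf '%s\n' "${ver%-RELEASE}"
            ;;
        *)
            printf '%s\n' "${ver%%-*}"
            ;;
    esac
}

# audit_base: run "pkg audit" for the installed userland and kernel.
# Returns non-zero if either audit reports a vulnerable version (pkg audit
# exits non-zero in that case), so the function can drive a monitoring
# check or a periodic(8) security report. Requires pkg(8) and a fetched
# vulnerability database; freebsd-version -u reports userland, -k the
# installed kernel.
audit_base() {
    userland=$(freebsd-version -u)
    kernel=$(freebsd-version -k)
    rc=0
    pkg audit -q "FreeBSD-$(base_pkg_version "$userland")" || rc=1
    pkg audit -q "FreeBSD-kernel-$(base_pkg_version "$kernel")" || rc=1
    return $rc
}

# Usage: source this file, or call audit_base from a periodic script, e.g.
#   audit_base || echo "base system has known vulnerabilities"
```

The useful property for the discussion above is that this checks the base version string, not any installed package, so it reports kernel or userland advisories that 410.pkg-audit never sees; the two are complementary, which is why the pkg upgrade transcript shows the old base-audit package being replaced rather than the check being dropped.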