Bug 186562 - [UPDATE] ports-mgmt/jailaudit make it work with pkg
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2014-02-08 16:20 UTC by Dan Langille
Modified: 2014-10-05 22:13 UTC (History)
Attachments
jailaudit.diff (799 bytes, patch)
2014-02-08 16:20 UTC, Dan Langille
Fix for using jailaudit with pkg 1.3 (467 bytes, patch)
2014-07-30 21:13 UTC, Philipp Wuensche

Description Dan Langille 2014-02-08 16:20:00 UTC
When using pkg, be sure to use 'pkg audit', not portaudit.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2014-02-08 16:20:08 UTC
Maintainer of ports-mgmt/jailaudit,

Please note that PR ports/186562 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/186562

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2014-02-08 16:20:09 UTC
State Changed
From-To: open->feedback

Awaiting maintainer's feedback (via the GNATS Auto Assign Tool)
Comment 3 Dan Langille 2014-05-12 02:26:46 UTC
Given this is related to pkg vulnerability, should the Severity be higher than the original non-critical?


FYI: I have created a Nagios script for running 'pkg audit' on every jail.

https://gist.github.com/dlangille/f8cbf363aef45ced0c0f

-- 
Dan Langille - http://langille.org
Comment 4 John Marino freebsd_committer freebsd_triage 2014-07-26 10:30:05 UTC
I'm adding maintainer back to PR as it was lost in conversion to bugzilla.

From what I can determine, this issue was addressed a week later on 14 Feb 2014.

If I'm wrong, somebody can reopen the PR and explain what the current status is.
Comment 5 John Marino freebsd_committer freebsd_triage 2014-07-26 10:31:22 UTC
Dan, 
I closed this PR but now I am doubting that is correct based on your comment.  Can you review and tell me if jailaudit is still busted?
Comment 6 Dan Langille freebsd_committer freebsd_triage 2014-07-27 19:11:48 UTC
I did a test just one. Fresh install of jailaudit into a 9.2 server.

Looks like jailaudit is not reporting vulnerabilities which exist.

[dan@knew:/usr/ports/ports-mgmt/jailaudit] $ sudo /usr/local/bin/jailaudit generate dan@langille.org toiler.unixathome.org pg93.unixathome.org crey.unixathome.org

Downloading a current audit database:
pkgng support enabled, using /usr/local/sbin/pkg version 1.3.1.
pkg: vulnxml file up-to-date


Now let's go into the jail and try pkg audit:

[dan@knew:/usr/ports/ports-mgmt/jailaudit] $ sudo ezjail-admin console crey.unixathome.org
Last login: Tue Jun 10 14:15:00 on pts/3
FreeBSD 9.2-RELEASE-p10 (GENERIC) #0: Tue Jul  8 10:48:24 UTC 2014

[bunch of stuff cut from paste]

Edit /etc/motd to change this login announcement.

root@crey:/root # bash
[root@crey:~] # pkg audit
pkg: warning: database version 27 is newer than libpkg(3) version 21, but still compatible
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) in the installed packages found.
[root@crey:~] #
Comment 7 John Marino freebsd_committer freebsd_triage 2014-07-27 19:17:23 UTC
(In reply to Dan Langille from comment #6)
> Looks like jailaudit is not reporting vulnerabilities which exist.

You typed "is not reporting".  Did you mean to type "is now reporting"?

It looks to me like it is reporting vulnerabilities.
Comment 8 Dan Langille freebsd_committer freebsd_triage 2014-07-27 19:19:20 UTC
I meant not reporting.  

My previous post includes output from both jailaudit and pkg audit

The reported vulnerability was from 'pkg audit' run within the jail.  jailaudit reported nothing.

Was I running the correct command?
Comment 9 John Marino freebsd_committer freebsd_triage 2014-07-27 19:21:34 UTC
I've no idea, I just wanted to make sure everyone is on the same page, which is: Bug still exists and the PR needs to be reopened.

I'm doing that now.
Comment 10 Philipp Wuensche 2014-07-27 19:42:42 UTC
The "generate" command just generates the reports, to send them you need to use the "mail" command!

e.g. jailaudit mail <mailaddr> <jailname>

mailaddr can be "-" for stdout. jailname can be ALL for all jails with reports.
Comment 11 Dan Langille freebsd_committer freebsd_triage 2014-07-27 20:21:59 UTC
Does this look right?

[dan@knew:~] $ sudo /usr/local/bin/jailaudit generate - crey.unixathome.org
Password:

Downloading a current audit database:
pkgng support enabled, using /usr/local/sbin/pkg version 1.3.1.
pkg: vulnxml file up-to-date

[dan@knew:~] $
Comment 12 Philipp Wuensche 2014-07-27 20:29:02 UTC
(In reply to Dan Langille from comment #11)
> Does this look right?
> 
> [dan@knew:~] $ sudo /usr/local/bin/jailaudit generate - crey.unixathome.org
> Password:

You are again using the "generate" command, your command should be:

sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
Comment 13 Dan Langille freebsd_committer freebsd_triage 2014-07-27 20:54:23 UTC
[dan@knew:~] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
Password:
portaudit for jails on knew.unixathome.org - 40 problem(s) found.

portaudit for jail: crey.unixathome.org (JID: 14)

0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
0 problem(s) in the installed packages found.
40 problem(s) found.
[dan@knew:~] $
Comment 14 Philipp Wuensche 2014-07-27 21:07:32 UTC
Okay so it is reporting stuff, but it seems to be reporting too much. Might be a problem with the pkg 1.3 version which I haven't tested with yet. Will try to look into that in the next days.
Comment 15 Philipp Wuensche 2014-07-30 21:13:36 UTC
Created attachment 145165 [details]
Fix for using jailaudit with pkg 1.3

Please try the patch. I tested with pkg 1.2.6 and 1.3.3 and it works for me.
Comment 16 Dan Langille freebsd_committer freebsd_triage 2014-07-30 21:35:26 UTC
Seems better.  Duplicate, but better.


[dan@knew:~] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
portaudit for jails on knew.unixathome.org - 2 problem(s) found.

portaudit for jail: crey.unixathome.org (JID: 14)

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

2 problem(s) found.
Comment 17 Philipp Wuensche 2014-07-30 22:09:53 UTC
(In reply to Dan Langille from comment #16)
> Seems better.  Duplicate, but better.

Can you check for me if there is anything else in /var/db/pkg/ of the jail besides the .sqlite files?

Maybe some leftovers from the old pkg?
Comment 18 Dan Langille freebsd_committer freebsd_triage 2014-07-31 12:56:51 UTC
[dan@knew:~] $ ls -l /var/db/pkg
total 8175
drwxr-xr-x  102 root  wheel      102 Apr 28 15:36 DELETEME
-r--r--r--    1 root  wheel   763906 Nov 27  2013 auditfile
-rw-r--r--    1 root  wheel  3642368 Jul 31 03:09 local.sqlite
-rw-r--r--    1 root  wheel   163840 Jun  4 15:43 repo-FreeBSD.sqlite
-rw-r--r--    1 root  wheel   234496 Jul 27 18:48 repo-local.sqlite
-r--r--r--    1 root  wheel  3217434 Jul 30 21:33 vuln.xml
[dan@knew:~] $ 

DELETEME contains the previous contents of this directory before upgrading to pkgng.
Comment 19 Dan Langille freebsd_committer freebsd_triage 2014-07-31 12:58:40 UTC
The previous comment was from the jailhost.  The following is from the jail:

[root@crey:/var/db/pkg] # pkg audit
pkg: warning: database version 27 is newer than libpkg(3) version 21, but still compatible
apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) in the installed packages found.
[root@crey:/var/db/pkg] # ls -l
total 33051
-rw-r--r--  1 root  wheel  47179776 Aug  5  2013 INDEX-9.db
drwxr-xr-x  2 root  wheel         3 Apr 28 15:55 apache22-2.2.27_2
drwxr-xr-x  2 root  wheel         3 Apr 28 15:59 apr-1.5.1.1.5.3
-r--r--r--  1 root  wheel    769562 Dec 30  2013 auditfile
drwxr-xr-x  2 root  wheel         3 Apr 28 15:49 db48-4.8.30.0
drwxr-xr-x  2 root  wheel         3 Apr 28 15:48 libiconv-1.14_3
-rw-r--r--  1 root  wheel   2382848 Jul 31 03:09 local.sqlite
drwxr-xr-x  2 root  wheel         3 Apr 28 15:50 pcre-8.34
drwxr-xr-x  2 root  wheel         3 Apr 28 15:55 perl5.14-5.14.4_6
drwxr-xr-x  2 root  wheel         3 Apr 28 15:48 pkg-1.2.7_2
-rw-r--r--  1 root  wheel     84992 Jul  5 21:55 repo-FreeBSD.sqlite
-r--r--r--  1 root  wheel   3217434 Jul 31 03:02 vuln.xml
[root@crey:/var/db/pkg] #
Comment 20 Philipp Wuensche 2014-07-31 13:01:13 UTC
That's the problem, there are still old-style pkg directories in /var/db/pkg of the jail. So jailaudit will list both new and old-style packages, because it cannot know for sure which one you are really using.

Remove the stale old-style pkg directories and the dupe will be gone.
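
A check for the leftovers described in comment 20, as an added example that is not part of the original thread and not jailaudit's own code. It assumes that any subdirectory sitting beside local.sqlite is an old-style package directory; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not jailaudit code. Assumption: any subdirectory beside
# local.sqlite in a pkg database directory is an old-style leftover.

# stale_pkg_dirs DBDIR: print one leftover directory name per line.
# Returns 0 if clean, 1 if leftovers exist, 2 if DBDIR has no local.sqlite.
stale_pkg_dirs() {
    _db=$1
    _found=0
    if [ ! -f "$_db/local.sqlite" ]; then
        echo "stale_pkg_dirs: no local.sqlite in $_db" >&2
        return 2
    fi
    for _entry in "$_db"/*/; do
        _entry=${_entry%/}
        # Skip an unmatched glob and symlinks; only real directories count.
        [ -d "$_entry" ] && [ ! -L "$_entry" ] || continue
        printf '%s\n' "${_entry##*/}"
        _found=1
    done
    return "$_found"
}

# check_jail_roots ROOT...: check ROOT/var/db/pkg under each jail root and
# prefix findings with the root. Returns 1 if any jail has leftovers or
# could not be checked.
check_jail_roots() {
    _rc=0
    for _root in "$@"; do
        _out=$(stale_pkg_dirs "$_root/var/db/pkg") || _rc=1
        [ -z "$_out" ] || printf '%s\n' "$_out" |
            while read -r _d; do printf '%s: %s\n' "$_root" "$_d"; done
    done
    return "$_rc"
}

# Constructed sample: a jail root shaped like the listing in comment 19.
make_sample_jail() {
    _tmp=$(mktemp -d "${TMPDIR:-/tmp}/jailpkg.XXXXXX") || return 1
    mkdir -p "$_tmp/var/db/pkg/apache22-2.2.27_2" "$_tmp/var/db/pkg/pkg-1.2.7_2"
    : > "$_tmp/var/db/pkg/local.sqlite"
    : > "$_tmp/var/db/pkg/vuln.xml"
    printf '%s\n' "$_tmp"
}

# Demo on the constructed sample (hypothetical jail root, removed afterwards).
sample=$(make_sample_jail)
check_jail_roots "$sample" || echo "leftovers found: remove them, then rerun 'jailaudit generate'"
rm -rf "$sample"
```
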
Comment 21 Dan Langille freebsd_committer freebsd_triage 2014-07-31 13:07:01 UTC
Hmmm.  Removed files.  Now we have this in the jail:

[root@crey:/var/db/pkg] # ls -l
total 32918
-rw-r--r--  1 root  wheel  47179776 Aug  5  2013 INDEX-9.db
-r--r--r--  1 root  wheel    769562 Dec 30  2013 auditfile
-rw-r--r--  1 root  wheel   2382848 Jul 31 03:09 local.sqlite
-rw-r--r--  1 root  wheel     84992 Jul  5 21:55 repo-FreeBSD.sqlite
-r--r--r--  1 root  wheel   3217434 Jul 31 03:02 vuln.xml
[root@crey:/var/db/pkg] #

Running the test again on the host.

[dan@knew:/var/db/pkg] $ sudo /usr/local/bin/jaill/bin/jailaudit mail - crey.unixathome.org
portaudit for jails on knew.unixathome.org - 2 problem(s) found.

portaudit for jail: crey.unixathome.org (JID: 14)

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

2 problem(s) found.
[dan@knew:/var/db/pkg] $
Comment 22 Philipp Wuensche 2014-07-31 21:44:02 UTC
(In reply to Dan Langille from comment #21)
> Hmmm.  Removed files.  Now we have this in the jail:
> 
> [root@crey:/var/db/pkg] # ls -l
> total 32918
> -rw-r--r--  1 root  wheel  47179776 Aug  5  2013 INDEX-9.db
> -r--r--r--  1 root  wheel    769562 Dec 30  2013 auditfile
> -rw-r--r--  1 root  wheel   2382848 Jul 31 03:09 local.sqlite
> -rw-r--r--  1 root  wheel     84992 Jul  5 21:55 repo-FreeBSD.sqlite
> -r--r--r--  1 root  wheel   3217434 Jul 31 03:02 vuln.xml
> [root@crey:/var/db/pkg] #
> 
> Running the test again on the host.


Did you run a "jailaudit generate" after deleting the files?
Comment 23 Dan Langille freebsd_committer freebsd_triage 2014-07-31 21:54:53 UTC
I did not.

[dan@knew:~] $ sudo /usr/local/bin/jailaudit generate                  athome.org
Password:

Downloading a current audit database:
pkgng support enabled, using /usr/local/sbin/pkg version 1.3.1.

[dan@knew:~] $ 


[dan@knew:~] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
portaudit for jails on knew.unixathome.org - 1 problem(s) found.

portaudit for jail: crey.unixathome.org (JID: 14)

apache22-2.2.27_2 is vulnerable:
apache22 -- several vulnerabilities
CVE: CVE-2014-0226
CVE: CVE-2014-0231
CVE: CVE-2014-0118
WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html

1 problem(s) found.
[dan@knew:~] $
Comment 24 Philipp Wuensche 2014-07-31 22:13:33 UTC
> [dan@knew:~] $ sudo /usr/local/bin/jailaudit mail - crey.unixathome.org
> portaudit for jails on knew.unixathome.org - 1 problem(s) found.
> 
> portaudit for jail: crey.unixathome.org (JID: 14)
> 
> apache22-2.2.27_2 is vulnerable:
> apache22 -- several vulnerabilities
> CVE: CVE-2014-0226
> CVE: CVE-2014-0231
> CVE: CVE-2014-0118
> WWW: http://portaudit.FreeBSD.org/f927e06c-1109-11e4-b090-20cf30e32f6d.html
> 
> 1 problem(s) found.


Looks good to me, will roll up a new version of jailaudit with the fix included. Thanks for testing!
Comment 25 John Marino freebsd_committer freebsd_triage 2014-10-05 22:13:26 UTC
Fixed in bug 192376 (I think)