Created attachment 174284
add 405.pkg-base-audit for periodic/security

As I posted to the mailing list https://lists.freebsd.org/pipermail/freebsd-security/2016-August/009049.html, VuXML allows checking base for vulnerabilities (thanks to Mark Felder), but there is no functionality in base or pkg to check it by periodic scripts. I wrote one called 405.pkg-base-audit. It is heavily based on the original 410.pkg-audit. It can check chroots and jails too. The standalone script can be found at http://freebsd.quip.cz/script/405.base-audit.sh

I made a patch for ports-mgmt/pkg (we are using it on all our machines). The patch is really simple, just to add 405.pkg-base-audit to ports-mgmt/pkg/files. I don't want to touch anything in the source pkg tarball. It is just a proof of concept. I am not sure it is coded well and if it can be included in official ports-mgmt/pkg or not.

Example output of the nightly security output:

Checking for security vulnerabilities in base (userland & kernel):
Host system:
vulnxml file up-to-date
FreeBSD-10.3_3 is vulnerable:
libarchive -- multiple vulnerabilities
CVE: CVE-2015-2304
CVE: CVE-2013-0211
WWW: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html

FreeBSD-10.3_3 is vulnerable:
FreeBSD -- Heap vulnerability in bspatch
CVE: CVE-2014-9862
WWW: https://vuxml.FreeBSD.org/freebsd/7d4f4955-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-10.3_3 is vulnerable:
FreeBSD -- Multiple ntp vulnerabilities
CVE: CVE-2016-4957
CVE: CVE-2016-4956
CVE: CVE-2016-4955
CVE: CVE-2016-4954
CVE: CVE-2016-4953
WWW: https://vuxml.FreeBSD.org/freebsd/7cfcea05-600a-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.

vulnxml file up-to-date
FreeBSD-kernel-10.3_3 is vulnerable:
FreeBSD -- Kernel stack disclosure in Linux compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7c5d64dd-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_3 is vulnerable:
FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7cad4795-600a-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.
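As an added illustration (this is not the attached 405.pkg-base-audit script and not pkg's own code), the following shows how base package names of the form seen in the output above, such as FreeBSD-10.3_3 and FreeBSD-kernel-10.3_3, can be derived from freebsd-version(1) and handed to pkg audit for the host or for a chroot/jail root. It assumes the VuXML naming convention visible in the output (release string 10.3-RELEASE-p3 becomes 10.3_3), that freebsd-version -u / -k and pkg audit -F behave as documented, and that jails share the host kernel; the vuxml_base_name and audit_base helpers and their argument conventions are this example's own.

```shell
#!/bin/sh
# Added example: audit the FreeBSD base system (userland + kernel) against VuXML
# by mapping freebsd-version(1) strings to the package names VuXML uses.

# vuxml_base_name KIND VERSION
#   KIND is "userland" or "kernel"; VERSION is a freebsd-version(1) string.
#   10.3-RELEASE-p3 -> FreeBSD-10.3_3 (userland) / FreeBSD-kernel-10.3_3 (kernel)
#   11.0-RELEASE    -> FreeBSD-11.0
# Returns 1 for non-RELEASE branches, for which VuXML carries no base entries
# (assumption made for this example).
vuxml_base_name() {
    kind="$1"
    ver="$2"
    case "$ver" in
        *-RELEASE*) ;;
        *) return 1 ;;
    esac
    # "-RELEASE-pN" becomes "_N"; a plain "-RELEASE" is dropped.
    base=$(printf '%s\n' "$ver" | sed -e 's/-RELEASE-p\([0-9][0-9]*\)$/_\1/' -e 's/-RELEASE$//')
    case "$kind" in
        userland) printf 'FreeBSD-%s\n' "$base" ;;
        kernel)   printf 'FreeBSD-kernel-%s\n' "$base" ;;
        *) return 1 ;;
    esac
}

# audit_base [ROOT]
#   Audits the userland found under ROOT (host when empty) and the running
#   kernel. Returns the non-zero status of pkg audit if anything is vulnerable.
audit_base() {
    root="$1"
    if [ -n "$root" ]; then
        userland=$(chroot "$root" /bin/freebsd-version -u)
    else
        userland=$(freebsd-version -u)
    fi
    kernel=$(freebsd-version -k)   # jails and chroots run the host kernel
    rc=0
    for name in "$(vuxml_base_name userland "$userland")" \
                "$(vuxml_base_name kernel "$kernel")"; do
        [ -n "$name" ] || continue   # non-RELEASE branch: nothing to audit
        # -F refreshes the vulnxml database before checking the given name.
        if [ -n "$root" ]; then
            pkg -c "$root" audit -F "$name" || rc=$?
        else
            pkg audit -F "$name" || rc=$?
        fi
    done
    return $rc
}

# Usage: sh this-script.sh audit              (audits the host)
#        sh this-script.sh audit /jails/www   (audits a chroot/jail root)
if [ "$1" = "audit" ]; then
    audit_base "$2"
fi
```

The name mapping is kept in its own function so it can be checked without pkg or a FreeBSD host; audit_base only wraps the pkg audit calls, and its exit status can be used directly by a periodic script or a monitoring check.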
This was committed: https://github.com/freebsd/pkg/commit/517752a456d2ceaf05789afe39aee08d022e877e Closing PR, thanks! Sorry the PR took so long to close.
Ooops, commented on the wrong PR, sorry.
3 years later and nobody wants to check base for security vulnerabilities as is done for ports?
Are you sure this is not already implemented? security_status_baseaudit_enable="YES" in /etc/periodic.conf is running /usr/local/etc/periodic/security/410.pkg-audit for me. Here it is manually run:

$ sudo /usr/local/etc/periodic/security/410.pkg-audit
Checking for packages with security vulnerabilities:
Host system:
Database fetched: Sat Dec 12 16:51:55 UTC 2020
curl-7.73.0
jail: ioc-clavin2
curl-7.73.0
jail: ioc-mailjail2
curl-7.73.0
jail: ioc-tallboy-mqtt
curl-7.73.0
jail: ioc-wikis
curl-7.73.0
jail: ioc-ns1
curl-7.73.0
(In reply to Dan Langille from comment #4) There is a difference between 410.pkg-audit and 405.pkg-base-audit. The latter checks vulnerabilities in base, not in packages from the ports tree. Your command output shows vulnerabilities in packages, namely curl. 405.pkg-base-audit will report a vulnerability in the kernel or FreeBSD userland, and this is still missing from pkg itself. 405.pkg-base-audit is a separate port.
I also run 405.pkg-base-audit on a regular basis, usually from a Nagios check script.
(In reply to Dan Langille from comment #6) Yes, it is good to run it periodically. But I still think it should be part of the stock ports-mgmt/pkg and not a separate package security/base-audit as it is now. I don't know how many users found and installed the base-audit package, but all users have ports-mgmt/pkg and can benefit from checked vulnerabilities in base. It is sad that we don't have feedback from pkg maintainers after 4 years.
Sorry, I completely missed that PR. Can you provide a pull request on https://github.com/freebsd/pkg so that it is not only provided by the ports tree but officially shipped with pkg?
(In reply to Baptiste Daroussin from comment #8) Never made a pull request on GitHub. I'll try it in a few days.
Before this is submitted, I should amend my recent patch[1] to 405.pkg-base-audit. That patch and one[2] for 410.pkg-audit were similar. The same changes will be required.

[1] - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257685
[2] - https://github.com/freebsd/pkg/pull/1973

I will do that today.
see https://github.com/MirLach/freebsd-ports/pull/1
(In reply to Dan Langille from comment #11) Your pull request was merged into my repo and I created a new pull request to the pkg repo https://github.com/freebsd/pkg/pull/1985 Thank you!
When this pull request is merged, the port security/base-audit should be removed with an UPDATING entry saying that it is no longer needed (it conflicts). Variables in periodic.conf remain the same.
(In reply to Baptiste Daroussin from comment #8) Hello, what is the status of this PR and pull request? I see it merged on GitHub and I see "* Add a script to audit base" in the commit message for version 1.17.2 on freshports.org, but pkg-1.17.5 does not install any new periodic script:

root@sm ~/ # pkg info -l pkg-1.17.5 | grep periodic
/usr/local/etc/periodic/daily/411.pkg-backup
/usr/local/etc/periodic/daily/490.status-pkg-changes
/usr/local/etc/periodic/security/410.pkg-audit
/usr/local/etc/periodic/security/460.pkg-checksum
/usr/local/etc/periodic/weekly/400.status-pkg

As I wrote before, once pkg includes 405.pkg-base-audit, the base-audit port should be marked, a conflict line added into both pkg and base-audit, and maybe a MOVED entry or something in pkg-message to inform users of base-audit that it is no longer needed?
I use etc/periodic/security/410.pkg-audit on a regular basis. I don't think they conflict. security/base-audit installs etc/periodic/security/405.pkg-base-audit. They might do similar things, but in what way do they conflict?
(In reply to Dan Langille from comment #15) pkg-plist of pkg-1.18.2 contains these periodic scripts:

etc/periodic/daily/411.pkg-backup
etc/periodic/daily/490.status-pkg-changes
etc/periodic/security/405.pkg-base-audit
etc/periodic/security/410.pkg-audit
etc/periodic/security/460.pkg-checksum
etc/periodic/weekly/400.status-pkg

So etc/periodic/security/405.pkg-base-audit is already there. Older pkg versions (for example 1.8.0) don't contain 405.pkg-base-audit.
This just happened to me:

Installed packages to be UPGRADED:
	pkg: 1.17.5_1 -> 1.18.3

Number of packages to be upgraded: 1

7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching pkg-1.18.3.pkg: 100%    7 MiB   7.7MB/s    00:01
Checking integrity... done (1 conflicting)
  - pkg-1.18.3 conflicts with base-audit-0.5 on /usr/local/etc/periodic/security/405.pkg-base-audit
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
	base-audit: 0.5

Installed packages to be UPGRADED:
	pkg: 1.17.5_1 -> 1.18.3
(In reply to Dan Langille from comment #17) I am not on 1.18.3 (I am using an older quarterly), but I think it is right. base-audit will be deinstalled and you will be using 405.pkg-base-audit from the "pkg" 1.8.3 package. Configuration in periodic.conf remains.