Bug 212306 - ports-mgmt/pkg patch to add ability to run pkg audit on base from periodic
Summary: ports-mgmt/pkg patch to add ability to run pkg audit on base from periodic
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-pkg mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-01 12:39 UTC by Miroslav Lachman
Modified: 2019-09-03 00:00 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (pkg)

Attachments
add 405.pkg-base-audit for periodic/security (7.53 KB, patch)
2016-09-01 12:39 UTC, Miroslav Lachman 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Miroslav Lachman 2016-09-01 12:39:38 UTC 
Created attachment 174284 [details]
add 405.pkg-base-audit for periodic/security

As I posted to mailinglist https://lists.freebsd.org/pipermail/freebsd-security/2016-August/009049.html
VuXML allows to check base for vulnerabilities (thanks to Mark Felder) but there are no functionality in base or pkg to check it by periodic scripts.

I wrote one called 405.pkg-base-audit. It is heavily based on original 410.pkg-audit. It can check chroots and jails too.

Standalone script can be found at http://freebsd.quip.cz/script/405.base-audit.sh

I made a patch for ports-mgmt/pkg (we are using it on all our machines).
The patch is really simple just to add 405.pkg-base-audit to ports-mgmt/pkg/files. I don't want to touch anything in source pkg tarball. 
It is just a proof of concept. 
I am not sure it is coded well and if it can be included in official ports-mgmt/pkg or not.

Example output of nightly security output:

Checking for security vulnerabilities in base (userland & kernel):
Host system:
vulnxml file up-to-date
FreeBSD-10.3_3 is vulnerable:
libarchive -- multiple vulnerabilities
CVE: CVE-2015-2304
CVE: CVE-2013-0211
WWW: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html

FreeBSD-10.3_3 is vulnerable:
FreeBSD -- Heap vulnerability in bspatch
CVE: CVE-2014-9862
WWW: https://vuxml.FreeBSD.org/freebsd/7d4f4955-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-10.3_3 is vulnerable:
FreeBSD -- Multiple ntp vulnerabilities
CVE: CVE-2016-4957
CVE: CVE-2016-4956
CVE: CVE-2016-4955
CVE: CVE-2016-4954
CVE: CVE-2016-4953
WWW: https://vuxml.FreeBSD.org/freebsd/7cfcea05-600a-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.
vulnxml file up-to-date
FreeBSD-kernel-10.3_3 is vulnerable:
FreeBSD -- Kernel stack disclosure in Linux compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7c5d64dd-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_3 is vulnerable:
FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7cad4795-600a-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.
Comment 1 Steve Wills freebsd_committer 2017-11-21 16:19:36 UTC 
This was committed:

https://github.com/freebsd/pkg/commit/517752a456d2ceaf05789afe39aee08d022e877e

Closing PR, thanks! Sorry the PR took so long to close.
Comment 2 Steve Wills freebsd_committer 2017-11-21 16:29:29 UTC 
Ooops, commented on the wrong PR, sorry.
Comment 3 Miroslav Lachman 2019-09-03 00:00:10 UTC 
3 years later and nobody wants to check base for security vulnerabilities as is done for ports?