Created attachment 174284: add 405.pkg-base-audit for periodic/security

As I posted to the mailing list https://lists.freebsd.org/pipermail/freebsd-security/2016-August/009049.html VuXML allows to check base for vulnerabilities (thanks to Mark Felder) but there is no functionality in base or pkg to check it by periodic scripts.

I wrote one called 405.pkg-base-audit. It is heavily based on the original 410.pkg-audit. It can check chroots and jails too. The standalone script can be found at http://freebsd.quip.cz/script/405.base-audit.sh

I made a patch for ports-mgmt/pkg (we are using it on all our machines). The patch is really simple, just to add 405.pkg-base-audit to ports-mgmt/pkg/files. I don't want to touch anything in the source pkg tarball. It is just a proof of concept. I am not sure it is coded well and if it can be included in official ports-mgmt/pkg or not.

Example output of nightly security output:

Checking for security vulnerabilities in base (userland & kernel):
Host system:
vulnxml file up-to-date
FreeBSD-10.3_3 is vulnerable:
libarchive -- multiple vulnerabilities
CVE: CVE-2015-2304
CVE: CVE-2013-0211
WWW: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html

FreeBSD-10.3_3 is vulnerable:
FreeBSD -- Heap vulnerability in bspatch
CVE: CVE-2014-9862
WWW: https://vuxml.FreeBSD.org/freebsd/7d4f4955-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-10.3_3 is vulnerable:
FreeBSD -- Multiple ntp vulnerabilities
CVE: CVE-2016-4957
CVE: CVE-2016-4956
CVE: CVE-2016-4955
CVE: CVE-2016-4954
CVE: CVE-2016-4953
WWW: https://vuxml.FreeBSD.org/freebsd/7cfcea05-600a-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.

vulnxml file up-to-date
FreeBSD-kernel-10.3_3 is vulnerable:
FreeBSD -- Kernel stack disclosure in Linux compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7c5d64dd-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_3 is vulnerable:
FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7cad4795-600a-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.
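The mechanism behind the output above is that VuXML records base-system advisories under the synthetic package names FreeBSD (userland) and FreeBSD-kernel, versioned like 10.3_3, so `pkg audit` can be asked about those names even though no such package is installed. The following sh script is an added illustration of that idea, not the 405.pkg-base-audit script attached to this PR; it assumes freebsd-version(1) prints strings such as 10.3-RELEASE-p3 and skips non-RELEASE branches, and it uses the host's pkg for jails because `pkg audit` with explicit names never reads an installed-package database.

```shell
#!/bin/sh
# Added example (not the PR's 405.pkg-base-audit): map freebsd-version(1)
# output to the VuXML base package names and hand them to `pkg audit`.
# Assumption: versions look like "10.3-RELEASE-p3" or "10.3-RELEASE";
# -STABLE/-CURRENT/-RC builds have no VuXML version to compare against.

# base_pkg_name PREFIX VERSION
#   "FreeBSD 10.3-RELEASE-p3"      -> "FreeBSD-10.3_3"
#   "FreeBSD-kernel 12.1-RELEASE"  -> "FreeBSD-kernel-12.1"
#   Prints nothing and returns 1 when VERSION is not a -RELEASE.
base_pkg_name() {
    prefix=$1
    ver=$2
    case "$ver" in
        *-RELEASE-p*)
            rel=${ver%%-RELEASE-p*}      # "10.3"
            patch=${ver##*-RELEASE-p}    # "3"
            printf '%s-%s_%s\n' "$prefix" "$rel" "$patch"
            ;;
        *-RELEASE)
            printf '%s-%s\n' "$prefix" "${ver%-RELEASE}"
            ;;
        *)
            return 1
            ;;
    esac
}

# base_pkg_names USERLAND_VER KERNEL_VER
#   One auditable name per line; unmappable versions are silently dropped.
base_pkg_names() {
    base_pkg_name FreeBSD "$1"
    base_pkg_name FreeBSD-kernel "$2"
    return 0
}

# audit_base [ROOT]
#   Audit the host (default) or the userland installed under ROOT, a jail or
#   chroot directory. The kernel is always the host's, since jails share it.
audit_base() {
    root=${1:-/}
    if [ "$root" = / ]; then
        uver=$(freebsd-version -u)
    else
        uver=$(chroot "$root" /bin/freebsd-version -u)
    fi
    kver=$(freebsd-version -k)
    names=$(base_pkg_names "$uver" "$kver")
    if [ -z "$names" ]; then
        echo "$root: $uver / $kver is not a -RELEASE; nothing to audit"
        return 0
    fi
    echo "Checking base of $root (userland $uver, kernel $kver):"
    # -F refreshes the vulnxml database first. The exit status is non-zero
    # when an entry matches, which is what a periodic(8) script reports on.
    pkg audit -F $names
}

# Only run on a system that actually has freebsd-version(1), so the
# functions can be sourced and tested elsewhere.
if command -v freebsd-version >/dev/null 2>&1; then
    audit_base "$@"
fi
```

Run it as `sh base-audit.sh` for the host or `sh base-audit.sh /jails/www` for a jail; a vulnerable match produces the same "is vulnerable:" block shown in the PR's sample output.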
This was committed: https://github.com/freebsd/pkg/commit/517752a456d2ceaf05789afe39aee08d022e877e Closing PR, thanks! Sorry the PR took so long to close.
Ooops, commented on the wrong PR, sorry.
3 years later and nobody wants to check base for security vulnerabilities as is done for ports?
Are you sure this is not already implemented? security_status_baseaudit_enable="YES" in /etc/periodic.conf is running /usr/local/etc/periodic/security/410.pkg-audit for me. Here it is manually run:

$ sudo /usr/local/etc/periodic/security/410.pkg-audit
Checking for packages with security vulnerabilities:
Host system:
Database fetched: Sat Dec 12 16:51:55 UTC 2020
curl-7.73.0
jail: ioc-clavin2
curl-7.73.0
jail: ioc-mailjail2
curl-7.73.0
jail: ioc-tallboy-mqtt
curl-7.73.0
jail: ioc-wikis
curl-7.73.0
jail: ioc-ns1
curl-7.73.0
(In reply to Dan Langille from comment #4) There is a difference between 410.pkg-audit and 405.pkg-base-audit. The latter checks vulnerabilities in base, not in packages from the ports tree. Your command output shows vulnerabilities in packages, namely curl. 405.pkg-base-audit will report a vulnerability in the kernel or FreeBSD userland, and this is still missing from pkg itself. 405.pkg-base-audit is a separate port.
I also run 405.pkg-base-audit on a regular basis, usually from a Nagios check script.
(In reply to Dan Langille from comment #6) Yes, it is good to run it periodically. But I still think it should be part of the stock ports-mgmt/pkg and not the separate package security/base-audit as it is now. I don't know how many users found and installed the base-audit package, but all users have ports-mgmt/pkg and can benefit from checking vulnerabilities in base. It is sad that we don't have feedback from the pkg maintainers after 4 years.