@dlangille dlangille/pkg-audit.sh
Last active Mar 17, 2019

Find all pkg audit issues in FreeBSD jails and hosts.
#!/bin/sh
# Run "pkg audit" on every running jail (default) or on the host only
# ("host" as the first argument) and report vulnerable packages as
# "hostname: package" entries.
# Exit 0 when nothing is found, 2 otherwise (Nagios-style "critical").
JLS="/usr/sbin/jls"
PKG="/usr/sbin/pkg"
# jail ids of all running jails
JAILS=$(${JLS} jid)
RESULT=""
CHECKING=$1

if [ "${CHECKING}" != 'host' ]
then
    for jail in ${JAILS}
    do
        # pkg -j attaches to the jail, so this checks the jail's own
        # package database and the jail's own copy of vuln.xml
        JAILSTATUS=$(${PKG} -j "${jail}" audit -q)
        if [ "${JAILSTATUS}" != "" ]
        then
            HOSTNAME=$(${JLS} -j "${jail}" host.hostname)
            RESULT="${RESULT}${HOSTNAME}: ${JAILSTATUS} "
        fi
    done
else
    RESULT=$(${PKG} audit -q)
    if [ "${RESULT}" != "" ]
    then
        RESULT="$(hostname): ${RESULT}"
    fi
fi

if [ "${RESULT}" = "" ]
then
    echo 'No problems found'
    exit 0
else
    # deliberately unquoted: word splitting joins the multi-line
    # "pkg audit" output into a single report line
    echo ${RESULT}
    exit 2
fi
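One caveat the script above does not handle: pkg audit compares the installed packages against the local copy of the VuXML database (vuln.xml under the pkg database directory, fetched with pkg audit -F and normally refreshed by the daily periodic(8) security run). If that file is missing or old, pkg prints nothing useful on stdout, the script captures an empty RESULT and reports "No problems found". The following is an added example, not part of the gist: it checks the age of the database on the host and inside each jail before trusting an empty result, and returns 3 ("unknown" in the Nagios plugin convention) instead of 0 when the database cannot be trusted. The path /var/db/pkg/vuln.xml, the 36-hour threshold and the function names are assumptions; the sample audit output used to exercise report is constructed.

```shell
#!/bin/sh
# Added example (not the gist's code): treat "pkg audit" silence as
# UNKNOWN unless the vulnerability database it reads is reasonably fresh.
VULNDB=${VULNDB:-/var/db/pkg/vuln.xml}   # assumed; pkg default is ${PKG_DBDIR}/vuln.xml
MAX_AGE_HOURS=${MAX_AGE_HOURS:-36}       # assumed threshold; periodic refreshes daily

# age_hours FILE: print FILE's age in whole hours; fail if FILE is missing.
# GNU stat (-c %Y) is tried first because GNU "stat -f %m" would succeed
# with a mount point instead of a timestamp; BSD stat uses -f %m.
age_hours() {
    [ -f "$1" ] || return 1
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null) || return 1
    case $mtime in ''|*[!0-9]*) return 1 ;; esac
    now=$(date +%s)
    echo $(( (now - mtime) / 3600 ))
}

# db_is_fresh FILE MAX_HOURS: succeed only if FILE exists and is younger.
db_is_fresh() {
    age=$(age_hours "$1") || return 1
    [ "$age" -lt "$2" ]
}

# report LABEL: read "pkg audit -q" output (one package per line) on stdin,
# print "LABEL: package" per hit, return 2 if any were seen, 0 otherwise.
report() {
    found=0
    while IFS= read -r pkg || [ -n "$pkg" ]; do
        [ -n "$pkg" ] || continue
        echo "$1: $pkg"
        found=1
    done
    [ "$found" -eq 0 ] || return 2
}

# audit_all: host plus every running jail, refusing to claim "No problems
# found" when a database is stale. Each jail has its own vuln.xml under its
# root path (jls path), since pkg -j runs inside the jail.
audit_all() {
    rc=0
    db_is_fresh "$VULNDB" "$MAX_AGE_HOURS" || {
        echo "UNKNOWN: $VULNDB missing or older than ${MAX_AGE_HOURS}h; run 'pkg audit -F'"
        return 3
    }
    pkg audit -q | report "$(hostname)" || rc=2
    for jid in $(jls jid); do
        jailname=$(jls -j "$jid" host.hostname)
        jaildb="$(jls -j "$jid" path)${VULNDB}"
        db_is_fresh "$jaildb" "$MAX_AGE_HOURS" || {
            echo "UNKNOWN: $jailname: $jaildb missing or stale; run 'pkg -j $jid audit -F'"
            return 3
        }
        pkg -j "$jid" audit -q | report "$jailname" || rc=2
    done
    [ "$rc" -ne 0 ] || echo 'No problems found'
    return "$rc"
}

if [ "${1:-}" = run ]; then audit_all; fi
```

Invoke it as "sh check.sh run" on a FreeBSD host; the exit code is 0 for clean, 2 for vulnerable packages and 3 when a database could not be trusted, so a monitoring check can distinguish "nothing found" from "nothing checked".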
@dlangille (Owner Author) commented May 11, 2014

Sample output:

$ sudo ~/bin/jails-pkg-audit.sh
Problems found in these jails
serpico python27-2.7.6_1

The above searches all jails.

The following does just the host:

$ ~/bin/jails-pkg-audit.sh host
No problems found

@dlangille (Owner Author) commented May 11, 2014

I am writing this because portaudit does not like pkg: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/186562

@FlorianHeigl commented May 12, 2014

I'm also still unsure if pkg audit really covers everything portaudit did.
On my systems, it looked just fine, but now after updating base it reports no issues at all.
Maybe because the packages are from tinderbox, I have no idea.

I'll try with yours and see if "audit" sees more than "pkg audit" (yay for uniformity)

@FlorianHeigl commented May 12, 2014

Never mind, this does just the same, was too tired in the morning :)

If you look at the bitbucket link I gave, you can do it like this:
I'll put a link, useless markup trying to make me go suicidal.

http://hastebin.com/utijotomif.vhdl

@dlangille (Owner Author) commented Mar 17, 2019

I think the goals of these scripts can be replaced with:

  • /usr/local/etc/periodic/security/405.pkg-base-audit
  • /usr/local/etc/periodic/security/410.pkg-audit

And these /etc/periodic.conf settings:

pkg_jails='*'
security_status_baseaudit_enable="YES"
