@dlangille
Last active March 1, 2022 12:57
Find all pkg audit issues in FreeBSD jails and hosts.
#!/bin/sh
JLS="/usr/sbin/jls"
PKG="/usr/sbin/pkg"
# list of the jail ids for all jails
JAILS=$(${JLS} jid)
RESULT=""
CHECKING=$1

if [ "${CHECKING}" != 'host' ]
then
    # default: audit every running jail, tagging findings with the jail's hostname
    for jail in ${JAILS}
    do
        JAILSTATUS=$(${PKG} -j "${jail}" audit -q)
        if [ "${JAILSTATUS}" != "" ]
        then
            HOSTNAME=$(${JLS} -j "${jail}" host.hostname)
            RESULT="${RESULT}${HOSTNAME}: ${JAILSTATUS} "
        fi
    done
else
    # 'host' argument: audit only the host's own packages
    RESULT=$(${PKG} audit -q)
    if [ "${RESULT}" != "" ]
    then
        RESULT="$(hostname): ${RESULT}"
    fi
fi

# POSIX test(1) compares strings with a single '='; '==' is a bashism
if [ "${RESULT}" = "" ]
then
    echo 'No problems found'
    exit 0
else
    # left unquoted so multi-line audit output is collapsed onto one line
    echo ${RESULT}
    exit 2
fi
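Added example, not the gist's own script: the same jail/host walk, but with report construction separated from the jls/pkg calls so it can be checked against canned `pkg audit -q` output, one line per affected jail and a distinct exit status for cron or monitoring wrappers. The function names (`audit_line`, `audit_status`, `audit_all`) and the filename guard at the end are my own choices; the jls/pkg paths are the gist's.

```shell
#!/bin/sh
# Added example (not the gist's script): same jail/host walk, but the report
# building is split into small functions that can be exercised with canned
# `pkg audit -q` output, without jls/pkg present.
JLS="/usr/sbin/jls"
PKG="/usr/sbin/pkg"

# audit_line HOST AUDIT_OUTPUT
# AUDIT_OUTPUT is what `pkg audit -q` printed: one vulnerable package per line.
# Prints "HOST: pkg1 pkg2 ..." or nothing at all when the output is empty.
audit_line() {
    [ -n "$2" ] || return 0
    printf '%s: %s\n' "$1" "$(printf '%s\n' "$2" | tr '\n' ' ' | sed 's/ *$//')"
}

# audit_status REPORT: returns 0 when REPORT is empty, 2 otherwise, so a cron
# wrapper or monitoring check can act on the status instead of parsing text.
audit_status() {
    [ -z "$1" ] && return 0
    return 2
}

# Emit one audit_line per running jail, or only the host's line for "host".
audit_all() {
    if [ "$1" = host ]; then
        audit_line "$(hostname)" "$("${PKG}" audit -q)"
    else
        for jid in $("${JLS}" jid); do
            audit_line "$("${JLS}" -j "${jid}" host.hostname)" \
                       "$("${PKG}" -j "${jid}" audit -q)"
        done
    fi
}

main() {
    report=$(audit_all "$1")
    if audit_status "${report}"; then
        echo 'No problems found'
        return 0
    fi
    echo 'Problems found in these jails:'
    printf '%s\n' "${report}"
    return 2
}

# Only run when executed under the script's own name; sourcing the file
# (for example from a test) just defines the functions.
case "$0" in *jails-pkg-audit*) main "$@" ;; esac
```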
@dlangille (Author)

Sample output:

$ sudo ~/bin/jails-pkg-audit.sh
Problems found in these jails
serpico python27-2.7.6_1

The above searches all jails.

The following does just the host:

$ ~/bin/jails-pkg-audit.sh host
No problems found

@dlangille (Author)

I am writing this because portaudit does not like pkg: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/186562

@FlorianHeigl

I'm also still unsure if pkg audit really covers everything portaudit did.
On my systems, it looked just fine, but now after updating base it reports no issues at all.
Maybe because the packages are from tinderbox, I have no idea.

I'll try with yours and see if "audit" sees more than "pkg audit" (yay for uniformity).

@FlorianHeigl

Never mind, this does just the same, was too tired in the morning :)

If you look at the bitbucket link I gave, you can do it like this:
I'll put a link, useless markup trying to make me go suicidal.

http://hastebin.com/utijotomif.vhdl

@dlangille (Author) commented Mar 17, 2019

I think the goals of these scripts can be replaced with:

  • /usr/local/etc/periodic/security/405.pkg-base-audit
  • /usr/local/etc/periodic/security/410.pkg-audit

And these /etc/periodic.conf settings:

pkg_jails='*'
security_status_baseaudit_enable="YES"
