Mark Felder wrote on 09/07/2016 23:25:
On Thu, Aug 25, 2016, at 07:49, Miroslav Lachman wrote:
I am not sure if this is the right list or not. If not, please redirect
me to the right one.
I noticed this post from Mark Felder
https://blog.feld.me/posts/2016/08/monitoring-freebsd-base-system-vulnerabilities-with-pkg-audit/
Great work Mark, thank you!
I found it very useful. I want this to be part of the nightly reports on
all our machines so I tried to write 405.base-audit. It is based on
original 410.pkg-audit
It can check kernel and world of a host or world in jail or chroot (if
freebsd-version is installed in jail or chroot)
You can my find first attempt at
http://freebsd.quip.cz/script/405.base-audit.sh
I have been toying with the idea of creating a port that provides a
script called "baseaudit" that can make it very easy to check your
system for known vulns. With the majority of the logic in this script we
could also include this periodic script in the package which would check
nightly as well. Perhaps we should collaborate on this together? I will
need to review your script in detail but at a glance it appears very
thorough.
I filed this PR in the meantime
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212306
We are using this patch in our Poudriere package builder. If you think
new port is better then of course I can help with this.
Any improvement is better than current state where users cannot easily
audit base system and jails.
Miroslav Lachman
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
