FreeBSD/Jails and portaudit
From Devpit
Jails are a useful tool for servers but can present an additional layer of administration. In an attempt to decrease this cost, I thought it would be good to workout a way to use portaudit on each jail. I found a script to do it http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail but was unhappy with it and have modified the procedure somewhat.
Scripting
I placed this script in /usr/local/etc/periodic/security/420.jailportaudit . It requires portaudit be installed and is based on both the aforementioned script and 410.portaudit.
#!/bin/sh -f # # Copyright (c) 2004 Oliver Eikemeier. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are # met: # # 1. Redistributions of source code must retain the above copyright notice # this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # 3. Neither the name of the author nor the names of its contributors may be # used to endorse or promote products derived from this software without # specific prior written permission. # # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE # COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # If there is a global system configuration file, suck it in. # if [ -r /etc/defaults/periodic.conf ]; then . /etc/defaults/periodic.conf source_periodic_confs fi . /etc/rc.conf rc=0 case "${daily_status_security_jailportaudit_enable:-YES}" in [Nn][Oo]) ;; *) echo # taken from http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail # Now Lets create temp files of ports in the jails, # audit the root server all jails # and delete the temp files tmpdir=`mktemp -d /tmp/jailportaudit.XXXXXXXX` cd $tmpdir for jail in $jail_list; do # taken from /etc/rc.d/jail eval jaildir=\"\$jail_${jail}_rootdir\" echo "" echo "Checking for packages with security vulnerabilities in jail \"$jail\":" echo "" ls -1 $jaildir/var/db/pkg > $tmpdir/$jail.paf /usr/local/sbin/portaudit -f $tmpdir/$jail.paf rm $tmpdir/$jail.paf done ;; esac exit "$rc"