Daily security scripts: best practice for jails?

[patpro]

Hello,

I'm running a FreeBSD 10.1 RELEASE host with 13 web server jails. Periodic scripts run fine, but they can run for a very long time before returning a result, especially the daily security script:

Checking for packages with security vulnerabilities:
Host system:
Database fetched: Wed Apr 13 03:35:05 CEST 2016

jail: JAIL_NAME01
Database fetched: Wed Apr 13 03:58:42 CEST 2016

jail: JAIL_NAME02
Database fetched: Wed Apr 13 04:49:39 CEST 2016

jail: JAIL_NAME03
Database fetched: Wed Apr 13 05:38:02 CEST 2016

jail: JAIL_NAME04
Database fetched: Wed Apr 13 05:39:56 CEST 2016

jail: JAIL_NAME05
Database fetched: Wed Apr 13 05:41:26 CEST 2016

jail: JAIL_NAME06
Database fetched: Wed Apr 13 06:30:52 CEST 2016

jail: JAIL_NAME07
Database fetched: Wed Apr 13 07:08:56 CEST 2016

jail: JAIL_NAME08
Database fetched: Wed Apr 13 07:25:14 CEST 2016

jail: JAIL_NAME09
Database fetched: Wed Apr 13 08:23:58 CEST 2016

jail: JAIL_NAME10
Database fetched: Wed Apr 13 08:46:14 CEST 2016

jail: JAIL_NAME11
Database fetched: Wed Apr 13 09:32:06 CEST 2016

jail: JAIL_NAME12
Database fetched: Wed Apr 13 10:00:11 CEST 2016

jail: JAIL_NAME13
Database fetched: Wed Apr 13 10:36:35 CEST 2016

Is there any best practice here that would allow me to speedup the process?

thanks

 

[chrbr]

I have the script as below running by root of the host at startup via crontab.

#!/bin/sh

# Run pkg audit -F
# Compare the vuln.xml file with the file
# in the jails.
# Copy it if they are different.
# Then touch /tmp/audit in the jails

/usr/sbin/pkg audit -F
if ! test -e /usr/jails/fox/var/db/pkg/vuln.xml
then
touch /usr/jails/fox/var/db/pkg/vuln.xml
fi

nomatch=$(diff -q /var/db/pkg/vuln.xml /usr/jails/fox/var/db/pkg/vuln.xml | wc -l)
if test $nomatch -ne 0
then
cp /var/db/pkg/vuln.xml /usr/jails/box/var/db/pkg/vuln.xml
cp /var/db/pkg/vuln.xml /usr/jails/fox/var/db/pkg/vuln.xml
cp /var/db/pkg/vuln.xml /usr/jails/www/var/db/pkg/vuln.xml
fi
touch /usr/jails/box/tmp/audit
touch /usr/jails/fox/tmp/audit
touch /usr/jails/www/tmp/audit

The jails run at start

#!/bin/sh

# Wait for the file found to appear
# in the tmp directory
# Delete it when it has been found and
# run pkg audit on the system

found=0
while test $found -eq 0
do
if test -e /tmp/audit
then
found=1
fi
/bin/sleep 1
done

/bin/rm /tmp/audit
/usr/sbin/pkg audit

Results are reported by mail. This method can be of course improved by generating the list of jails automatically or so. I also appreciate any input to improve the concept or the details.

 

[Juha Nurmela]

You've noticed the artificial delay?

 19733 cron: running job (cron)
  19734 /bin/sh - /usr/sbin/periodic daily
   19736 lockf -t 0 /var/run/periodic.daily.lock /bin/sh /usr/sbin/periodic LOCKED daily
    19737 /bin/sh /usr/sbin/periodic LOCKED daily
     19745 mail -E -s hopo daily run output root
     19744 /bin/sh /usr/sbin/periodic LOCKED daily
       19823 /bin/sh /etc/periodic/daily/450.status-security
        19824 /bin/sh - /usr/sbin/periodic security
         19826 lockf -t 0 /var/run/periodic.security.lock /bin/sh /usr/sbin/periodic LOCKED security
           19827 /bin/sh /usr/sbin/periodic LOCKED security
            19835 mail -E -s hopo daily security run output root
            19834 /bin/sh /usr/sbin/periodic LOCKED security
             19956 /bin/sh -f /usr/local/etc/periodic/security/410.pkg-audit
              19964 sleep 3099

Juha

There's a knob, $daily_status_security_pkgaudit_expiry, near the randomized sleep, but I cannot decipher the mechanism.
Never mind, unrelated to the sleep.

 

[patpro]

You've noticed the artificial delay?

 19964 sleep 3099

Yes, I've noticed the delay, in fact, I've commented out the sleep line:

sleep `jot -r 1 0 3600`

And now it's way faster, but the sleep is made to prevent hammering of the server, so it's not really best practice :/

 

[patpro]

I have the script as below running by root of the host at startup via crontab.

Why crontab? You should run it on periodic, unless your box is off most of the time…

About your script, I would go this way (run from host, tested on bash):

/usr/sbin/pkg audit -F
for J in $(jls jid); do 
P=$(jls -j $J path)
[ /var/db/pkg/vuln.xml -nt ${P}/var/db/pkg/vuln.xml ] && cp /var/db/pkg/vuln.xml ${P}/var/db/pkg/vuln.xml && /usr/sbin/pkg -j $J audit
done

 

[chrbr]

Why crontab? You should run it on periodic, unless your box is off most of the time…

Yes, my box is off most of the time. It is not a server. I will try your script, too. Thank you for the idea.