pkg audit and fib

I use periodic from the host to check packages for vulnerabilities.
Code:
daily_status_security_pkgaudit_enable="YES"
daily_status_security_pkgaudit_jails="*"
However, for jails that operate with a custom routing table, I receive
Code:
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file
jail.conf
Code:
mail {
 ip4.addr = "em2|10.0.4.2/32";
 exec.fib = 1;
}
How can I audit this jail's packages?
 
Your jail is unable to resolve DNS, that's what "No address record" means.
Correct the jail's /etc/resolv.conf.
My jail can't communicate at all using the default routing table, and the periodic script doesn't prepend commands with setfib.
 
What I do is to fetch the file /var/db/pkg/vuln.xml once and copy it to each jail. For this you would need to modify the default script or invoke a new one. I run the code below via cron(8).
Code:
#!/bin/sh

# Run pkg audit -F on the host (this also fetches a fresh vuln.xml)
echo "Host system"
echo "-----------"
/usr/sbin/pkg audit -F

# Do the same in the jails
for jail in $(/usr/sbin/jls jid); do
    Path=$(/usr/sbin/jls -j "$jail" path)
    # Compare the host's vuln.xml file with the copy in the jail.
    if ! test "${Path}/var/db/pkg/vuln.xml" -nt /var/db/pkg/vuln.xml
    then
        # Update if it does not exist or is older than the host version
        echo "Update vuln.xml in jail"
        cp /var/db/pkg/vuln.xml "${Path}/var/db/pkg/vuln.xml"
    fi
    # Finally run the audit in the jail
    echo
    echo "Jail $(/usr/sbin/jls -j "$jail" name)"
    echo "---------"
    /usr/sbin/pkg -j "$jail" audit
done
In my case the result is sent by mail, as is all output from crontab(5); you might need to find a different way. Maybe this is an idea, maybe not.
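As an added example (not the poster's script, nor anything shipped with FreeBSD), the same host-side approach extended to cover the original question: a jail such as "mail" that runs on its own routing table gets its pkg audit wrapped in setfib(1), and the script returns a non-zero exit status when any jail reports vulnerable packages, so the cron(8) mail is not the only signal. The JAIL_FIBS map, the helper names and the assumption that pkg audit exits non-zero on findings are this example's own, not something the thread states.

```shell
#!/bin/sh
# Added example: audit packages in every running jail from the host.
# The host's vuln.xml is copied into jails whose copy is missing or
# stale; jails listed in JAIL_FIBS are audited under setfib(1) so the
# fetch/audit uses the jail's routing table.
# Assumptions: pkg(8), jls(8) and setfib(1) exist on the host, and
# pkg audit exits non-zero when vulnerable packages are found.

set -u

HOST_VULN=/var/db/pkg/vuln.xml
PKG=/usr/sbin/pkg
JLS=/usr/sbin/jls

# Hypothetical per-jail FIB map, "name:fib" entries, for jails that run
# on a custom routing table (the "mail" jail with exec.fib = 1 above).
JAIL_FIBS="mail:1"

# fib_for_jail NAME -> prints the FIB number for NAME, or returns 1.
fib_for_jail() {
    for entry in $JAIL_FIBS; do
        case $entry in
            "$1":*) echo "${entry#*:}"; return 0 ;;
        esac
    done
    return 1
}

# vulnxml_needs_update HOST_COPY JAIL_COPY -> 0 if JAIL_COPY is missing
# or older than HOST_COPY (test -nt is false when the first file is absent).
vulnxml_needs_update() {
    ! test "$2" -nt "$1"
}

# audit_one_jail JID -> refreshes vuln.xml and runs pkg audit in the jail,
# under setfib when the jail has a custom FIB; returns pkg's exit status.
audit_one_jail() {
    jid=$1
    name=$("$JLS" -j "$jid" name)
    path=$("$JLS" -j "$jid" path)
    if [ ! -d "$path/var/db/pkg" ]; then
        echo "Jail $name: no pkg database, skipping"
        return 0
    fi
    if vulnxml_needs_update "$HOST_VULN" "$path/var/db/pkg/vuln.xml"; then
        echo "Jail $name: updating vuln.xml from host copy"
        cp "$HOST_VULN" "$path/var/db/pkg/vuln.xml" || return 1
    fi
    echo
    echo "Jail $name"
    echo "---------"
    if fib=$(fib_for_jail "$name"); then
        setfib "$fib" "$PKG" -j "$jid" audit
    else
        "$PKG" -j "$jid" audit
    fi
}

# audit_all_jails -> audits the host, then every running jail; exit
# status is non-zero if any audit failed or found vulnerable packages.
audit_all_jails() {
    status=0
    echo "Host system"
    echo "-----------"
    "$PKG" audit -F || status=1
    for jid in $("$JLS" jid); do
        audit_one_jail "$jid" || status=1
    done
    return $status
}

# Only start the audit where jls(8) exists, i.e. on a FreeBSD host.
if command -v jls >/dev/null 2>&1; then
    audit_all_jails
fi
```

Run it from the host's crontab as root; because the overall exit status reflects the audit results, a failing cron job (or a wrapper that checks `$?`) is enough to raise an alert without parsing the mail body.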
 