FreeBSD/Jails and portaudit

Jails are a useful tool for servers, but they add a layer of administration: every jail carries its own set of packages, and each of them needs to be checked for known vulnerabilities. To reduce this overhead I wanted a way to run portaudit against each jail from the host. I found a script that does this at http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail but was unhappy with it and have modified the procedure somewhat.

Scripting
I placed this script in /usr/local/etc/periodic/security/420.jailportaudit, so periodic(8) runs it with the other daily security checks. It requires that portaudit be installed, and it is based on both the aforementioned script and portaudit's own 410.portaudit. It is enabled by default; set daily_status_security_jailportaudit_enable="NO" in /etc/periodic.conf to turn it off.


```sh
#!/bin/sh -f
#
# Copyright (c) 2004 Oliver Eikemeier. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# 1. Redistributions of source code must retain the above copyright notice
#    this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. Neither the name of the author nor the names of its contributors may be
#    used to endorse or promote products derived from this software without
#    specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

# jail_list and the jail_<name>_rootdir variables are defined in rc.conf
. /etc/rc.conf

rc=0
case "${daily_status_security_jailportaudit_enable:-YES}" in
    [Nn][Oo])
        ;;
    *)
        echo
        # taken from http://www.section6.net/wiki/index.php/Creating_a_FreeBSD_Jail
        # Now let's create temp files listing the ports in each jail,
        # audit every jail from the host
        # and delete the temp files
        tmpdir=`mktemp -d /tmp/jailportaudit.XXXXXXXX` || exit 2
        for jail in $jail_list; do
            # taken from /etc/rc.d/jail
            eval jaildir=\"\$jail_${jail}_rootdir\"

            echo ""
            echo "Checking for packages with security vulnerabilities in jail \"$jail\":"
            echo ""
            # the installed package names are the entries under the jail's /var/db/pkg
            ls -1 "$jaildir/var/db/pkg" > "$tmpdir/$jail.paf"
            # a non-zero rc makes periodic(8) report the run when portaudit finds problems
            /usr/local/sbin/portaudit -f "$tmpdir/$jail.paf" || rc=3
            rm "$tmpdir/$jail.paf"
        done
        rmdir "$tmpdir"
        ;;
esac

exit "$rc"
```
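As an added example (my own code, not the page's script and not part of portaudit), the per-jail logic above rewritten as shell functions: only real package directories under the jail's /var/db/pkg are fed to portaudit -f (a stray file such as portupgrade's pkgdb.db would otherwise be passed as a bogus package name), and portaudit's exit status is returned to the caller. The names PORTAUDIT, jail_pkg_list, audit_jail and audit_all_jails are assumptions of this example; PORTAUDIT can be pointed at a stub to exercise the logic without the real binary.

```sh
#!/bin/sh
# Added example, not the page's script. PORTAUDIT is overridable so the
# functions can be exercised with a stub instead of the real binary.
PORTAUDIT="${PORTAUDIT:-/usr/local/sbin/portaudit}"

# Print one package name per line for the jail rooted at $1.
# Only directories count: a plain file like portupgrade's pkgdb.db
# must not be handed to portaudit as a package name.
jail_pkg_list() {
    _root="$1"
    [ -d "$_root/var/db/pkg" ] || return 1
    for _d in "$_root"/var/db/pkg/*/; do
        [ -d "$_d" ] || continue          # unmatched glob stays literal
        _d="${_d%/}"
        echo "${_d##*/}"
    done
}

# Audit one jail ($1 = name, $2 = root): write its package list to a
# private temp file, run portaudit -f on it, clean up, and return
# portaudit's exit status (2 if the jail has no package database).
audit_jail() {
    _name="$1"; _root="$2"
    _tmp=$(mktemp "${TMPDIR:-/tmp}/jailportaudit.XXXXXXXX") || return 2
    if ! jail_pkg_list "$_root" > "$_tmp"; then
        echo "jail $_name: no package database under $_root"
        rm -f "$_tmp"; return 2
    fi
    echo "Checking for packages with security vulnerabilities in jail \"$_name\":"
    "$PORTAUDIT" -f "$_tmp"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Audit every jail named in $jail_list (rc.conf style variables, as in
# the script above) and return the last non-zero status seen, so a
# periodic(8) wrapper can pass it on as its own rc.
audit_all_jails() {
    _worst=0
    for _j in $jail_list; do
        eval _root=\"\$jail_${_j}_rootdir\"
        audit_jail "$_j" "$_root" || _worst=$?
    done
    return $_worst
}
```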