We used to use jailaudit to produce a portaudit for all our jails, but it would seem that
jailaudit need some work before they are happy in the newer ecosystem. However new pkg ng tools can audit things directly including jails. This is great, but we were lacking an easy way to audit all our jails as we used to.
For the moment we’ve written a quick and simple shell script to iterate over the jails:
That simply uses the
jls command to generate a list of jails. We iterate over that list running
pkg audit in each jail (using the
-j option to tell it which jid to run in) and store the output. If there were vulnerabilities found for a jail we echo a message and change the exit state of our script to a 1. I’ve opted to grab the jail’s hostname and display that, but you could easily adapt the script to return other data such as the jail’s name instead (if that’s all you wanted just change host.hostname to name).
Throw that in the system crontab running as root (so we can bind to the jails) and we can get the output mailed to us.
I expect the authors of the
portaudit tools may release updated versions to deal with pkg ng systems and we may switch back to those or may write a more fully featured tool that logs a history of vulnerabilities and outputs in more flexible formats for ourselves.