Portauditing jails

January 7th, 2010

I run most of the services in separate jails (that’s all easy to set up and maintain with ezjail) and quite often end up having 10+ jails even on simple mail/web server installations.

Installing portaudit, updating its database and running it every day in each jail seems to be a waste of space and resources. Instead I decided to check all jails from the host system during nightly security checks.

This should be saved as /usr/local/etc/periodic/security/420.jailportaudit (with chmod 555):

#!/bin/sh
# Runs on the jail host as a periodic(8) security script: lists the packages
# installed in every running jail and feeds them to the host's portaudit.

RET_VAL=""

# Resolve a jail ID to its hostname (third column of jls output).
get_jail_name()
{
jid=$1
RET_VAL=`jls | egrep "^ +$jid " | awk '{print $3}'`
}

# Audit one jail: pkg_info runs inside the jail via jexec, portaudit on the host.
check_jail()
{
jid=$1

get_jail_name "$jid"
echo "==== checking jail :: $RET_VAL :: ===="
/usr/sbin/jexec "$jid" pkg_info | /usr/bin/awk '{print $1}' | /usr/bin/xargs /usr/local/sbin/portaudit
echo
}

main()
{
# Skip the jls header line and iterate over the JID column.
for i in `jls | tail -n +2 | awk '{print $1}'`
do
check_jail "$i"
done
}

main "$@"
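The script above prints portaudit's full report for every jail whether or not anything is affected. As an added example (not part of the original post), the POSIX sh functions below post-process one jail's portaudit output into a one-line-per-package summary and the exit status periodic(8) uses to decide whether the output belongs in the security mail; the report text is constructed, and the "Affected package:" line format is assumed from portaudit's usual output.

```shell
#!/bin/sh
# Added example: summarise portaudit output per jail and derive the exit
# status periodic(8) expects (0 = nothing to report, 1 = notable output).

# Constructed sample of what "jexec JID pkg_info | xargs portaudit" prints
# for one jail; the Reference URLs are placeholders, not real advisories.
SAMPLE_REPORT='Affected package: libxml2-2.7.6
Type of problem: libxml2 -- Stack consumption vulnerability.
Reference: <http://portaudit.FreeBSD.org/PLACEHOLDER-1.html>

Affected package: openssl-0.9.8l_1
Type of problem: OpenSSL -- renegotiation vulnerability.
Reference: <http://portaudit.FreeBSD.org/PLACEHOLDER-2.html>

2 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.'

# Print "jailname: package" for every affected package in a report on stdin,
# so a 10+ jail host gets one greppable line per finding instead of full text.
affected_packages() {
    jail=$1
    awk -v jail="$jail" '/^Affected package: / { print jail ": " $3 }'
}

# Count affected packages in a report on stdin; prints 0 for a clean jail
# (grep -c exits 1 on no match, which must not abort a set -e script).
count_affected() {
    grep -c '^Affected package: ' || true
}

# Map a finding count to the periodic(8) convention: 0 means nothing worth
# reporting, 1 means the script produced output for the security report.
periodic_rc() {
    if [ "$1" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed report for a jail named "www".
demo() {
    n=$(printf '%s\n' "$SAMPLE_REPORT" | count_affected)
    printf '%s\n' "$SAMPLE_REPORT" | affected_packages www
    periodic_rc "$n"
}
```

In the real script, pipe each jail's portaudit output through these functions and exit with the highest status seen across all jails, so a quiet night produces no mail.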
