# Concern about security database and jails



## kjpetrie (Aug 25, 2015)

I run three NATted jails on my 9.3-RELEASE server, which means I get four security e-mails every morning. This morning, one of the jails told me devel/pcre was vulnerable, but not the host nor the other jail with pcre installed.

The jail reporting the vulnerability sent:

```
Checking for packages with security vulnerabilities:
pcre-8.37_3
```

The other jail concerned sent:

```
Checking for packages with security vulnerabilities:
Database fetched: Sun Aug 23 03:18:50 BST 2015
```

and the host sent:

```
Checking for packages with security vulnerabilities:
Database fetched: Mon Aug 24 03:08:21 BST 2015
```

It doesn't take a genius to work out what's going on here, or the threat it poses of a vulnerability being missed. It appears that, to save bandwidth, each machine (IP address?) is only served the database once, so when my host or one of my jails downloads the database, the others are refused it or told there's no update since they last downloaded.

Therefore, there is a lottery as to which jail/host gets the database, and whether any vulnerable package is installed in that environment. If the third jail, which doesn't have pcre installed, had downloaded the database, I would have been left in blissful ignorance of the problem for at least another day. A day can be a long time when it comes to published vulnerabilities on a publicly accessible server.

This needs to be handled differently. Either only the host should download the database and then check itself and all jails for vulnerabilities (possibly this can be achieved with some configuration and scripting at my end if I know what to do) or all requests should be served the database unless some arbitrary number of downloads (beyond which my first suggestion becomes mandatory) is exceeded.

It's possible I just need some configuration information, or does the system need to change?


----------



## Uniballer (Aug 25, 2015)

FYI, I am seeing the same thing with multiple physical machines behind a NAT box - only one of them has the latest vulnerability database.


----------



## hukadan (Aug 25, 2015)

I use the following (simplistic) script to audit my NATed jails in FreeBSD 10.1:

```
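#!/bin/sh
# List the JIDs of all running jails (-h prints a header line, which grep drops).
jail_ids=$(jls -h jid | grep -v -x jid)

echo "Starting auditing jails..."

for x in $jail_ids ; do
  # Look up the jail's hostname for the report heading.
  hostname=$(jls -j "$x" -h host.hostname | grep -v -x host.hostname)
  echo "=================="
  echo "$hostname"
  echo "------------------"
  # -F fetches the vulnerability database before auditing this jail.
  pkg -j "$x" audit -F
done
echo "=================="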
```
and I saw the security report concerning devel/pcre for all the jails where it was installed. If I correctly understood the `-j` option, using this script should download the vulnerability database in each jail. So I cannot reproduce your problem on my system.


----------



## storvi_net (Aug 25, 2015)

For 10.1 I am using periodic.conf:

```
# Daily security Jails
pkg_jails="*"
daily_status_security_pkgaudit_jails="*"
```

It's built in and works flawlessly.
Regards
Markus


----------



## kjpetrie (Aug 25, 2015)

Are these overriding defaults in 10.1? There appear to be no such defaults in 9.3.

Are the "*"s meant to be literal or placeholders for other values (e.g. YES or NO)?


----------



## Crivens (Aug 26, 2015)

If this is indeed bound to the IP, then the problem is bigger than jails. My DSL modem is reset by the cable company to a new IP once every day, so what if I get the IP of someone who loaded the database a few minutes ago?


----------



## storvi_net (Aug 26, 2015)

You can read through the script at /usr/local/etc/periodic/security/410.pkg-audit 

Regards
Markus


----------
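The symptom in the first post, where the host and its jails audit against different copies of the vulnerability database, can be checked for directly on the host. The following is an added example, not code from any poster in this thread; the function name is hypothetical, and it assumes each environment keeps the database at `var/db/pkg/vuln.xml` under its root and that the most recently modified copy is the current one.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on the jail host.
# Assumption: every environment keeps the pkg audit database at
# <root>/var/db/pkg/vuln.xml; adjust VULN_DB_REL if yours differs.
VULN_DB_REL="var/db/pkg/vuln.xml"

# lagging_vuln_dbs ROOT...
# Prints "MISSING <root>" or "LAGGING <root>" for each root whose database
# is absent or differs in content from the most recently modified copy.
# Returns 0 when every root holds an identical copy, 1 otherwise.
lagging_vuln_dbs() {
  newest=""
  # Pass 1: pick the most recently modified copy as the reference.
  for root in "$@"; do
    db="${root%/}/$VULN_DB_REL"
    [ -f "$db" ] || continue
    if [ -z "$newest" ] || [ "$db" -nt "$newest" ]; then
      newest=$db
    fi
  done
  # Pass 2: report every root that is missing the file or disagrees with it.
  rc=0
  for root in "$@"; do
    db="${root%/}/$VULN_DB_REL"
    if [ ! -f "$db" ]; then
      echo "MISSING $root"
      rc=1
    elif ! cmp -s "$db" "$newest"; then
      echo "LAGGING $root (reference: $newest)"
      rc=1
    fi
  done
  return "$rc"
}

# Typical use ("/" is the host itself; jls prints each jail's root path):
#   lagging_vuln_dbs / $(jls path)
```

A non-zero exit means at least one environment was audited against a different database than the others, so a clean report from it cannot be trusted until the database is fetched again.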

