# pkg audit and fib



## abishai (Jun 18, 2017)

I use periodic from the host to check packages for vulnerabilities. 

```
daily_status_security_pkgaudit_enable="YES"
daily_status_security_pkgaudit_jails="*"
```
However, for jails that operate with a custom routing table, I receive

```
pkg: http://vuxml.freebsd.org/freebsd/vuln.xml.bz2: No address record
pkg: cannot fetch vulnxml file
```
jail.conf

```
mail {
 ip4.addr = "em2|10.0.4.2/32";
 exec.fib = 1;
}
```
How can I audit this jail's packages?


----------



## Beeblebrox (Jun 18, 2017)

Your jail is unable to resolve DNS, that's what "No address record" means.
Correct the jail's /etc/resolv.conf.


----------



## abishai (Jun 19, 2017)

Beeblebrox said:


> Your jail is unable to resolve DNS, that's what "No address record" means.
> Correct the jail's /etc/resolv.conf.


My jail can't communicate at all using the default routing table, and the periodic script doesn't prepend commands with `set fib`.


----------



## chrbr (Jun 19, 2017)

What I do is to fetch the file /var/db/pkg/vuln.xml once and copy it to each jail. For this you would need to modify the default script or invoke a new one. I run the code below via cron(8).

```
#!/bin/sh

# Refresh the vulnerability database on the host (-F fetches vuln.xml)
# and audit the host's own packages.
echo "Host system"
echo "-----------"
/usr/sbin/pkg audit -F

# Do the same in every running jail, reusing the host's vuln.xml so
# the jails never have to fetch it themselves.
for jail in $(/usr/sbin/jls jid); do
    Path=$(/usr/sbin/jls -j "$jail" path)
    # Copy the host's vuln.xml into the jail if the jail's copy is
    # missing or not newer than the host's (-nt is false when the
    # first file does not exist).
    if ! test "${Path}/var/db/pkg/vuln.xml" -nt /var/db/pkg/vuln.xml
    then
        echo "Update vuln.xml in jail"
        cp /var/db/pkg/vuln.xml "${Path}/var/db/pkg/vuln.xml"
    fi
    # Finally run the audit in the jail (no -F, so nothing is fetched)
    echo
    echo "Jail $(/usr/sbin/jls -j "$jail" name)"
    echo "---------"
    /usr/sbin/pkg -j "$jail" audit
done
```
In my case the result is sent to me by mail, as is all output from crontab(5); you might need to find a different way. Maybe this is an idea, maybe not.


----------

