We used to use jailaudit to produce a portaudit for all our jails, but it would seem that portaudit and jailaudit need some work before they are happy in the newer ecosystem. However new pkg ng tools can audit things directly including jails. This is great, but we were lacking an easy way to audit all our jails as we used to.

For the moment we’ve written a quick and simple shell script to iterate over the jails:

for jail in `jls -n jid host.hostname`; do
  i=`echo $jail | awk -F "=|[ ]*" '{print $2}'`
  h=`echo $jail | awk -F "=|[ ]*" '{print $4}'`
  audit=`pkg -j $i audit`
  if [ "$?" == "0" ]; then
    echo "+------------------------------------------------------------"
    echo "| $h (jid: $i)"
    echo "+------------------------------------------------------------"
    echo "$audit"
exit $x

That simply uses the jls command to generate a list of jails. We iterate over that list running pkg audit in each jail (using the -j option to tell it which jid to run in) and store the output. If there were vulnerabilities found for a jail we echo a message and change the exit state of our script to a 1. I’ve opted to grab the jail’s hostname and display that, but you could easily adapt the script to return other data such as the jail’s name instead (if that’s all you wanted just change host.hostname to name).

Throw that in the system crontab running as root (so we can bind to the jails) and we can get the output mailed to us.

I expect the authors of the jailaudit and portaudit tools may release updated versions to deal with pkg ng systems and we may switch back to those or may write a more fully featured tool that logs a history of vulnerabilities and outputs in more flexible formats for ourselves.