Perform NetBSD security audit with pkg_admin

Perform NetBSD security audit

Security audit of NetBSD software packages with pkg_admin

NetBSD is especially known for it’s diverse platforms it can run on. What is less known is the ability to audit the installed packages. In this article we have a look on how to audit NetBSD and ensure the file integrity of your packages. Performing a security audit is easy, as long as you use the right tool!

Packages

When using packages, their metadata will be installed in directory within /var/db/pkg. This tree contains information about the packages.

netbsd# cd /var/db/pkg
netbsd# ls -l
total 146
drwxr-xr-x  2 root  wheel     512 Dec  3 17:23 atf-0.20
drwxr-xr-x  2 root  wheel     512 Nov 24  2013 libidn-1.28
-rw-r--r--  1 root  wheel  106391 Dec  3 17:07 pkg-vulnerabilities
drwxr-xr-x  2 root  wheel     512 Nov 24  2013 pkg_install-20130902
-rw-r--r--  1 root  wheel   28672 Dec  3 17:23 pkgdb.byfile.db
drwxr-xr-x  2 root  wheel     512 Nov 24  2013 pkgin-0.6.4nb1
drwxr-xr-x  2 root  wheel     512 Dec  3 17:23 shtk-1.4
drwxr-xr-x  2 root  wheel     512 Dec  3 17:23 sysupgrade-1.5nb1
drwxr-xr-x  2 root  wheel     512 Dec  3 17:13 wget-1.14nb3

This directory can also contain a file named pkg-vulnerabilities. This file contains information about software vulnerabilities and can be used to check what installed software packages are vulnerable.

Moving deeper

When we look into the subdirectories within /var/db/pkgs, we see a structured format of files, which include the actual metadata about the package.

# ls -l
total 78
-r--r--r--  1 root  wheel   3455 Nov 24  2013 +BUILD_INFO
-r--r--r--  1 root  wheel    398 Nov 24  2013 +BUILD_VERSION
-r--r--r--  1 root  wheel     46 Nov 24  2013 +COMMENT
-rw-r--r--  1 root  wheel   3784 Nov 24  2013 +CONTENTS
-r-xr-xr-x  1 root  wheel   4075 Nov 24  2013 +DEINSTALL
-r--r--r--  1 root  wheel    530 Nov 24  2013 +DESC
-rwxr-xr-x  1 root  wheel   9090 Nov 24  2013 +DIRS
-rwxr-xr-x  1 root  wheel  11075 Nov 24  2013 +FILES
-rwxr-xr-x  1 root  wheel   2838 Nov 24  2013 +INFO_FILES
-r-xr-xr-x  1 root  wheel  28793 Nov 24  2013 +INSTALL
-r--r--r--  1 root  wheel      8 Nov 24  2013 +SIZE_ALL
-r--r--r--  1 root  wheel      8 Nov 24  2013 +SIZE_PKG

Besides normal information (like a version number), there are actually some shell scripts. Mostly they deal with the directories, files and permissions.

Install pkg-vulnerabilities file

Before checking the system, it will need the pkg-vulnerabilities file. Installing is as easy as running the pkg_admin tool with the fetch-pkg-vulnerabilities parameter.

# pkg_admin fetch-pkg-vulnerabilities

Checking the integrity of the vulnerabilities file

The pkg_admin tool is also able to check the integrity of the fetched file. Normally it should show no output, meaning everything is fine. If not, something like this shows up:

# pkg_admin check-pkg-vulnerabilities /var/db/pkg/pkg-vulnerabilities
pkg_admin: SHA1 hash doesn't match

Running vulnerability scan

With the audit parameter we can start a vulnerability scan. It perform a security audit on the installed packages. Every package which matches a specific version, will be flagged.

screenshot of netbsd pkg_admin audit output

Discovered vulnerability in wget after running audit

Integrity check

Another thing the pkg_admin tool can perform, is an integrity check of the installed files. It uses the metadata from the packages directory and compares them with the actual files on disk.

Screen output of pkg_admin check command while performing file integrity check

pkg_admin discovered mismatches during file integrity check

 

This small NetBSD utility is very nifty tool and a sign that NetBSD is taking security serious as well. Happy auditing!

Lynis Enterprise

Lynis Enterprise screenshot to help with system hardening

This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.

Does system hardening take a lot of time, or do you have any compliance in your company? Have a look at Lynis Enterprise.

Or start today with the open source security scanner Lynis (GitHub)


4 comments

  • AuditorAuditor

    I think my PATH is screwy – could you please tell me where pkg_admin should be by doing a ‘which’ on it?

    Ta v much for a nicely put together article!

    Alex

    Reply
    • I guess you are missing /usr/pkg/bin:/usr/pkg/sbin in your PATH.
      Thanks, feel free to share it with others.

      Michael

      Reply
  • SteveGSteveG

    Is there a way to setup a similar security audit on ubuntu?

    Reply
    • Yes you can find that information from the -security repository. Or make it yourself easy and use Lynis to detect if you have any vulnerable packages.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *