Perform NetBSD security audit with pkg_admin
Perform NetBSD security audit
Security audit of NetBSD software packages with pkg_admin
NetBSD is especially known for it’s diverse platforms it can run on. What is less known is the ability to audit the installed packages. In this article we have a look on how to audit NetBSD and ensure the file integrity of your packages. Performing a security audit is easy, as long as you use the right tool!
Packages
When using packages, their metadata will be installed in directory within /var/db/pkg. This tree contains information about the packages.
netbsd# cd /var/db/pkg netbsd# ls -l total 146 drwxr-xr-x 2 root wheel 512 Dec 3 17:23 atf-0.20 drwxr-xr-x 2 root wheel 512 Nov 24 2013 libidn-1.28 -rw-r--r-- 1 root wheel 106391 Dec 3 17:07 pkg-vulnerabilities drwxr-xr-x 2 root wheel 512 Nov 24 2013 pkg_install-20130902 -rw-r--r-- 1 root wheel 28672 Dec 3 17:23 pkgdb.byfile.db drwxr-xr-x 2 root wheel 512 Nov 24 2013 pkgin-0.6.4nb1 drwxr-xr-x 2 root wheel 512 Dec 3 17:23 shtk-1.4 drwxr-xr-x 2 root wheel 512 Dec 3 17:23 sysupgrade-1.5nb1 drwxr-xr-x 2 root wheel 512 Dec 3 17:13 wget-1.14nb3
This directory can also contain a file named pkg-vulnerabilities. This file contains information about software vulnerabilities and can be used to check what installed software packages are vulnerable.
Moving deeper
When we look into the subdirectories within /var/db/pkgs, we see a structured format of files, which include the actual metadata about the package.
# ls -l total 78 -r--r--r-- 1 root wheel 3455 Nov 24 2013 +BUILD_INFO -r--r--r-- 1 root wheel 398 Nov 24 2013 +BUILD_VERSION -r--r--r-- 1 root wheel 46 Nov 24 2013 +COMMENT -rw-r--r-- 1 root wheel 3784 Nov 24 2013 +CONTENTS -r-xr-xr-x 1 root wheel 4075 Nov 24 2013 +DEINSTALL -r--r--r-- 1 root wheel 530 Nov 24 2013 +DESC -rwxr-xr-x 1 root wheel 9090 Nov 24 2013 +DIRS -rwxr-xr-x 1 root wheel 11075 Nov 24 2013 +FILES -rwxr-xr-x 1 root wheel 2838 Nov 24 2013 +INFO_FILES -r-xr-xr-x 1 root wheel 28793 Nov 24 2013 +INSTALL -r--r--r-- 1 root wheel 8 Nov 24 2013 +SIZE_ALL -r--r--r-- 1 root wheel 8 Nov 24 2013 +SIZE_PKG
Besides normal information (like a version number), there are actually some shell scripts. Mostly they deal with the directories, files and permissions.
Install pkg-vulnerabilities file
Before checking the system, it will need the pkg-vulnerabilities file. Installing is as easy as running the pkg_admin tool with the fetch-pkg-vulnerabilities parameter.
# pkg_admin fetch-pkg-vulnerabilities
Checking the integrity of the vulnerabilities file
The pkg_admin tool is also able to check the integrity of the fetched file. Normally it should show no output, meaning everything is fine. If not, something like this shows up:
# pkg_admin check-pkg-vulnerabilities /var/db/pkg/pkg-vulnerabilities pkg_admin: SHA1 hash doesn't match
Running vulnerability scan
With the audit parameter we can start a vulnerability scan. It perform a security audit on the installed packages. Every package which matches a specific version, will be flagged.
Discovered vulnerability in wget after running audit
Integrity check
Another thing the pkg_admin tool can perform, is an integrity check of the installed files. It uses the metadata from the packages directory and compares them with the actual files on disk.
pkg_admin discovered mismatches during file integrity check
This small NetBSD utility is very nifty tool and a sign that NetBSD is taking security serious as well. Happy auditing!
Security scanning with Lynis and Lynis Enterprise
3:54 PM
I think my PATH is screwy – could you please tell me where pkg_admin should be by doing a ‘which’ on it?
Ta v much for a nicely put together article!
Alex
4:08 PM
I guess you are missing /usr/pkg/bin:/usr/pkg/sbin in your PATH.
Thanks, feel free to share it with others.
Michael
10:28 PM
Is there a way to setup a similar security audit on ubuntu?
4:04 PM
Yes you can find that information from the -security repository. Or make it yourself easy and use Lynis to detect if you have any vulnerable packages.