Solved Package vulnerability vuxml warning on desktop startup

S

sidetone

I kind of have an idea for how to make a popup for when a vulnerability is presented. For the root crontab I have

Code: 
@reboot pkg audit -F
@hourly pkg audit -F

I can use pkg audit as a non-root user to find the alert, but this doesn't alert me automatically when it becomes present. Next, I found the program x11/xmessage which comes with xorg, that can pop up a window with a message.

An example of a shown (old) vulnerability is
Code: 
vuxml file up-to-date
example-3.1.2_6,1 is vulnerable:
example -- RCE vulnerability
CVE: CVE-2016-1541
WWW: https://vuxml.FreeBSD.org/freebsd/2b4c8e1f-1609-11e6-b55e-b499baebfeaf.html

1 problem(s) in the installed packages found.

as opposed to
Code: 
0 problem(s) in the installed packages found.

It will take a non-root user crontab, to alert me, and a conditional statement to call xmessage when an alert is made. This would be easy for experienced shell users, and I can find the answer after some work, but I also wanted to present this topic on a script to alert users on package vulnerabilities.
------------------
user crontab:
Code: 
@reboot pkg audit | grep "is vulnerable"
@hourly pkg audit | grep "is vulnerable"
then a conditional call to xmessage. Then there would need to be another conditional statement, so the message doesn't repeat if a previous xmessage warning is still running, when there is a vulnerability.
 
Why don't you simply route root's mail to a proper mailbox? This check is part of daily security check done by periodic(8):

Code: 
Checking for packages with security vulnerabilities:
openssl-1.0.2_12
php56-gd-5.6.22
php56-5.6.22
php56-mbstring-5.6.22
php56-zip-5.6.22
 
Mine doesn't show up in root's mail. But then how would I route any message to xmessage, or have it pop up with a console message, not just on reboots, and on a different schedule. I just need it to tell me I have a vulnerability, not be specific about which package, because after I get the notice, I'll check it out myself.
 
pkg-audit(8) can be run as a regular user. So you could just add it to your ~/.xinitrc or one of the many ways Window managers use startup scripts.
 
I already use pkg audit as a regular user. The option on it that needs root is with the -F option, but I already run that through root's crontab. > or | can pipe the message, but x11/xmessage doesn't seem to take the argument that's piped in from grep, like other programs do. I wanted xmessage to pop up a message, as soon as my root's crontab received the warning. That's ok, I'll take time to look at it. xmessage's "-file -" option didn't seem to work last time, but perhaps I interpreted that particular command on the command-line/script wrong.
 
I just insert
Code: 
<StartupCommand>xterm -e /usr/local/bin/mksh -l -c "pkg audit| less"</StartupCommand>
into my .jwmrc file. | less is required to make the notice stay on the screen, until you close it.

This also requires:
Code: 
@reboot pkg audit -F
@daily pkg audit -F
in root's crontab -e

Similar configurations to this would be .xsession or other window manager initialization script, and a different shell command.

* xterm -e "pkg audit|less" from desktop startup file for sh.
 
Last edited:
You must log in or register to reply here.
Back
Top