OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: chemlud on February 10, 2017, 06:37:20 pm

Title: [SOLVED] Firmware - "Audit now"
Post by: chemlud on February 10, 2017, 06:37:20 pm
Hi again!

Maybe I'm just a little.. **cough**... unfit, but for some time now I have in the Firmware Menu close to the "Check for updates" a button called "Audit now". Can somebody please enlighten me with 1-2 sentences what this function does, I could not find... it :-)
Title: Re: Firmware - "Audit now"
Post by: Oxygen61 on February 10, 2017, 07:03:01 pm
Hey chemlud,

*cough cough* sorry to hear that u are not feeling well. :(

As far as I know that "clickable thingi" lets u have a look at known FreeBSD port vulnerabilities.
In short: U can see which security updates are needed and will hopefully be released in the next opnsense security patch.

The only use case I can consider is the following one:
U click on "audit now" and it tells you that OpenSSL is completely dead and vulnerable
(for example: the well known Heartbleed bug)
In this case u can decide for yourself if u let this issue bleed until the next update is getting released or if u decide to switch to LibreSSL for example. :)

Another example would probably be the one that people are able to manage their ports (services) for themselves by using portmaster. (Don't ask me how they do it.... I have no idea at all.  8)) but that would be another use case I can think about.

Hopefully that helps!  ;D

Best *cough* regards
Oxy
Title: Re: Firmware - "Audit now"
Post by: franco on February 10, 2017, 07:22:05 pm
Hi guys,

Yes, this is essentially running FreeBSD's package audit:

# pkg audit -F

FreeBSD registers vulnerabilities for its packages and we thought that made a nice addition to a security project to create visibility and awareness.

What it is not: It is not meant as an indication for OPNsense having to release updates. ;)

What it should be: It helps with vulnerability management, to know to temporarily disable affected services, reading about the scope of these problems and how to mitigate the attacks.


Cheers,
Franco
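As an added example (not OPNsense or FreeBSD code), the script below turns the report that `pkg audit -F` prints into one line per affected package with its CVE ids, plus the problem count, so the output of "Audit now" can be fed into a ticket or a monitoring check when deciding which service to disable until a fix ships. The report text is a constructed sample in the format pkg used at the time (package name, one description line, `CVE:` lines, a `WWW:` link, then a final "N problem(s)" line); package versions, CVE ids and the vuxml URL are placeholders.

```shell
#!/bin/sh
# Constructed sample of `pkg audit -F` output (placeholder versions and CVE ids).
# In real use replace it with:  REPORT=$(pkg audit -F 2>/dev/null)
SAMPLE_REPORT='openssl-0.0.0 is vulnerable:
OpenSSL -- placeholder vulnerability description
CVE: CVE-0000-0001
CVE: CVE-0000-0002
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-1.html

curl-0.0.0 is vulnerable:
cURL -- placeholder vulnerability description
CVE: CVE-0000-0003
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-2.html

2 problem(s) in the installed packages found.'

# summarize_audit REPORT: print "<package>\t<cve,cve,...>" for each affected
# package, in the order pkg listed them. A blank line ends a package block.
summarize_audit() {
  printf '%s\n' "$1" | awk '
    / is vulnerable:$/ { pkg = $1; cves[pkg] = ""; order[++n] = pkg; next }
    /^CVE: / && pkg != "" {
      cves[pkg] = (cves[pkg] == "" ? $2 : cves[pkg] "," $2); next }
    /^$/ { pkg = "" }
    END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], cves[order[i]] }'
}

# count_problems REPORT: the number from the trailing "N problem(s)" line,
# or 0 when the report has no such line (e.g. empty output).
count_problems() {
  n=$(printf '%s\n' "$1" | awk '/problem\(s\) in the installed packages found/ { print $1 }')
  printf '%s\n' "${n:-0}"
}

summarize_audit "$SAMPLE_REPORT"
printf 'problems: %s\n' "$(count_problems "$SAMPLE_REPORT")"
```

A non-zero problem count is the point at which to read the linked vuxml entry and decide whether the affected service can stay up until the next release.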
Title: Re: Firmware - "Audit now"
Post by: Oxygen61 on February 10, 2017, 07:49:12 pm
Quote
What it is not: It is not meant as an indication for OPNsense having to release updates. ;)

ohh.... ;(
Title: Re: Firmware - "Audit now"
Post by: franco on February 11, 2017, 10:12:52 am
I'm not saying it's not an indication of when updates are necessary. But since we decided *not* to control the contents of that file you get the full truth and nothing but the truth, which may overlap our release schedules.

Creating a new release takes about two days (without images), so in that time frame vulnerabilities may appear that we cannot incorporate unless we stop the release process and start again. We will do this occasionally, but not always.

Maybe that is a bit clearer? :)


Cheers,
Franco
Title: Re: Firmware - "Audit now"
Post by: Oxygen61 on February 11, 2017, 02:27:05 pm
Quote
Creating a new release takes about two days (without images), so in that time frame vulnerabilities may appear that we cannot incorporate unless we stop the release process and start again.[...]

Maybe that is a bit clearer? :)

That's way better to say so. I forgot the obvious reason that updates would need to be reworked every time a vulnerability would occur before an update release.

Quote
It helps with vulnerability management, to know to temporarily disable affected services

I guess that's the whole point overall but as chemlud already said it wasn't quite clear to get an understanding what this feature "could" or "should" do in the first place.

Now we know! :) Thanks!

Best regards
Oxy