I abandoned this post back in March 2020 because I was unable to get keycloak to contact SamDrucker. I'm publishing it now mostly because of SamDrucker.
keycloak is a vnet jail. Interesting things happen there.
From time to time, security issues are found in software. The FreeBSD package management system relies upon pkg audit and the VuXML vulnerability database to alert system administrators that attention is required.
Case in point: my Nagios monitoring is showing a host with some vulnerable packages, specifically:
- nginx-1.16.1_9,2
- sudo-1.8.30
When this situation arises, there is usually more than one host which needs upgrading. In this post, on FreeBSD 12.1 with SamDruckerClientShell 0.0.2_1, I'll show you:
- how I installed the SamDrucker client
- how I found a list of hosts with a given package installed
- how I used SamDrucker to compile a list of hosts to upgrade
Fair warning: It turns out I had only one host to upgrade and that host wasn’t in my SamDrucker database. Why? It was a relatively new host which had been powered off for a while and did not have the SamDrucker client installed.
Which hosts have nginx installed?
This is the command I used to find the list of hosts which had Nginx installed:
samdrucker=# select * from hostswithpackageshowversion('nginx') order by 2;
             host              |  package_version
-------------------------------+-------------------
 samdrucker.int.example.org    | nginx-1.16.1_11,2
 mqtt01.int.example.org        | nginx-1.16.1_11,2
 pkg01.int.example.org         | nginx-1.16.1_11,2
 x8dtu-nginx01.vpn.example.org | nginx-1.16.1_11,2
 bacula-sd-02.int.example.org  | nginx-1.16.1_11,2
 tallboy-mqtt.vpn.example.org  | nginx-1.16.1_11,2
 serpico.int.example.org       | nginx-1.16.1_11,2
 supernews.example.org         | nginx-1.16.1_11,2
 dev-nginx01.int.example.org   | nginx-1.16.1_11,2
 stage-nginx01.int.example.org | nginx-1.16.1_11,2
 test-nginx01.int.example.org  | nginx-1.16.1_11,2
 webs02.vpn.example.org        | nginx-1.16.1_11,2
 fileserver.int.example.org    | nginx-1.16.1_11,2
 nuts.example.org              | nginx-1.16.1_11,2
 beta.pgcon.org                | nginx-1.16.1_11,2
 unifi01.int.example.org       | nginx-1.16.1_11,2
 www.bsdcan.org                | nginx-1.16.1_11,2
 www.pgcon.org                 | nginx-1.16.1_11,2
 dev-pgeu.int.example.org      | nginx-1.16.1_11,2
 keycloak.int.example.org      | nginx-1.16.1_11,2
(20 rows)

samdrucker=#
This shows the hostname and the version of Nginx installed on each host. That version (nginx-1.16.1_11,2) is not vulnerable. Here is the output of pkg audit on the host in question:
[dan@keycloak:~] $ pkg audit
nginx-1.16.1_9,2 is vulnerable:
NGINX -- HTTP request smuggling
CVE: CVE-2019-20372
WWW: https://vuxml.FreeBSD.org/freebsd/c1202de8-4b29-11ea-9673-4c72b94353b5.html

sudo-1.8.30 is vulnerable:
sudo -- Potential bypass of Runas user restrictions
CVE: CVE-2019-18634
WWW: https://vuxml.FreeBSD.org/freebsd/b4e5f782-442d-11ea-9ba9-206a8a720317.html

2 problem(s) in 2 installed package(s) found.
[dan@keycloak:~] $
Note that keycloak is not listed above (yes, keycloak.int.example.org is in the list, but the hostname of the host in question is actually keycloak.example.org).
Why is it not there? The SamDrucker client is not installed on that host.
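The step above, matching the package pkg audit flags on one host against the versions SamDrucker has recorded for every host, is worth automating, with one trap: FreeBSD package versions do not sort as strings (nginx-1.16.1_9,2 is older than nginx-1.16.1_11,2, but a string compare says the opposite; on FreeBSD itself `pkg version -t` does this comparison). The following is an added example, not part of the original post or of the SamDrucker project: the host rows and the pkg audit text are constructed samples modelled on the output shown above, and the "fixed in" version is the one the post shows pkg audit no longer flagging.

```python
import re

# Constructed sample rows in the shape of the hostswithpackageshowversion()
# output above: (host, installed package). Two hosts are on older revisions.
SAMDRUCKER_ROWS = [
    ("samdrucker.int.example.org", "nginx-1.16.1_11,2"),
    ("mqtt01.int.example.org", "nginx-1.16.1_11,2"),
    ("keycloak.example.org", "nginx-1.16.1_9,2"),
    ("old-nginx01.int.example.org", "nginx-1.16.1_2,2"),
]

# Constructed pkg audit output, trimmed from the keycloak host in the post.
PKG_AUDIT_OUTPUT = """\
nginx-1.16.1_9,2 is vulnerable:
NGINX -- HTTP request smuggling
sudo-1.8.30 is vulnerable:
sudo -- Potential bypass of Runas user restrictions
"""

def audited_packages(audit_output):
    """Pull the 'name-version' tokens that pkg audit flagged."""
    return re.findall(r"^(\S+) is vulnerable:", audit_output, re.M)

def split_pkg(pkgname):
    """'nginx-1.16.1_9,2' -> ('nginx', '1.16.1_9,2'); split on the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version

def version_key(version):
    """Sort key in FreeBSD order: epoch (after ','), then the numeric
    components of the version, then the port revision (after '_').
    Handles the common digit-only form, not every pkg-version(8) suffix."""
    m = re.fullmatch(r"([^_,]+)(?:_(\d+))?(?:,(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version: " + version)
    base, revision, epoch = m.groups()
    parts = tuple(int(n) for n in re.findall(r"\d+", base))
    return (int(epoch or 0), parts, int(revision or 0))

def vulnerable_hosts(rows, package, fixed_in):
    """Hosts whose installed <package> sorts below the fixed version."""
    fixed_key = version_key(fixed_in)
    hits = []
    for host, pkg in rows:
        name, version = split_pkg(pkg)
        if name == package and version_key(version) < fixed_key:
            hits.append((host, pkg))
    return sorted(hits)

if __name__ == "__main__":
    print(vulnerable_hosts(SAMDRUCKER_ROWS, "nginx", "1.16.1_11,2"))
```

The returned list is the set of hosts to upgrade; a host that never reported to SamDrucker (like keycloak in this post) cannot appear in it, which is the gap the rest of the post is about.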
Installing SamDrucker
This is my install of the SamDrucker client:
[dan@keycloak:~] $ sudo pkg install SamDruckerClientShell
Updating local repository catalogue...
[keycloak.unixathome.org] Fetching meta.txz: 100%    796 B   0.8kB/s    00:01
[keycloak.unixathome.org] Fetching packagesite.txz: 100%  239 KiB 244.9kB/s    00:01
Processing entries: 100%
local repository update completed. 909 packages processed.
All repositories are up to date.
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	pkg: 1.12.0 -> 1.13.2

Number of packages to be upgraded: 1

6 MiB to be downloaded.

Proceed with this action? [y/N]: y
[keycloak.unixathome.org] [1/1] Fetching pkg-1.13.2.txz: 100%    6 MiB   6.8MB/s    00:01
Checking integrity... done (0 conflicting)
[keycloak.unixathome.org] [1/1] Upgrading pkg from 1.12.0 to 1.13.2...
[keycloak.unixathome.org] [1/1] Extracting pkg-1.13.2: 100%
You may need to manually remove /usr/local/etc/pkg.conf if it is no longer needed.
Updating local repository catalogue...
local repository is up to date.
All repositories are up to date.
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	SamDruckerClientShell: 0.0.2_1
	curl: 7.68.0
	jo: 1.3
	libnghttp2: 1.40.0

Number of packages to be installed: 4

The process will require 4 MiB more space.
1 MiB to be downloaded.

Proceed with this action? [y/N]: y
[keycloak.unixathome.org] [1/4] Fetching SamDruckerClientShell-0.0.2_1.txz: 100%    2 KiB   2.1kB/s    00:01
[keycloak.unixathome.org] [2/4] Fetching jo-1.3.txz: 100%   17 KiB  17.6kB/s    00:01
[keycloak.unixathome.org] [3/4] Fetching curl-7.68.0.txz: 100%    1 MiB   1.3MB/s    00:01
[keycloak.unixathome.org] [4/4] Fetching libnghttp2-1.40.0.txz: 100%  115 KiB 118.2kB/s    00:01
Checking integrity... done (0 conflicting)
[keycloak.unixathome.org] [1/4] Installing libnghttp2-1.40.0...
[keycloak.unixathome.org] [1/4] Extracting libnghttp2-1.40.0: 100%
[keycloak.unixathome.org] [2/4] Installing jo-1.3...
[keycloak.unixathome.org] [2/4] Extracting jo-1.3: 100%
[keycloak.unixathome.org] [3/4] Installing curl-7.68.0...
[keycloak.unixathome.org] [3/4] Extracting curl-7.68.0: 100%
[keycloak.unixathome.org] [4/4] Installing SamDruckerClientShell-0.0.2_1...
[keycloak.unixathome.org] [4/4] Extracting SamDruckerClientShell-0.0.2_1: 100%
[dan@keycloak:~] $
The SamDrucker client uses curl to post to the SamDrucker server (which I host at home; installing the server is not covered here). It uses jo to compose the JSON sent in that post. libnghttp2 is a dependency of curl.
I tried to keep the requirements simple.
Configuring SamDrucker
To configure the client, I edited /usr/local/etc/samdrucker/samdrucker.conf and set SAMDRUCKER_URL to the URL of my SamDrucker server.
Running SamDrucker manually
The SamDrucker client is automatically enabled when installed. It is invoked by a daily periodic script. This is how I invoked it from the command line:
and this is where I abandoned the issue. I no longer run keycloak. It was promising, but it was more than I could wrangle.