In recent years, the security world has made many improvements to how vulnerability assessment is handled. The threat of system intrusion increases as third party utilities are installed and configured for virtually any operating system available today.
Vulnerability assessment is a key factor in security. While FreeBSD releases advisories for the base system, doing so for every third party utility is beyond the FreeBSD Project's capability. There is a way to mitigate third party vulnerabilities and warn administrators of known security issues. A FreeBSD add on utility known as portaudit exists solely for this purpose.
The
ports-mgmt/portaudit
port polls a database, which is updated and maintained by the
FreeBSD Security Team and ports developers, for known security
issues.
To install portaudit from the Ports Collection:
#
cd /usr/ports/ports-mgmt/portaudit && make install clean
During the installation, the configuration files for
periodic(8) will be updated, permitting
portaudit output in the daily
security runs. Ensure that the daily security run emails, which
are sent to root
's email account, are
being read. No other configuration is required.
After installation, an administrator can update the database and view known vulnerabilities in installed packages by invoking the following command:
#
portaudit -Fda
The database is automatically updated during the periodic(8) run. The above command is optional and can be used to manually update the database now.
To audit the third party utilities installed as part of the Ports Collection at anytime, an administrator can run the following command:
#
portaudit -a
portaudit will display messages for any installed vulnerable packages:
By pointing a web browser to the displayed URL, an administrator may obtain more information about the vulnerability. This will include the versions affected, by FreeBSD port version, along with other web sites which may contain security advisories.
portaudit is a powerful utility and is extremely useful when coupled with the portmaster port.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.