Determine which software have outstanding security advisories

Author: name contact BSD flavour

Reviewer: name contact BSD flavour

Reviewer: Chris Silva racerx@makeworld.com FreeBSD/OpenBSD


Concept

Recognize the importance of being aware of software security (((security))) vulnerabilities (((vulnerabilities))). Also recognize the third-party utilities which integrate with the BSD package(((package))) managers to determine which software has outstanding vulnerabilities.

Introduction

FreeBSD uses the portaudit system.

portaudit: system to check installed packages for known vulnerabilities (((portaudit)))

portaudit -a prints a vulnerability report for all installed packages

portaudit -F fetches current database from FreeBSD servers

portaudit -Fa (does both at one time, very useful)

TODO: mention enabling periodic portaudit script

DragonFlyBSD and FreeBSD can both use the following command to check for known vulnerabilities in installed applications:

pkg audit -F

NetBSD uses pkg_admin in a two-command sequence: first fetch the latest package vulnerabilities database, then check your installed packages against it:

pkg_admin fetch-pkg-vulnerabilities
pkg_admin audit

OpenBSD users should monitor the relevant mailing lists [see http://www.openbsd.org/mail.html] and follow Unix-related security announcement websites and mailing lists, so that they can apply updates to the BASE operating system. One strategy to accomplish this is to maintain a local CVS repository using the CVSync or rsync programs, and build STABLE releases incorporating any desired security fixes [see http://www.openbsd.org/faq/faq5.html]. For fixing security vulnerabilities in OpenBSD packages or ports, you should subscribe to the mailing lists or other security-related resources relevant to EACH application you are using beyond the BASE system. It can also be helpful to monitor results from security-related testing of applications that appear on sites such as CERT [https://www.us-cert.gov/ncas/alerts etc.].

More information and ideas for fixing security vulnerabilities on OpenBSD (and some for FreeBSD too) can be found here: http://serverfault.com/questions/209027/openbsd-freebsd-your-update-philosophy

Examples

The following is an example of using portaudit on FreeBSD. (The "-d" option prints the date of the vulnerability database.)

$ /usr/local/sbin/portaudit -Fda
New database installed.
Database created: Fri Jan 26 09:40:17 PST 2007
Affected package: php5-5.1.2_1
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
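The following script is an added example, not part of the original page or of any BSD project: it wraps the per-flavour audit commands listed in the Introduction into one cron-friendly check and parses a report in the portaudit format shown above to extract the affected packages and problem count. It assumes `uname -s` returns FreeBSD, DragonFly or NetBSD on those systems, and that the "N problem(s) ... found." summary line is present in the report it parses (a constructed sample is embedded for offline testing).

```shell
#!/bin/sh
# Pick the package audit command for a BSD flavour (value of `uname -s`).
# Fails (status 1) on anything else so callers can detect an unsupported host.
audit_cmd() {
    case "$1" in
        FreeBSD|DragonFly) echo "pkg audit -F" ;;
        NetBSD)  echo "pkg_admin fetch-pkg-vulnerabilities && pkg_admin audit" ;;
        *)       return 1 ;;
    esac
}

# Read a portaudit-style report on stdin; print one affected package per line
# ("Affected package: php5-5.1.2_1" -> "php5-5.1.2_1").
affected_packages() {
    sed -n 's/^Affected package: *//p'
}

# Read a portaudit-style report on stdin; print the number from the
# "N problem(s) ... found." summary line, or 0 if no such line exists.
problem_count() {
    n=$(sed -n 's/^\([0-9][0-9]*\) problem(s).*/\1/p')
    echo "${n:-0}"
}

# Constructed sample report in the portaudit format shown in the Examples section.
sample_report() {
    cat <<'EOF'
New database installed.
Database created: Fri Jan 26 09:40:17 PST 2007
Affected package: php5-5.1.2_1
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>

1 problem(s) in your installed packages found.
EOF
}

# Run the audit on this host: exit 0 when clean, 1 when at least one package is
# affected, 2 when the flavour is not handled. The affected package names are
# printed so a monitoring job can alert on them (assumed summary-line format).
run_audit() {
    cmd=$(audit_cmd "$(uname -s)") || return 2
    report=$(sh -c "$cmd" 2>&1)
    printf '%s\n' "$report" | affected_packages
    [ "$(printf '%s\n' "$report" | problem_count)" -eq 0 ]
}
```

Call `run_audit` from a daily cron or periodic job and act on a non-zero exit status; the fetch step (`-F` / `fetch-pkg-vulnerabilities`) is included so the check always runs against the current database.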

Practice Exercises

More information

audit-packages(((audit-packages))) for Dragonfly and NetBSD; portaudit(((portaudit))) and vuxml(((vuxml))) for FreeBSD and OpenBSD

TODO: verify for OpenBSD?