FreeBSD: How to enable vulnerability check while installing a port?
The FreeBSD ports system is one of the most mature package installation systems. It can check each port for known vulnerabilities at install time:
[/usr/ports/www/apache13]# make install clean
===> Fetching all distfiles for apache-1.3.29_1 and dependencies
===> Vulnerability check disabled
The above message is displayed when the vulnerability check is not enabled.
Enabling port vulnerability check in FreeBSD
# cd /usr/ports/ports-mgmt/portaudit && make install clean
Note: If your ports collection is very outdated, you will find this port in /usr/ports/security/portaudit, but you will most probably not be able to install it; update your ports collection first.
Now the vulnerability check on your FreeBSD system is enabled, and every port will be checked for vulnerabilities upon installation.
[/usr/ports/www/apache13-modssl]# make install clean
apache13-modssl-1.3.30 has known vulnerabilities:
=> apache13-modssl -- format string vulnerability in proxy support.
   Reference: <http://www.freebsd.org/ports/portaudit/18974c8a-1fbd-11d9-814e-0001020eed82.html>
=> Please update your ports tree and try again.
*** Error code 1
Stop in /usr/ports/www/apache13-modssl.
This message appears once portaudit is installed and you try to install a port for which there is a vulnerability report.
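As an added example (not part of the original page and not part of portaudit): a small sh/awk filter that scans saved make install output in the format shown above and lists every port the check refused to build, together with its advisory reference. The helper names blocked_ports and unchecked_builds, and the sample log stitched together from the two excerpts on this page, are assumptions made for the illustration.

```sh
#!/bin/sh
# Constructed sample: the two make(1) excerpts shown on this page, as one log.
SAMPLE_LOG=$(cat <<'EOF'
===> Fetching all distfiles for apache-1.3.29_1 and dependencies
===> Vulnerability check disabled
apache13-modssl-1.3.30 has known vulnerabilities:
=> apache13-modssl -- format string vulnerability in proxy support.
   Reference: <http://www.freebsd.org/ports/portaudit/18974c8a-1fbd-11d9-814e-0001020eed82.html>
=> Please update your ports tree and try again.
*** Error code 1
EOF
)

# blocked_ports (hypothetical helper): read build output on stdin and print
# one tab-separated line per finding: package, problem, reference URL.
blocked_ports() {
    awk '
    # "<pkg> has known vulnerabilities:" opens a report; pkg precedes "has".
    / has known vulnerabilities:$/ { pkg = $(NF - 3); next }
    # The closing hint ends the report for this port.
    /^=> Please update your ports tree/ { pkg = ""; next }
    # Any other "=> " line inside a report describes one problem.
    pkg != "" && /^=> / { desc = substr($0, 4); next }
    # The Reference line completes the entry; strip optional <> around it.
    pkg != "" && /^[ \t]*Reference:/ {
        url = $2
        gsub(/[<>]/, "", url)
        printf "%s\t%s\t%s\n", pkg, desc, url
    }'
}

# unchecked_builds (hypothetical helper): count builds that ran with the
# vulnerability check disabled, i.e. before portaudit was installed.
unchecked_builds() {
    awk '/Vulnerability check disabled$/ { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | blocked_ports
printf 'builds without a vulnerability check: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | unchecked_builds)"
```

Feed it a saved build log on stdin (for example one captured with script(1)); a non-zero count from unchecked_builds means some ports were built without any vulnerability check.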
To get the latest vulnerability database for portaudit, run:
# portaudit -Fd
or set up a cron job to do this daily.
Examples:
Fetch the current database and print its creation date:
# portaudit -Fd
Print a vulnerability report for all installed packages:
# portaudit -a
Print a vulnerability report for a remote machine:
DESCRIPTION
portaudit checks installed packages for known vulnerabilities and generates reports including references to security advisories. Its intended audience is system administrators and individual users.
portaudit uses a database maintained by port committers and the FreeBSD security team to check if security advisories for any installed packages exist. Note that a current ports tree (or any local copy of the ports tree) is not required for operation.
This package also installs a script into /usr/local/etc/periodic/security that regularly updates this database and includes a report of vulnerable packages in the daily security report.
If you have a vulnerable package installed, you are advised to update or deinstall it immediately.
OPTIONS
The following options are supported:
-a Print a vulnerability report for all installed packages.
-C Print a vulnerability report for the port in the current working directory. Mostly useful for port developers.
-d Print the creation date of the database.
-F Fetch the current database from the FreeBSD servers.
-q Quiet mode.
-V Show portaudit version number.
-v Verbose mode.
-X days Download a fresh database when the local is at least days old.
-f file Check the packages listed in file for known vulnerabilities.
-r eregex Restrict listed vulnerabilities to those where a reference matches egrep(1) pattern eregex. Useful to test new entries.
pkg-name ... Test whether pkg-name is listed in the audit database.
If no options are given, portaudit prints a vulnerability report for all installed packages.
Copyright 2007 Andrei Manescu