FreeBSD - Tutorials, Security

How to check installed ports for vulnerabilities on a FreeBSD box


Posted on: 18 Oct 2007
Author: real_mc
Section: Server Operating Systems | Server Security

This tutorial shows how to use portaudit and pkg_version to list the installed ports that have known vulnerabilities and whether newer versions are available. A simple script audits your installed ports: for each vulnerable port it checks your ports tree for a newer version (the tree must be up to date for the report to be current) and mails the result to you.

 



For the results to be relevant, the ports tree must be up to date, or at least recently updated.

First, let's look at the pkg_version and portaudit utilities in FreeBSD:

$ man pkg_version

NAME
pkg_version -- summarize installed versions of packages
(output omitted)

The pkg_version command is used to produce a report of non-base software
packages installed using the pkg_add(1) command.

Each package's version number is checked against one of two sources to
see if that package may require updating. If the package contains infor-
mation about its origin in the FreeBSD ports tree, and a version number
can be determined from the port's Makefile, then the version number from
the Makefile will be used to determine whether the installed package is
up-to-date or requires updating.
(output omitted)
-v Enable verbose output. Verbose output includes some English-text
interpretations of the version number comparisons, as well as the
version numbers compared for each package. Non-verbose output is
probably easier for programs or scripts to parse.

 

$ man portaudit

NAME
portaudit -- system to check installed packages for known vulnerabilities

DESCRIPTION
portaudit checks installed packages for known vulnerabilities and gener-
ates reports including references to security advisories. Its intended
audience is system administrators and individual users.

portaudit uses a database maintained by port committers and the FreeBSD
security team to check if security advisories for any installed packages
exist. Note that a current ports tree (or any local copy of the ports
tree) is not required for operation.

This package also installs a script into /usr/local/etc/periodic/security
that regularly updates this database and includes a report of vulnerable
packages in the daily security report.

-a Print a vulnerability report for all installed packages.


If you do not have portaudit installed, you can easily install it from ports: cd /usr/ports/ports-mgmt/portaudit && make install clean. Now comes the script:

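#!/bin/sh
# List vulnerable installed packages together with their pkg_version status.

portaudit=/usr/local/sbin/portaudit
pkg_version=/usr/sbin/pkg_version

# portaudit prints "Affected package: <name>"; the last field is the package name.
for i in $("$portaudit" -a | grep Affected | awk '{print $NF}')
do
    # -F matches the name literally (dots are not treated as regex wildcards).
    "$pkg_version" -v | grep -F -- "$i"
done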

Save this as security-audit.sh, make it executable with chmod u+x security-audit.sh, and run it:

$ ./security-audit.sh
png-1.2.18 < needs updating (port has 1.2.22)
php4-4.4.6 < needs updating (port has 4.4.7_2)
gtar-1.15.1_2 < needs updating (port has 1.18_1)
freetype2-2.2.1_1 < needs updating (port has 2.2.1_2)
php4-session-4.4.6 < needs updating (port has 4.4.7_2)
php4-4.4.6 < needs updating (port has 4.4.7_2)
gtar-1.15.1_2 < needs updating (port has 1.18_1)

Now you can extend the script so that the report is mailed to you.
The following script audits your installed ports, checks each vulnerable port for a newer version in your ports tree (which must be up to date for the report to be current) and sends everything to your mailbox:

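#!/bin/sh
# Mail a report of vulnerable installed ports and the newer versions available.
email="Your_mail@your_domain.com"
date=$(date "+%Y-%m-%d")
host=$(hostname)
subject="PSA-Ports Security Audit for $host - $date"
portaudit=/usr/local/sbin/portaudit
pkg_version=/usr/sbin/pkg_version

# Create the report file with mktemp: a predictable name in /tmp can be
# pre-created or symlinked by another local user before the script runs.
audit_output=$(mktemp /tmp/portaudit.XXXXXX) || exit 1
trap 'rm -f "$audit_output"' EXIT

# Full vulnerability report first.
"$portaudit" -a >"$audit_output" 2>&1

# Then, for each affected package, the pkg_version line for it.
for i in $(grep Affected "$audit_output" | awk '{print $NF}')
do
    "$pkg_version" -v | grep -F -- "$i"
done >>"$audit_output" 2>&1

mail -s "$subject" "$email" <"$audit_output"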
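
The loop above prints a package once per advisory that lists it (php4 and gtar appear twice in the sample run) and matches names by substring. The following is an added example, not part of the original article: it reads saved `portaudit -a` and `pkg_version -v` output, reports each vulnerable package once with an exact name match, and separates packages that have a newer port from those that do not. The function name `classify_vulnerable`, the `UPDATE`/`NO-NEWER-PORT` labels and the package `examplepkg` are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: classify vulnerable packages from saved tool output.
# usage: classify_vulnerable <portaudit -a output> <pkg_version -v output>
classify_vulnerable() {
    awk '
        # First file (portaudit): remember each affected package once,
        # since one package can be listed under several advisories.
        FILENAME == ARGV[1] {
            if ($1 == "Affected" && !($NF in seen)) { seen[$NF] = 1; order[++n] = $NF }
            next
        }
        # Second file (pkg_version -v): $1 is the package, $2 the comparison.
        # Exact match on $1, so php4-4.4.6 never matches php4-session-4.4.6.
        ($1 in seen) { cmp[$1] = $2; line[$1] = $0 }
        END {
            for (k = 1; k <= n; k++) {
                p = order[k]
                if (cmp[p] == "<") print "UPDATE: " line[p]
                else               print "NO-NEWER-PORT: " p
            }
        }
    ' "$1" "$2"
}

# Constructed sample input (not real output from any host).
demo() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/audit" <<'EOF'
Affected package: png-1.2.18
Affected package: php4-4.4.6
Affected package: php4-4.4.6
Affected package: examplepkg-1.0
EOF
    cat >"$dir/versions" <<'EOF'
png-1.2.18 < needs updating (port has 1.2.22)
php4-4.4.6 < needs updating (port has 4.4.7_2)
php4-session-4.4.6 < needs updating (port has 4.4.7_2)
examplepkg-1.0 = up-to-date with port
EOF
    classify_vulnerable "$dir/audit" "$dir/versions"
    rm -rf "$dir"
}

demo
```

A `NO-NEWER-PORT` line means the package is flagged as vulnerable but the local ports tree offers nothing newer, so either the tree is stale or no fixed version has been committed yet.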

That's about it!

Also read: FreeBSD force port installation/upgrade even though portaudit reports vulnerability for it

Copyright 2007 Andrei Manescu