FreeBSD Enable Security Port Auditing to Avoid Vulnerabilities With portaudit
This is new nifty and long term demanded feature in FreeBSD. A port called portaudit provides a system to check if installed ports are listed in a database of published security vulnerabilities. After installation it will update this security database automatically and include its reports in the output of the daily security run. If you get message like as follows
Vulnerability check disabled, database not found
You need install small port called portaudit. From the man page:
portaudit checks installed packages for known vulnerabilities and generates reports including references to security advisories. Its intended audience is system administrators and individual users. portaudit checks installed packages for known vulnerabilities and generates reports including references to security advisories. Its intended audience is system administrators and individual users.
Install portaudit
1) Install port auditing (login as root)
# cd /usr/ports/ports-mgmt/portaudit
Please note that old portaudit port was located at /usr/ports/security/portaudit/.
2) Install portaudit:
# make install clean
Output:
===> WARNING: Vulnerability database out of date, checking anyway ===> Extracting for portaudit-0.5.12 ===> Patching for portaudit-0.5.12 ===> Configuring for portaudit-0.5.12 ===> Building for portaudit-0.5.12 ===> Installing for portaudit-0.5.12 ===> Generating temporary packing list ===> Checking if ports-mgmt/portaudit already installed ===> Compressing manual pages for portaudit-0.5.12 ===> Registering installation for portaudit-0.5.12 ===> Cleaning for portaudit-0.5.12
3) Fetch the database so that port auditing get activated immediately. By default it install a shell script 'portaudit' in /usr/local/etc/periodic/security/:
# /usr/local/sbin/portaudit -Fda
Output:
auditfile.tbz 100% of 47 kB 405 kBps New database installed. Database created: Wed Feb 27 06:10:01 CST 2008 0 problem(s) in your installed packages found.
Where,
- -F: Fetch the current database from the FreeBSD servers.
- -d: Print the creation date of the database.
- -a: Print a vulnerability report for all installed packages
4) portaudit script automatically get called via FreeBSD's periodic (cron job) facility. So your database get updated automatically everyday.
Let us assume you would like to install a port called sudo. If it has known vulnerabilities it will not install sudo:
# cd /usr/ports/security/sudo
# make install clean
===> sudo-1.6.8.7 has known vulnerabilities: => sudo -- local race condition vulnerability. Reference: &tt;http://www.FreeBSD.org/ports/portaudit/3bf157fa- e1c6-11d9-b875-0001020eed82.html> => Please update your ports tree and try again. *** Error code 1 Stop in /usr/ports/security/sudo.
For more information refer portaudit man page:
$ man portaudit
E-mail this to a friend
Printable version
You may also be interested in other helpful articles:
- FreeBSD keep ports collection up to date in two easy steps
- AIX UNIX: File auditing to track reads and writes changes
- Take a FreeBSD Security Survey
- Security Alert: FreeBSD-SA-08:06.bind DNS cache Poisoning
- How to export display from Linux to FreeBSD
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: /usr/ports/security/portaudit, auditing, FreeBSD, freebsd package management, freebsd_security_vulnerabilities_database, make command, make install clean, periodic security, portaudit command, ports, security advisories, security vulnerabilities, security_database, system administrators, vulnerability check, vulnerability database
Thanks. I was wondering how to get rid of that Vulnerability message.
Yes, that vulnerability check warning really should include a reference to this useful port.
thank you for the grt contribution.