FreeBSD Applying Security Updates Using pkg/freebsd-update

I am a new FreeBSD developer and user. I have root access to my VM running in AWS cloud. How do I update packages and apply security upgrades on FreeBSD? What is the procedure for applying security updates on FreeBSD?

FreeBSD separates the base system from packages. Security updates to the base system are applied with the freebsd-update command, and packages are upgraded with the pkg command. Let us see step-by-step instructions for implementing security update policies on your FreeBSD server or desktop system.

FreeBSD Applying Security Updates

The procedure is as follows:

  1. First, switch from an ordinary user to the root user using the sudo command or su command
  2. Capture a list of currently installed FreeBSD software, run: pkg list > file
  3. Apply all base OS security updates to your system, run: freebsd-update fetch install
  4. Install FreeBSD package security upgrades too, type: pkg update && pkg upgrade
  5. Reboot the FreeBSD machine to apply kernel updates, run: reboot

Let us see all commands and examples in detail.

Save software list

Login as the root user:
$ su -
OR
$ sudo -i
Note down the FreeBSD version and patch level, run:
# freebsd-version
Outputs:

12.0-RELEASE-p1

Type the following command to show information about installed packages and save it in a file named /root/pre-pkg-update-YYYYMMDD:
# pkg info > /root/pre-pkg-update-`date +%Y%m%d`
OR bash/sh users can type the following command:
# pkg info > /root/pre-pkg-update-$(date +%Y%m%d)
Use the cat command or less command to view the file:
# ls -l /root/pre-pkg-update-*
# cat /root/pre-pkg-update-`date +%Y%m%d`
# less /root/pre-pkg-update-`date +%Y%m%d`

Fetch FreeBSD base OS updates from server

Simply run:
# freebsd-update fetch
Sample outputs:

src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
Preparing to download files... done.

The following files will be updated as part of updating to 12.0-RELEASE-p1:
/boot/kernel/aac.ko
/boot/kernel/aacraid.ko
/boot/kernel/aesni.ko
/boot/kernel/alq.ko
....
..
...

Install downloaded updates on FreeBSD machine

Next, apply all outstanding base OS security upgrades to your system, run:
# freebsd-update install
Sample outputs:

Installing updates...done

How to see reports about vulnerable software packages

Fetch the latest vulnerability database and audit the installed packages against it:
# pkg audit -F
To see the list of vulnerable packages again, run:
# pkg audit

Backup package database

You can dump the local package database to a file specified on the command-line:
# pkg backup -d pkg-db-`date +%Y%m%d`
Sample outputs:

Dumping database:
Backing up: 100%

By default, the package database is stored in the /var/db/pkg/ directory:
# ls -l /var/db/pkg/pkg-db-*
You can use a /var/db/pkg/pkg-db-* file to restore the local package database. This is very useful after a database crash or loss. Restore the database from a previous backup using the following syntax:
# pkg backup -r pkg-db-20190912

Update the FreeBSD package database

Type:
# pkg update

Apply all outstanding package security upgrades

Run:
# pkg upgrade

How to reboot the FreeBSD system

Simply run:
# reboot
OR
# shutdown -r now
After rebooting the machine, verify the FreeBSD version, run:
# freebsd-version
Sample outputs:

12.0-RELEASE-p10

Conclusion

This page explained how to upgrade your production FreeBSD machine using various commands for applying security updates. See the man pages for the commands used above.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.