FreeBSD follows the concept of a base system and packages. One can apply security updates to the base system using freebsd-update command. You need to use the pkg command to upgrade FreeBSD packages. Let us see step-by-step instructions for implementing security updates polices for your FreeBSD server or desktop system.
FreeBSD Applying Security Updates
The procedure is as follows:
- First, login from an ordinary user to the root user using the sudo command or su command
- Capture a list of currently installed FreeBSD software, run: pkg list > file
- Apply all base OS security updates to your system, run: freebsd-update fetch install
- Install FreeBSD package security upgrades too, type: pkg update && pkg upgrade
- Reboot the FreeBSD machine to apply kernel updates, run: reboot<
Let us see all commands and examples in details.
Save software list
Login as the root user:
$ su -
OR
$ sudo -i
Note down the FreeBSD version and patch level, run:
# freebsd-version
Outputs:
12.0-RELEASE-p1
Type the following command to show information about installed packages and save in a file called /root/pre-pkg-update-YYYYMMDD format:
# pkg info > /root/pre-pkg-update-`date +%Y%m%d`
OR bash/sh user can type the following command:
# pkg info > /root/pre-pkg-update-`date +%Y%m%d`
Use the cat command or less command to view the file:
# ls -l /root/pre-pkg-update-*
# cat /root/pre-pkg-update-`date +%Y%m%d`
# less /root/pre-pkg-update-`date +%Y%m%d`
Fetch FreeBSD base OS updates from server
Simply run:
# freebsd-update fetch
Sample outputs:
src component not installed, skipped Looking up update.FreeBSD.org mirrors... 3 mirrors found. Fetching metadata signature for 12.0-RELEASE from update2.freebsd.org... done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. Preparing to download files... done. The following files will be updated as part of updating to 12.0-RELEASE-p1: /boot/kernel/aac.ko /boot/kernel/aacraid.ko /boot/kernel/aesni.ko /boot/kernel/alq.ko .... .. ...
Install downloaded updates on FreeBSD machine
Next you will apply all outstanding base OS security upgades to your system, run:
# freebsd-update install
Sample outputs:
Installing updates...done
How to see reports about vulnerable software packages
Execute the following command:
# pkg audit -F
See a list of vulnerable packages, run:
# pkg audit
Backup package database
You can dump the local package database to a file specified on the command-line:
# pkg backup -d pkg-db-`date +%Y%m%d`
Sample outputs:
Dumping database: Backing up: 100%
By default the package database stored in /var/db/pkg/ directory:
ls -l /var/db/pkg/pkg-db-*
One can use /var/db/pkg/pkg-db-* file in order to restore the local package database. Very useful in case of a database crash or loss, to restore your database from a previous backup using the following syntax:
# pkg backup -r pkg-db-20190912
Update all FreeBSD packages database
Type:
# pkg update
Apply all outstanding packages security upgades
Run:
# pkg upgrade
How to reboot the FreeBSD system
Simply run:
# reboot
OR
# shutdown -r now
After rebooting the machine verify FreeBSD version, run:
# freebsd-version
Sample outputs:
12.0-RELEASE-p10
Conclusion
This page explained how to upgade your production FreeBSD machine using various commands for applying security updates. See man pages here and here.
1 comment
Have a question or comment? Try our forum thread here