FreeBSD Tools: portaudit – FreeBSD’s Third Party Security Audit
Portaudit is a software vulnerability auditing tool for FreeBSD systems. FreeBSD's Portaudit provides a system to check if installed ports are listed in a database of published security vulnerabilities.
The ports-mgmt/portaudit port polls a database for known security issues. This database is updated and maintained by the FreeBSD Security Team and ports developers.
To begin using Portaudit, install it from the Ports Collection:
cd /usr/ports/ports-mgmt/portaudit
make install clean
During the install process, the configuration files for the periodic(8) utility are updated so that Portaudit output is included in the daily security run. The database is also updated automatically by periodic(8).
After installation, you can update the database by invoking the following command:
portaudit -Fd
The -F option fetches the current database, and the -d option prints the creation date of the database. Once that is done, the system is ready to be checked for vulnerabilities:
portaudit -a
There are no known vulnerabilities on my FreeBSD system.
To print a vulnerability report for all packages installed from the Ports Collection at any time, run the following command (this will update the database as well):
portaudit -Fda
To print a vulnerability report for all installed packages on a remote FreeBSD system, you may want to run the following command:
ssh ipaddress pkg_info | awk '{ print $1 }' | xargs portaudit -Fda
To print a vulnerability report for the local INDEX (assuming that we are using FreeBSD 8.x):
portaudit -f /usr/ports/INDEX-8
To print a vulnerability report for the current set of prebuilt packages (the dot in the sed expression is escaped so that only a literal ".tbz"/".tgz" suffix is stripped):
curl -l ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-current/All/ | sed -n -e 's/\.t[bg]z[[:cntrl:]]*$//p' | portaudit -f -
The canonical example from the FreeBSD Handbook of what happens when you get a security vulnerability looks like this:
portaudit -a
Affected package: apache-1.3.29_1
Type of problem: Apache 1.3 IP address access control failure on some 64-bit platforms.
Reference: <http://people.freebsd.org/~eik/portaudit/09d418db-70fd-11d8-873f-0020ed76ef5a.html>
1 problem(s) in your installed packages found.
By pointing a web browser at the URL, you can obtain more information about the vulnerability in question. This includes the affected versions, stated as FreeBSD port versions, along with links to other web sites that may carry security advisories.
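The report format above is plain text, so it is easy to post-process from a cron job or a monitoring hook. The following POSIX sh functions are an added example (not from the original post and not part of portaudit): they read a saved report on stdin, count the affected packages, pair each package with its reference URL, and return non-zero when anything is vulnerable. The sample reports are constructed from the Handbook example quoted above.

```shell
#!/bin/sh
# Added example: parse portaudit report text so the result can drive
# alerting. Not part of portaudit; the report samples below are constructed.

# count_problems: print the number of vulnerable packages in a report read
# from stdin. Prefers the "N problem(s) ..." summary line; falls back to
# counting "Affected package:" lines if the summary is missing.
count_problems() {
    awk '
        /^Affected package:/ { n++ }
        /problem\(s\) in your installed packages found/ { summary = $1 }
        END { if (summary != "") print summary; else print n + 0 }
    '
}

# affected_packages: print "package url" for every affected package,
# stripping the angle brackets portaudit puts around the reference.
affected_packages() {
    awk '
        /^Affected package:/ { pkg = $3 }
        /^Reference:/ { ref = $2; gsub(/[<>]/, "", ref); print pkg " " ref; pkg = "" }
    '
}

# check_portaudit: read a report from stdin; return 1 and list the affected
# packages on stderr if any problems were found, otherwise return 0.
# Intended use on a real system: portaudit -Fa | check_portaudit
check_portaudit() {
    report=$(cat)
    n=$(printf '%s\n' "$report" | count_problems)
    if [ "$n" -gt 0 ]; then
        echo "portaudit: $n vulnerable package(s)" >&2
        printf '%s\n' "$report" | affected_packages >&2
        return 1
    fi
    echo "portaudit: no known vulnerabilities"
    return 0
}

# Constructed sample: the Handbook-style report quoted in the post.
SAMPLE_REPORT='Affected package: apache-1.3.29_1
Type of problem: Apache 1.3 IP address access control failure on some 64-bit platforms.
Reference: <http://people.freebsd.org/~eik/portaudit/09d418db-70fd-11d8-873f-0020ed76ef5a.html>

1 problem(s) in your installed packages found.'

# Constructed sample: a clean system.
CLEAN_REPORT='0 problem(s) in your installed packages found.'
```

Piping the live output of portaudit -Fa into check_portaudit and acting on the exit status is enough to turn the daily report into a failing check; the package/URL pairs on stderr give the operator the link to follow.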
With portaudit installed, the vulnerability check is also hooked into the ports build, and every port is checked against the database at installation time:
cd /usr/ports/ftp/wgetpro
make install clean
===> wgetpro-0.1.3_3 has known vulnerabilities:
=> wget -- multiple vulnerabilities.
Reference:
=> Please update your ports tree and try again.
*** Error code 1
To disable the vulnerability check during port installation:
cd /usr/ports/ftp/wgetpro
make DISABLE_VULNERABILITIES=yes install clean
wgetpro-0.1.3.tgz doesn't seem to exist in /usr/ports/distfiles/.
Attempting to fetch from http://heanet.dl.sourceforge.net/project/wgetpro/wgetpro/0.1.3/.
wgetpro-0.1.3.tgz 100% of 981 kB 582 kBps
Remember that this should only be a last resort. The preferred option, when faced with a vulnerability in a piece of software, is to upgrade to a fixed version, or to uninstall the vulnerable software and install an alternative that has no known vulnerabilities.
With a comprehensive software management system such as the FreeBSD ports system, this also means that even for third-party software you generally don’t have to search the Web and go through individual software distributors to find vulnerabilities that may affect your FreeBSD system. Known vulnerabilities are brought to you, like front-door delivery service.