FreeBSD Tools: portaudit – FreeBSD’s Third Party Security Audit

Portaudit is a software vulnerability auditing tool for FreeBSD systems. FreeBSD's Portaudit provides a system to check if installed ports are listed in a database of published security vulnerabilities.

The ports-mgmt/portaudit port polls a database for known security issues. This database is updated and maintained by the FreeBSD Security Team and ports developers.

To begin using Portaudit, install it from the Ports Collection:

cd /usr/ports/ports-mgmt/portaudit
make install clean

During the install process, the configuration files for periodic(8) utility will be updated, permitting Portaudit output in the daily security run. The database will automatically be updated by periodic(8) utility as well.

After installation, you can update the database by invoking the following command:

portaudit -Fd

The -F actually updates the database, and the -d option prints out the creation date of the database. Once that is done, the system is ready to be checked for vulnerabilities:

portaudit -a

portaudit - Third Party Security Audit for FreeBSD

There are no known vulnerabilities on my FreeBSD system.

To print a vulnerability report for all installed packages on your system as part of the Ports Collection at anytime, you may want to run the following command ( this will update the database as well ) :

portaudit -Fda

To print a vulnerability report for all installed packages on a remote FreeBSD system, you may want to run the following command:

ssh ipaddress pkg_info | awk '{ print $1 }' | xargs portaudit -Fda

To print a vulnerability report for the local INDEX ( assuming that we are using FreeBSD 8.x ):

portaudit -f /usr/ports/INDEX-8

To print a vulnerability report for the current set of prebuild packages:

curl -l | sed -n -e 's/.t[bg]z[[:cntrl:]]*$//p' | portaudit -f -

The canonical example from the FreeBSD Handbook of what happens when you get a security vulnerability looks like this:

portaudit -a

Affected package: apache-1.3.29_1
Type of problem: Apache 1.3 IP address access control failure on some 64-bit platforms.
Reference: <>

1 problem(s) in your installed packages found.

By pointing a web browser to the URL, you may obtain more information about the vulnerability in question. This will include versions affected, by FreeBSD Port version, along with other web sites which may contain security advisories.

With portaudit , the vulnerability check on your FreeBSD system is also enabled and every port will be checked for vulnerabilities, upon installation:

cd /usr/ports/ftp/wgetpro
make install clean

===> wgetpro-0.1.3_3 has known vulnerabilities:
=> wget -- multiple vulnerabilities.
=> Please update your ports tree and try again.
*** Error code 1

To disable the vulnerability check during port installation:

cd /usr/ports/ftp/wgetpro
make DISABLE_VULNERABILITIES=yes install clean

wgetpro-0.1.3.tgz doesn't seem to exist in /usr/ports/distfiles/.
Attempting to fetch from
wgetpro-0.1.3.tgz 100% of 981 kB 582 kBps

Remember that this should be an act only of the last resort. The preferred option, when faced with a vulnerability in a software, is to upgrade to a fixed version or uninstall the vulnerable software and install an alternative that does not have known vulnerabilities.

With a comprehensive software management system such as the FreeBSD ports system, this also means that even for third-party software you generally don’t have to search the Web and go through individual software distributors to find vulnerabilities that may affect your FreeBSD system. Known vulnerabilities are brought to you, like front-door delivery service.

Print This Post Print This Post
Comments (0) Trackbacks (1)

No comments yet.

Leave a comment