Contributed by Tom Rhodes.
In recent years, the security world has made many improvements to how vulnerability
assessment is handled. The threat of system intrusion increases as third-party utilities
are installed and configured for virtually any operating system available today.
Vulnerability assessment is a key factor in security, and while FreeBSD releases
advisories for the base system, doing so for every third-party utility is beyond the
FreeBSD Project's capability. There is a way to mitigate third-party vulnerabilities and
warn administrators of known security issues. A FreeBSD add-on utility known as Portaudit exists solely for this purpose.
The ports-mgmt/portaudit port polls a database, updated and
maintained by the FreeBSD Security Team and ports developers, for known security
issues.
To begin using Portaudit, one must install it from the
Ports Collection:
# cd /usr/ports/ports-mgmt/portaudit && make install clean
During the install process, the configuration files for periodic(8) will be
updated, permitting Portaudit output in the daily security
runs. Ensure the daily security run emails, which are sent to root's email account, are being read. No more configuration will be
required here.
After installation, an administrator can update the database and view known
vulnerabilities in installed packages by invoking the following command:
# portaudit -Fda
Note: The database will automatically be updated during the periodic(8) run; thus,
the previous command is completely optional. It is only required for the following
examples.
To audit the third-party utilities installed from the Ports Collection at
any time, an administrator need only run the following command:
# portaudit -a
Portaudit will produce something like this for vulnerable
packages:
Affected package: cups-base-1.1.22.0_1
Type of problem: cups-base -- HPGL buffer overflow vulnerability.
Reference: <https://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html>
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.
By pointing a web browser at the URL shown, an
administrator may obtain more information about the vulnerability in question. This
includes the affected versions, by FreeBSD port version, along with links to other web sites that may
carry security advisories.
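The report format above is meant for a human reading root's daily mail, but the same text can drive automation: a periodic job or monitoring hook that exits non-zero and names the affected packages whenever Portaudit reports a problem. The following POSIX sh script is an added example, not part of the FreeBSD Handbook or of the Portaudit port itself. It assumes only the output layout shown above (the "Affected package:", "Reference:" and "N problem(s) ..." lines); the function names and the embedded sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Portaudit's own code): parse a 'portaudit -a' report so
# that automation can act on it. Usage with the real tool:
#     portaudit -a | audit_report
#
# Constructed sample of 'portaudit -a' output, copied from the report format
# shown in the text; it was not captured from a live system.
SAMPLE_AUDIT='Affected package: cups-base-1.1.22.0_1
Type of problem: cups-base -- HPGL buffer overflow vulnerability.
Reference: <https://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html>
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s) immediately.'

# Names of affected packages, one per line.
affected_packages() {
    printf '%s\n' "$1" | sed -n 's/^Affected package: //p'
}

# Advisory URLs, with the surrounding angle brackets stripped, so they can be
# attached to a ticket or alert as-is.
advisory_urls() {
    printf '%s\n' "$1" | sed -n 's/^Reference: <\(.*\)>$/\1/p'
}

# Problem count taken from the summary line; 0 when the line is absent, which
# is how a clean run (or an empty report) is treated.
problem_count() {
    n=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\) problem(s) in your installed packages found\.$/\1/p')
    echo "${n:-0}"
}

# Exit status for automation: 0 when no problems were reported, 1 when
# vulnerable packages were found. One "VULNERABLE: <pkg>" line per package is
# written to stderr so it shows up in cron or periodic(8) mail.
audit_status() {
    count=$(problem_count "$1")
    if [ "$count" -eq 0 ]; then
        return 0
    fi
    affected_packages "$1" | while IFS= read -r pkg; do
        echo "VULNERABLE: $pkg" >&2
    done
    return 1
}

# Filter form for use in a pipeline:  portaudit -a | audit_report
audit_report() {
    audit_status "$(cat)"
}
```

Because the summary line is parsed separately from the package lines, a report with no "Affected package:" entries but a non-zero count would still fail the check, which is the safe direction for a security control.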
In short, Portaudit is a powerful utility and extremely
useful when coupled with the Portupgrade port.