pavement

Portaudit

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
m (redudundant)
 
(5 intermediate revisions by 3 users not shown)
Line 2: Line 2:
 
'''portaudit''' is a small FreeBSD [[ports|port]] that automatically creates and maintains a database of known vulnerabilities.  Installing this port enables port security auditing on your system.   
 
'''portaudit''' is a small FreeBSD [[ports|port]] that automatically creates and maintains a database of known vulnerabilities.  Installing this port enables port security auditing on your system.   
  
When you run <code>make</code> on a port, or use [[portupgrade]] or [[portmanager]], you may notice the mysterious but harmless warning that appears if you do not have port auditing enabled:
+
After port auditing is enabled, you will not be able to install or upgrade an insecure port.  Instead, you will receive a message that reads:
 +
===>  ''package-version'' has known vulnerabilities:
 +
=> ''package'' -- ''vulnerability summary''
 +
  Reference: &tt;http://www.FreeBSD.org/ports/portaudit/''reference''.html>
 +
=> Please update your ports tree and try again.
 +
*** Error code 1
 +
 
 +
''portaudit'' is installed to <code>/usr/local/etc/periodic/security/</code> by default, so that it will be run automatically, and will be part of the automated security report that is run by the system and mailed (by default) to the <code>root</code> user.
 +
 
 +
If you do not have port auditing enabled, you may notice the mysterious but harmless warning, when you run <code>make</code> on any port, or use [[portupgrade]] or [[portmanager]]:
 
<pre>
 
<pre>
 +
 
===>  Vulnerability check disabled, database not found
 
===>  Vulnerability check disabled, database not found
  
 
</pre>
 
</pre>
  
''portaudit'' is installed to <code>/usr/local/etc/periodic/security/</code> by default, so that it will be run automatically, and will be part of the automated security report that is run by the system and mailed (by default) to the <code>root</code> user.
+
If for some reason you need to install a port even though it has know vulnerabilities, you can use the DISABLE_VULNERABILITIES make argument
 +
<pre>
 +
cd /usr/ports/foo/bar
 +
make -DDISABLE_VULNERABILITIES
 +
</pre>
 +
or using portupgrade
 +
<pre>
 +
portupgrade -m 'DISABLE_VULNERABILITIES=yes' <package>
 +
</pre>
  
After port auditing is enabled, you will not be able to install or upgrade the insecure port.  Instead, you will receive a message that reads:
+
==Alternative==
===''package-version'' has known vulnerabilities:
+
Alternatively, you may run ''pkg audit'', to audit installed packages, but this has less features than portaudit.
=> ''package'' -- ''vulnerability summary''
+
  # pkg audit
  Reference: &tt;http://www.FreeBSD.org/ports/portaudit/''reference''.html>
+
=> Please update your ports tree and try again.
+
  *** Error code 1
+

Latest revision as of 07:20, 18 December 2014

portaudit is a small FreeBSD port that automatically creates and maintains a database of known vulnerabilities. Installing this port enables port security auditing on your system.

After port auditing is enabled, you will not be able to install or upgrade an insecure port. Instead, you will receive a message that reads:

===>  package-version has known vulnerabilities:
=> package -- vulnerability summary
  Reference: &tt;http://www.FreeBSD.org/ports/portaudit/reference.html>
=> Please update your ports tree and try again.
*** Error code 1

portaudit is installed to /usr/local/etc/periodic/security/ by default, so that it will be run automatically, and will be part of the automated security report that is run by the system and mailed (by default) to the root user.

If you do not have port auditing enabled, you may notice the mysterious but harmless warning, when you run make on any port, or use portupgrade or portmanager:


===>  Vulnerability check disabled, database not found

If for some reason you need to install a port even though it has know vulnerabilities, you can use the DISABLE_VULNERABILITIES make argument

cd /usr/ports/foo/bar
make -DDISABLE_VULNERABILITIES

or using portupgrade

portupgrade -m 'DISABLE_VULNERABILITIES=yes' <package>

[edit] Alternative

Alternatively, you may run pkg audit, to audit installed packages, but this has less features than portaudit.

# pkg audit
Personal tools