January 13, 2006

Portaudit

When installing ports from the ports tree, I was intrigued by this message for a long time:

root@t2# make
===> Vulnerability check disabled, database not found

I never really had time to check out what the vulnerability check was and what the database it referred to was. Some time later, in an unrelated context, I came across portaudit under /usr/ports/security/portaudit.

The package description reads:

portaudit provides a system to check if installed ports are listed in a
database of published security vulnerabilities.

After installation it will update this security database automatically and
include its reports in the output of the daily security run.

This sounded like a good idea; I especially liked the idea of getting the vulnerabilities reported along with the daily security run output.
Once installed, the message about the vulnerability check being disabled goes away, which makes sense.

Installation from ports

root@t2# cd /usr/ports/security/portaudit
root@t2# make install
===> Installing for portaudit-0.5.10
===> Generating temporary packing list
===> Checking if security/portaudit already installed

===> To check your installed ports for known vulnerabilities now, do:

/usr/local/sbin/portaudit -Fda

===> Compressing manual pages for portaudit-0.5.10
===> Registering installation for portaudit-0.5.10

Interestingly and usefully, if you try to make a port that is vulnerable, portaudit complains loudly and won't let you build it. It suggests you cvsup the ports tree and get the latest patched version of what you are trying to install. The check can be overridden for a single build by setting DISABLE_VULNERABILITIES=yes on the make command line, but that should only be done when you have read the advisory and accepted the risk.

Here's a sample of a mailout from one of the machines:

Checking for a current audit database:

Downloading fresh database.

32063 bytes transferred in 0.0 seconds (712.35 kBps)
New database installed.
Database created: Thu Nov 24 02:40:19 CST 2005

Checking for packages with security vulnerabilities:

Affected package: squid-2.5.11_2
Type of problem: squid -- FTP server response handling denial of service.
Reference: <http://www.FreeBSD.org/ports/portaudit/1c3142a3-4ab2-11da-932d-00055d790c25.html>

Affected package: lynx-2.8.5
Type of problem: lynx -- remote buffer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/c01170bf-4990-11da-a1b8-000854d03344.html>

Affected package: ruby-1.8.2_4
Type of problem: ruby -- vulnerability in the safe level settings.
Reference: <http://www.FreeBSD.org/ports/portaudit/1daea60a-4719-11da-b5c6-0004614cc33d.html>

Affected package: openssl-0.9.8_1
Type of problem: openssl -- potential SSL 2.0 rollback.
Reference: <http://www.FreeBSD.org/ports/portaudit/60e26a40-3b25-11da-9484-00123ffe8333.html>

As you can see, portaudit advises of vulnerabilities in your installed software on a daily basis, allowing you to patch things in a timely manner.
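The daily mailout is easy to read by eye, but on more than a couple of machines you will want to collect the reports and act on them mechanically. The following POSIX sh script is an added example, not part of the original post or of portaudit itself: it parses the "Affected package" / "Type of problem" / "Reference" triples that portaudit emits (the same layout as the mailout above) into one tab-separated line per package, pulls the advisory identifier out of the reference URL, and provides a clean/not-clean exit status that a cron job can key on. The embedded SAMPLE_REPORT is constructed from the mailout quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from portaudit): turn a
# portaudit report into something a script can act on.

# Constructed sample, modelled on the mailout quoted above; not captured
# from a real machine.
SAMPLE_REPORT='Checking for packages with security vulnerabilities:

Affected package: squid-2.5.11_2
Type of problem: squid -- FTP server response handling denial of service.
Reference: <http://www.FreeBSD.org/ports/portaudit/1c3142a3-4ab2-11da-932d-00055d790c25.html>

Affected package: lynx-2.8.5
Type of problem: lynx -- remote buffer overflow.
Reference: <http://www.FreeBSD.org/ports/portaudit/c01170bf-4990-11da-a1b8-000854d03344.html>
'

# summarize_report: read a portaudit report on stdin and print one line per
# affected package as "<package>\t<advisory id>\t<problem>".  The advisory id
# is the last path component of the Reference URL with ".html" stripped.
summarize_report() {
    awk '
        /^Affected package: / { pkg  = substr($0, 19) }   # after "Affected package: "
        /^Type of problem: /  { prob = substr($0, 18) }   # after "Type of problem: "
        /^Reference: / {
            ref = $0
            sub(/^Reference: <?/, "", ref)   # drop the label and optional "<"
            sub(/>$/, "", ref)               # drop the optional trailing ">"
            n = split(ref, parts, "/")
            id = parts[n]
            sub(/\.html$/, "", id)
            printf "%s\t%s\t%s\n", pkg, id, prob
            pkg = ""; prob = ""
        }
    '
}

# affected_packages: just the package names, one per line, ready to hand to
# pkg_info or portupgrade.
affected_packages() {
    awk '/^Affected package: / { print substr($0, 19) }'
}

# count_affected: number of affected packages in the report on stdin
# (awk rather than grep -c so an empty report yields "0" without a
# non-zero exit status tripping "set -e").
count_affected() {
    awk '/^Affected package: / { n++ } END { print n + 0 }'
}

# report_is_clean: succeed only when the report on stdin lists nothing,
# so "portaudit -Fda | report_is_clean || mail ..." works from cron.
report_is_clean() {
    [ "$(count_affected)" -eq 0 ]
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$SAMPLE_REPORT" | summarize_report
```

On a live machine the input would come from `/usr/local/sbin/portaudit -Fda` rather than the embedded sample; the advisory id column is what you would feed into a ticket or a per-host inventory so that the same vulnerability is not counted once per machine.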
