keeping my freebsd secure...

Haim Ashkenazi haim at babysnakes.org
Sat Jun 12 09:03:05 GMT 2004


Hi

I just installed FreeBSD 4.10 (my first one) and I fail to see the "big
picture" about keeping my system up-to-date with security fixes. I read
some relevant sections in the handbook, mailing list entries etc...
and here's what I understand:

1. I need to follow the security advisories to see if there are
vulnerabilities in the base system (I didn't find any regarding 4.10, am I
right?)
2. I installed portaudit to tell me if there are vulnerabilities in the
ports.
3. There are some tools (don't remember their names) that automatically
download and install upgrades.

These are all bits and pieces I got here and there, but I'm looking for a
document that describes all the aspects of keeping my system up-to-date
with security. Here are some of the things I don't fully understand:

How do I update my ports without breaking anything and without downtime
for important services (apache, mysql, etc...)? The one port I installed
from pre-compiled binary (screen) took 99% CPU, and I had to compile it
so it'll work OK. So how do I upgrade any of the above daemons without
having to uninstall -> compile -> reinstall (which takes a long time)?
Also, if the PNG library has vulnerabilities (as it does now on my
system) and I update the ports and compile it, do I have to update all the
ports or only this one (will php break if I don't upgrade it)?

Basically I'm looking for some kind of mechanism that acts more or less
like my Debian system (please don't start a flame war here, it's just the
system I'm using now...) and that includes notifications of security
updates, very minimal downtime (a second or two) and, most important, I'm
always sure that my configurations are valid (in Debian it's
achieved by never upgrading the version of the package, only patching for
security fixes).

I'll appreciate any input on this, because I have to set up the system as
a production server in 2 days...

Thanks
-- 
Haim



