Old 24. Aug 2013, 03:14 AM   #1 (permalink)
Cthulhux
Senior Member
Join Date: Aug 2013
Posts: 271
Work in progress: FreeBSD updater cronjob

As someone who maintains a FreeBSD server for some random playing around, I need to make updates every now and then; the portaudit tool lists security holes almost every day. (This might sound dangerous, but local privilege exploits are quite common; the real awful ones are remote holes, which are rather rare on the BSDs.) Good thing they are patched quite instantly.

So I have set up a cronjob, loosely based on another FreeBSD user's script which can be found on the internet but does not work with cron (and has some conflicts with my personal setup), which is executed (as root) every third day. It grabs the newest version of the ports directory, tests if some ports (or the system itself) need(s) updates, rebuilds them if they do and (optionally) sends an e-mail to you, reporting what it has done. (As cron already does that by default, you won't really have to, though.) When it's done, it checks if the port update also gave you a new UPDATING file. The UPDATING file usually contains useful information about whether some of the updates break some other ports or something. If it has been changed, you're sent another e-mail with that file.

Required ports (besides a set-up ports directory, which is required anyway):
  • freebsd-update
  • portsnap
  • portmaster
  • portaudit
  • postfix or any other mail agent; optional, only required if you want to use the mail functionality

The cron job script:

Code:
#!/bin/sh

LOG_FILE="/var/log/freebsd-update.log"
MAIL_ADDR="your@ema.il"

# start from an empty log; -f so a missing file is not an error on the first run
rm -f "${LOG_FILE}"

echo "Starting updates: $(date)" | tee -a "${LOG_FILE}"
echo "***"
echo "*** Checking for FreeBSD patches..."
/usr/sbin/freebsd-update cron | tee -a "${LOG_FILE}"
/usr/sbin/freebsd-update install | tee -a "${LOG_FILE}"

echo "***"
echo "*** Updating ports tree..."
/usr/sbin/portsnap cron update | tee -a "${LOG_FILE}"

echo "***"
echo "*** Looking for ports to update..."
/usr/local/sbin/portmaster -adH --no-confirm --delete-build-only | tee -a "${LOG_FILE}"

echo "***"
echo "*** Checking installed ports for known security problems..."
/usr/local/sbin/portaudit -Fva | tee -a "${LOG_FILE}"
echo "Finished updates: $(date)" | tee -a "${LOG_FILE}"

# the mail is usually sent by the cronjob anyway... else uncomment this line:
# mail -s 'Server update' "${MAIL_ADDR}" < "${LOG_FILE}"

# do we have a new UPDATING? i might want to read it :-)

if [ ! -e /usr/ports/UPDATING.md5 ] ; then
  # first run: only record the current checksum, nothing to compare yet
  md5 -q /usr/ports/UPDATING > /usr/ports/UPDATING.md5
else
  currentmd5=$(cat /usr/ports/UPDATING.md5)
  newmd5=$(md5 -q /usr/ports/UPDATING)
  if [ "$currentmd5" != "$newmd5" ] ; then
    mail -s 'New UPDATING file!' "${MAIL_ADDR}" < /usr/ports/UPDATING
    # remember the new checksum, otherwise every later run mails the file again
    echo "$newmd5" > /usr/ports/UPDATING.md5
  fi
fi
(The paths before the binaries are needed because cron does not know my $PATH. A bit annoying, though.)

Maybe some of you want to use this.
__________________
Hi. I'm new here.

Last edited by Cthulhux; 24. Aug 2013 at 03:22 AM.
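The UPDATING check in the post is the part most worth getting right: if the stored checksum is never refreshed after a change is reported, the same file is mailed on every subsequent run, and unquoted variables in the comparison break as soon as a digest is missing. The following is an added example, not Cthulhux's script, that isolates that check into a function which can be exercised outside cron. It assumes a hypothetical layout (a WATCHED file standing in for /usr/ports/UPDATING, a STATE file standing in for UPDATING.md5, and an optional REPORT_CMD hook instead of a hard-coded mail call) and falls back to md5sum(1) where md5(1) is absent, so it also runs on non-BSD hosts.

```shell
#!/bin/sh
# Added example (not from the original post): change detection for a watched
# file using a stored checksum, written so it can be tested outside cron.
#
# Assumptions (hypothetical, not from the original post):
#   - WATCHED is the file to monitor (the post uses /usr/ports/UPDATING);
#   - STATE is where the last-seen checksum is kept (the post uses UPDATING.md5);
#   - the report hook is only run when REPORT_CMD is set, so tests stay offline.

# Pick whichever digest tool the host provides: FreeBSD ships md5(1),
# most Linux hosts ship md5sum(1). Either way we return the bare hex digest.
file_digest() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# check_updating WATCHED STATE
# Exit status tells the caller what happened:
#   0  unchanged since the last run
#   1  first run: baseline recorded, nothing reported
#   2  changed: reported, and the stored digest replaced
#   3  watched file missing
check_updating() {
    watched=$1
    state=$2

    [ -f "$watched" ] || return 3

    new=$(file_digest "$watched")

    if [ ! -e "$state" ]; then
        # First run: there is nothing to compare against yet, so only record.
        printf '%s\n' "$new" > "$state"
        return 1
    fi

    current=$(cat "$state")
    # Quote both sides: an empty digest must not turn into a syntax error.
    if [ "$current" = "$new" ]; then
        return 0
    fi

    # Report the change (the post pipes the file into mail -s ...), then store
    # the new digest so the same change is not reported again on every run.
    if [ -n "${REPORT_CMD:-}" ]; then
        $REPORT_CMD < "$watched"
    fi
    printf '%s\n' "$new" > "$state"
    return 2
}

# In the post's cron script this would be called as, for example:
#   REPORT_CMD="mail -s 'New UPDATING file!' your@ema.il" \
#   check_updating /usr/ports/UPDATING /usr/ports/UPDATING.md5
```

Because the result is an exit status rather than a side effect, the caller can decide what "changed" means in its own context (log it, mail it, or both), and the first-run case is distinguishable from "nothing changed".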