Gizmo's Freeware Forum

Gizmo's Freeware Forum (https://www.techsupportalert.com/freeware-forum/)
-   Linux (https://www.techsupportalert.com/freeware-forum/linux/)
-   -   Work in progress: FreeBSD updater cronjob (https://www.techsupportalert.com/freeware-forum/linux/12322-work-in-progress-freebsd-updater-cronjob.html)

Cthulhux 24. Aug 2013 03:14 AM

Work in progress: FreeBSD updater cronjob
 
As someone who maintains a FreeBSD server for some random playing around I need to make updates every now and then, the portaudit tool lists security holes almost every day. (This might sound dangerous but local privilege exploits are quite common; the real awful ones are remote holes which are rather rare on the BSDs.) Good thing they are patched quite instantly.

So I have set up a cronjob, loosely based on another FreeBSD user's script which can be found on the internet but does not work with cron (and has some conflicts with my personal setup), which is executed (as root) every third day. It grabs the newest version of the port directory, tests if some ports (or the system itself) need(s) updates, rebuilds them if they do and (optionally) sends an e-mail to you, reporting what it has done. (As cron already does that by default, you won't really have to though.) When it's done, it checks if the port update also gave you a new UPDATING file. The UPDATING file usually contains useful information about if some of the updates destroy some other ports or something. If it has been changed, you're sent another e-mail with that file.

Required ports (except a set up ports directory which is required anyway):
  • freebsd-update
  • portsnap
  • portmaster
  • portaudit
  • postfix or any other mail agent; optional, only required if you want to use the mail functionality

The cron job script:

Code:

#!/bin/sh

LOG_FILE="/var/log/freebsd-update.log"
MAIL_ADDR="your@ema.il"

rm ${LOG_FILE}

echo "Starting updates: `date`" | tee -a ${LOG_FILE}
echo "***"
echo "*** Checking for FreeBSD patches..."
/usr/sbin/freebsd-update cron | tee -a ${LOG_FILE}
/usr/sbin/freebsd-update install | tee -a ${LOG_FILE}

echo "***"
echo "*** Updating ports tree..."
/usr/sbin/portsnap cron update | tee -a ${LOG_FILE}

echo "***"
echo "*** Looking for ports to update..."
/usr/local/sbin/portmaster -adH --no-confirm --delete-build-only | tee -a ${LOG_FILE}

echo "***"
echo "*** Checking installed ports for known security problems..."
/usr/local/sbin/portaudit -Fva | tee -a ${LOG_FILE}
echo "Finished updates: `date`" | tee -a ${LOG_FILE}

# the mail is usually sent by the cronjob anyway... else uncomment this line:
# mail -s 'Server update' ${MAIL_ADDR} < ${LOG_FILE}

# do we have a new UPDATING? i might want to read it :-)

if ( test ! -e /usr/ports/UPDATING.md5 ) ; then
  md5 -q /usr/ports/UPDATING > /usr/ports/UPDATING.md5
else
  currentmd5=$(cat /usr/ports/UPDATING.md5)
  newmd5=$(md5 -q /usr/ports/UPDATING)
  if [ $currentmd5 != $newmd5 ] ; then
    mail -s 'New UPDATING file!' ${MAIL_ADDR} < /usr/ports/UPDATING
  fi
fi

(The paths before the binary files are needed because cron does not know my $PATH. A bit annoying though.)

Maybe someone of you wants to use this.

Cthulhux 24. Aug 2013 05:03 PM

There is no "edit" button in the initial posting anymore. Why?

J_L 25. Aug 2013 03:31 AM

It's gone after a short period of time (at most an hour I think). It's unfortunate, but that's the way this forum works.

Anupam 25. Aug 2013 07:12 AM

Yes, unfortunately, that's how the forum works, and that's how it will continue. We cannot allow indefinite editing of posts... that's not secure, and not practical too. We have had instances in the past, where people posted something, and later on edited their post to completely change that thing. Also, editing of posts after a certain period of time, and that too for old posts is not practical, because, the other members won't be aware of the change, as no notification, or email is sent out, because of the edit.

Therefore, editing is allowed only up to a certain period of time. The time is sufficient enough to review the post, and correct any mistakes. If there are additions after that, better post a new post. That's how it will work.

If there are any changes to be made to the original post, please PM the moderators with the desired changes to be incorporated. If those changes can be posted as a new post, it's better to post as a new post.

Cthulhux 31. Aug 2013 03:13 AM

The only change I made yet is adding the absolute path to all calls of "md5". (Type whereis md5 to get that one.) :cool:

("Security", oh well.)

MidnightCowboy 31. Aug 2013 10:34 AM

Quote:

Originally Posted by Cthulhux (Post 91846)

("Security", oh well.)

Mainly involves the prevention of spam links being edited into what was originally a "clean" post.

Cthulhux 31. Aug 2013 04:00 PM

Websites can turn into spam links later. What then?

J_L 01. Sep 2013 12:33 AM

Report post to moderator. There's a hazard symbol right below the avatar.


All times are GMT +1. The time now is 01:30 PM.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2020, vBulletin Solutions, Inc.