Gizmo's Freeware Forum > Freeware Forum > Linux
#1 | 24. Aug 2013, 03:14 AM | Cthulhux (Editor [Android]; joined Aug 2013; 271 posts)
Work in progress: FreeBSD updater cronjob

As someone who maintains a FreeBSD server for some random playing around, I need to make updates every now and then; the portaudit tool lists security holes almost every day. (This might sound dangerous, but local privilege exploits are quite common; the really awful ones are remote holes, which are rather rare on the BSDs.) Good thing they are patched quite instantly.

So I have set up a cronjob, loosely based on another FreeBSD user's script which can be found on the internet but does not work with cron (and has some conflicts with my personal setup), that is executed (as root) every third day. It grabs the newest version of the ports directory, tests if some ports (or the system itself) need(s) updates, rebuilds them if they do and (optionally) sends you an e-mail reporting what it has done. (As cron already does that by default, you won't really have to, though.) When it's done, it checks if the port update also gave you a new UPDATING file. The UPDATING file usually contains useful information about whether some of the updates destroy some other ports or something. If it has been changed, you're sent another e-mail with that file.

Required ports (except a set-up ports directory, which is required anyway):
  • freebsd-update
  • portsnap
  • portmaster
  • portaudit
  • postfix or any other mail agent; optional, only required if you want to use the mail functionality

The cron job script:

Code:
#!/bin/sh
# Runs from root's crontab every third day; cron mails the output to root by default.
# Every binary is called with its full path because cron does not have root's PATH.

LOG_FILE="/var/log/freebsd-update.log"
MAIL_ADDR="your@ema.il"
UPDATING="/usr/ports/UPDATING"
UPDATING_MD5="/usr/ports/UPDATING.md5"

# start with a fresh log; -f so a missing file is not an error on the first run
rm -f "${LOG_FILE}"

echo "Starting updates: $(date)" | tee -a "${LOG_FILE}"
echo "***"
echo "*** Checking for FreeBSD patches..."
# "cron" only fetches (after a random delay, so the mirrors are not hammered);
# "install" applies whatever was fetched
/usr/sbin/freebsd-update cron | tee -a "${LOG_FILE}"
/usr/sbin/freebsd-update install | tee -a "${LOG_FILE}"

echo "***"
echo "*** Updating ports tree..."
/usr/sbin/portsnap cron update | tee -a "${LOG_FILE}"

echo "***"
echo "*** Looking for ports to update..."
/usr/local/sbin/portmaster -adH --no-confirm --delete-build-only | tee -a "${LOG_FILE}"

echo "***"
echo "*** Checking installed ports for known security problems..."
/usr/local/sbin/portaudit -Fva | tee -a "${LOG_FILE}"
echo "Finished updates: $(date)" | tee -a "${LOG_FILE}"

# the mail is usually sent by the cronjob anyway... else uncomment this line:
# /usr/bin/mail -s 'Server update' "${MAIL_ADDR}" < "${LOG_FILE}"

# do we have a new UPDATING? i might want to read it :-)
if [ ! -e "${UPDATING_MD5}" ] ; then
  # first run: just remember the current checksum
  /sbin/md5 -q "${UPDATING}" > "${UPDATING_MD5}"
else
  currentmd5=$(cat "${UPDATING_MD5}")
  newmd5=$(/sbin/md5 -q "${UPDATING}")
  if [ "${currentmd5}" != "${newmd5}" ] ; then
    /usr/bin/mail -s 'New UPDATING file!' "${MAIL_ADDR}" < "${UPDATING}"
    # remember the new checksum, otherwise this mail is resent on every run
    echo "${newmd5}" > "${UPDATING_MD5}"
  fi
fi

(The paths before the binary files are needed because cron does not know my $PATH. A bit annoying, though.)

Maybe some of you want to use this.
__________________
Hi. I'm new here.

Last edited by Cthulhux; 24. Aug 2013 at 03:22 AM.
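The "did UPDATING change?" step from the script above, as an added example that is not part of the poster's script: a self-contained, testable function that records a baseline on the first run, reports a change exactly once, and refreshes the stored checksum so the same mail is not sent again on every run. It assumes a checksum tool (FreeBSD's md5(1) if present, otherwise GNU md5sum(1), so it also runs on a Linux box for testing) and leaves mail delivery to the caller; the state-file path and the mail(1) path in the usage comment are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions (not in the original post):
#   - checksum tool: md5(1) on FreeBSD, md5sum(1) elsewhere
#   - the caller decides what to do when a change is reported (e.g. mail the file)

# file_checksum FILE: print the hex digest of FILE
file_checksum() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# updating_state FILE STATEFILE
#   prints one of: initialized | changed | unchanged
#   exit status 0 when FILE changed since the last call, 1 otherwise, 2 on error
#   STATEFILE is (re)written whenever a checksum is seen for the first time,
#   so a change is reported once and not on every later run
updating_state() {
    file="$1"
    state="$2"
    new=$(file_checksum "$file") || return 2
    if [ ! -e "$state" ]; then
        # first run: remember the baseline, but a baseline is not a change
        printf '%s\n' "$new" > "$state"
        echo initialized
        return 1
    fi
    old=$(cat "$state")
    if [ "$old" != "$new" ]; then
        printf '%s\n' "$new" > "$state"
        echo changed
        return 0
    fi
    echo unchanged
    return 1
}

# Typical use from the cron script (state file and mail path are assumed):
#   if updating_state /usr/ports/UPDATING /var/db/UPDATING.md5 >/dev/null; then
#       /usr/bin/mail -s 'New UPDATING file!' "$MAIL_ADDR" < /usr/ports/UPDATING
#   fi
```

Two practical notes on running this from cron: a `PATH=` line at the top of root's crontab removes the need for absolute paths in the script, and a day-of-month field of `*/3` fires on days 1, 4, ..., 31 and then 1 again, so "every third day" shrinks to a one- or two-day gap at month boundaries.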
#2 | 24. Aug 2013, 05:03 PM | Cthulhux

There is no "edit" button in the initial posting anymore. Why?
#3 | 25. Aug 2013, 03:31 AM | J_L (Co-Author, Best Free Security List; joined Dec 2008; 2,003 posts)

It's gone after a short period of time (at most an hour I think). It's unfortunate, but that's the way this forum works.
__________________
http://www.t7j7l.blogspot.com/
#4 | 25. Aug 2013, 07:12 AM | Anupam (Super Moderator; joined Jul 2008; India; 15,316 posts)

Yes, unfortunately, that's how the forum works, and that's how it will continue. We cannot allow indefinite editing of posts... that's not secure, and not practical either. We have had instances in the past where people posted something and later on edited their post to completely change that thing. Also, editing of posts after a certain period of time, especially old posts, is not practical, because the other members won't be aware of the change, as no notification or e-mail is sent out because of the edit.

Therefore, editing is allowed only up to a certain period of time. The time is sufficient to review the post and correct any mistakes. If there are additions after that, better post a new post. That's how it will work.

If there are any changes to be made to the original post, please PM the moderators with the desired changes to be incorporated. If those changes can be posted as a new post, it's better to post as a new post.
__________________
Anupam
#5 | 31. Aug 2013, 03:13 AM | Cthulhux

The only change I have made so far is adding the absolute path to all calls of "md5". (Type whereis md5 to get that one.)

("Security", oh well.)
#6 | 31. Aug 2013, 10:34 AM | MidnightCowboy (Site Manager; joined Aug 2008; South American Banana Republic, third bunch from the left; 15,249 posts)

Quote (originally posted by Cthulhux):
("Security", oh well.)
Mainly involves the prevention of spam links being edited into what was originally a "clean" post.
__________________
Buy a Hoover and prove technology sucks.
#7 | 31. Aug 2013, 04:00 PM | Cthulhux

Websites can turn into spam links later. What then?
#8 | 01. Sep 2013, 12:33 AM | J_L

Report post to moderator. There's a hazard symbol right below the avatar.