Index: ports/chapter.xml =================================================================== --- ports/chapter.xml +++ ports/chapter.xml @@ -197,15 +197,11 @@ &a.ports; and the &a.ports-bugs;. - Before installing any application, check http://vuxml.freebsd.org/ - for security issues related to the application or install - ports-mgmt/portaudit. Once installed, type - portaudit -F -a to check all installed - applications for known vulnerabilities. When - pkg is being used the audit - functionality is built in. Execute pkg audit - -F to get a report on vulnerable packages. + Before installing any application, check + for security issues related to the application or type + pkg audit -F to check all installed + applications for known vulnerabilities. The remainder of this chapter explains how to use packages @@ -1116,16 +1112,13 @@ Collection as described in the previous section. Since the installation of any third-party software can introduce security vulnerabilities, it is recommended to first check - http://vuxml.freebsd.org/ + for known security issues related to the port. Alternately, - if ports-mgmt/portaudit is installed, run - portaudit -F before installing a new + run pkg audit -F before installing a new port. This command can be configured to automatically perform a security audit and an update of the vulnerability database during the daily security system check. For more - information, refer to the manual page for - portaudit and + information, refer to &man.pkg-audit.8; and &man.periodic.8;. Index: security/chapter.xml =================================================================== --- security/chapter.xml +++ security/chapter.xml @@ -78,7 +78,7 @@ - How to use portaudit to audit + How to use pkg to audit third party software packages installed from the Ports Collection. @@ -3091,7 +3091,7 @@ - + Monitoring Third Party Security Issues @@ -3102,7 +3102,7 @@ - portaudit + pkg In recent years, the security world has made many 
@@ -3117,49 +3117,38 @@ capability. There is a way to mitigate third party vulnerabilities and warn administrators of known security issues. A &os; add on utility known as - portaudit exists solely for this - purpose. + pkg includes options explicitly for + this purpose. - The - ports-mgmt/portaudit - port polls a database, which is updated and maintained by the - &os; Security Team and ports developers, for known security - issues. + pkg polls a database for security + issues. The database is updated and maintained by the &os; Security + Team and ports developers. - To install portaudit from the - Ports Collection: + Please refer to for + instructions on installing + pkg. - &prompt.root; cd /usr/ports/ports-mgmt/portaudit && make install clean + Installation provides &man.periodic.8; configuration files + for maintaining the pkg audit + database, and provides a programmatic method of keeping it + updated. This functionality is enabled if + daily_status_security_pkgaudit_enable + is set to YES in &man.periodic.conf.5;. + Ensure that daily security run emails, which are sent to + root's email account, + are being read. - During the installation, the configuration files for - &man.periodic.8; will be updated, permitting - portaudit output in the daily - security runs. Ensure that the daily security run emails, which - are sent to root's - email account, are being read. No other configuration is - required. 
+ After installation, and to audit third party utilities as + part of the Ports Collection at any time, an administrator may + choose to update the database and view known vulnerabilities + of installed packages by invoking: - After installation, an administrator can update the - database and view known vulnerabilities in installed packages - by invoking the following command: + &prompt.root; pkg audit -F - &prompt.root; portaudit -Fda + pkg displays messages + any published vulnerabilities in installed packages: - - The database is automatically updated during the - &man.periodic.8; run. The above command is optional and can - be used to manually update the database now. - - - To audit the third party utilities installed as part of - the Ports Collection at anytime, an administrator can run the - following command: - - &prompt.root; portaudit -a - - portaudit will display messages - for any installed vulnerable packages: - Affected package: cups-base-1.1.22.0_1 Type of problem: cups-base -- HPGL buffer overflow vulnerability. Reference: <http://www.FreeBSD.org/ports/portaudit/40a3bca2-6809-11d9-a9e7-0001020eed82.html> @@ -3174,9 +3163,9 @@ versions affected, by &os; port version, along with other web sites which may contain security advisories. - portaudit is a powerful utility - and is extremely useful when coupled with the - portmaster port. + pkg is a powerful utility + and is extremely useful when coupled with + ports-mgmt/portmaster.
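Review bot: in the ports/chapter.xml hunk at @@ -197,15, the VuXML link target looks dropped rather than replaced: the old text read "check http://vuxml.freebsd.org/ for security issues", while the new text is "Before installing any application, check" followed by a bare "+" line and then "for security issues related to the application", which renders as "check for security issues" with nothing to check. If the blank "+" line was meant to carry a link element, confirm it survived; otherwise restore the vuxml.freebsd.org reference so readers still know where the advisories live before they run pkg audit -F.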
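Review bot: the same missing link target appears in the ports/chapter.xml hunk at @@ -1116,16, where "it is recommended to first check" is now followed by an empty "+" line before "for known security issues related to the port", so the sentence no longer names what to check. Separately, the retained sentence "This command can be configured to automatically perform a security audit and an update of the vulnerability database during the daily security system check" now refers to pkg audit -F but does not say how; since the security chapter hunk names the knob (daily_status_security_pkgaudit_enable in &man.periodic.conf.5;), consider naming it here as well or pointing to that section, so the &man.pkg-audit.8; and &man.periodic.8; references have something concrete to anchor to.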
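Review bot: in the security/chapter.xml hunk at @@ -3117,49, the added line "pkg displays messages any published vulnerabilities in installed packages:" is missing a word; it should read "pkg displays messages for any published vulnerabilities in installed packages:". Two smaller points in the same hunk: "Please refer to for instructions on installing pkg" shows a cross reference with no visible target, so verify the xref resolves to the pkg installation section; and the sample output kept as unchanged context (Affected package: cups-base-1.1.22.0_1 with a Reference under http://www.FreeBSD.org/ports/portaudit/...) is portaudit-era output, so the example should be regenerated from a real pkg audit -F run so its format matches what the reader will see. The new lead sentence "After installation, and to audit third party utilities as part of the Ports Collection at any time, an administrator may choose to update the database and view known vulnerabilities of installed packages by invoking:" is also hard to parse; something like "After installation, an administrator can update the database and view known vulnerabilities in installed packages at any time by invoking:" says the same thing more plainly.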