Index: ports/chapter.xml =================================================================== --- ports/chapter.xml +++ ports/chapter.xml @@ -197,15 +197,11 @@ &a.ports; and the &a.ports-bugs;. - Before installing any application, check http://vuxml.freebsd.org/ - for security issues related to the application or install - ports-mgmt/portaudit. Once installed, type - portaudit -F -a to check all installed - applications for known vulnerabilities. When - pkg is being used the audit - functionality is built in. Execute pkg audit - -F to get a report on vulnerable packages. + Before installing any application, check + for security issues related to the application or type + pkg audit -F to check all installed + applications for known vulnerabilities. The remainder of this chapter explains how to use packages @@ -1116,16 +1112,13 @@ Collection as described in the previous section. Since the installation of any third-party software can introduce security vulnerabilities, it is recommended to first check - http://vuxml.freebsd.org/ + for known security issues related to the port. Alternately, - if ports-mgmt/portaudit is installed, run - portaudit -F before installing a new + run pkg audit -F before installing a new port. This command can be configured to automatically perform a security audit and an update of the vulnerability database during the daily security system check. For more - information, refer to the manual page for - portaudit and + information, refer to &man.pkg-audit.8; and &man.periodic.8;. Index: security/chapter.xml =================================================================== --- security/chapter.xml +++ security/chapter.xml @@ -78,7 +78,7 @@ - How to use portaudit to audit + How to use pkg to audit third party software packages installed from the Ports Collection. @@ -3091,7 +3091,7 @@ - + Monitoring Third Party Security Issues @@ -3102,7 +3102,7 @@ - portaudit + pkg In recent years, the security world has made many 
@@ -3117,47 +3117,40 @@ capability. There is a way to mitigate third party vulnerabilities and warn administrators of known security issues. A &os; add on utility known as - portaudit exists solely for this - purpose. + pkg includes options explicitly for + this purpose. The - ports-mgmt/portaudit + pkg port polls a database, which is updated and maintained by the &os; Security Team and ports developers, for known security issues. - To install portaudit from the - Ports Collection: + To install pkg please refer to . - &prompt.root; cd /usr/ports/ports-mgmt/portaudit && make install clean - During the installation, the configuration files for - &man.periodic.8; will be updated, permitting - portaudit output in the daily - security runs. Ensure that the daily security run emails, which - are sent to root's - email account, are being read. No other configuration is - required. + &man.periodic.8; will be installed. This functionality is + enabled if daily_status_security_pkgaudit_enable + is set to YES in &man.periodic.conf.5;. Ensure + that daily security run emails, which are sent to + root's email account, are + being read. - After installation, an administrator can update the - database and view known vulnerabilities in installed packages - by invoking the following command: + After installation, and to audit third party utilities as part + of the Ports Collection at anytime, an administrator can update the + database and view known vulnerabilities of installed packages + by invoking pkg: - &prompt.root; portaudit -Fda + &prompt.root; pkg audit -F The database is automatically updated during the &man.periodic.8; run. The above command is optional and can - be used to manually update the database now. + be used to manually update the database. 
- To audit the third party utilities installed as part of - the Ports Collection at anytime, an administrator can run the - following command: - - &prompt.root; portaudit -a - - portaudit will display messages + pkg will display messages for any installed vulnerable packages: Affected package: cups-base-1.1.22.0_1 @@ -3174,9 +3167,9 @@ versions affected, by &os; port version, along with other web sites which may contain security advisories. - portaudit is a powerful utility - and is extremely useful when coupled with the - portmaster port. + pkg is a powerful utility + and is extremely useful when coupled with + ports-mgmt/portmaster.
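Review bot: in the ports/chapter.xml hunk at @@ -197,15, the added sentence starts "Before installing any application" but then offers pkg audit -F "to check all installed applications", which says nothing about an application that is not installed yet. Suggest two sentences: consult the vulnerability database before installing, and run pkg audit -F to audit what is already installed. As the added lines read here, "check for security issues" also has no visible object where the removed line carried http://vuxml.freebsd.org/, so please confirm the link element renders the URL as text.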
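Review bot: in the ports/chapter.xml hunk at @@ -1116,16, the retained sentence "This command can be configured to automatically perform a security audit" still does not say how, and the new reference list ends at &man.pkg-audit.8; and &man.periodic.8;. The security chapter change in this same patch names daily_status_security_pkgaudit_enable in &man.periodic.conf.5;, so name that variable here or point to that section. The added "first check for known security issues" line has the same missing visible link text as the earlier hunk.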
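Review bot: in the security/chapter.xml hunk at @@ -3117,47, the kept paragraph "The above command is optional and can be used to manually update the database" is stale now that the two portaudit steps are merged: pkg audit -F is introduced as the command that both updates the database and reports vulnerabilities, so calling it optional reads as if auditing were optional. Suggest rewording so that only the -F fetch is described as optional. The added text also drops "No other configuration is required" without stating whether daily_status_security_pkgaudit_enable defaults to YES, which leaves the reader unsure whether the daily report is on. Smaller points: "To install pkg please refer to ." shows no cross-reference target as rendered here, and "at anytime" should be "at any time".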
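Review bot: in the security/chapter.xml hunk at @@ -3174,9, the closing sentence was written for portaudit and only has its subject swapped, so "pkg is a powerful utility and is extremely useful when coupled with ports-mgmt/portmaster" now describes the whole package manager rather than the audit function this section covers. Suggest making the subject pkg audit and saying in one clause what the pairing achieves, for example that vulnerable ports reported by the audit can then be upgraded with portmaster.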