Apr 09 2014
 

With all of the activity surrounding the Heartbleed Bug, it was great to see so many people helping out to keep things secure. Of note were the actions of the FreeBSD team in getting out bug fixes.

I have three recommendations for you:

I used to follow STABLE. Now I follow RELEASE. The ease of upgrading via binary patches appeals to me.

Every one of my systems, or so I thought until today, has an entry like this in /etc/crontab:

# fetch updates
28 10 * * * root /usr/sbin/freebsd-update cron

This entry will run freebsd-update every day, checking in for any updates. If found, they will be downloaded and you can install them later. Each of my systems does this at a different time; there’s no need to slam the FreeBSD servers all at once.

More importantly, when an update is found, you will get emails such as this one:

To: root@tallboy.example.org
Subject: tallboy.example.org security updates
Message-Id: <20140409103546.B6A151C51BC3@tallboy.example.org>
Date: Wed,  9 Apr 2014 10:35:46 +0000 (UTC)
From: root@tallboy.example.org (Charlie Root)

Looking up update.FreeBSD.org mirrors... 5 mirrors found.
Fetching metadata signature for 9.2-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 48 patches.....10....20....30....40.... done.
Applying patches... done.

The following files will be updated as part of updating to 9.2-RELEASE-p4:
/boot/kernel/kernel
/boot/kernel/kernel.symbols
/boot/kernel/nfsd.ko
/boot/kernel/nfsd.ko.symbols
/lib/libcrypto.so.6
/usr/bin/dc
/usr/bin/kinit
/usr/bin/ntpq
/usr/bin/openssl
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-keygen
/usr/include/openssl/bn.h
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libfetch.a
/usr/lib/libfetch.so.6
/usr/lib/libfetch_p.a
/usr/lib/libgssapi_krb5.a
/usr/lib/libgssapi_krb5.so.10
/usr/lib/libgssapi_krb5_p.a
/usr/lib/libgssapi_ntlm.a
/usr/lib/libgssapi_ntlm.so.10
/usr/lib/libgssapi_ntlm_p.a
/usr/lib/libhdb.a
/usr/lib/libhdb_p.a
/usr/lib/libhx509.a
/usr/lib/libhx509.so.10
/usr/lib/libhx509_p.a
/usr/lib/libkrb5.a
/usr/lib/libkrb5.so.10
/usr/lib/libkrb5_p.a
/usr/lib/libmp.so.7
/usr/lib/libpam.a
/usr/lib/libradius.a
/usr/lib/libradius_p.a
/usr/lib/libssh.a
/usr/lib/libssh.so.5
/usr/lib/libssh_p.a
/usr/lib/libssl.a
/usr/lib/libssl.so.6
/usr/lib/libssl_p.a
/usr/libexec/kdc
/usr/libexec/sendmail/sendmail
/usr/sbin/ktutil
/usr/sbin/ntpd
/usr/sbin/sshd

That is my prompt to ssh into each server, run freebsd-update install, and if appropriate, reboot.

This morning, I realized I had received a security update email from all servers but one. I’ve since added that crontab entry, and manually run freebsd-update on that server.
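
The gap described above, a server with no freebsd-update entry in its crontab, can be checked for directly instead of being noticed through a missing email. The script below is an added example, not part of the original post: it assumes each host's /etc/crontab has been copied into one directory as <host>.crontab, and the hosts alpha and bravo and their crontab contents are constructed samples.

```shell
#!/bin/sh
# Added example. Assumption: every host's /etc/crontab has been copied
# into one directory as <host>.crontab.

# Print "MIN HOUR" of the first active "freebsd-update cron" entry in a
# system crontab (5 time fields, user, command); print nothing if absent.
update_schedule() {
    awk '
        /^[ \t]*#/ { next }   # a commented-out entry does not count
        NF < 8     { next }   # blank lines, VAR=value lines, short entries
        ($7 == "freebsd-update" || $7 ~ /\/freebsd-update$/) && $8 == "cron" {
            print $1, $2
            exit
        }
    ' "$1"
}

# One line per host: "<host> OK <min> <hour>" or "<host> MISSING".
audit_crontabs() {
    for f in "$1"/*.crontab; do
        [ -e "$f" ] || continue
        host=$(basename "$f" .crontab)
        sched=$(update_schedule "$f")
        if [ -n "$sched" ]; then
            echo "$host OK $sched"
        else
            echo "$host MISSING"
        fi
    done
}

# Schedules used by more than one host (the post staggers them on purpose).
shared_slots() {
    audit_crontabs "$1" | awk '$2 == "OK" { n[$3 " " $4]++ }
        END { for (s in n) if (n[s] > 1) print s }'
}

# Constructed sample data: tallboy uses the entry from the post; alpha and
# bravo are hypothetical hosts.
make_samples() {
    printf '%s\n' '# fetch updates' '28 10 * * * root /usr/sbin/freebsd-update cron' > "$1/tallboy.crontab"
    printf '%s\n' 'SHELL=/bin/sh' '#5 11 * * * root /usr/sbin/freebsd-update cron' > "$1/alpha.crontab"
    printf '%s\n' '5 11 * * * root /usr/sbin/freebsd-update cron' > "$1/bravo.crontab"
}

demo=$(mktemp -d)
make_samples "$demo"
audit_crontabs "$demo"
```

A host reported as MISSING will never send the update email, so it is the one to fix first.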
