With all of the activity surrounding the Heartbleed Bug, it was great to see so many people helping out to keep things secure. Of note were the actions of the FreeBSD team in getting out bug fixes.
I have three recommendations for you:
- Follow a release branch (as opposed to stable).
- Run freebsd-update in cron.
- Subscribe to the freebsd-security-notifications list.
I used to follow STABLE. Now I follow RELEASE. The ease of upgrading via binary patches appeals to me.
Every one of my systems, or so I thought until today, has an entry like this in /etc/crontab:
```
# fetch updates
28 10 * * * root /usr/sbin/freebsd-update cron
```
This entry will run freebsd-update every day, checking for any updates. If found, they will be downloaded and you can install them later. Each of my systems does this at a different time; there's no need to slam the FreeBSD servers all at once.
More importantly, when an update is found, you will get emails such as this one:
```
To: root@tallboy.example.org
Subject: tallboy.example.org security updates
Message-Id: <20140409103546.B6A151C51BC3@tallboy.example.org>
Date: Wed, 9 Apr 2014 10:35:46 +0000 (UTC)
From: root@tallboy.example.org (Charlie Root)

Looking up update.FreeBSD.org mirrors... 5 mirrors found.
Fetching metadata signature for 9.2-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 48 patches.....10....20....30....40.... done.
Applying patches... done.
The following files will be updated as part of updating to 9.2-RELEASE-p4:
/boot/kernel/kernel
/boot/kernel/kernel.symbols
/boot/kernel/nfsd.ko
/boot/kernel/nfsd.ko.symbols
/lib/libcrypto.so.6
/usr/bin/dc
/usr/bin/kinit
/usr/bin/ntpq
/usr/bin/openssl
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-keygen
/usr/include/openssl/bn.h
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libfetch.a
/usr/lib/libfetch.so.6
/usr/lib/libfetch_p.a
/usr/lib/libgssapi_krb5.a
/usr/lib/libgssapi_krb5.so.10
/usr/lib/libgssapi_krb5_p.a
/usr/lib/libgssapi_ntlm.a
/usr/lib/libgssapi_ntlm.so.10
/usr/lib/libgssapi_ntlm_p.a
/usr/lib/libhdb.a
/usr/lib/libhdb_p.a
/usr/lib/libhx509.a
/usr/lib/libhx509.so.10
/usr/lib/libhx509_p.a
/usr/lib/libkrb5.a
/usr/lib/libkrb5.so.10
/usr/lib/libkrb5_p.a
/usr/lib/libmp.so.7
/usr/lib/libpam.a
/usr/lib/libradius.a
/usr/lib/libradius_p.a
/usr/lib/libssh.a
/usr/lib/libssh.so.5
/usr/lib/libssh_p.a
/usr/lib/libssl.a
/usr/lib/libssl.so.6
/usr/lib/libssl_p.a
/usr/libexec/kdc
/usr/libexec/sendmail/sendmail
/usr/sbin/ktutil
/usr/sbin/ntpd
/usr/sbin/sshd
```
That is my prompt to ssh into each server, run freebsd-update install, and if appropriate, reboot.
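Two checks that follow from the workflow above, written as an added example (not the author's own script): one confirms a crontab actually has an active `freebsd-update cron` entry, the other reads a freebsd-update report like the mail quoted above and works out the target patch level and whether "if appropriate, reboot" applies (kernel files replaced) or only a restart of daemons linked against libcrypto/libssl. The sample crontab lines and the trimmed report are constructed inline from the post's own text.

```shell
#!/bin/sh
# Added example, not the author's script. Every function reads stdin, so it
# works on a real /etc/crontab or a saved freebsd-update mail as well as on
# the constructed samples below.

# True if an uncommented crontab line runs "freebsd-update cron".
# A commented-out entry does not count (the gap described in the post).
has_update_cron() {
    grep -v '^[[:space:]]*#' | grep -q 'freebsd-update[[:space:]]\{1,\}cron'
}

# Print the patch level the report moves the host to, e.g. 9.2-RELEASE-p4.
target_patchlevel() {
    sed -n 's/.*updating to \([^:]*\):.*/\1/p' | head -n 1
}

# True if any kernel file is replaced: "freebsd-update install" then needs a
# reboot, not just a service restart.
needs_reboot() {
    grep -q '^/boot/kernel/'
}

# True if libcrypto/libssl are replaced: running daemons linked against them
# (sshd, sendmail, ...) keep the old code until restarted.
touches_openssl() {
    grep -Eq '^/(usr/)?lib/lib(crypto|ssl)\.so'
}

# Decide what to do after "freebsd-update install" from a report on stdin.
post_install_action() {
    r=$(cat)
    if printf '%s\n' "$r" | needs_reboot; then echo reboot
    elif printf '%s\n' "$r" | touches_openssl; then echo restart-tls-services
    else echo none
    fi
}

# Constructed sample inputs (trimmed from the mail quoted in the post).
GOOD_CRON='# fetch updates
28 10 * * * root /usr/sbin/freebsd-update cron'
COMMENTED_CRON='#28 10 * * * root /usr/sbin/freebsd-update cron'
REPORT='Fetching 48 patches.....10....20....30....40.... done.
Applying patches... done.
The following files will be updated as part of updating to 9.2-RELEASE-p4:
/boot/kernel/kernel
/lib/libcrypto.so.6
/usr/bin/openssl
/usr/sbin/sshd'

printf '%s\n' "$GOOD_CRON" | has_update_cron && echo "cron entry present"
echo "target: $(printf '%s\n' "$REPORT" | target_patchlevel)"
echo "after install: $(printf '%s\n' "$REPORT" | post_install_action)"
```

On a live host, feed the functions `/etc/crontab` and the saved mail body instead of the constructed strings.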
This morning, I realized I had received a security update email from all servers but one. I've since added that crontab entry, and manually run freebsd-update on that server.