Keeping FreeBSD Up-to-Date - Part 1
This is the first article in a multi-part series on keeping FreeBSD up-to-date.
Part 1: Keeping the OS Up-to-Date
Some of you may know that I have been using FreeBSD for a while now and have loved every minute of it. Some things work easily out of the box, some things require quite a bit of “tweaking” to get them to work, and then in some cases, some things just don’t work. Most of my frustrations (very few and far between) with FreeBSD are related to available software for the OS, although I recently ran into a problem with my Video iPod in FreeBSD 6.0-SECURITY. But, with over 14,000 ports available in the FreeBSD ports tree, and constant development of the OS itself, you’re very likely to find the application or functionality you seek.
In this post, I will attempt to explain how I keep my 6.0-RELEASE system up-to-date by applying security-related patches. The steps provided below are for a FreeBSD system with an unmodified kernel (GENERIC) and base system, meaning you haven’t upgraded your system to -STABLE or -CURRENT using cvsup and recompiled from the system sources. So, with that being said, this tutorial is based around the latest FreeBSD release, 6.0 (6.1 is quickly approaching, the most recent release of 6.1 being BETA 4).
This tutorial assumes you are fairly familiar with the FreeBSD ports tree. You at least need to know that the ports tree is installed in /usr/ports by default and that all port sources will be located within that directory.
The first thing I do with a fresh OS install is install freebsd-update. freebsd-update lets you keep your system up-to-date by installing security-related patches in the form of binary updates, meaning you won’t have to update your system sources and recompile everything every time a security vulnerability is identified and patched. You can install the tool by running:
# pkg_add -r freebsd-update
or by compiling it from source by running:
# cd /usr/ports/security/freebsd-update && make install clean
Once the installation is complete, run the following command to create a directory for freebsd-update in /usr/local/:
# mkdir /usr/local/freebsd-update
Next, copy the sample configuration file to /usr/local/etc/freebsd-update.conf by running:
# cd /usr/local/etc/ && cp freebsd-update.conf.sample freebsd-update.conf
Now that freebsd-update is installed, you can fetch all security-related updates for your system by running:
# freebsd-update fetch
This will examine your system and download any updated components, including the kernel, but will not install them. To install the updates after downloading (fetching) them, run the following command:
# freebsd-update install
Once the installation is complete, reboot your machine and run the freebsd-update fetch command again to make sure there are no further updates for your system. If there are, rerun the freebsd-update install command and reboot, repeating until no further updates are required. Most of the time, after the first iteration of the commands, no further updates will be available. Run this set of commands as often as you would like to check for any security-related updates for your system.
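The fetch/install cycle above, wrapped in a pre-flight check that refuses to run on a -STABLE/-CURRENT system or a non-GENERIC kernel. This is an added example, not part of the original article or of freebsd-update itself; the function names, the sample uname string and the assumption that the kernel name is the last path component of the uname -v output are illustrative.

```sh
#!/bin/sh
# Added example: pre-flight checks around the fetch/install cycle.
CONF=/usr/local/etc/freebsd-update.conf   # path used in the article
WORKDIR=/usr/local/freebsd-update         # directory created in the article
# Constructed sample of `uname -v` output, used when no argument is given.
SAMPLE_V='FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005     root@build.example:/usr/obj/usr/src/sys/GENERIC'

# kernel_ident "<uname -v output>": print the kernel config name, taken as
# the last path component of the build directory (an assumption about the
# string's layout), after trimming trailing spaces.
kernel_ident() {
    v=${1%"${1##*[! ]}"}
    printf '%s\n' "${v##*/}"
}

# tracks_release "<uname -r output>": true for -RELEASE, -RELEASE-pN and
# -SECURITY; false for -STABLE, -CURRENT and anything else.
tracks_release() {
    case "$1" in
        *-RELEASE|*-RELEASE-p[0-9]*|*-SECURITY) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight "<uname -r>" "<uname -v>": print "ok", or the reason binary
# updates do not apply, and return non-zero in the latter case.
preflight() {
    tracks_release "$1" || { echo "not a release system: $1"; return 1; }
    k=$(kernel_ident "$2")
    [ "$k" = "GENERIC" ] || { echo "custom kernel: $k"; return 1; }
    echo "ok"
}

update_cycle() {
    [ -f "$CONF" ] || { echo "missing $CONF" >&2; return 1; }
    [ -d "$WORKDIR" ] || { echo "missing $WORKDIR" >&2; return 1; }
    preflight "$(uname -r)" "$(uname -v)" >&2 || return 1
    freebsd-update fetch && freebsd-update install &&
        echo "Reboot, then repeat until fetch finds nothing new."
}

if [ "${1:-}" = "run" ]; then
    update_cycle                          # real run, as root on the FreeBSD box
else
    preflight "6.0-RELEASE" "$SAMPLE_V"   # offline demo on the sample
fi
```

Invoked with the argument run, the script performs one fetch/install pass; with no argument it only evaluates the constructed sample.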
And that, ladies and gentlemen, is the easiest way to apply security-related updates to the FreeBSD operating system. As I stated above, this will not work for machines with custom kernels, but for most boxes that do not require a lot of customization, this will keep your box up-to-date without having to compile any of the updates from source. When you begin running this tool to update your system, you will be tracking the FreeBSD-SECURITY branch, meaning a release system with any security-related patches applied that have come out since the installed release. For more information on the freebsd-update tool, please visit the developer’s web site.
Also, a huge thank you goes out to Richard Bejtlich of TaoSecurity for his writings on this subject as well as taking the time to explain some of this to me at Black Hat Federal 2006 earlier this year.
The next article in this series will explain how to keep your FreeBSD ports tree up-to-date, how to determine what installed ports need to be upgraded, how to upgrade installed ports, and how to check your installed ports for security vulnerabilities.