Security patching of ports without the ports tree

Hi folks,

I've got some machines in a DMZ and I really don't want to install the whole ports tree so I can do security patching.

Maybe I've got something wrong but the process I use is:
Run portaudit from cron and monitor the daily security output
When necessary (patching is required) log onto the server and do:
Code:
portsnap update
portupgrade -a

This works fine but it means that I have to keep the whole ports tree on the server and I'm not keen on that.

If I had some more servers to worry about (like say 4 or 5) I'd set up a patch distribution server and do this in a centralised way (I'm sure this is possible) but just for a couple of machines, I can't justify it.

Is there a way to limit the ports tree to only the installed ports so that I can do the patching but don't have to have the whole tree on the server?

ciao
dave
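As an added example that is not part of the thread: a small POSIX sh script that derives the set of port origins the installed packages need and prints the `portsnap extract <path>` commands that would populate only those directories (plus the shared build infrastructure) instead of the whole tree. It assumes `pkg_info -qoa` prints one origin per line (the sample below is constructed) and that `Mk`, `Templates` and `Tools` are enough infrastructure for a partial tree; nothing is executed, the commands are only printed for review.

```shell
#!/bin/sh
# Added example, not from the forum thread. Builds the list of "portsnap extract"
# commands for a ports tree limited to the installed ports.

# Constructed sample of what "pkg_info -qoa" would print (one origin per package).
SAMPLE_ORIGINS='security/portaudit
sysutils/portupgrade
sysutils/lsof
security/portaudit
lang/perl5'

# Top-level directories the ports framework needs even for a partial tree (assumption).
PORTS_INFRA='Mk Templates Tools'

# Print the unique origins, sorted, with blank lines dropped.
unique_origins() {
    printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | sort -u
}

# Number of distinct port directories that would be extracted.
origin_count() {
    unique_origins "$1" | wc -l | tr -d ' '
}

# Emit the portsnap commands for a minimal /usr/ports. Nothing runs here;
# pipe the output to sh once it has been reviewed.
extract_commands() {
    printf 'portsnap fetch\n'
    for p in $PORTS_INFRA; do
        printf 'portsnap extract %s\n' "$p"
    done
    unique_origins "$1" | while IFS= read -r origin; do
        printf 'portsnap extract %s\n' "$origin"
    done
}

extract_commands "$SAMPLE_ORIGINS"
```

On a real host replace `SAMPLE_ORIGINS` with `$(pkg_info -qoa)`; later runs of `portsnap update` still work on the extracted paths.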
 
davo said:
If I had some more servers to worry about (like say 4 or 5) I'd set up a patch distribution server and do this in a centralised way (I'm sure this is possible) but just for a couple of machines, I can't justify it.

Is there a way to limit the ports tree to only the installed ports so that I can do the patching but don't have to have the whole tree on the server?

Probably - depending on the packages you need, but it's going to be a headache and will require lots of trial and error on your part.

FWIW, I have a patch distribution server (i.e. tinderbox) that I use for only three FreeBSD jails. Well worth the trouble. :)
 
Thanks for that.

I'll have a think about building a server to do the patching as, to maintain security on a standalone machine, it seems you need to install /usr/ports (the whole lot), /usr/src/sys (lsof needs it for instance) and a complete build environment. This makes me a bit uncomfortable to be honest.

I've noticed that the pkg_add tool retrieves the binary packages from a directory called "Latest". Is this possibly a precursor to a patch procedure like:
Code:
pkg_delete somepackage
pkg_add somepackage?

or even
Code:
pkg_upgrade somepackage
..

For your patch distribution server, do you build packages to distribute to the production servers or do you mount the ports tree on the production servers?

ciao
dave
 
davo said:
For your patch distribution server, do you build packages to distribute to the production servers or do you mount the ports tree on the production servers?

If I weren't so %#$& lazy, I would get around to sharing a directory containing the packages for the production hosts. Given enough of a nudge (e.g. about a dozen FreeBSD hosts to manage) I would probably become motivated quickly.

I currently just copy updated packages and their (sometimes considerable) dependencies to each jailed host, and do the pkg_delete / pkg_add dance. It's not such an ordeal once you get comfortable with the steps, and learn to stomach the philosophy of only upgrading to patch security holes (or when a new feature is absolutely required).
 
anomie said:
I currently just copy updated packages and their (sometimes considerable) dependencies to each jailed host, and do the pkg_delete / pkg_add dance.
No real need to copy anything.

# mount -t nullfs /usr/ports /jail/j1/usr/ports
# mount -t nullfs /usr/ports /jail/j2/usr/ports
 
Right, for jails, nullfs mounts are a more elegant approach. (I just need to take a few minutes to experiment.)
 