FreeBSD Applying Security Updates Using pkg/freebsd-update



FreeBSD Applying Security Updates

I am a new FreeBSD developer and user. I have root access to my VM running in AWS cloud. How do I update packages and apply security upgrades on FreeBSD? What is the procedure for applying security updates on FreeBSD?

FreeBSD follows the concept of a base system and packages. One can apply security updates to the base system using the freebsd-update command. You need to use the pkg command to upgrade FreeBSD packages. Let us see step-by-step instructions for implementing security update policies for your FreeBSD server or desktop system.

The procedure is as follows:

1. First, switch from an ordinary user to the root user using the sudo command or su command
2. Capture a list of currently installed FreeBSD software, run: pkg list > file
3. Apply all base OS security updates to your system, run: freebsd-update fetch install
4. Install FreeBSD package security upgrades too, type: pkg update && pkg upgrade
5. Reboot the FreeBSD machine to apply kernel updates, run: reboot

Let us see all commands and examples in detail.

Save software list

Login as the root user:

$ su -

OR

$ sudo -i

Note down the FreeBSD version and patch level, run:

# freebsd-version

Outputs:

12.0-RELEASE-p1

Type the following command to show information about installed packages and save it in a file named /root/pre-pkg-update-YYYYMMDD:

# pkg info > /root/pre-pkg-update-`date +%Y%m%d`

OR bash/sh user can type the following command:

# pkg info > /root/pre-pkg-update-`date +%Y%m%d`

Use the cat command or less command to view the file:

# ls -l /root/pre-pkg-update-*

# cat /root/pre-pkg-update-`date +%Y%m%d`

# less /root/pre-pkg-update-`date +%Y%m%d`



Fetch FreeBSD base OS updates from server

Simply run:

# freebsd-update fetch

Sample outputs:

src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 12.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
Preparing to download files... done.
The following files will be updated as part of updating to 12.0-RELEASE-p1:
/boot/kernel/aac.ko
/boot/kernel/aacraid.ko
/boot/kernel/aesni.ko
/boot/kernel/alq.ko
....
..
...

Install downloaded updates on FreeBSD machine

Next, apply all outstanding base OS security upgrades to your system, run:

# freebsd-update install

Sample outputs:

Installing updates...done

How to see reports about vulnerable software packages

Fetch the latest vulnerability database and audit the installed packages against it:

# pkg audit -F

See a list of vulnerable packages, run:

# pkg audit

Backup package database

You can dump the local package database to a file specified on the command-line:

# pkg backup -d pkg-db-`date +%Y%m%d`

Sample outputs:

Dumping database: Backing up: 100%

By default the package database is stored in the /var/db/pkg/ directory:

# ls -l /var/db/pkg/pkg-db-*



One can use the /var/db/pkg/pkg-db-* file to restore the local package database. This is very useful in case of a database crash or loss. Restore your database from a previous backup using the following syntax:

# pkg backup -r pkg-db-20190912

Update all FreeBSD packages database

Type:

# pkg update

Apply all outstanding package security upgrades

Run:

# pkg upgrade



Reboot the FreeBSD machine to apply kernel updates, simply run:

# reboot

OR

# shutdown -r now

After rebooting the machine verify FreeBSD version, run:

# freebsd-version

Sample outputs:

12.0-RELEASE-p10
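
To confirm what pkg upgrade actually changed, take a second pkg info snapshot after the reboot and compare it with the pre-update file saved earlier. The script below is an added example, not part of the original page; the function name pkg_changes and the sample package lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Sample snapshot lines below are
# constructed. `pkg info` prints "name-version  comment"; package versions
# contain no hyphen, so the version is whatever follows the last "-" in the
# first field, even when the package name itself contains hyphens.

pkg_changes() {   # usage: pkg_changes PRE_SNAPSHOT POST_SNAPSHOT
    awk '
        function parse(nv,   i) {            # sets globals name, ver
            i = match(nv, /-[^-]*$/)
            name = substr(nv, 1, i - 1); ver = substr(nv, i + 1)
        }
        NR == FNR { parse($1); old[name] = ver; next }   # pre-update file
        {
            parse($1); seen[name] = 1                    # post-update file
            if (!(name in old))         print "added", name, ver
            else if (old[name] != ver)  print "changed", name, old[name], "->", ver
        }
        END { for (p in old) if (!(p in seen)) print "removed", p, old[p] }
    ' "$1" "$2" | sort
}

# Constructed sample data standing in for two real snapshot files, e.g.
# /root/pre-pkg-update-YYYYMMDD and a second `pkg info` dump taken afterwards.
tmp=$(mktemp -d)
cat > "$tmp/pre" <<'EOF'
bash-5.0.7                     GNU Project's Bourne Again SHell
curl-7.65.3                    Command line tool for transferring data
py36-setuptools-41.0.1         Python packages installer
sudo-1.8.27                    Allow others to run commands as root
EOF
cat > "$tmp/post" <<'EOF'
bash-5.0.11                    GNU Project's Bourne Again SHell
ca_root_nss-3.46               Root certificate bundle
curl-7.66.0                    Command line tool for transferring data
py36-setuptools-41.0.1         Python packages installer
EOF
pkg_changes "$tmp/pre" "$tmp/post"
rm -rf "$tmp"
```

A package reported as removed or added deserves a look before the pre-update snapshot is discarded, since it was not a plain version bump.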

Conclusion

This page explained how to upgrade your production FreeBSD machine using various commands for applying security updates. See man pages here and here.

