Vulnerable packages on FreeBSD: pkg audit

Auditing FreeBSD with pkg audit

FreeBSD is a different beast than Linux. In some areas it is a really powerful operating system, although package management is probably not the first one that comes to mind. FreeBSD users typically have two options when it comes to installing software.

Ports collection

The ports tree allows administrators to build the software they need with the compilation flags they prefer. This results in optimized software, and typically the latest versions are available. The downside is the overhead of compiling software, especially when multiple systems are involved.

Using binary packages

Like Linux systems, FreeBSD also offers precompiled binaries. These binaries are packaged together with configuration files, data files, and documentation. They are easy to install, update, and remove. The downside is fewer customization possibilities.

If you use the package manager pkg, the same utility can perform a security scan of the installed packages.

pkg audit -F

The pkg audit command shows details about the vulnerability database (vulnxml) and finally lists any installed packages that are known to be vulnerable. Where available, a CVE number is added, which is a unique identifier for a software vulnerability, together with a link for more information.

The pkg audit command showing vulnerable packages on FreeBSD system

To only get the package names, use the --quiet (or -q) option. Optionally add -F if you want to refresh the vulnerability data first.

pkg audit -q

This option is great for automated solutions. We use it in our auditing tool Lynis to see which packages are vulnerable and to count them.

Screenshot of FreeBSD pkg audit with vulnerable package name and version
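As an added example (not code from the original post or from Lynis), this is how a cron job or monitoring check could consume the output of pkg audit -q. It assumes pkg audit -q prints one vulnerable package per line as name-version (for example openssl-1.1.1k,1, a constructed sample value); the helpers read that output from stdin so they can be exercised without pkg being present.

```shell
#!/bin/sh
# Added example: wrap `pkg audit -q` for automation.
# Assumption: `pkg audit -q` prints one vulnerable package per line in the
# form "name-version" (e.g. "openssl-1.1.1k,1"); the helpers below read that
# output from stdin so they can be tested with constructed input.

# Number of vulnerable packages (non-empty lines) on stdin.
count_vulnerable() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Strip the trailing version: "py38-pillow-8.1.0" -> "py38-pillow".
package_names() {
    sed 's/-[^-]*$//'
}

# Turn audit output on stdin into a one-line summary and an exit status
# suitable for cron or a monitoring check: 0 = clean, 1 = vulnerable found.
summarize_audit() {
    out=$(cat)
    n=$(printf '%s\n' "$out" | count_vulnerable)
    if [ "$n" -eq 0 ]; then
        echo "OK: no vulnerable packages"
        return 0
    fi
    names=$(printf '%s\n' "$out" | package_names | sort -u | paste -s -d ' ' -)
    echo "WARNING: $n vulnerable package(s): $names"
    return 1
}

# Refresh the vulnxml database and check the live system.
# Requires pkg (FreeBSD); the exit status is that of summarize_audit.
audit_system() {
    pkg audit -F -q 2>/dev/null | summarize_audit
}
```

Run audit_system from cron and alert on a non-zero exit status; the summary line gives the count and the affected package names without the version noise.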

Are you using other tools on FreeBSD to check for vulnerabilities? Share it in the comments!
