
How FreeBSD makes vulnerability auditing easy: portaudit

Find out how FreeBSD's portaudit tool goes a long way toward helping you maintain a secure system, simply and easily.

There are a number of things I like about FreeBSD, more than any Linux distribution I've ever used. Some of those are advantages shared by no Linux distribution I've used, and some are advantages shared by a few Linux distributions but not others -- but no Linux distribution shares all of these advantages (even discounting things no Linux distribution has, like a BSD-licensed kernel).

One of the higher-level FreeBSD tools I rather like is portaudit:

$ portaudit -a
0 problem(s) in your installed packages found.

The key isn't so much that no vulnerabilities were discovered on my system; rather, it's how simply, easily, and quickly I found out that I'm not currently at risk.

The canonical example from the FreeBSD Handbook of what happens when you get a security vulnerability looks like this:

$ portaudit -a
Affected package: apache-1.3.29_1
Type of problem: Apache 1.3 IP address access control failure on some 64-bit platforms.
Reference: <http://people.freebsd.org/~eik/portaudit/09d418db-70fd-11d8-873f-0020ed76ef5a.html>

Affected package: mpg123-esound-0.59r_12
Type of problem: mpg123 vulnerabilities.
Reference: <http://people.freebsd.org/~eik/portaudit/9fccad5a-7096-11d8-873f-0020ed76ef5a.html>

2 problem(s) in your installed packages found.

The importance of vulnerability tracking

Determining the vulnerability status of the software on your system, as part of your risk assessment and security maintenance strategy, is only one of many requirements of maintaining a secure system -- but it's a very important one. You simply can't reliably fix or work around specific security problems on your systems if you don't know they exist. This is part of the reason I wrote "How should we handle security notifications?" It's also the main reason why making the process of checking the vulnerability status of your installed software incredibly easy (as it is with portaudit on FreeBSD systems) is very, very important.

One of the benefits of a tool like FreeBSD's portaudit is the fact that it reports all known vulnerabilities, without necessarily being part of the software updating process itself:

  1. It doesn't leave out anything that hasn't been patched yet. This can be important in cases where you are at risk, and need to employ some kind of work-around to protect yourself until a patch exists.
  2. It allows you to make decisions for yourself about the importance of vulnerabilities, which can fit into a larger risk assessment plan to balance capabilities against security needs.
  3. It lets you know when a vulnerability exists in a piece of software that you've intentionally maintained at an older version for compatibility or testing purposes, so that you can make a reasoned decision about what needs updating.

With a comprehensive software management system such as the FreeBSD ports system, this also means that even for third-party software you generally don't have to search the Web and go through individual software distributors to find vulnerabilities that may affect your system. Known vulnerabilities are brought to you, like front-door delivery service.

Using portaudit

As I pointed out in another article, "Interface design is security design," making good security practice easy is a key factor in creating a secure computing environment. I'd have to say that, in terms of making security vulnerability auditing easy, FreeBSD definitely succeeds with portaudit.

After updating the local copy of the ports tree (I use the portsnap tool on my FreeBSD systems):

# portsnap fetch update

. . . update the portaudit database:

# portaudit -Fd

The -F option fetches the current vulnerability database, and the -d option prints the database's creation date, so you can confirm that the fetch actually gave you a fresh copy rather than a stale one. Once that is done, your system is ready to be checked for vulnerabilities:

# portaudit -a

With that, you get a listing of every known vulnerability affecting the packages installed on your system -- known, that is, as of the database you fetched in the previous step, which is why the fetch belongs in the same routine as the audit.
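The three commands above are a procedure worth running unattended every night. The script below is an added example written for this page, not code from the original article or from the FreeBSD project; it wraps the portsnap/portaudit sequence so that cron mails root only when something is flagged, and it keeps the report parsing in separate functions so the parsing can be exercised without the tools installed. It assumes portsnap and portaudit are present (the era of FreeBSD the article describes; current releases do the same job with `pkg audit -F`, whose output format differs) and that the report path is writable. The sample report inside `sample_report` is the article's own two-package example, reproduced as constructed test input.

```shell
#!/bin/sh
# Added example (not from the article or FreeBSD): cron-friendly wrapper
# around "portsnap fetch update; portaudit -Fd; portaudit -a".

# Print the names of the packages portaudit flagged, one per line,
# reading "portaudit -a" output from stdin.
affected_packages() {
    sed -n 's/^Affected package: //p'
}

# Succeed (exit 0) only if the audit output on stdin names no package.
audit_clean() {
    n=$(affected_packages | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Full nightly procedure.  Returns 0 when clean, 1 when packages are
# affected (and lists them on stdout so cron mails them), 2 when the
# ports tree or vulnerability database could not be refreshed.
# $1: where to keep the raw report (assumed path; adjust to taste).
nightly_audit() {
    report=${1:-/var/log/portaudit.report}
    portsnap fetch update >/dev/null 2>&1 || return 2
    portaudit -Fd >/dev/null 2>&1 || return 2
    # portaudit -a itself may exit non-zero when it finds problems, so its
    # status is deliberately ignored and the report text is inspected.
    portaudit -a > "$report" 2>&1 || true
    if audit_clean < "$report"; then
        return 0
    fi
    affected_packages < "$report"
    return 1
}

# Constructed sample: the Handbook-style report quoted in the article,
# used to exercise the parsing functions without running portaudit.
sample_report() {
    cat <<'EOF'
Affected package: apache-1.3.29_1
Type of problem: Apache 1.3 IP address access control failure on some 64-bit platforms.
Reference: <http://people.freebsd.org/~eik/portaudit/09d418db-70fd-11d8-873f-0020ed76ef5a.html>

Affected package: mpg123-esound-0.59r_12
Type of problem: mpg123 vulnerabilities.
Reference: <http://people.freebsd.org/~eik/portaudit/9fccad5a-7096-11d8-873f-0020ed76ef5a.html>

2 problem(s) in your installed packages found.
EOF
}
```

Install it as a root cron job (for example `0 4 * * * /usr/local/sbin/nightly_audit.sh`); with cron's default behaviour, a clean night produces no mail and a night with findings mails the package names. The exit status lets a monitoring system distinguish "vulnerable" from "could not update the database", which matters because a failed fetch would otherwise silently turn into a false clean result.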

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

10 comments
Alessandro Dellavedova

We also use jailaudit, that basically invokes portaudit for each jail you have on your FreeBSD server and generates a very detailed report of the vulnerabilities found. Very handy if you have to manage tens of jails (like I do).

seanferd

I'm looking at making a BSD my OS for everyday use. Actually, you can consider it one more reason why I will likely choose BSD. (I also like jails.) I know of no tool similar to portaudit for other operating systems, save the Secunia tool I've recently seen, checking for updates, and reading vulnerability/bug alerts and security blogs/articles.

apotheon

Both [b]portaudit[/b] and [b]portsnap[/b] are available in the FreeBSD ports system. What tools do you use on your operating system of choice to perform the tasks for which [b]portaudit[/b] was designed?

apotheon

I'd basically forgotten jailaudit existed, because I don't work with jailed subsystems much. I'm glad you mentioned it in the discussion.

apotheon

The value of a tool like portaudit or Secunia PSI is limited by a number of factors. Probably chief among them are:

  1. the openness of vulnerability reporting for the covered software -- Without open vulnerability reporting practices, you can never be sure you're getting up-to-date and comprehensive notice of vulnerabilities on your system. What good is vulnerability reporting that's several months behind because a vendor has managed to strong-arm security researchers into keeping its dirty secrets?
  2. the breadth and depth of software coverage -- How much software you might use is covered by the auditing tool is of great importance. You don't want to find that almost nothing you're running on a mission critical server is actually subject to audits by the tool. Even more importantly, you must be sure that when it covers a given piece of software, it gives you accurate information about the version of software you have installed.
  3. integration with the rest of your security management system -- If it can tell you that a piece of software on which you depend is subject to a critical vulnerability, but you never get that information, don't have access to any work-arounds, and never get a patch anyway, you're barely any better off than if you never knew about the risk.

In my estimation, portaudit wins over PSI on all three counts.

  1. The vast majority of software covered by portaudit is open source software whose projects necessarily tend toward open vulnerability handling policies.
  2. Because portaudit is part of the FreeBSD ports system, it covers thousands of pieces of software, and because of the software management process for which it was designed it gives you coverage across many versions of each piece of software it supports.
  3. Again, thanks to the integration of portaudit with the FreeBSD ports system, it is tied in with a bunch of other tools related to maintaining software security on your system, and the simplicity and flexibility of its user interface lends itself to automation by other tools.

seanferd

I didn't think there was anything as comprehensive as portaudit for any other OS. I've never heard of anything like it.

apotheon

The portaudit tool uses vuxml, the "vulnerability exposure markup language", to good effect. There's another FreeBSD tool that uses vuxml, called vxquery, but I don't have as much experience with it as I have with portaudit. Both FreeBSD and OpenBSD provide vuxml-based RSS feeds so you can track vulnerabilities that appear in those systems. Do a Google search for vuxml and you should be able to find your way to the site for it -- which includes pages for the vulnerability listings for both FreeBSD and OpenBSD, as well as links to the RSS feeds. As far as I'm aware, though, OpenBSD doesn't provide a simple command line counterpart to portaudit. NetBSD offers a tool that's similar in purpose to portaudit, called audit-packages. I don't know if it's quite as good as portaudit, because I haven't given it a fair test. It may even be better, though at the moment I'm having a hard time imagining how that might be the case. I have yet to find anything that even begins to compare with portaudit for OSes other than BSD Unix systems, though -- including any Linux distribution.

Jaqui

another tool quite like it.
