From: Bill Moran
To: Ed Flecko
Cc: freebsd-questions@freebsd.org
Date: Fri, 2 Jul 2010 16:03:01 -0400
Subject: Re: Staying up to date with security patches

In response to Ed Flecko:

> Hi folks,
> I've carefully read many different sources about keeping FreeBSD up to
> date, and I'm not quite "crystal-clear".
>
> I'm building a server with 8.0, and because it's a server, it will
> have very little software installed on it (probably Apache, maybe
> BIND, etc.), and my primary concern is that it's stable and secure
> from a "patching perspective" (I'll work on "hardening" the OS later).
>
> Since I will be doing a custom kernel at some point, I won't use
> freebsd-update, I'm using cvsup instead.
>
> If I understand the docs correctly, I want my "supfile" (in my case,
> I'm simply modifying "stable-supfile") file to have an entry like:
> *default release=cvs tag=RELENG_8_0
>
> 1.) The _0 will keep me up to date with the security patches, which is
> what I'm after, right?

Yes

> 2.) How often "should" one synchronize your server (PC, etc.)? You
> don't need to do it daily with cron, do you? I've subscribed to the
> FreeBSD security update list, so that's probably the only time one
> really needs to synchronize, rebuild, etc., isn't it?

You only need to sync and rebuild when a security problem is announced
via that mailing list.

> 3.) What's the smartest way to keep your installed applications
> updated (i.e., Apache, BIND, etc.)?

Install ports-mgmt/portaudit and run it daily (I believe it installs so
that it will email you daily results as part of periodic) and when it
tells you that one of your installed ports is out of date, take care of
it.

There's no "schedule". Because, despite what MS would have PHB's
believe, security problems are not found on any schedule, they're found
whenever they're found. Thus, your best approach is to monitor and be
proactive.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
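
The supfile question in this thread turns on which branch the tag names, so here is an added example (not part of the original messages) that reads a supfile and reports whether it follows a security branch such as RELENG_8_0. The function names, the sample file and its host name are constructed for illustration.

```sh
#!/bin/sh
# Added example: report which branch a cvsup/csup supfile tracks.
# FreeBSD CVS tag convention assumed here:
#   RELENG_8_0            security branch for 8.0 (the tag in the thread)
#   RELENG_8              8-STABLE
#   RELENG_8_0_0_RELEASE  fixed release point, receives no updates
#   .                     HEAD (-CURRENT)

# Print the tag set by the last "*default ... tag=..." line, ignoring comments.
supfile_tag() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "*default" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^tag=/) tag = substr($i, 5)
        }
        END { print tag }'
}

# Map a tag to the kind of branch it names.
classify_tag() {
    if [ -z "$1" ]; then echo missing
    elif [ "$1" = "." ]; then echo current
    elif printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+_[0-9]+$'; then echo security
    elif printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+$'; then echo stable
    elif printf '%s\n' "$1" | grep -Eq '^RELENG_[0-9]+(_[0-9]+)+_RELEASE$'; then echo release-point
    else echo unknown
    fi
}

# Print the branch kind; succeed only when it is a security branch.
check_supfile() {
    kind=$(classify_tag "$(supfile_tag "$1")")
    echo "$kind"
    [ "$kind" = security ]
}

# Constructed sample supfile (host name is a placeholder).
sample=$(mktemp)
cat > "$sample" <<'EOF'
*default host=cvsup.example.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_8_0   # security branch
*default delete use-rel-suffix
src-all
EOF
check_supfile "$sample" && echo "OK: supfile tracks a security branch"
rm -f "$sample"
```

A stock stable-supfile left at tag=RELENG_8 is reported as "stable", which is the case the check is meant to catch before a sync.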