From owner-freebsd-stable@FreeBSD.ORG Sat Jun 12 09:03:05 2004
From: Haim Ashkenazi
To: freebsd-stable@freebsd.org
Date: Sat, 12 Jun 2004 12:02:00 +0300
Subject: keeping my freebsd secure...
List-Id: Production branch of FreeBSD source code

Hi

I just installed FreeBSD 4.10 (my first one) and I fail to see the "big picture" about keeping my system up-to-date with security fixes. I read some relevant sections in the handbook, mailing list entries etc... and here's what I understand:

1. I need to follow the security advisories to see if there are vulnerabilities in the base system (I didn't find any regarding 4.10, am I right?)
2. I installed portaudit to tell me if there are vulnerabilities in the ports.
3. There are some tools (I don't remember their names) that automatically download and install upgrades.

These are all bits and pieces I got here and there, but I'm looking for a document that describes all the aspects of keeping my system up-to-date with security. Here are some of the things I don't fully understand:

How do I update my ports without breaking anything and without downtime for important services (apache, mysql, etc...)? The one port I installed from a pre-compiled binary (screen) took 99% CPU, and I had to compile it so it would work OK. So how do I upgrade any of the above daemons without having to uninstall -> compile -> reinstall (which takes a long time)?

Also, if the PNG library has vulnerabilities (as it does now on my system) and I update the ports and compile it, do I have to update all the ports or only this one (will php break if I don't upgrade it)?

Basically I'm looking for some kind of mechanism that acts more or less like my Debian system (please don't start a flame war here, it's just the system I'm using now...) and that includes notifications of security updates, very minimal downtime (a second or two) and, most important, I'm always sure that my configurations are valid (in Debian it's achieved by never upgrading the version of the package, only patching for security fixes).

I'll appreciate any input on this, because I have to set up the system as a production server in 2 days...

thanx
--
Haim
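The libpng question above (rebuild only png, or everything that links it?) comes down to one check: whether the upgraded library keeps the same shared-library major number. The script below is an added example from the editor, not part of Haim's post and not a FreeBSD tool; it assumes the usual ELF convention that dependents link against libNAME.so.MAJOR, so a patch-level rebuild that keeps MAJOR needs no dependent rebuilds while a MAJOR bump does. The ldd-style output, the binary paths and the function names (shlib_major, needs_rebuild, dependents_of, rebuild_plan) are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether dependents
# must be rebuilt after replacing a shared library such as libpng.
# Assumed rule: binaries record libNAME.so.MAJOR, so only a change in
# MAJOR breaks them; same MAJOR means the new library is a drop-in.

# shlib_major libpng.so.5.2 -> "5"; prints nothing when no ".so.N" is present
shlib_major() {
    printf '%s\n' "$1" | sed -n 's/^.*\.so\.\([0-9][0-9]*\).*$/\1/p'
}

# needs_rebuild OLD_SO NEW_SO: true (exit 0) when dependents must be rebuilt
needs_rebuild() {
    old=$(shlib_major "$1")
    new=$(shlib_major "$2")
    # unversioned or unparsable names: be conservative and rebuild
    if [ -z "$old" ] || [ -z "$new" ]; then
        return 0
    fi
    [ "$old" != "$new" ]
}

# Constructed ldd-style output for a few binaries (sample data, not a real
# system listing). On a live host you would generate this with
# `ldd /usr/local/bin/* /usr/local/sbin/*` or similar.
SAMPLE_LDD='/usr/local/bin/php:
    libpng.so.5 => /usr/local/lib/libpng.so.5 (0x2813b000)
    libz.so.2 => /usr/lib/libz.so.2 (0x28155000)
/usr/local/bin/convert:
    libpng.so.5 => /usr/local/lib/libpng.so.5 (0x2813b000)
    libjpeg.so.9 => /usr/local/lib/libjpeg.so.9 (0x28160000)
/usr/local/sbin/httpd:
    libz.so.2 => /usr/lib/libz.so.2 (0x28155000)
    libc.so.4 => /usr/lib/libc.so.4 (0x28170000)'

# dependents_of LIBNAME: print each binary in SAMPLE_LDD that links LIBNAME.so.*
dependents_of() {
    printf '%s\n' "$SAMPLE_LDD" | awk -v lib="$1" '
        /^\/.*:$/ { bin = substr($0, 1, length($0) - 1); next }
        $1 ~ ("^" lib "\\.so\\.") { print bin }'
}

# rebuild_plan LIBNAME OLD_SO NEW_SO: list binaries to rebuild, empty if none
rebuild_plan() {
    if needs_rebuild "$2" "$3"; then
        dependents_of "$1"
    fi
}

# Demo: a security patch that keeps libpng.so.5 needs no dependent rebuilds;
# a hypothetical bump to libpng.so.6 would require rebuilding php and convert.
echo "patch-level upgrade (so.5 -> so.5.1) rebuild list:"
rebuild_plan libpng libpng.so.5 libpng.so.5.1
echo "major upgrade (so.5 -> so.6) rebuild list:"
rebuild_plan libpng libpng.so.5 libpng.so.6
```

The same major-number check is what decides between upgrading a single port and upgrading it together with everything that depends on it; whichever ports tool is used, the list of dependents is the input to that second, slower path, and services only need restarting after the library they actually link has been replaced.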