Re: Staying up to date with security patches

Fri, 02 Jul 2010 14:01:33 -0700 

On Fri, Jul 02, 2010 at 04:03:01PM -0400, Bill Moran thus spake:

In response to Ed Flecko <edfle...@gmail.com>:


Hi folks,
I've carefully read many different sources about keeping FreeBSD up to
date, and I'm not quite "crystal-clear".

I'm building a server with 8.0, and because it's a server, it will
have very little software installed on it (probably Apache, maybe
BIND, etc.), and my primary concern is that it's stable and secure
from a "patching perspective" (I'll work on "hardening" the OS later).

Since I will be doing a custom kernel at some point, I won't use
freebsd-update, I'm using cvsup instead.


You can build your own update server based off of your custom kernel. I've
been running one for awhile now, and it works great.

As long as your ISO contains your kernel, it will work.

http://www.freebsdgr.org/all/en_US.ISO8859-1/articles/freebsd-update-server/



If I understand the docs correctly, I want my "supfile" (in my case,
I'm simply modifying "stable-supfile") file to have an entry like:
*default release=cvs tag=RELENG_8_0

1.) The _0 will keep me up to date with the security patches, which is
what I'm after, right?


Yes


2.) How often "should" one synchronize your server (PC, etc.)? You
don't need to do it daily with cron, do you? I've subscribed to the
FreeBSD security update list, so that's probably the only time one
really needs to synchronize, rebuild, etc., isn't it?


You only need to sync and rebuild when a security problem is announced
via that mailing list.


3.) What's the smartest way to keep your installed applications
updated (i.e., Apache, BIND, etc.)?


Install ports-mgmt/portaudit and run it daily (I believe it installs
so that it will email you daily results as part of periodic) and when
it tells you that one of your installed ports is out of date, take
care of it.

There's no "schedule".  Because, despite what MS would have PHB's believe,
security problems are not found on any schedule, they're found whenever
they're found.

Thus, your best approach is to monitor and be proactive.

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"



-jgh
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Reply via email to