There are quite a few applications available to assist you in keeping your system up-to-date. My script uses several third-party components. Here, I'll quickly add the necessary packages; you can "grep" through "pkg_info" to see if any of these are already installed on your system:
# pkg_add -r cvsup-without-gui
# pkg_add -r fastest_cvsup
# pkg_add -r portupgrade
# pkg_add -r freebsd-update
# pkg_add -r docproj-nojadetex
To use "cvsup", you'll need a supfile telling it what to fetch. Mine keeps src, ports, and docs up-to-date, tracking FreeBSD 5.3 (the RELENG_5_3 tag):
# more /root/cvs-supfile
*default host=cvsup.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_5_3
*default release=cvs delete use-rel-suffix compress
src-all
ports-all tag=.
doc-all tag=.
If this is your first "cvsup", don't forget to make a directory for it to use:
# mkdir /usr/local/etc/cvsup
While these configurations can keep things up-to-date, I also wanted to script a daily check for operating system security patches using "freebsd-update" as mentioned in Richard Bejtlich's November 25th blog.
"freebsd-update" won't run until you rename its sample configuration file:
# mv /usr/local/etc/freebsd-update.conf.sample \
/usr/local/etc/freebsd-update.conf
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
oreillynet.com Copyright © 2006 O'Reilly Media, Inc.
Hack #89 in BSD Hacks explains that the cvsup'd doc changes are in SGML and how to use "docproj-nojadetex" to convert them to HTML. Now, if you decide to use a "refuse" file with "cvsup", the doc build will abort with an error once make encounters the missing doc files for the languages you don't "cvsup".
You can edit "/usr/doc/Makefile" to remove the languages you don't "cvsup". For example, mine now looks like this:
# $FreeBSD: doc/Makefile,v 1.34 2004/09/27 00:26:48 josef Exp $
#
# The user can override the default list of languages to build and install
# with the DOC_LANG variable.
#
.if defined(DOC_LANG) && !empty(DOC_LANG)
SUBDIR = ${DOC_LANG}
.else
SUBDIR = en_US.ISO8859-1
.endif
Unfortunately, "cvsup" will overwrite your changes to this file. One work-around is to remember to do this before you run cvsup:
# cp /usr/doc/Makefile /usr/doc/Makefile.orig
The other work-around is to not use a "refuse" file at all.
Finally, make a script to tie everything together:
# more /root/cvsup
#!/bin/sh
#use fastest_cvsup to find the fastest geographically
#close mirror; I'll check Canada and the US
if SERVER=`fastest_cvsup -q -c ca,us`
then
  echo "Running cvsup"
  cvsup -L2 -h "$SERVER" /root/cvs-supfile
else
  echo "There's a problem finding a cvsup mirror" 1>&2
  exit 1
fi
#-U (which takes a long time to execute) isn't needed
#with the fetchindex command
echo "Updating ports index"
cd /usr/ports || exit 1
make fetchindex
portsdb -u
#put back the edited Makefile that cvsup overwrote, then
#send copious output to the bit bucket
echo "Updating docs"
cd /usr/doc || exit 1
cp Makefile.orig Makefile
make install > /dev/null
echo "Looking for security patches"
freebsd-update fetch
echo "The following ports need upgrading"
portversion -l "<"
echo "Finished at `/bin/date`."
exit 0
Make your script executable and give it a go, watching for any error messages.
I like to run this script manually (while drinking my morning coffee) so I can watch its output. This gives me an idea of which src, ports, and docs have changed. If there's new source, there's probably a new security vulnerability. And I certainly want to know if there's any new docs so I can check them out.
I also want to look at the output of freebsd-update; if there's a security vulnerability in the operating system, I want to know about it.
This script will NOT upgrade your ports; instead, it will tell you which ports need upgrading. I like to manually run "portupgrade -arR", once I've determined that I do indeed want to upgrade all of my ports.
I also considered including "/usr/ports/security/portaudit" in the script, but decided it added too much additional output. Instead, I enabled it as a periodic script so the results are emailed to root. Once the package is installed, see "man portaudit" for details.
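As an added example (not the column's own script), here is the same daily run rewritten as checked functions: the mirror choice falls back to a fixed host, a failed cvsup stops the run instead of being followed by an index update against stale ports, the language list goes to make through the DOC_LANG variable that the Makefile comment describes (so cvsup overwriting the Makefile no longer matters), and the ports that portversion reports are counted. The tool names are the ones installed above; pick_server, count_outdated, build_docs and run_update are my own names.

```sh
#!/bin/sh
# Added example, not the column's script: the same daily update written as
# checked functions. Tools assumed present: fastest_cvsup, cvsup,
# freebsd-update, portversion (the ones the column installs).

# Pick a cvsup host: the finder command's output if it succeeds and prints
# a name, otherwise the fallback. The finder is a parameter so the choice
# can be exercised without a network.
pick_server() {
    finder=$1; fallback=$2
    if host=$($finder 2>/dev/null) && [ -n "$host" ]; then
        printf '%s\n' "$host"
    else
        printf '%s\n' "$fallback"
    fi
}

# Count ports that `portversion -l "<"` reports out of date; every line of
# that report ends in "<". Reads the report on stdin, prints the count.
count_outdated() {
    awk 'NF && $NF == "<" { n++ } END { print n + 0 }'
}

# Build the docs for an explicit language list via DOC_LANG (documented in
# /usr/doc/Makefile) so the Makefile cvsup overwrites needs no editing.
# $1 = doc directory, $2 = space-separated language list.
build_docs() {
    ( cd "$1" && make DOC_LANG="$2" install > /dev/null )
}

# The daily run; each step aborts on failure so a broken cvsup is not
# silently followed by an index update against stale ports.
run_update() {
    server=$(pick_server "fastest_cvsup -q -c ca,us" cvsup.freebsd.org)
    echo "Running cvsup against $server"
    cvsup -L2 -h "$server" /root/cvs-supfile || exit 1
    echo "Updating ports index"
    ( cd /usr/ports && make fetchindex && portsdb -u ) || exit 1
    echo "Updating docs"
    build_docs /usr/doc en_US.ISO8859-1 || exit 1
    echo "Looking for security patches"
    freebsd-update fetch
    echo "Ports needing an upgrade: $(portversion -l '<' | count_outdated)"
    portversion -l "<"
    echo "Finished at $(date)."
}

# Run the real update only when invoked as: sh ./cvsup-daily run
if [ "${1:-}" = run ]; then run_update; fi
```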