SoCruel.NU

The domain that loves BSD


Check FreeBSD packages for vulnerabilities

One of the most important tasks of a FreeBSD system administrator is keeping the applications running on the system up to date. SoCruel.NU uses Nagios to monitor its FreeBSD systems (see also the How to manage a FreeBSD infrastructure blog post).

Nagios has a very good FreeBSD plugin to keep me up to date on the vulnerabilities and update status of my FreeBSD systems and their packages.

Requirements

The following requirements have to be in place to be able to implement what is described in this post:

  • an up-to-date FreeBSD version 10.x or 11
  • Nagios installed and configured
  • a connection to the internet with access to a public caching name server or
  • a connection to a local caching name server which has access to a public root or caching name server
  • a connection to the internet with HTTP and HTTPS ports open to the internet
  • basic knowledge of setting up Nagios

Check the ports and packages

A Nagios “check ports” plugin exists in ports: nagios-check_ports. This plugin checks the ports tree for updates or installed packages with known vulnerabilities.

At SoCruel.NU this plugin is used to check all packages running on its monitored FreeBSD systems.

To use this plugin we have to configure NRPE first. To do this, add the following line to your /usr/local/etc/nrpe.cfg file:

command[check_ports]=/usr/local/libexec/nagios/check_ports -a

Please also make sure that you have installed the nagios-check_ports port on the monitored system. SoCruel.NU uses SaltStack for this, but that is outside the scope of this blog post.

The next step is to let Nagios know that we want to use this check. We do this by defining a command like

# 'check_ports' command definition
define command{
        command_name    check_ports
        command_line    $USER1$/check_nrpe2 -H $HOSTADDRESS$ -u -c check_ports
        }

in your Nagios commands.cfg file.

The last step is to use this in your monitored server Nagios configuration file (I have a configuration file per monitored item):

define service{
        use                             generic-service
        host_name                       YOUR SERVER NAME HERE
        service_description             OTHER: FREEBSD PKG
        max_check_attempts              3
        normal_check_interval           60
        retry_check_interval            15
        contact_groups                  freebsd-admins
        check_command                   check_ports
        }
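
To see what a check of this kind hands back to Nagios, here is an added example (it is not the nagios-check_ports plugin's code and not part of the original post): a small sh function that reads `pkg audit` output on stdin and maps it to the Nagios plugin exit codes. The function name, the status text and the sample output are constructed for illustration, and the `<name>-<version> is vulnerable:` line format is an assumption about the audit output.

```sh
#!/bin/sh
# Added example, not the nagios-check_ports plugin: turn `pkg audit` output
# into a Nagios plugin result (one status line; exit 0=OK, 2=CRITICAL, 3=UNKNOWN).

# Constructed sample, modelled on `pkg audit` output; package names, advisory
# titles and the URL are placeholders.
SAMPLE='vulnxml file up-to-date
examplepkg-1.2.3 is vulnerable:
  examplepkg -- constructed advisory title
  CVE: CVE-XXXX-XXXX
  WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER.html

otherpkg-4.5_1 is vulnerable:
  otherpkg -- constructed advisory title

2 problem(s) in 2 installed package(s) found.'

# audit_to_nagios (hypothetical name): reads audit text on stdin.
# Assumption: every affected package appears as "<name>-<version> is vulnerable:".
audit_to_nagios() {
    input=$(cat)
    # No output at all means the audit itself failed (missing vuln database,
    # fetch error, pkg not installed). Report UNKNOWN rather than a false OK.
    if [ -z "$input" ]; then
        echo "PKG UNKNOWN - no audit output"
        return 3
    fi
    # Keep only the package names; sort -u collapses a package that is
    # listed once per advisory.
    vulnerable=$(printf '%s\n' "$input" |
        sed -n 's/^\([^ ][^ ]*\) is vulnerable:.*$/\1/p' | sort -u)
    if [ -z "$vulnerable" ]; then
        echo "PKG OK - no known vulnerabilities"
        return 0
    fi
    count=$(printf '%s\n' "$vulnerable" | wc -l | tr -d ' ')
    list=$(printf '%s\n' "$vulnerable" | tr '\n' ' ' | sed 's/ $//')
    echo "PKG CRITICAL - $count vulnerable package(s): $list"
    return 2
}

# On a FreeBSD host the input would come from:  pkg audit -F | audit_to_nagios
# Here the constructed sample is used so the script runs anywhere.
rc=0
printf '%s\n' "$SAMPLE" | audit_to_nagios || rc=$?
echo "exit code: $rc"
```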

Resources

Some (other) resources about this subject:

Updated: August 17, 2018