===========================================================================
$NetBSD: MESSAGE,v 1.7 2017/01/09 07:01:33 sevan Exp $

You may wish to have the vulnerabilities file downloaded daily so that it
remains current. This may be done by adding an appropriate entry to the root
user's crontab(5). For example, the entry

        # Download vulnerabilities file
        0 3 * * * ${PREFIX}/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1
        # Audit the installed packages and email results to root
        9 3 * * * ${PREFIX}/sbin/pkg_admin audit | mail -s "Installed package audit result" root >/dev/null 2>&1

will update the vulnerability list every day at 3AM, followed by an audit at
3:09AM. The results of the audit are then emailed to root. On NetBSD this may be
accomplished instead by adding the following line to /etc/daily.conf:

        fetch_pkg_vulnerabilities=YES

to fetch the vulnerability list from the daily security script. The system is
set to audit the packages by default but can be set explicitly, if desired (not
required), by adding the following line to /etc/security.conf:

        check_pkg_vulnerabilities=YES

Both pkg_admin subcommands can be run as an unprivileged user,
as long as the user chosen has permission to read the pkgdb and to write
the pkg-vulnerabilities to ${PKGVULNDIR}.

The behavior of pkg_admin and pkg_add can be customised with
pkg_install.conf. Please see pkg_install.conf(5) for details.

If you want to use GPG signature verification you will need to install
GnuPG and set the path for GPG appropriately in your pkg_install.conf.
===========================================================================
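
The conditions stated above for running both pkg_admin subcommands unprivileged (readable pkgdb, writable ${PKGVULNDIR}) and the aim of keeping the vulnerabilities file current can be checked before the cron entries are installed. The script below is an added example, not part of pkg_install; the function names, the pkg-vulnerabilities file name under PKGVULNDIR and the 2-day freshness threshold are assumptions.

```shell
#!/bin/sh
# Preflight for running the fetch and audit cron jobs as an unprivileged user.
# Added example; names and the default threshold are assumptions.
# Usage, as the user the cron jobs will run as:
#   sh preflight.sh "$(pkg_admin config-var PKG_DBDIR)" \
#                   "$(pkg_admin config-var PKGVULNDIR)"

# check_pkgdb_readable DIR: the audit must be able to list and read the pkgdb.
check_pkgdb_readable() {
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# check_vulndir_writable DIR: fetch-pkg-vulnerabilities writes its file here.
check_vulndir_writable() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# vuln_file_state FILE MAX_AGE_DAYS: prints missing, stale or fresh.
# An empty file counts as missing, since an interrupted fetch can leave one.
vuln_file_state() {
    if [ ! -s "$1" ]; then
        echo missing
    elif [ -n "$(find "$1" -mtime -"$2" 2>/dev/null)" ]; then
        echo fresh
    else
        echo stale
    fi
}

# preflight PKGDB VULNDIR [MAX_AGE_DAYS]: prints one line per problem and
# returns 0 only when every check passes.
preflight() {
    rc=0
    check_pkgdb_readable "$1" || { echo "pkgdb not readable: $1"; rc=1; }
    check_vulndir_writable "$2" || { echo "PKGVULNDIR not writable: $2"; rc=1; }
    state=$(vuln_file_state "$2/pkg-vulnerabilities" "${3:-2}")
    [ "$state" = fresh ] || { echo "pkg-vulnerabilities is $state"; rc=1; }
    return "$rc"
}

# Run the checks only when both directories are given on the command line.
if [ $# -ge 2 ]; then
    preflight "$@"
fi
```

A stale or missing result after the cron jobs have been in place for a day usually means the fetch job is failing silently, which the `>/dev/null 2>&1` redirection in the crontab entry would otherwise hide.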