Quick patch
Source based patch update system for FreeBSD
security updating
This script facilitates security patch updating on FreeBSD. It can be used to create simple-to-run patch files, like the one in the example below, for easy updating, but it can do much more.
It can also be run in a number of more powerful automated modes, such as a nightly cron job that checks for any new security advisories, PGP-verifies each advisory, then looks for and acts on the advisories that belong to your release branch, and emails an admin a report together with the patch commands needed to update the server.
It can even be run in fully automated patch mode, where it calculates the exact number of hours since the advisory was released (in UTC/GMT), emails a report of the commands that are about to be run, and then, a predefined number of hours later, runs the necessary security patch commands unattended, doing a full update of the server automatically.
Using Perl's regular expression power, the magic of this script is based around extracting data and patch commands from official FreeBSD security advisories; it has been tested from 4.4 to 5.2. The FreeBSD security advisories since release 4.4 have always been consistent enough in syntax that this script has worked more or less flawlessly since the 4.4 release :) Note that since FreeBSD does not have an official advisory standard/spec, this script must technically be classed as a 'hack'.
Minimum requirements: Perl, cvsup, wget (/usr/ports/ftp/wget).
To install perl, cvsup and wget, run this command, which downloads and installs the packages:
pkg_add -r cvsup-without-gui.tbz ; pkg_add -r wget.tbz ; pkg_add -r perl.tbz
Optionally gnupg, the ability for your server to send emails (sendmail) and an internet connection. Not too hard, eh? :)
To use, type "./quickpatch.pl updateadv" to update your FreeBSD security advisories db.
"./quickpatch.pl patch" or "./quickpatch.pl patch > big_patch_file" to create the patch files.
"./quickpatch.pl cvsup" to update your FreeBSD source tree.
"./quickpatch.pl cvsupports" to cvsup update your ports tree; the default tag is current.
"./quickpatch.pl notify" checks to see if any new advisories are ready for use and emails the patch commands to the configured email address.
You can also PGP check your advisories for maximum security by running "./quickpatch.pl pgpcheck". Note you will need to install gnupg and import the FreeBSD security officer public PGP key for checking mode to work.
Download Quickpatch here: quickpatch.tar.gz (last updated: Fri Apr 2 22:56:36 2004)
Source view: quickpatch.html
Change log
The idea is that you follow a FreeBSD release plus security updates branch via CVSUP. Example for cvsup mode: "./quickpatch.pl cvsup". A common cvsup config tag that you would normally see is:
*default release=cvs tag=RELENG_4_9
Once cvsup mode is completed, run the quickpatch script in patch mode (./quickpatch.pl patch); it will create a small patcher script that you can quickly run with little fuss. This allows you to easily update your FreeBSD box with security updates and other critical fixes.
For example, if you were running a fresh install of FreeBSD 4.9, running this script will create a shell script called "/usr/src/FreeBSD-SA-03%3A19.bind" which contains the necessary patch commands for the 4.9 release to patch a recent BIND vulnerability. The only thing left to do is to build and install the binaries by running the script "/usr/src/FreeBSD-SA-03%3A19.bind" which quickpatch has generated for you.
#!/bin/sh
#########################################################################################
####### FreeBSD-SA-03%3A19.bind.asc
####### Stored in file /usr/src/FreeBSD-SA-03%3A19.bind
####### PGP check Good: FreeBSD-SA-03%3A19.bind.asc
####### Topic: bind8 negative cache poison attack
####### Date Corrected: 2003-11-27 00:56:06
####### Hours past since corrected: 1908
####### Patch Commands
cd /usr/src
# patch < /path/to/patch
cd /usr/src/lib/libbind
make obj && make depend && make
cd /usr/src/lib/libisc
make obj && make depend && make
cd /usr/src/usr.sbin/named
make obj && make depend && make && make install
cd /usr/src/libexec/named-xfer
make obj && make depend && make && make install
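The extraction step described above, as an added example written here and not quickpatch's own code: it parses a constructed advisory excerpt in the FreeBSD advisory layout, pulls the "Corrected:" timestamp and the patch commands out of the solution section, works out the hours elapsed in UTC, and emits a patch script in the same shape as the generated one above. The advisory text, the fixed clock passed as $now and the subroutine names are all assumptions; the PGP verification quickpatch runs before trusting an advisory is not shown.

```perl
# Added example, not quickpatch itself: parse a constructed FreeBSD-style advisory,
# compute hours since its 'Corrected' time (UTC) and emit a patch script.
use strict;
use warnings;
use Time::Local qw(timegm);
# Constructed advisory excerpt; only the header lines and the "To patch" step are parsed.
my $advisory = <<'END';
FreeBSD-SA-03:19.bind                                       Security Advisory
Topic:          bind8 negative cache poison attack
Corrected:      2003-11-27 00:56:06 UTC (RELENG_4_9, 4.9-RELEASE-p1)
2) To patch your present system:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbind
# make obj && make depend && make
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
VI.  Correction details
END

sub parse_advisory {
    my ($text) = @_;
    my %adv;
    ($adv{name})  = $text =~ /^(FreeBSD-SA-\d{2}:\d{2}\.\S+)/m;
    ($adv{topic}) = $text =~ /^Topic:\s+(.+?)\s*$/m;
    my ($y, $mo, $d, $h, $mi, $s) =
        $text =~ /^Corrected:\s+(\d{4})-(\d\d)-(\d\d) (\d\d):(\d\d):(\d\d) UTC/m;
    $adv{corrected} = timegm($s, $mi, $h, $d, $mo - 1, $y);   # epoch seconds, UTC
    # '# ' prefixed shell lines between the patch step and the next section heading
    my ($block) = $text =~ /^2\) To patch your present system:\n(.*?)^VI\./ms;
    $adv{commands} = [ $block =~ /^#\s+(.+?)\s*$/mg ];
    return \%adv;
}

sub hours_since_corrected {
    my ($adv, $now) = @_;                  # $now in epoch seconds, defaults to time()
    $now = time unless defined $now;
    return int(($now - $adv->{corrected}) / 3600);
}

sub patch_script {
    my ($adv, $now) = @_;
    my $out = "#!/bin/sh\n####### $adv->{name}\n####### Topic: $adv->{topic}\n"
            . "####### Hours past since corrected: " . hours_since_corrected($adv, $now)
            . "\n####### Patch Commands\n";
    # the patch step needs a real file path, so it stays commented out as quickpatch does
    $out .= (/^patch\s*</ ? "# $_\n" : "$_\n") for @{ $adv->{commands} };
    return $out;
}
# constructed clock: run as if on 2004-02-14 12:56:06 UTC instead of the real time()
print patch_script(parse_advisory($advisory), timegm(6, 56, 12, 14, 1, 2004));
```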
The script can be used to run in fully automated mode. While this mode is discouraged, it is often better than the machine being left on the internet with no attention. For this mode to work, switch on run-patch-file mode with $runpatchfile="1"; and configure the script's other settings, such as the email address and the patch commands for kernel and system recompiling. Using PGP is almost vital in this case: set $pgpcheck="1"; then
cd /usr/ports/security/gnupg ; make install ; fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc ; gpg --import public_key.asc
To be notified by email of upcoming server updates (notify mode) you must have sendmail running. Secure sendmail example for /etc/rc.conf:
sendmail_enable="YES"
sendmail_submit_enable="YES"
# Start a localhost-only MTA for mail submission
and have at least 'sendmail : localhost : allow' in /etc/hosts.allow.
Then put something like this in your crontab:
# Every night does a cvsup update on the source tree
15 1 * * * root /etc/scripts/quickpatch.pl cvsup > /var/log/quickpatch/cvsup.log 2>&1
# 3 nights a week does an advisory check and download for any newly released security advisories
5 3 * * 1,3,5 root /etc/scripts/quickpatch.pl updateadv > /var/log/quickpatch/update.log 2>&1
# Checks to see if any new advisories are ready for use and emails the patch commands to the
# configured email address (some unloving admin of the machine)
25 3 * * 1,3,5 root /etc/scripts/quickpatch.pl notify >> /var/log/quickpatch/notify.log 2>&1
# 24 hours later patch mode is run which will run the patch commands if no one has decided to interfere.
25 3 * * 2,4,6 root /etc/scripts/quickpatch.pl patch >> /var/log/quickpatch/patch.log 2>&1
The security limitations of this system in fully automated mode are largely outside the control of this script. The biggest danger of this system is one that all FreeBSD users share: how well can you trust the CVS server you get your updates from? Commands taken from the FreeBSD security advisories, combined with PGP checking, make them very secure; the only remaining problem is the possibility of the security officer who holds the FreeBSD security PGP key inserting a non-patch command into an official FreeBSD security advisory, which is very unlikely.