How to Set Up Automated Security Audits on FreeBSD
A complete walkthrough configuring periodic(8), pkg-audit, and freebsd-update to catch known vulnerabilities and pending patches automatically, with results delivered by email.
FreeBSD ships with the tooling to check for known vulnerabilities in both the base system and installed packages automatically — this walks through wiring it all into a routine, unattended check.
Step 1: check the base system against known vulnerabilities
freebsd-update fetch
This compares your installed base system against the published security advisories, without applying anything yet.
Step 2: check installed packages against the pkg vulnerability database
pkg audit -F
-F fetches the current vulnerability database first — this checks every installed package against known CVEs, printing anything affected directly.
Step 3: enable the periodic(8) daily security scripts
# /etc/periodic.conf
daily_status_security_enable="YES"
daily_status_security_pkgaudit_enable="YES"
periodic(8) is FreeBSD’s built-in scheduled-maintenance framework — these settings tell its daily run to include a security summary and a pkg-audit pass automatically.
Step 4: make sure periodic’s output actually reaches you
sysrc periodic-daily-security_output="root"
mailer_check_pending
By default periodic mails its reports to root — confirm root’s mail is actually forwarded somewhere you’ll see it (via /etc/aliases), or these reports will accumulate unread in a local mailbox nobody checks.
Step 5: fetch and apply base system security patches
freebsd-update fetch
freebsd-update install
Reviewing what a patch actually changes (freebsd-update fetch alone, before install) is worth doing before applying it unattended on a production system.
Step 6: automate pkg updates for installed packages
pkg update
pkg upgrade
Consider scripting this via cron for regular, low-risk packages, while treating base-system updates and anything touching critical services with more manual review.
Step 7: check for a specific package’s advisory details
pkg audit <package-name>
When pkg audit -F flags something, this shows the specific CVE and description — useful for judging whether a flagged issue is actually exploitable in your specific configuration before deciding how urgently to patch it.
Step 8: review the full daily security report
cat /var/log/security/security.$(date +%Y%m%d)*
Manually reviewing at least the summary periodically — not just trusting that automated checks alone are sufficient — catches things the automated tools don’t flag, like unexpected new listening ports or changed file permissions.
Why automating the checking but not always the patching is the sensible default
Automatically fetching and reporting vulnerabilities costs nothing and catches problems fast; automatically applying every patch unattended on a production system trades that speed for the risk of an untested update breaking something at 3am with nobody watching. Automating detection while keeping a human in the loop for base-system patch application is a reasonable middle ground for most production FreeBSD deployments.