Skip to content
daniel@cosenza:~/blog
FreeBSDHow-To July 8, 2026 2 min read

How to Set Up Automated Security Audits on FreeBSD

A complete walkthrough configuring periodic(8), pkg-audit, and freebsd-update to catch known vulnerabilities and pending patches automatically, with results delivered by email.

FreeBSD ships with the tooling to check for known vulnerabilities in both the base system and installed packages automatically — this walks through wiring it all into a routine, unattended check.

Step 1: check the base system against known vulnerabilities

freebsd-update fetch

This compares your installed base system against the published security advisories, without applying anything yet.

Step 2: check installed packages against the pkg vulnerability database

pkg audit -F

-F fetches the current vulnerability database first — this checks every installed package against known CVEs, printing anything affected directly.

Step 3: enable the periodic(8) daily security scripts

# /etc/periodic.conf
daily_status_security_enable="YES"
daily_status_security_pkgaudit_enable="YES"

periodic(8) is FreeBSD’s built-in scheduled-maintenance framework — these settings tell its daily run to include a security summary and a pkg-audit pass automatically.

Step 4: make sure periodic’s output actually reaches you

sysrc periodic-daily-security_output="root"
mailer_check_pending

By default periodic mails its reports to root — confirm root’s mail is actually forwarded somewhere you’ll see it (via /etc/aliases), or these reports will accumulate unread in a local mailbox nobody checks.

Step 5: fetch and apply base system security patches

freebsd-update fetch
freebsd-update install

Reviewing what a patch actually changes (freebsd-update fetch alone, before install) is worth doing before applying it unattended on a production system.

Step 6: automate pkg updates for installed packages

pkg update
pkg upgrade

Consider scripting this via cron for regular, low-risk packages, while treating base-system updates and anything touching critical services with more manual review.

Step 7: check for a specific package’s advisory details

pkg audit <package-name>

When pkg audit -F flags something, this shows the specific CVE and description — useful for judging whether a flagged issue is actually exploitable in your specific configuration before deciding how urgently to patch it.

Step 8: review the full daily security report

cat /var/log/security/security.$(date +%Y%m%d)*

Manually reviewing at least the summary periodically — not just trusting that automated checks alone are sufficient — catches things the automated tools don’t flag, like unexpected new listening ports or changed file permissions.

Why automating the checking but not always the patching is the sensible default

Automatically fetching and reporting vulnerabilities costs nothing and catches problems fast; automatically applying every patch unattended on a production system trades that speed for the risk of an untested update breaking something at 3am with nobody watching. Automating detection while keeping a human in the loop for base-system patch application is a reasonable middle ground for most production FreeBSD deployments.