From 9823758e81e8dee06d860cde206e4113a4ed467a Mon Sep 17 00:00:00 2001
From: sevan <sevan>
Date: Sat, 7 Jan 2017 03:28:38 +0000
Subject: Use the path pkg_admin is installed in when bootstrapped from pkgsrc,
 not natively on NetBSD. Add a cron job to run the audit in the example.
 Direct NetBSD users to the fetch_pkg_vulnerabilities &
 check_pkg_vulnerabilities instead.

---
 doc/guide/files/using.xml | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

(limited to 'doc/guide')

diff --git a/doc/guide/files/using.xml b/doc/guide/files/using.xml
index e4eb79172db..181afdf758d 100644
--- a/doc/guide/files/using.xml
+++ b/doc/guide/files/using.xml
@@ -1,4 +1,4 @@
-<!-- $NetBSD: using.xml,v 1.41 2017/01/07 02:25:24 sevan Exp $ -->
+<!-- $NetBSD: using.xml,v 1.42 2017/01/07 03:28:38 sevan Exp $ -->
 
 <chapter id="using"> <?dbhtml filename="using.html"?>
 <title>Using pkgsrc</title>
@@ -174,17 +174,26 @@ and you can still use binary packages from someone else.</para>
       to the root users &man.crontab.5; entry.  For example the entry
       <screen>
 # download vulnerabilities file
-0 3 * * * /usr/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1
+0 3 * * * /usr/pkg/sbin/pkg_admin fetch-pkg-vulnerabilities >/dev/null 2>&1
+# audit the installed packages and email results to root
+9 3 * * * /usr/pkg/sbin/pkg_admin auit |mail -s "Installed package audit result" root >/dev/null 2>&1
       </screen>
-      will update the vulnerability list every day at 3AM. You may wish to do
-      this more often than once a day.
+      will update the vulnerability list every day at 3AM, followed by an audit
+      at 3:09AM. The result of the audit are then emailed to root.
 
-      In addition, you may wish to run the package audit from the daily
-      security script.  This may be accomplished by adding the following
-      line to <filename>/etc/security.local</filename>:
+      On NetBSD this may be accomplished instead by adding the following
+      line to <filename>/etc/daily.conf</filename>:
       <screen>
-/usr/sbin/pkg_admin audit
+fetch_pkg_vulnerabilities=YES
       </screen>
+      to fetch the vulnerability list from the daily security script. The system
+      is set to audit the packages by default but can be set explicitly, if
+      desired (not required), by adding the follwing line to
+<filename>/etc/security.conf</filename>:
+      <screen>
+check_pkg_vulnerabilities=YES
+      </screen>
+      see &man.daily.conf.5; and &man.security.conf.5; for more details.
     </para>
   </sect2>
 
-- 
cgit v1.2.3