Gentoo Forums
glsa-check questions
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Thu Jan 07, 2010 5:40 pm    Post subject: glsa-check questions

I have been using glsa-check for years. I run it after each 'emerge --sync', as part of a script:
Code:
glsa-check -tvn affected


I have two questions, the first more important than the second:

a) Is it necessary to first run 'glsa-check -t all' before the utility can tell which GLSAs the system is "affected" by?

Obviously I have been assuming that it's not, but it occurs to me that the man page's description of what the -t option does ("test if this system is affected by the GLSAs") doesn't make much sense unless 'glsa-check -t all' is necessary before 'glsa-check <option> affected' can be used. (If it's already known whether each GLSA affects the system, then why would it ever be necessary to run anything against the "all" list?)

The man page does not make it clear whether this is necessary or not. The gentoo security handbook page regarding glsa-check shows only examples of using 'glsa-check all' and never mentions "affected". There are references to a glsa-integration page, but it seems to be a dead link.
http://www.gentoo.org/proj/en/portage/glsa-integration.xml

b) What exactly is "glsa-injected" for (the -i command option and the file)? Assuming I've understood the man page correctly, and that it simply removes GLSAs from consideration for being flagged as "affected", then "injected" really isn't very descriptive. Wouldn't "glsa-masked" or "glsa-ignored" be more descriptive?
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
Genone
Retired Dev


Joined: 14 Mar 2003
Posts: 9501
Location: beyond the rim

Posted: Thu Jan 07, 2010 6:20 pm    Post subject: Re: glsa-check questions

BoneKracker wrote:
a) Is it necessary to first run 'glsa-check -t all' before the utility can tell which GLSAs the system is "affected" by?

No.

Quote:
Obviously I have been assuming that it's not, but it occurs to me that the man page's description of what the -t option does ("test if this system is affected by the GLSAs") doesn't make much sense unless 'glsa-check -t all' is necessary before 'glsa-check <option> affected' can be used. (If it's already known whether each GLSA affects the system, then why would it ever be necessary to run anything against the "all" list?)


One reason is that 'all' existed before 'affected', so in the first versions of glsa-check you had to use either 'all' or 'new' (removed by now). 'affected' was added later as a convenience. Another reason is that glsa-check was also intended to be used by network administrators to get an overview about available advisories without having to run glsa-check on every system.

Quote:
b) What exactly is "glsa-injected" for (the -i command option and the file)? Assuming I've understood the man page correctly, and that it simply removes GLSAs from consideration for being flagged as "affected", then "injected" really isn't very descriptive. Wouldn't "glsa-masked" or "glsa-ignored" be more descriptive?


The name comes from the old emerge --inject option, which marked packages as installed without actually installing them (the option was removed later as it caused various problems and because it was abused in a nasty way to get portage running on MacOS). The glsa-check option in the same way marks a GLSA as already applied, rather than preventing it from showing up.
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Thu Jan 07, 2010 6:40 pm

Thank you.

Glad to know I have not been using it improperly all this time. :)

I figure that "injected" probably had something to do with manually installed packages (like /etc/portage/profile/package.provided), or GLSAs you couldn't apply for dependency reasons or what-not. I wasn't sure though, since the name didn't make sense to me. That clears it up.
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
Genone
Retired Dev


Joined: 14 Mar 2003
Posts: 9501
Location: beyond the rim

Posted: Fri Jan 08, 2010 3:38 am

BoneKracker wrote:
I figure that "injected" probably had something to do with manually installed packages (like /etc/portage/profile/package.provided), or GLSAs you couldn't apply for dependency reasons or what-not.

The main idea behind it was to not bother people with things they had fixed manually (e.g. by disabling a vulnerable feature) or knew were not relevant to them (e.g. a vulnerability that only exists if some USE flags were enabled).
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Fri Jan 08, 2010 6:59 am

Genone wrote:
BoneKracker wrote:
I figure that "injected" probably had something to do with manually installed packages (like /etc/portage/profile/package.provided), or GLSAs you couldn't apply for dependency reasons or what-not.

The main idea behind it was to not bother people with things they had fixed manually (e.g. by disabling a vulnerable feature) or knew were not relevant to them (e.g. a vulnerability that only exists if some USE flags were enabled).

Yes, it's a good feature. The name kind of threw me, since "injected" is before my time.
_________________
patrix_neo wrote:
The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it.
Kasumi_Ninja
Veteran


Joined: 18 Feb 2006
Posts: 1825
Location: The Netherlands

Posted: Sun Aug 29, 2010 6:21 pm    Post subject: Re: glsa-check questions

BoneKracker wrote:
I have been using glsa-check for years. I run it after each 'emerge --sync', as part of a script:
Code:
glsa-check -tvn affected


Could you share that script? Thanks!
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
Bones McCracker
Veteran


Joined: 14 Mar 2006
Posts: 1611
Location: U.S.A.

Posted: Mon Aug 30, 2010 3:39 am    Post subject: Re: glsa-check questions

Kasumi_Ninja wrote:
BoneKracker wrote:
I have been using glsa-check for years. I run it after each 'emerge --sync', as part of a script:
Code:
glsa-check -tvn affected


Could you share that script? Thanks!


It's just a "daily administrative checks" script. It is very poorly written (one of the first scripts I ever wrote), and I haven't bothered to make any improvements to it in years. It's a daily cron job that does stuff and generates output that is a report (on my systems, this gets emailed to the administrator). Anybody who might use it would undoubtedly want to modify it heavily, but I suppose it might give you some ideas.
Code:

#! /bin/sh

# /etc/cron.daily/admin_daily

# Purpose: perform routine system security and stability tasks
# and provide the system administrator a concise report.

echo -e "\n\n\t\t\t\t===========================
\t\t\t\t# SysAdmin's Daily Report #
\t\t\t\t===========================\n"

echo 1. Access Control:
echo ==================
echo
echo Current Activity:
echo -----------------
/usr/bin/w
echo
echo Logins in the Past Day:
echo -----------------------
/usr/bin/lastlog -t 1
echo
echo Cumulative Login Failures:
echo --------------------------
/usr/bin/faillog -a
echo
echo Unlocked Accounts:
echo ------------------
/bin/egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}'

# this is the first conditional report element; more should be this way
if [ `/bin/grep -v ':x:' /etc/passwd | wc -l` -gt 0 ]; then
        echo
        echo Unshadowed Passwords:
        echo ---------------------
        /bin/grep -v ':x:' /etc/passwd
fi
echo -e '\n\n'

echo 2. Runlevel Service Status:
echo ===========================
/bin/rc-status -C | awk ' /st...ed/ { printf "%-15s %s\n", $1, $3 } '
echo
echo Network Time Daemon Peers:
echo --------------------------
/usr/bin/ntpq -p
echo -e '\n\n'

echo 3. Open Network Connections:
echo ============================
# /bin/netstat --inet -ap  <--- (this is broken, --inet tries to check sctp; will be fixed; equiv below)
/bin/netstat -tuUwap
echo -e '\n\n'

echo 4. Patch Status:
echo ================
echo -n Synchronizing Package Database...
/usr/bin/emerge --sync --quiet && echo " completed."
echo
echo Package Updates Available:
echo --------------------------
/usr/bin/emerge -upDN --columns --color n world
echo
echo Applicable Security Advisories:
echo -------------------------------
/usr/bin/glsa-check -tvn all
echo -e '\n\n'

echo 5. Resource Utilization:
echo ========================
echo
echo Memory:                               
echo -------
/usr/bin/free -m
echo
echo Storage:
echo --------
/bin/df -hT
echo
echo -e "\t\t\t\t==================================
\t\t\t\t# End of SysAdmin's Daily Report #
\t\t\t\t==================================\n\n"

/usr/bin/logger -p cron.notice "$0 complete."

exit 0
Kasumi_Ninja
Veteran


Joined: 18 Feb 2006
Posts: 1825
Location: The Netherlands

Posted: Mon Aug 30, 2010 7:21 am

Thanks! I'm using logwatch now. It would be nice to run my own script though.
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
DancesWithWords
Guru


Joined: 29 Jun 2002
Posts: 347
Location: ottawa, canada

Posted: Wed Feb 17, 2016 5:48 pm    Post subject: Re: glsa-check questions

Bones McCracker wrote:
Kasumi_Ninja wrote:
BoneKracker wrote:
I have been using glsa-check for years. I run it after each 'emerge --sync', as part of a script:
Code:
glsa-check -tvn affected


Could you share that script? Thanks!


It's just a "daily administrative checks" script. It is very poorly written (one of the first scripts I ever wrote), and I haven't bothered to make any improvements to it in years. It's a daily cron job that does stuff and generates output that is a report (on my systems, this gets emailed to the administrator). Anybody who might use it would undoubtedly want to modify it heavily, but I suppose it might give you some ideas.
Code:

#! /bin/sh

# /etc/cron.daily/admin_daily

# Purpose: perform routine system security and stability tasks
# and provide the system administrator a concise report.

echo -e "\n\n\t\t\t\t===========================
\t\t\t\t# SysAdmin's Daily Report #
\t\t\t\t===========================\n"

echo 1. Access Control:
echo ==================
echo
echo Current Activity:
echo -----------------
/usr/bin/w
echo
echo Logins in the Past Day:
echo -----------------------
/usr/bin/lastlog -t 1
echo
echo Cumulative Login Failures:
echo --------------------------
/usr/bin/faillog -a
echo
echo Unlocked Accounts:
echo ------------------
/bin/egrep -v '.*:\*|:\!' /etc/shadow | awk -F: '{print $1}'

# this is the first conditional report element; more should be this way
if [ `/bin/grep -v ':x:' /etc/passwd | wc -l` -gt 0 ]; then
        echo
        echo Unshadowed Passwords:
        echo ---------------------
        /bin/grep -v ':x:' /etc/passwd
fi
echo -e '\n\n'

echo 2. Runlevel Service Status:
echo ===========================
/bin/rc-status -C | awk ' /st...ed/ { printf "%-15s %s\n", $1, $3 } '
echo
echo Network Time Daemon Peers:
echo --------------------------
/usr/bin/ntpq -p
echo -e '\n\n'

echo 3. Open Network Connections:
echo ============================
# /bin/netstat --inet -ap  <--- (this is broken, --inet tries to check sctp; will be fixed; equiv below)
/bin/netstat -tuUwap
echo -e '\n\n'

echo 4. Patch Status:
echo ================
echo -n Synchronizing Package Database...
/usr/bin/emerge --sync --quiet && echo " completed."
echo
echo Package Updates Available:
echo --------------------------
/usr/bin/emerge -upDN --columns --color n world
echo
echo Applicable Security Advisories:
echo -------------------------------
/usr/bin/glsa-check -tvn all
echo -e '\n\n'

echo 5. Resource Utilization:
echo ========================
echo
echo Memory:                               
echo -------
/usr/bin/free -m
echo
echo Storage:
echo --------
/bin/df -hT
echo
echo -e "\t\t\t\t==================================
\t\t\t\t# End of SysAdmin's Daily Report #
\t\t\t\t==================================\n\n"

/usr/bin/logger -p cron.notice "$0 complete."

exit 0


Have you made any modifications to this script? If so, could you post the new script or PM me the script?

=====
DWW