Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Thu Jan 07, 2010 5:40 pm Post subject: glsa-check questions |
I have been using glsa-check for years. I run it after each 'emerge --sync', as part of a script:
Code: | glsa-check -tvn affected |
I have two questions, the first more important than the second:
a) Is it necessary to first run 'glsa-check -t all' before the utility can tell which GLSAs the system is "affected" by?
Obviously I have been assuming that it's not, but it occurs to me that the man page's description of what the -t option does ("test if this system is affected by the GLSAs") doesn't make much sense unless 'glsa-check -t all' is necessary before 'glsa-check <option> affected' can be used. (If it's already known whether each GLSA affects the system, then why would it ever be necessary to run anything against the "all" list?)
The man page does not make it clear whether this is necessary or not. The gentoo security handbook page regarding glsa-check shows only examples of using 'glsa-check all' and never mentions "affected". There are references to a glsa-integration page, but it seems to be a dead link.
http://www.gentoo.org/proj/en/portage/glsa-integration.xml
b) What exactly is "glsa-injected" for (the -i command option and the file)? Assuming I've understood the man page correctly, and that it simply removes GLSAs from consideration for being flagged as "affected", then "injected" really isn't very descriptive. Wouldn't "glsa-masked" or "glsa-ignored" be more descriptive?
_________________
patrix_neo wrote: | The human thought: I cannot win.
The ratbrain in me : I can only go forward and that's it. |
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9507 Location: beyond the rim
Posted: Thu Jan 07, 2010 6:20 pm Post subject: Re: glsa-check questions |
BoneKracker wrote: | a) Is it necessary to first run 'glsa-check -t all' before the utility can tell which GLSAs the system is "affected" by? |
No.
Quote: | Obviously I have been assuming that it's not, but it occurs to me that the man page's description of what the -t option does ("test if this system is affected by the GLSAs") doesn't make much sense unless 'glsa-check -t all' is necessary before 'glsa-check <option> affected' can be used. (If it's already known whether each GLSA affects the system, then why would it ever be necessary to run anything against the "all" list?) |
One reason is that 'all' existed before 'affected', so in the first versions of glsa-check you had to use either 'all' or 'new' (removed by now). 'affected' was added later as a convenience. Another reason is that glsa-check was also intended to be used by network administrators to get an overview about available advisories without having to run glsa-check on every system.
Quote: | b) What exactly is "glsa-injected" for (the -i command option and the file). Assuming I've understood the man page correctly, and that it simply removes GLSAs from consideration for being flagged as "affected", then "injected" really isn't very descriptive. Wouldn't "glsa-masked" or "glsa-ignored" be more descriptive"? |
The name comes from the old emerge --inject option which marked packages as installed without actually installing them (the option was removed later as it caused various problems and because it was abused in a nasty way to get portage running on MacOS). The glsa-check option in the same way marks a GLSA as already applied, rather than preventing it from showing up. |
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Thu Jan 07, 2010 6:40 pm Post subject: |
Thank you.
Glad to know I have not been using it improperly all this time.
I figure that "injected" probably had something to do with manually installed packages (like /etc/portage/profile/package.provided), or GLSAs you couldn't apply for dependency reasons or what-not. I wasn't sure though, since the name didn't make sense to me. That clears it up.
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9507 Location: beyond the rim
Posted: Fri Jan 08, 2010 3:38 am Post subject: |
BoneKracker wrote: | I figure that "injected" probably had something to do with manually installed packages (like /etc/portage/profile/package.provided), or GLSAs you couldn't apply for dependency reasons or what-not. |
The main idea behind it was to not bother people with things they had fixed manually (e.g. by disabling a vulnerable feature) or knew were not relevant to them (e.g. a vulnerability that only exists if some USE flags were enabled). |
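An added example, not code from this thread or from portage: a small post-sync wrapper that follows Genone's two points above, running the test against `affected` on the host and treating `-i` as "recorded as dealt with" rather than "hidden". Because `glsa-check -i` stores no reason, the wrapper keeps a separate ledger of why each advisory was injected (feature disabled, USE flag not enabled, fixed by hand) and reports only the advisories that have neither a fix nor a ledger entry. Assumptions not stated on the page: glsa-check prints each affected GLSA id in YYYYMM-NN form at the start of a line; the ledger path /etc/portage/glsa-exceptions and its "id date reason" layout are this example's own convention; the sample ids used for testing are constructed and deliberately dated 2099.

```shell
#!/bin/sh
# Added example (not from the thread or from portage): post-sync glsa-check
# wrapper with a written reason for every advisory injected with -i.
# Assumptions: glsa-check prints affected ids as YYYYMM-NN at line start;
# the ledger path/layout below is this example's own; sample data is constructed.
set -u

# Read `glsa-check -t -n affected` output on stdin and print the unique ids,
# dropping the banner line and any -v description that follows an id.
extract_glsa_ids() {
    sed -n 's/^\([0-9]\{6\}-[0-9]\{2\}\).*/\1/p' | sort -u
}

# Print the ids in file $1 that are not recorded (first column) in ledger $2.
# A missing or unreadable ledger means nothing has been excepted yet.
unhandled_glsas() {
    local ids_file ledger
    ids_file=$1
    ledger=$2
    [ -r "$ledger" ] || ledger=/dev/null
    awk -v L="$ledger" '
        FILENAME == L { if ($0 !~ /^#/ && NF) seen[$1] = 1; next }
        NF && !($1 in seen)
    ' "$ledger" "$ids_file"
}

# record_exception ID LEDGER REASON...: append "id date reason" to the ledger,
# then mark the GLSA as applied with `glsa-check -i` (which records it as dealt
# with; it does not hide it).  The tool is only called when present and
# GLSA_DRY_RUN is unset, so the bookkeeping can be exercised offline.
record_exception() {
    [ $# -ge 3 ] || { echo "usage: record_exception ID LEDGER REASON..." >&2; return 2; }
    local id ledger
    id=$1
    ledger=$2
    shift 2
    case $id in
        [0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]) ;;
        *) echo "record_exception: bad GLSA id '$id'" >&2; return 2 ;;
    esac
    printf '%s %s %s\n' "$id" "$(date -u +%Y-%m-%d)" "$*" >> "$ledger" || return 1
    if [ -z "${GLSA_DRY_RUN:-}" ] && command -v glsa-check >/dev/null 2>&1; then
        glsa-check -i "$id"
    fi
}

# Driver for a post-sync hook or cron job: exits 1 while any affected GLSA has
# neither been fixed nor been given a ledger entry, so the job status shows it.
glsa_post_sync_check() {
    local ledger tmp left
    ledger=${1:-/etc/portage/glsa-exceptions}   # assumed path; pick your own
    tmp=$(mktemp) || return 1
    glsa-check -t -n affected | extract_glsa_ids > "$tmp"
    left=$(unhandled_glsas "$tmp" "$ledger")
    rm -f "$tmp"
    [ -n "$left" ] || return 0
    printf 'Unhandled GLSAs (emerge the fix or record_exception with a reason):\n%s\n' "$left"
    return 1
}

# Invoke as `sh glsa-post-sync.sh --run [ledger]` right after `emerge --sync`.
if [ "${1:-}" = "--run" ]; then
    shift
    glsa_post_sync_check "$@"
fi
```

Call `record_exception` only once the advisory really has been dealt with by other means, because after `glsa-check -i` the tool will no longer report it; the ledger line is what lets the next administrator see why.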
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Fri Jan 08, 2010 6:59 am Post subject: |
Genone wrote: | BoneKracker wrote: | I figure that "injected" probably had something to do with manually installed packages (like /etc/portage/profile/package.provided), or GLSAs you couldn't apply for dependency reasons or what-not. |
The main idea behind it was to not bother people with things they had fixed manually (e.g. by disabling a vulnerable feature) or knew were not relevant to them (e.g. a vulnerability that only exists if some USE flags were enabled). |
Yes, it's a good feature. The name kind of threw me, since "injected" is before my time.
Kasumi_Ninja Veteran
Joined: 18 Feb 2006 Posts: 1825 Location: The Netherlands
Posted: Sun Aug 29, 2010 6:21 pm Post subject: Re: glsa-check questions |
BoneKracker wrote: | I have been using glsa-check for years. I run it after each 'emerge --sync', as part of a script:
Code: | glsa-check -tvn affected |
|
Could you share that script? Thanks!
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered |
Bones McCracker Veteran
Joined: 14 Mar 2006 Posts: 1611 Location: U.S.A.
Posted: Mon Aug 30, 2010 3:39 am Post subject: Re: glsa-check questions |
Kasumi_Ninja wrote: | BoneKracker wrote: | I have been using glsa-check for years. I run it after each 'emerge --sync', as part of a script:
Code: | glsa-check -tvn affected |
|
Could you share that script? Thanks! |
It's just a "daily administrative checks" script. It is very poorly written (one of the first scripts I ever wrote), and I haven't bothered to make any improvements to it in years. It's a daily cron job that does stuff and generates output that is a report (on my systems, this gets emailed to the administrator). Anybody who might use it would undoubtedly want to modify it heavily, but I suppose it might give you some ideas.
Code: |
#!/bin/bash
# /etc/cron.daily/admin_daily
# Purpose: perform routine system security and stability tasks
# and provide the system administrator a concise report.
# Needs bash (uses echo -e) and root (reads /etc/shadow, netstat -p).
echo -e "\n\n\t\t\t\t==========================="
echo -e "\t\t\t\t# SysAdmin's Daily Report #"
echo -e "\t\t\t\t===========================\n"
echo 1. Access Control:
echo ==================
echo
echo Current Activity:
echo -----------------
/usr/bin/w
echo
echo Logins in the Past Day:
echo -----------------------
/usr/bin/lastlog -t 1
echo
echo Cumulative Login Failures:
echo --------------------------
/usr/bin/faillog -a
echo
echo Unlocked Accounts:
echo ------------------
# Accounts whose password field is neither "*" nor "!"-locked, i.e. that can
# authenticate with a password (an empty field, no password at all, is listed too).
awk -F: '$2 !~ /^[*!]/ { print $1 }' /etc/shadow
# this is the first conditional report element; more should be this way
# Any passwd entry whose password field is not "x" carries its hash (or nothing)
# outside /etc/shadow.
unshadowed=$(awk -F: '$2 != "x"' /etc/passwd)
if [ -n "$unshadowed" ]; then
    echo
    echo Unshadowed Passwords:
    echo ---------------------
    echo "$unshadowed"
fi
echo -e '\n\n'
echo 2. Runlevel Service Status:
echo ===========================
# -C disables colour; the pattern matches both "started" and "stopped"
/bin/rc-status -C | awk '/st...ed/ { printf "%-15s %s\n", $1, $3 }'
echo
echo Network Time Daemon Peers:
echo --------------------------
/usr/bin/ntpq -p
echo -e '\n\n'
echo 3. Open Network Connections:
echo ============================
# /bin/netstat --inet -ap <--- (this is broken, --inet tries to check sctp; will be fixed; equiv below)
# tcp, udp, udplite and raw sockets, listeners included, with the owning process
/bin/netstat -tuUwap
echo -e '\n\n'
echo 4. Patch Status:
echo ================
echo -n Synchronizing Package Database...
/usr/bin/emerge --sync --quiet && echo " completed."
echo
echo Package Updates Available:
echo --------------------------
/usr/bin/emerge -upDN --columns --color n world
echo
echo Applicable Security Advisories:
echo -------------------------------
# -t tests each listed GLSA against the installed packages, so "all" still
# reports only the advisories this system is affected by
/usr/bin/glsa-check -tvn all
echo -e '\n\n'
echo 5. Resource Utilization:
echo ========================
echo
echo Memory:
echo -------
/usr/bin/free -m
echo
echo Storage:
echo --------
/bin/df -hT
echo
echo -e "\t\t\t\t=================================="
echo -e "\t\t\t\t# End of SysAdmin's Daily Report #"
echo -e "\t\t\t\t==================================\n\n"
/usr/bin/logger -p cron.notice "$0 complete."
exit 0 |
Kasumi_Ninja Veteran
Joined: 18 Feb 2006 Posts: 1825 Location: The Netherlands
Posted: Mon Aug 30, 2010 7:21 am Post subject: |
Thanks! I'm using logwatch now. It would be nice to run my own script though. |
DancesWithWords Guru
Joined: 29 Jun 2002 Posts: 347 Location: ottawa, canada
Posted: Wed Feb 17, 2016 5:48 pm Post subject: Re: glsa-check questions |
Bones McCracker wrote: | It's just a "daily administrative checks" script. [...] (script quoted in full in the post above) |
Have you made any modifications to this script? If so, could you post the new script or PM me the script?
=====
DWW |