itoito (n00b)
Joined: 08 Aug 2002   Posts: 32
Posted: Sat Nov 16, 2002 12:38 am   Post subject: Gentoo-stats like service for security warnings
First of all, I always keep my systems fully updated, but I had an idea to increase the overall security of Gentoo users:

1. How about a non-anonymous (it's non-anonymous because it has to have your email address) gentoo-stats-like server that keeps track of all the installed packages and their versions on your server in a database. As soon as there is an exploitable bug for a package, it will scan its database and send an email to everyone currently working with this package.
2. Maybe it could be done by extending the gentoo-stats client software and the server a little. There already is a profile in the database; the only thing is the server would have to send you the list of security warnings if there are some, and then the client would have to send you a report and take your email address from a .conf file.

Some reasons:
- not everyone updates enough
- some people lose track of their servers
- not everyone checks for exploits and thus will not give priority to upgrading a package with security bugs.
- perhaps you have upgraded an exploitable package, but some other package still depends on the older version, so the system could still be vulnerable.
- users with an exploitable Gentoo machine give the distribution a bad name.

It's about the concept, so of course the implementation could be different.
What do you think?
pjp (Administrator)
Joined: 16 Apr 2002   Posts: 20067
Posted: Sat Nov 16, 2002 5:22 pm   Post subject: Re: Gentoo-stats like service for security warnings
Moved from Networking & Security as this isn't a support question.
itoito wrote:
    1. How about a non-anonymous (it's non-anonymous because it has to have your email address) ... will scan its database and send an email to everyone currently working with this package.

I think too many wouldn't want to have their information stored on someone else's server. Also, I think it should be up to individuals to track security (as opposed to someone else's server doing it).

Quote:
    - not everyone updates enough
    - some people lose track of their servers
    - not everyone checks for exploits and thus will not give priority to upgrading a package with security bugs.

There is a mailing list that mentions security issues. They should subscribe to it, and update accordingly.

Quote:
    - perhaps you have upgraded an exploitable package, but some other package still depends on the older version, so the system could still be vulnerable.

I could be mistaken, but I think this would be addressed in the security announcements.

Quote:
    - users with an exploitable Gentoo machine give the distribution a bad name.

The user would still be required to do the updates, so not much is gained. Subscribing to the mailing list would have a similar effect.

You might be interested in "emerge security".
_________________
Quis separabit? Quo animo?
psharp (Tux's lil' helper)
Joined: 16 Sep 2002   Posts: 76   Location: London, UK
Posted: Sun Nov 17, 2002 6:01 pm   Post subject:
I currently use the following to scan my local gentoo-announce archive for package GLSAs and pass them to emerge. It then only updates the ones that are installed.
Code:
#!/bin/bash
# Securitymerge 0.01: collect the package names from GLSA mails, keep only the installed ones, and emerge them
# "$@" passes emerge options such as -p through; xargs -I is the portable spelling of the old -i
emerge -n "$@" $(egrep 'GLSA' ~/Mail/gentoo-announce | sed 's/.*GLSA: //' | cut -d" " -f1 | xargs -I PKG qpkg -I -nc PKG)
Usage: root@ps02P # securitymerge -p
Code:
Calculating Dependancies ...done
[ebuild U ] x11-base/xfree-4.2.1
etc.
I know this is pretty raw, but it was slapped together as a catch-up for several weeks away.

My view is that the original idea could probably be done using existing information:
1) grab the gentoo-announce archive
2) search for GLSA
3) check against qpkg -I
4) emerge packages

There are several problems with this. The main one I see is that it simply updates to the latest package; you may already be running a newer version than the bug report is against. I guess this could be taken into account, perhaps by comparing the date installed against the GLSA date.

Anyway, if anyone is a scripting guru and fancies doing something, please do. In the meantime I will continue hacking away, but I only started learning scripting in Unix last week.
Do I get the feeling that this would be easy in Perl? Maybe that's what I should learn...
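The four-step procedure above (grab the archive, search for GLSA, check against the installed list, emerge), as an added example that is neither psharp's script nor any Gentoo tooling. It assumes that each GLSA mail carries a line of the form "GLSA: <category/package> ...", as the original egrep/sed pipeline expects, and it replaces the real inputs with constructed ones: a small fake gentoo-announce archive and a file standing in for `qpkg -I -nc` output, so it runs offline. The emerge command is printed with -p (pretend) rather than executed, and the case where no installed package is affected is reported instead of running an empty emerge.

```shell
#!/bin/sh
# Added example, not psharp's script: the four-step procedure from the post
# (grab archive, search for GLSA, check against installed packages, emerge)
# run against constructed inputs so it works offline.
# Assumptions: each GLSA mail carries a line "GLSA: <category/package> ...",
# as the original egrep/sed pipeline expects; the installed-package list is a
# constructed file standing in for `qpkg -I -nc` output; emerge is printed
# with -p (pretend) rather than executed.

# Step 1 stand-in: write a constructed gentoo-announce archive to "$1".
make_sample_archive() {
    cat > "$1" <<'EOF'
Subject: [gentoo-announce] GLSA: openssh
GLSA: net-misc/openssh 3.4 and earlier
Subject: [gentoo-announce] GLSA: openssl
GLSA: dev-libs/openssl 0.9.6 and earlier
Subject: [gentoo-announce] Weekly newsletter
GLSA: net-misc/openssh re-issued
EOF
}

# Constructed stand-in for the installed-package list, one name per line.
make_sample_installed() {
    cat > "$1" <<'EOF'
net-misc/openssh
x11-base/xfree
sys-apps/portage
EOF
}

# Step 2: the package named on every "GLSA:" line, de-duplicated.
# Anchoring on the start of the line skips Subject: lines, which carry no
# category/package name and would otherwise be fed to emerge.
glsa_packages() {
    grep '^GLSA: ' "$1" | sed 's/^GLSA: //' | cut -d' ' -f1 | sort -u
}

# Step 3: intersect with the installed list (whole-line, fixed-string match),
# so packages that are not installed are never passed to emerge.
installed_glsa_packages() {
    glsa_packages "$1" | grep -Fx -f - "$2" | sort -u
}

# Step 4: build the emerge command line; with nothing affected, say so
# instead of producing a bare "emerge -p".
emerge_command() {
    pkgs=$(installed_glsa_packages "$1" "$2" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$pkgs" ]; then
        printf 'no installed packages are named in a GLSA\n'
    else
        printf 'emerge -p %s\n' "$pkgs"
    fi
}

# Stand-alone run with the constructed inputs in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_archive "$demo_dir/gentoo-announce"
make_sample_installed "$demo_dir/installed"
emerge_command "$demo_dir/gentoo-announce" "$demo_dir/installed"
rm -rf "$demo_dir"
```

Pointing `make_sample_archive` at a real mailbox is the only change needed to use it on a live archive; the version-skew problem psharp mentions (already running something newer than the GLSA targets) is deliberately not solved here, since a name match alone cannot tell, and the emerge pretend run is where that gets checked before anything is installed.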