Re: Security notification script
On Mon, Sep 02, 2002 at 02:07:34PM +0200, Javier Fernández-Sanguino Peña wrote:
> On Mon, Aug 26, 2002 at 09:31:34PM +0100, Rob Bradford wrote:
> > I have written a python script that allows you to compares locally
> > installed packages with those on security.debian.org. Furthermore it
> > provides a description of the problem/DSA name if the package is
> > mentioned in the DSA RDF.
> >
> Notice that the RDF does not include *all* the DSAs, just the latest
> (10?). Thus, if there is a week with *many* security updates your script might
> miss vulnerable packages if not run daily.
That is a good point. Is it possible to get this kind of information from
elsewhere (yes it is possible to dig it out of the html-pages) in a
similar (easy) manner?
> > The script is intended to be run as a normal user in a crontab, and thus
> > produces no output if the system is completely upto date.
> >
> > You will need to install python2.2 and python2.2-xml prior to using the
> > script which can be found at
> > http://www.robster.org.uk/files/security-update-check.py
> >
>
> Why Python? If you plan this script to be included in Debian-standard (such
> as the cron task in checksecurity) python is out of the question.
> Could you write it in Perl?
Well I do not think it is suitable for standard (yet). It is a little bit
too non-mature for that. But I could rewrite his (I'm not the author) code
into perl if that is really needed.
But of course it should be better to write it in shell-code but that is
not that easy as to use xml interfaces within perl or python.
> > Any feedbacl/ideas would be much appreciated. I plan to make some minor
> > changes and package this up later this week :)
> >
>
> Well, it's already done. Check out Tiger:
> http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s-keep-up-to-date
> The problem with Tiger is that it has to be updated (both by the maintainer and the
> administrator) to work effectively until a create a 'tiger-signatures' package that
> can be updated regularly.
It is about the same problem as harden-*flaws.
> But probably a stand-alone script is a good idea, it would appreciate it better
> in another language. You cannot consider installing python in a production
> environment where it's not really need it. Tiger, for example, is completely
> shell-based (does not even need Perl).
Good point.
Regards,
// Ola
> Regards
>
> Javi
--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
Reply to: