
Re: script for security update notification

On Fri, May 24, 2002 at 09:41:46AM -0400, Nathan Valentine wrote:
> I'm thinking of writing a script but I am hoping that someone else has
> beaten me to the punch. Perhaps someone has seen something that will do
> this:
> 1) Check the Debian security announcement list.
> 2) Compare new announcements to the local package database.
> 3) If vulnerable packages installed, send an 'I need updated' email to
> an address defined by the SysAdmin.
	Nice thing. Already done, though (see below)

> Anyone ever seen such a beast? I've searched the archives of this list
> and not found any reference to anything along these lines. 

	Simple one: Tiger does this (Debian's of course, it has been
patched/fixed to do this sort of stuff)

	Ok. Now hold yourself for a *long* explanation.

	Even if it's only slightly documented in the README.Debian file
(and in the manpage too), the Tiger in Debian has been enhanced to provide
quite a bit more functionality than the Tiger provided by TAMU (or even TARA, a
tiger version distributed by ARSC).
	One of these enhancements is the 'deb_checkadvisories' script. This
script takes a list of DSAs and checks them against the installed package base
to see if any of your packages are vulnerable according to the DSA. This is
a slightly different approach from the more general one taken by Tiger,
implemented by the 'check_signatures' script, which checks the
MD5sums of known vulnerable programs.

	Since we currently do not ship this info (i.e. Md5sums of known
vulnerable versions), I tried the DSA approach, which works fine. However,
both the DSA approach and the Md5sum approach have a problem: the signatures
have to be updated regularly.
	I do this when making new versions of the Tiger package, but I do
not make a new version every time a DSA is shipped. A nice addition, which
I have not had the time to add, is to do this proactively, that is,
download the DSAs from the web, make the list and then check. The DSAs are
currently updated from my local CVS update of the WML sources used to
build security.debian.org (the webserver, that is).

	If anyone wants to contribute a program to parse the published
DSAs, either received through e-mail or available at security.debian.org,
and generate the file used by 'deb_checkadvisories' to confirm
vulnerabilities, that would be quite nice (hint, hint).

	This check is run through the standard program configuration once
installed (see /etc/tiger/cronrc):
# Check for Debian security measures every day at 1 am
1 * *   deb_checkmd5sums deb_nopackfiles deb_checkadvisories

	*However*, there is one more check that you might want to add,
which has not yet been added to the standard cron scripts. That
check is 'check_patches'. This script works the following way:

1.- runs apt-get update
2.- checks if there are new packages available

	*IF* you are running a 'stable' system and add the
security.debian.org apt source line to your /etc/apt/sources, this script
will be able to tell you if there are new packages that you need to
install. Since the only packages changing in this setup are security
updates, you have just what you wanted.

	Of course, this will not work if you are running woody/testing or
sid/unstable, since the new packages there are probably much more than just
security updates at the moment (maybe not that much in the woody case, since
we are "frozen" :)

	You can add this script to the checks done by the cron job (at the
above configuration file) and it should work properly to warn you of this.

	Hope this helps. I will try to take the time and add this same
information to the "Debian Security Manual" as soon as possible.
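An added, stand-alone illustration of the DSA-versus-installed-packages comparison discussed above (not Tiger's deb_checkadvisories, and not code from anyone in this thread). The input file format that deb_checkadvisories reads is not given here, so this script works from advisory text directly: it assumes a "Package : name" header line and a "fixed in version X" sentence in each advisory, and both the advisory text and the installed-package listing below are constructed samples. The version comparison follows the dpkg ordering rules (epoch, then upstream version, then Debian revision; digit runs compared numerically, '~' sorting before everything), which is exactly the part a naive string comparison gets wrong.

```python
"""Check DSA-style advisories against installed Debian package versions (added example)."""
import re


def _order(c):
    """Weight of one character in dpkg's version ordering ('' means end of string)."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before everything, even the empty string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp: alternate non-digit and digit runs, digits numerically."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":   # leading zeros are not significant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():   # longer digit run wins
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as 'dpkg --compare-versions'."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def parse_advisories(text):
    """Return (dsa_id, package, fixed_version) tuples from DSA-style announcement text."""
    found = []
    for chunk in re.split(r"(?=^Debian Security Advisory )", text, flags=re.M):
        dsa = re.search(r"Debian Security Advisory\s+(DSA-\S+)", chunk)
        pkg = re.search(r"^Package\s*:\s*(\S+)", chunk, re.M)
        fixed = re.search(r"fixed in\s+version\s+(\S+)", chunk)
        if dsa and pkg and fixed:
            found.append((dsa.group(1), pkg.group(1), fixed.group(1).rstrip(".")))
    return found


def parse_installed(text):
    """Parse 'package version' lines, e.g. from dpkg-query -W -f='${Package} ${Version}\n'."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def find_vulnerable(advisories, installed):
    """Installed packages whose version is older than the version the DSA says fixes it."""
    hits = []
    for dsa, pkg, fixed in advisories:
        have = installed.get(pkg)
        if have is not None and compare_versions(have, fixed) < 0:
            hits.append((dsa, pkg, have, fixed))
    return hits


# Constructed sample advisories written in the style of DSA mails (not real DSAs).
SAMPLE_DSAS = """\
Debian Security Advisory DSA-EXAMPLE-1             security@debian.org
Package        : examplepkg
Vulnerability  : buffer overflow

For the stable distribution (potato) this problem has been fixed in
version 1.2.3-4.

Debian Security Advisory DSA-EXAMPLE-2             security@debian.org
Package        : otherpkg
Vulnerability  : format string

For the stable distribution (potato) this problem has been fixed in
version 1:2.0-1.
"""

# Constructed installed-package listing, one 'package version' per line.
SAMPLE_INSTALLED = """\
examplepkg 1.2.3-3
otherpkg 1:2.0-1
unrelated 0.9-2
"""

if __name__ == "__main__":
    hits = find_vulnerable(parse_advisories(SAMPLE_DSAS), parse_installed(SAMPLE_INSTALLED))
    for dsa, pkg, have, fixed in hits:
        print(f"{dsa}: {pkg} {have} installed, fixed in {fixed}")
```

On a real system the installed listing would come from dpkg-query and the advisory text from the saved announcement mails; the comparison itself is the only part that needs care, and the epoch and '~' cases in particular are where ad-hoc scripts tend to report a patched package as still vulnerable (or miss one that is).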

