
Re: Scalable Debian vulnerability tracking

> Hi folks,
> I work for a hosting provider, and am looking at how to improve 
> visibility into vulnerability exposure.
> We have over 800 Debian hosts that we manage for customers, and will 
> have over 1,000 by the end of this quarter.
> A major problem we face is that our change distribution mechanism is 
> poor.  We're working on that problem, but in the meantime, I'm looking 
> at ways to assert that we are / are not vulnerable to specific issues 
> disclosed by the Debian project.  I realize that this isn't the whole 
> game, but it's a huge part of it.
> First prize is a web application that we can draw reports from (or will 
> push reports to us or whatever), that knows what security issues have 
> been identified and addressed by the Debian project, what versions of 
> packages are installed on all servers, and therefore which packages on 
> which servers should have been upgraded but have not yet been.
> Yup, basically the output of debsecan --only-fixed --suite etch.  But 
> I'd prefer not to use email as the transport mechanism (unreliable), 
> and I'd have to write an aggregator for all those mails, because 
> working through mail from over a thousand servers is error prone.


This is definitely not a complete solution to your problem, but it might help
you along the way:

- Run apt-get update + apt-show-versions on each host (daily, hourly, whatever
  you like)
- If you don't like email for aggregation, a central syslog may be an option.
  Pipe the output of apt-show-versions through logger and filter and aggregate
  the logs on your server.

We don't have hundreds of servers, but this scheme works fairly well around
here, using a very simple daily cron job and logwatch as the aggregator.


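A sketch of the scheme described in the reply above (apt-show-versions piped through logger on each host, a central syslog doing the aggregation), written as an added example; it is not code from either poster. It assumes the per-host cron job tags its lines with `logger -t aptversions`, that the central syslog writes the usual "Mon DD HH:MM:SS host tag: message" line layout, and that apt-show-versions prints either the older "pkg/suite upgradeable from A to B" form or the newer "pkg:arch/suite A upgradeable to B" form. The hostnames, package versions and log lines in `SAMPLE_LOG` are constructed sample data, not real hosts.

```shell
#!/bin/sh
# Added example, not from the original mail thread.
# Per-host side: refresh the package lists and ship one syslog line per
# package, tagged "aptversions", to the central log server.
report_versions() {
    apt-get -qq update && apt-show-versions | logger -t aptversions
}

# Central side: read syslog lines on stdin and print one line per package
# that is still behind the archive, as "host package installed candidate".
# Hostname is syslog field 4, the tag is field 5, the rest is the
# apt-show-versions line (both known output formats are handled).
pending_upgrades() {
    awk '
        $5 == "aptversions:" {
            host = $4
            # older format: pkg/suite upgradeable from A to B
            if ($7 == "upgradeable" && $8 == "from") {
                split($6, p, "/"); print host, p[1], $9, $11
            }
            # newer format: pkg:arch/suite A upgradeable to B
            else if ($8 == "upgradeable" && $9 == "to") {
                split($6, p, "/"); sub(/:.*/, "", p[1]); print host, p[1], $7, $10
            }
        }
    '
}

# Constructed sample of what the central syslog would receive (assumed
# layout; hosts web01/db02 and the version strings are made up).
SAMPLE_LOG='Jan  3 04:00:01 web01 aptversions: bash/etch uptodate 3.1dfsg-8
Jan  3 04:00:01 web01 aptversions: openssl/etch upgradeable from 0.9.8c-4etch3 to 0.9.8c-4etch4
Jan  3 04:00:02 db02 aptversions: openssl/etch uptodate 0.9.8c-4etch4
Jan  3 04:00:02 db02 aptversions: libc6:amd64/etch 2.3.6.ds1-13etch5 upgradeable to 2.3.6.ds1-13etch7'

# Number of host/package pairs in the sample that still need an upgrade.
count_pending() {
    printf '%s\n' "$SAMPLE_LOG" | pending_upgrades | wc -l | tr -d ' '
}

# Run with --demo to see the report for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | pending_upgrades
fi
```

The report is only as good as the apt lists on each host: a package shows up as pending only after the mirror the host points at carries the fixed version, which is why the reply calls this a partial answer rather than a replacement for debsecan's advisory-based view.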