> Hi folks,
>
> I work for a hosting provider, and am looking at how to improve
> visibility into vulnerability exposure.
>
> We have over 800 Debian hosts that we manage for customers, and will
> have over 1,000 by the end of this quarter.
>
> A major problem we face is that our change distribution mechanism is
> poor. We're working on that problem, but in the meantime, I'm looking
> at ways to assert that we are / are not vulnerable to specific issues
> disclosed by the Debian project. I realize that this isn't the whole
> game, but it's a huge part of it.
>
> First prize is a web application that we can draw reports from (or will
> push reports to us or whatever), that knows what security issues have
> been identified and addressed by the Debian project, what versions of
> packages are installed on all servers, and therefore which packages on
> which servers should have been upgraded but have not yet been.
>
> Yup, basically the output of debsecan --only-fixed --suite etch. But
> I'd prefer not to use email as the transport mechanism (unreliable),
> and I'd have to write an aggregator for all those mails, because
> working through mail from over a thousand servers is error prone.
> [...]

This is definitely not a complete solution to your problem, but it might
help you along the way:

- Run apt-get update + apt-show-versions on each host (daily, hourly,
  whatever you like)

- If you don't like email for aggregation, a central syslog may be an
  option. Pipe the output of apt-show-versions through logger and filter
  and aggregate the logs on your server.

We don't have hundreds of servers, but this scheme works fairly well
around here, using a very simple daily cron job and logwatch as the
aggregator.

HTH,
Michael
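The scheme Michael describes, written out as an added example (this is not code from the thread): a per-host cron function that refreshes the package lists and ships the upgradeable-package list to syslog via logger, and a central function that filters those records out of a syslog file and summarises, per package, which hosts still have the old version installed. The syslog line layout ("MMM DD HH:MM:SS host tag: message"), the apt-show-versions -u output format ("pkg:arch/suite version upgradeable to version"), the host names and the log lines in sample_log are all assumptions constructed for the example.

```shell
#!/bin/sh
# Per-host side, meant to run from cron. Refreshes the package lists and
# logs every upgradeable package under a fixed syslog tag so the central
# host can pick the records out. Needs apt on a Debian host; not exercised
# by the offline aggregation below.
report_upgradeable() {
    apt-get -qq update || return 1
    apt-show-versions -u | logger -t apt-show-versions -p local0.info
}

# Central side. Reads syslog lines from the files given as arguments (or
# stdin), keeps only the apt-show-versions "upgradeable" records and prints
# one line per package:
#   <package> <number of hosts> <host> <host> ...
# A host is counted once per package even if the same record was logged by
# several cron runs. Assumes the classic syslog layout where field 4 is the
# host and field 5 the tag, and the assumed apt-show-versions -u line
# "pkg:arch/suite ver upgradeable to ver" (the ":arch" part may be absent).
aggregate_log() {
    awk '
        $5 == "apt-show-versions:" && $0 ~ /upgradeable/ {
            host = $4
            pkg = $6
            sub(/\/.*/, "", pkg)        # drop "/suite"
            sub(/:.*/, "", pkg)         # drop ":arch" if present
            key = pkg SUBSEP host
            if (!(key in seen)) {
                seen[key] = 1
                count[pkg]++
                hosts[pkg] = hosts[pkg] " " host
            }
        }
        END {
            for (pkg in count)
                print pkg, count[pkg] hosts[pkg]
        }
    ' "$@" | sort
}

# hosts_needing PKG: reads syslog lines on stdin and prints the hosts that
# still have an upgradeable version of PKG, one line, space separated.
hosts_needing() {
    aggregate_log | awk -v p="$1" '
        $1 == p { for (i = 3; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }
    '
}

# Constructed sample syslog excerpt: three hosts, one unrelated sshd line,
# and db01's bash record logged twice (two cron runs) to show deduplication.
sample_log() {
    cat <<'EOF'
Mar  1 06:00:01 web01 apt-show-versions: bash:amd64/bookworm 5.2.15-2 upgradeable to 5.2.15-2+b2
Mar  1 06:00:01 web01 apt-show-versions: openssl:amd64/bookworm 3.0.11-1 upgradeable to 3.0.13-1
Mar  1 06:00:02 web02 apt-show-versions: bash:amd64/bookworm 5.2.15-2 upgradeable to 5.2.15-2+b2
Mar  1 06:00:03 db01 sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 51234
Mar  1 06:00:03 db01 apt-show-versions: bash:amd64/bookworm 5.2.15-2 upgradeable to 5.2.15-2+b2
Mar  1 07:00:03 db01 apt-show-versions: bash:amd64/bookworm 5.2.15-2 upgradeable to 5.2.15-2+b2
EOF
}

# Usage on the constructed sample; on the central host you would instead
# point aggregate_log at the real syslog file, e.g. aggregate_log /var/log/syslog
sample_log | aggregate_log
```

On the sample this prints "bash 3 web01 web02 db01" and "openssl 1 web01"; the output for a thousand hosts is the same two-column-plus-hosts shape, so it is easy to diff against yesterday's run or feed to logwatch. Whether a listed package is actually a security fix is still something you have to decide from the DSA, which is the part of the original question this does not answer.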