Re: Scalable Debian vulnerability tracking
I have a package that we have been working on for a while that might be
a good starting point. It tracks information about several machines,
storing them in a central repository. There is a client piece installed
on each machine which runs on a cron job, and currently e-mails the
results to one or more centralized servers. I wrote it with the idea in
mind that other transport agencies could be used, however.
The server piece is a php app w/MySQL backend that allows reporting,
including ad-hoc reports. The other functions such as maintenance
tracking would probably not be of interest to you, but those are just
modules that can be disabled (in the new version we're working on). The
UI is primitive and ugly.
Again, the package is pretty primitive, but has been tested on a dozen
Debian servers and two Fedora servers over the past year. It has one
report that would be of interest to you that retrieves the current
version of a package installed on all (or some) machines.
This is gpl'd, and I would be happy to supply the .deb, the source tree
or svn access if you would like to look at it.
You can see some very, very outdated documentation at
http://wiki.linuxservertech.com/index.php/Sysinfo. That documentation
is about one major version behind, and the links are to the older
version. I'm making some big changes right now.
Rodo (at this domain to email directly)
Michael Tautschnig wrote:
>> Hi folks,
>> I work for a hosting provider, and am looking at how to improve
>> visibility into vulnerability exposure.
>> We have over 800 Debian hosts that we manage for customers, and will
>> have over 1,000 by the end of this quarter.
>> A major problem we face is that our change distribution mechanism is
>> poor. We're working on that problem, but in the meantime, I'm looking
>> at ways to assert that we are / are not vulnerable to specific issues
>> disclosed by the Debian project. I realize that this isn't the whole
>> game, but it's a huge part of it.
>> First prize is a web application that we can draw reports from (or will
>> push reports to us or whatever), that knows what security issues have
>> been identified and addressed by the Debian project, what versions of
>> packages are installed on all servers, and therefore which packages on
>> which servers should have been upgraded but have not yet been.
>> Yup, basically the output of debsecan --only-fixed --suite etch. But
>> I'd prefer not to use email as the transport mechanism (unreliable),
>> and I'd have to write an aggregator for all those mails, because
>> working through mail from over a thousand servers is error prone.
> This is definitely not a complete solution to your problem, but it might help
> you along the way:
> - Run apt-get update + apt-show-versions on each host (daily, hourly, whatever
> you like)
> - If you don't like email for aggregation, a central syslog may be an option.
> Pipe the output of apt-show-versions through logger and filter and aggregate
> the logs on your server.
> We don't have hundreds of servers, but this scheme works fairly well around
> here, using a very simple daily cron job and logwatch as the aggregator.