Date: Sun, 17 Dec 2000 02:43:21
From: "Some Person" <ntvsunix@hotmail.com>
To: roman@xpert.com, kris@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <F246vUPfYUimAxP9ZoL00001a62@hotmail.com>

Right on! That's excellent to hear.. sacheck, well, that was just a
hypothetical name I gave it. ;) So far, I can't think of much more than what
you've mentioned, but I'm sure later on I will think of things especially
once it's implemented and I can test it out... I'll be sure to keep your
email addy handy.

>On Fri, 15 Dec 2000, Kris Kennaway wrote:
>
> > On Sat, Dec 16, 2000 at 12:16:29AM +0000, Some Person wrote:
> >
> > > My question is, is there a util yet that in theory (maybe if so, or if
> > > someone writes one would work differently than what I'm imagining)
> > > queries a central database with all the security advisories, checks
> > > the local system for comparisons and vulnerabilities against that
> > > database and reports to the user who ran the util.
> >
> > Not at present - I was talking to someone a few months ago about doing
> > exactly this: the existing security advisories we publish contain all
> > of the information you need to implement such a thing (at least for
> > ports), although we'd probably need to structure them more rigidly so
> > they can be machine-parsed. However nothing concrete has materialised
> > yet, so there's still plenty of room for interested contributors to
> > step up and help :-)
> >
> > Note that identification of vulnerabilities is different from
> > automated correction of vulnerabilities - in order to do that it needs
> > some fairly complicated infrastructure in the ports system to upgrade
> > ports/packages and handle dependencies etc. Not that I want to
> > dissuade anyone from working on this very worthy project :-)
> >
> > Kris
>
>I'm the person Kris was talking about. I'm working on it, have little
>time, and switched to gnupg lately, but it'll be done eventually.
>Perhaps this thread will make me finish it earlier.
>I'd like to hear ideas which I will incorporate in it.
>Meanwhile the main idea is:
>1) have a local directory for advisories
>2) upon start, contact freebsd.org and check for newer advisories
>3) check advisories with gnupg (security officer's pgp key has to be
>installed manually).
>4) extract the valuable information from the advisory
>5) check against /var/db/pkg/* (revisions, and before it was invented -
>dates, yes, I know it's weak, but I've nothing to with it).
>6) depending on running mode, complain or upgrade (pkg_delete; pkg_install
>-r)
>7) anything else?
>Written in perl and will be called pkg_security.
>I guess it could be changed to sacheck if all binaries have the id in
>them, so using what(1) will reveal the cvs revision.
>
>Looking forward for your comments,
>
>--Roman Shterenzon, UNIX System Administrator and Consultant
>[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
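
Steps 4 and 5 of the quoted outline (extract the advisory's fields, then compare against /var/db/pkg), as an added example that is not part of the original message or of the pkg_security tool. It is written in Python rather than the Perl mentioned in the thread, and the advisory layout, field names, sample package names and version ordering are all assumptions made for illustration.

```python
import os
import re
import tempfile

# Constructed advisory in a hypothetical rigid "Key: value" layout (assumption).
SAMPLE_ADVISORY = """\
Advisory: EXAMPLE-SA-00:00
Package: examplepkg
Fixed-In: 1.2.3_1
"""
REQUIRED = ("Advisory", "Package", "Fixed-In")

def parse_advisory(text):
    """Step 4: extract fields. Call only after the signature check (step 3) passed."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in REQUIRED:
            fields[key.strip()] = value.strip()
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        # Fail closed: a malformed advisory must not read as "nothing affected".
        raise ValueError("advisory missing fields: " + ", ".join(missing))
    return fields

def version_key(version):
    """Simplified ordering: numeric runs compare as integers, letters as text."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def vulnerable_packages(advisory, pkg_db="/var/db/pkg"):
    """Step 5: list installed name-version entries older than the fixed version."""
    fixed = version_key(advisory["Fixed-In"])
    hits = []
    for entry in sorted(os.listdir(pkg_db)):
        name, _, version = entry.rpartition("-")  # version follows the last hyphen
        if name == advisory["Package"] and version_key(version) < fixed:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    # Constructed package database so the example runs without a FreeBSD host.
    with tempfile.TemporaryDirectory() as db:
        for entry in ("examplepkg-1.2.3", "examplepkg-1.2.3_1", "otherpkg-0.9"):
            os.mkdir(os.path.join(db, entry))
        for hit in vulnerable_packages(parse_advisory(SAMPLE_ADVISORY), db):
            print("VULNERABLE:", hit)
```

The parser raises on a missing field instead of returning a partial record, so a truncated or restructured advisory stops the run rather than producing a clean report.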