Date: Sat, 16 Dec 2000 17:23:24 +0200 (IST)
From: Roman Shterenzon
To: Kris Kennaway
Cc: Some Person, freebsd-security@freebsd.org
Subject: Re: Security Update Tool..
In-Reply-To: <20001215200957.A10030@citusc.usc.edu>

On Fri, 15 Dec 2000, Kris Kennaway wrote:

> On Sat, Dec 16, 2000 at 12:16:29AM +0000, Some Person wrote:
>
> > My question is, is there a util yet that in theory (maybe if so, or if
> > someone writes one would work differently than what I'm imagining) queries a
> > central database with all the security advisories, checks the local system
> > for comparisons and vulnerabilities against that database and reports to the
> > user who ran the util.
>
> Not at present - I was talking to someone a few months ago about doing
> exactly this: the existing security advisories we publish contain all
> of the information you need to implement such a thing (at least for
> ports), although we'd probably need to structure them more rigidly so
> they can be machine-parsed. However nothing concrete has materialised
> yet, so there's still plenty of room for interested contributors to
> step up and help :-)
>
> Note that identification of vulnerabilities is different from
> automated correction of vulnerabilities - in order to do that it needs
> some fairly complicated infrastructure in the ports system to upgrade
> ports/packages and handle dependencies etc. Not that I want to
> dissuade anyone from working on this very worthy project :-)
>
> Kris

I'm the person Kris was talking about. I'm working on it, have little time,
and switched to gnupg lately, but it'll be done eventually. Perhaps this
thread will make me finish it earlier. I'd like to hear ideas which I will
incorporate in it.

Meanwhile the main idea is:

1) have a local directory for advisories
2) upon start, contact freebsd.org and check for newer advisories
3) check advisories with gnupg (security officer's pgp key has to be
   installed manually).
4) extract the valuable information from the advisory
5) check against /var/db/pkg/* (revisions, and before it was invented -
   dates, yes, I know it's weak, but I've nothing to do with it).
6) depending on running mode, complain or upgrade (pkg_delete; pkg_install -r)
7) anything else?

Written in perl and will be called pkg_security.

I guess it could be changed to sacheck if all binaries have the id in them,
so using what(1) will reveal the cvs revision.

Looking forward to your comments,

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
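An added example, not part of this thread or of the pkg_security tool Roman describes, showing the core of steps 4 to 6 in Python rather than perl: compare the name-version directory entries found under /var/db/pkg against a machine-readable advisory table and report (the "complain" mode) the installed packages older than the fixed version. The advisory identifiers, package names and versions are constructed, and the version ordering is a simplified approximation of pkg_version(1), which is assumed here rather than taken from the original message.

```python
import re

# Constructed advisory table standing in for step 4 (the data a tool would
# extract from a verified advisory); identifiers and versions are made up.
ADVISORIES = {
    "SA-EXAMPLE-1": {"package": "foo", "fixed_in": "1.2.3_1"},
    "SA-EXAMPLE-2": {"package": "bar", "fixed_in": "2.0_2"},
    "SA-EXAMPLE-3": {"package": "baz", "fixed_in": "3.0"},
}
# Constructed stand-in for os.listdir("/var/db/pkg"): name-version[_rev][,epoch].
INSTALLED = ["foo-1.2.2", "bar-2.0_3", "baz-1.0,1", "qux-0.9"]

def parse_pkg_version(version):
    """Split 'ver[_rev][,epoch]' into a comparable (epoch, parts, rev) tuple.
    Simplified pkg_version(1)-style ordering (assumed): epoch first, then the
    dotted components (digits compare numerically), then PORTREVISION."""
    epoch = rev = 0
    if "," in version:
        version, e = version.split(",", 1)
        epoch = int(e)
    if "_" in version:
        version, r = version.split("_", 1)
        rev = int(r)
    parts = [(1, int(t)) if t.isdigit() else (0, t)
             for t in re.findall(r"\d+|[A-Za-z]+", version)]
    return (epoch, parts, rev)

def split_pkg_name(dirname):
    """'foo-bar-1.2_1' -> ('foo-bar', '1.2_1'): the version follows the last '-'."""
    name, _, version = dirname.rpartition("-")
    return name, version

def check_installed(installed, advisories):
    """Step 5: return (package, installed, advisory, fixed_in) for each installed
    package whose version is older than the advisory's fixed version."""
    findings = []
    for entry in installed:
        name, ver = split_pkg_name(entry)
        for adv_id, adv in advisories.items():
            if adv["package"] == name and \
               parse_pkg_version(ver) < parse_pkg_version(adv["fixed_in"]):
                findings.append((name, ver, adv_id, adv["fixed_in"]))
    return findings

if __name__ == "__main__":
    # "Complain" mode from step 6: report only, never touch the package database.
    for name, ver, adv_id, fixed in check_installed(INSTALLED, ADVISORIES):
        print(f"{name}-{ver}: affected by {adv_id}, fixed in {name}-{fixed}")
```

On a real system the INSTALLED list would come from os.listdir("/var/db/pkg"); the constructed entries exercise the PORTREVISION and epoch cases that a plain string comparison of versions would get wrong.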