From owner-freebsd-security@FreeBSD.ORG Wed Jul 5 15:17:45 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CDCBA16A4DA; Wed, 5 Jul 2006 15:17:45 +0000 (UTC) (envelope-from freebsd-security@auscert.org.au) Received: from titania.auscert.org.au (gw.auscert.org.au [203.5.112.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id ABDEE43D49; Wed, 5 Jul 2006 15:17:44 +0000 (GMT) (envelope-from freebsd-security@auscert.org.au) Received: from app.auscert.org.au (app [10.0.1.192]) by titania.auscert.org.au (8.12.10/8.12.10) with ESMTP id k65FHguE053728; Thu, 6 Jul 2006 01:17:42 +1000 (EST) Received: from app.auscert.org.au (localhost.auscert.org.au [127.0.0.1]) by app.auscert.org.au (8.13.1/8.13.1) with ESMTP id k65FHg61044302; Thu, 6 Jul 2006 01:17:42 +1000 (EST) (envelope-from freebsd-security@auscert.org.au) Message-Id: <200607051517.k65FHg61044302@app.auscert.org.au> To: Colin Percival from: freebsd-security@auscert.org.au In-Reply-To: Message from Colin Percival of "Fri, 30 Jun 2006 20:13:44 MST." <44A5E868.60508@freebsd.org> Date: Thu, 06 Jul 2006 01:17:42 +1000 Cc: freebsd-security@freebsd.org, "Dolan- Gavitt, Brendan F." Subject: Re: Determining vulnerability to issues described by SAs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Jul 2006 15:17:45 -0000 Hi Colin, On Fri, 30 Jun 2006 20:13:44 -0700, Colin Percival wrote: >Dolan- Gavitt, Brendan F. wrote: >> I've been trying for the past few days to come up with a method for >> checking a FreeBSD system to see if it is vulnerable to an issue >> described by a FreeBSD security advisory in some automated way [...] This is an issue I also have given some thought to. ... >> I'm fairly new to FreeBSD, so I may just be missing something >> here--is there a reliable way to determine if a system is patched >> according to a particular security advisory? > >In short, no. If you have any ideas, let me know. :-) I've been canonically rebuilding my systems for each patch (or at least every time a vulnerability affects my hosts) to cover this very issue, even if a rebuild isn't strictly necessary. In addition to this, however, I usually generate an mtree file from a pre-production installation so that I can compare any given build with running systems to identify changes, such as those occurring as a result of patching - kind of like a base 'tripwire', in fact. Would this be a solution? Each advisory could come with a custom mtree file that covers the affected files explicitly and/or another mtree file that covers the files for this patch _and_ for all previous patches up to that point; you could name the mtree after the patchlevel eg RELENG_5_3.mtree.p31 - this should work, regardless of how the patch was applied as the end result is (almost?) always the same at the binary level. regards, -- Joel Hatton -- Infrastructure Manager | Hotline: +61 7 3365 4417 AusCERT - Australia's national CERT | Fax: +61 7 3365 7031 The University of Queensland | WWW: www.auscert.org.au Qld 4072 Australia | Email: auscert@auscert.org.au