From owner-freebsd-security Sat Dec 16 18:43:25 2000
From: "Some Person"
To: roman@xpert.com, kris@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Date: Sun, 17 Dec 2000 02:43:21

Right on! That's excellent to hear.. sacheck, well, that was just a
hypothetical name I gave it. ;) So far, I can't think of much more than
what you've mentioned, but I'm sure later on I will think of things,
especially once it's implemented and I can test it out... I'll be sure to
keep your email addy handy.

>
>On Fri, 15 Dec 2000, Kris Kennaway wrote:
>
> > On Sat, Dec 16, 2000 at 12:16:29AM +0000, Some Person wrote:
> >
> > > My question is, is there a util yet that in theory (maybe if so, or if
> > > someone writes one would work differently than what I'm imagining) queries a
> > > central database with all the security advisories, checks the local system
> > > for comparisons and vulnerabilities against that database and reports to the
> > > user who ran the util.
> >
> > Not at present - I was talking to someone a few months ago about doing
> > exactly this: the existing security advisories we publish contain all
> > of the information you need to implement such a thing (at least for
> > ports), although we'd probably need to structure them more rigidly so
> > they can be machine-parsed. However nothing concrete has materialised
> > yet, so there's still plenty of room for interested contributors to
> > step up and help :-)
> >
> > Note that identification of vulnerabilities is different from
> > automated correction of vulnerabilities - in order to do that it needs
> > some fairly complicated infrastructure in the ports system to upgrade
> > ports/packages and handle dependencies etc. Not that I want to
> > dissuade anyone from working on this very worthy project :-)
> >
> > Kris
>
>I'm the person Kris was talking about. I'm working on it, have little
>time, and switched to gnupg lately, but it'll be done eventually.
>Perhaps this thread will make me finish it earlier.
>I'd like to hear ideas which I will incorporate in it.
>Meanwhile the main idea is:
>1) have a local directory for advisories
>2) upon start, contact freebsd.org and check for newer advisories
>3) check advisories with gnupg (security officer's pgp key has to be
>installed manually).
>4) extract the valuable information from the advisory
>5) check against /var/db/pkg/* (revisions, and before it was invented -
>dates, yes, I know it's weak, but I've nothing to do with it).
>6) depending on running mode, complain or upgrade (pkg_delete; pkg_install -r)
>7) anything else?
>Written in perl and will be called pkg_security.
>I guess it could be changed to sacheck if all binaries have the id in
>them, so using what(1) will reveal the cvs revision.
>
>Looking forward to your comments,
>
>--Roman Shterenzon, UNIX System Administrator and Consultant
>[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]
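As an added illustration of steps 4 to 6 of the plan quoted above (example code written here, not Roman's pkg_security or any FreeBSD tool; the advisory records, the installed package names and the handling of a trailing _N port revision are constructed assumptions):

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the "valuable information" extracted from an
# advisory (step 4): affected package base name and first fixed version.
# The ids are placeholders, not real advisory numbers.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "SA-PLACEHOLDER-1", "package": "sshd", "fixed": "2.2.0_2"},
    {"id": "SA-PLACEHOLDER-2", "package": "bar", "fixed": "3.1_2"},
    {"id": "SA-PLACEHOLDER-3", "package": "baz", "fixed": "1.0"},
]

# Constructed directory names as they would be listed under /var/db/pkg/.
INSTALLED: List[str] = ["sshd-2.2.0_1", "foo-1.0", "bar-3.1_2"]


def split_pkg(pkgname: str) -> Tuple[str, str]:
    """Split 'name-version' on the last dash (assumes versions contain no dash)."""
    base, _, version = pkgname.rpartition("-")
    if not base:
        raise ValueError(f"no version in package name: {pkgname!r}")
    return base, version


def version_key(version: str):
    """Sort key: dotted components compared numerically (any letter suffix
    compared as text), then the assumed integer _N port revision."""
    main, _, rev = version.partition("_")
    parts = []
    for piece in main.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        parts.append((int(m.group(1) or 0), m.group(2)))
    return (tuple(parts), int(rev or 0))


def find_vulnerable(installed: List[str], advisories: List[Dict[str, str]]):
    """Step 5: return (pkgname, advisory id, fixed version) for every installed
    package that is older than the fixed version an advisory names."""
    hits = []
    for pkgname in installed:
        base, version = split_pkg(pkgname)
        for adv in advisories:
            if adv["package"] == base and version_key(version) < version_key(adv["fixed"]):
                hits.append((pkgname, adv["id"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    # Step 6, "complain" mode: report instead of upgrading.
    for pkgname, adv_id, fixed in find_vulnerable(INSTALLED, ADVISORIES):
        print(f"{pkgname}: affected per {adv_id}, fixed in {fixed}")
```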