Date:      18 Dec 2000 06:21:24 -0400
From:      Lowell Gilbert <lowell@world.std.com>
To:        ntvsunix@hotmail.com (Some Person), freebsd-security@freebsd.org
Subject:   Re: Security Update Tool..
Message-ID:  <44u2814tti.fsf@lowellg.ne.mediaone.net>
In-Reply-To: ntvsunix@hotmail.com's message of "16 Dec 2000 01:16:42 +0100"
References:  <F184Mum03yMJiQTyfPe00000f1e@hotmail.com>

ntvsunix@hotmail.com (Some Person) writes:

> Hey ppl. Sorry I just joined the list so I dunno what kinda posts usually go 
> on here but I was just browsing www.freebsd.org/security and...
> 
> Well, seeing there's new security discoveries, patches and a whole slew of 
> CERT advisories etc.. it's hard to keep up with what needs securing, and 
> what to secure, from the base system, from the ports, etc.
> 
> My question is, is there a util yet that in theory (maybe if so, or if 
> someone writes one would work differently than what I'm imagining) queries a 
> central database with all the security advisories, checks the local system 
> for comparisons and vulnerabilities against that database and reports to the 
> user who ran the util.
> 
> ie, sacheck -H sa-host.freebsd.org
> 
> I completely made that up, but just an idea. ie, sacheck (security advisor 
> check) checks against -H sa-host.freebsd.org.
> 
> Please, if I sound like a complete idiot, no need to flame.. ;) I'm trying 
> to explain what I think would be a good idea in the best way I can via email 
> and I'm still an intermediate (non-expert) FreeBSD user. I don't know 
> programming (yet) so I probly don't have all the terms, but I do have ideas.
> 
> ps: Hope I did make at least some sense in describing my idea.

It's not a terrible idea, but the unified FreeBSD development model
makes it less useful than it seems.  The number of security advisories
is relatively low (a few dozen per year?), even if you include CERT,
so the payoff is somewhat limited.  Because of the unified development
model, the way to apply fixes is usually to upgrade to a more recent
version of the software, so keeping up to date is pretty much the
bottom line.

If you actually wrote your "sacheck" program, I'll bet it wouldn't
have much trouble getting into the system (assuming it was *well*
written), or at least the ports.  You'd need a slightly more
regularized format for the advisories, however, which probably means
cooperation from the security officer.  Furthermore, the benefits are
small enough that it may be hard to get anyone else to write it for
you.  And I'm sure I'm not the only one who thinks it's a *good* idea
for administrators (especially of Internet-connected machines) to
actually read security advisories.

Be well.

