[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: packages and security checks automated



On Thu, Aug 05, 2004 at 06:06:04AM +0000, Carl Libra wrote:
> Hi,
> 
> To make sure no vulnerable packages are installed I subscribed to the 
> mailing-list ports-security.
> 
> When a new treat is found it will be announced here. This works okay if you 
> have just a few packages installed. But on one of my machines a lot of 
> packages are installed (mainly for testing) and they have a lot of 
> dependencies with programs you will never look at as they are being used 
> only in the background.

$ pkg_info -a | grep -i <package name>

Is the above that hard?  Not being aware of what you've installed is,
well, not a very secure practice.

> Wouldn't be possible to add two scripts like on NetBSD 
> ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/security/audit-packages/README.html 
> that fetches a list and compares it to installed packages. If a vulnerable 
> package is found you will receive an email.
> 
> Hope this makes sense and can make life easier for administrators.

It makes sense, but then it needs developer time to maintain it and
make sure it is perfect, because people will end up relying on it.

You can add your own scripts of course.

-- 
<jakemsr_(_at_)_jakemsr_(_dot_)_com>