Jo, On 23-May-01 Christian Erpelding wrote:
Hi Bob and all!
I had an idea for a utility to make it easier to check a system is up-to-date with patches. I assumed that someone else must have had the idea already, but I couldn't find it on the web so I wrote the utility myself.
The vulnerability file should contain lines like
openssh VERSION=8.3.0p2 RELEASE=98
where the uppercase keywords correspond to rpm query tags.
I like the idea...
Sounds good. However, many admins (like myself) use source tarballs of certain packages instead of RPMs. For them, this script would be useless. On the other hand, there are numerous vulnerability scanners out there which are much more powerful than a script could probably ever be (satan, saint, sara, nessus...etc.pp.).
Perhaps it would be useful to insert some more information into the vulnerability file, like "SEVERITY=x" [x=1..10] and "INFO='Remote Root Exploit'".
If the vul-file would be maintained up-to-date, it would be easily possible to check the system everyday per cron-entry.
Does your program only complain about the specified rpm-version or about any version up to this one? Perhaps it would be better to split the field VERSION in FROM_VERSION and TO_VERSION to cover a range of vulnerable rpm-versions easily?!
Well... I think Roman and the other lads are shaken now ;) The whole thing really sounds very nice but may not be implemented that easily. Imagine a user running an old SuSE 6.1 with lots of unpatched packages but a self-compiled kernel >= 2.2.x running such a script; he may get lots of false positives and ends up with quite some fuzz I guess. Anyone out to give it a try? (Well, not me if you'd ask ;)
-- Regards, Chr. Erpelding ce-data Datentechnik
---
Boris Lorenz
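To make the proposal concrete, here is an added example (not the utility discussed in the thread, and not any list member's code) that parses the suggested vulnerability-file format, including the FROM_VERSION/TO_VERSION, SEVERITY and INFO extensions proposed above, and matches it against package data in the shape `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` prints. Both inputs are constructed sample text so it runs offline; the version comparison is a simplified approximation of rpm's own rpmvercmp, not the real routine.

```python
import re

# Constructed vulnerability file in the proposed format. Uppercase keys are rpm
# query tags; FROM_VERSION/TO_VERSION, SEVERITY and INFO are the extensions
# suggested in the thread. All values are made up for this example.
VULN_FILE = """\
openssh VERSION=8.3.0p2 RELEASE=98
bind FROM_VERSION=8.2 TO_VERSION=8.2.2 SEVERITY=10 INFO='Remote Root Exploit'
"""
# Constructed output of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
INSTALLED = """\
openssh 8.3.0p2 98
bind 8.2.1 3
sendmail 8.11.2 12
"""

def vercmp(a, b):
    """Simplified rpmvercmp: numeric runs compare as integers, alpha runs
    lexically, numeric beats alpha, and on a tie the string with more runs wins."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_vuln_line(line):
    """Return (package, {KEY: value}); single-quoted values may contain spaces."""
    name, rest = line.split(None, 1)
    return name, {k: v.strip("'") for k, v in re.findall(r"([A-Z_]+)=('[^']*'|\S+)", rest)}

def is_vulnerable(fields, version, release):
    """Exact VERSION (plus RELEASE if given), or inclusive FROM_VERSION..TO_VERSION."""
    if "VERSION" in fields:
        if vercmp(version, fields["VERSION"]) != 0:
            return False
        return "RELEASE" not in fields or vercmp(release, fields["RELEASE"]) == 0
    lo, hi = fields.get("FROM_VERSION"), fields.get("TO_VERSION")
    return (lo is None or vercmp(version, lo) >= 0) and (hi is None or vercmp(version, hi) <= 0)

def check(vuln_text, installed_text):
    """Return [(package, severity, info)] for installed packages hit by a vuln line."""
    installed = {n: (v, r) for n, v, r in (l.split() for l in installed_text.splitlines() if l.strip())}
    hits = []
    for line in vuln_text.splitlines():
        if line.strip() and not line.startswith("#"):      # skip blanks and comments
            name, fields = parse_vuln_line(line)
            if name in installed and is_vulnerable(fields, *installed[name]):
                hits.append((name, fields.get("SEVERITY", "?"), fields.get("INFO", "")))
    return hits
```

Packages installed from source tarballs never appear in the rpm output, so, as noted in the thread, they are silently skipped rather than reported.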