scanrpm: script to check system for known vulnerable packages
Dear All,

I had an idea for a utility to make it easier to check a system is up-to-date with patches. I assumed that someone else must have had the idea already, but I couldn't find it on the web so I wrote the utility myself.

For this utility to work it needs someone (and I think that someone really needs to be SuSE) to maintain a machine-readable list of packages known to have security holes. All the utility does is read such a list and then report any vulnerable packages it finds on the system. So you would use it something like

    wget -O - ftp://ftp.suse.com/vulnerabilities.txt | scanrpm

The vulnerability file should contain lines like

    openssh VERSION=8.3.0p2 RELEASE=98

where the uppercase keywords correspond to rpm query tags.

Do people think this is useful? If so, are SuSE willing to take it on? Of course, the utility would be useful for bad guys as well as good guys, but we are used to that.

Current version of the scanrpm utility can be found at http://www.cs.rhul.ac.uk/home/bobv/utils/scanrpm

Nothing in the utility is SuSE-specific, but I guess the database would be.

Bob
==============================================================
Bob Vickers                                   R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:   http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
Hi Bob and all!
> I had an idea for a utility to make it easier to check a system is up-to-date with patches. I assumed that someone else must have had the idea already, but I couldn't find it on the web so I wrote the utility myself.
>
> The vulnerability file should contain lines like
>
>     openssh VERSION=8.3.0p2 RELEASE=98
>
> where the uppercase keywords correspond to rpm query tags.
I like the idea... Perhaps it would be useful to insert some more information into the vulnerability file, like "SEVERITY=x" [x=1..10] and "INFO='Remote Root Exploit'". If the vul-file were kept up-to-date, it would be easily possible to check the system every day via a cron entry.

Does your program only complain about the specified rpm version or about any version up to this one? Perhaps it would be better to split the field VERSION into FROM_VERSION and TO_VERSION to cover a range of vulnerable rpm versions easily?!

--
Regards,
Chr. Erpelding
ce-data Datentechnik
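As an added example (not Bob's scanrpm script, whose source is linked above, and not anything SuSE maintains), the following Python sketch shows the checking logic the two posts above describe: it parses lines of the proposed `name KEY=value` form, including the SEVERITY, INFO, FROM_VERSION and TO_VERSION fields suggested in the reply, looks up the installed VERSION and RELEASE of each named package, and reports the matches most severe first. Assumptions: a plain VERSION (with optional RELEASE) means an exact match, FROM_VERSION/TO_VERSION is an inclusive range, the vulnerability entries and the installed-package table are constructed sample data, and the version comparison is a simplified re-implementation of rpm's own rpmvercmp rules rather than a call into librpm.

```python
import re
import subprocess
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of the proposed vulnerability file, extended with the
# SEVERITY/INFO and FROM_VERSION/TO_VERSION fields. Illustrative entries only.
SAMPLE_VULN_FILE = """\
# name KEY=value ...   (uppercase keys mirror rpm query tags)
openssh VERSION=8.3.0p2 RELEASE=98 SEVERITY=9 INFO='Remote Root Exploit'
bind TO_VERSION=8.2.2 SEVERITY=10 INFO='Remote Root Exploit'
wu-ftpd FROM_VERSION=2.6.0 TO_VERSION=2.6.1 SEVERITY=8 INFO='Format string bug'
sendmail VERSION=8.11.0 SEVERITY=5 INFO='Local privilege escalation'
"""

# Constructed stand-in for the RPM database: name -> installed (VERSION, RELEASE)
# pairs (a list, because several instances of e.g. a kernel package may coexist).
SAMPLE_INSTALLED: Dict[str, List[Tuple[str, str]]] = {
    "openssh": [("8.3.0p2", "98")],
    "bind": [("8.2.2", "3")],
    "wu-ftpd": [("2.6.1", "25")],
    "sendmail": [("8.11.3", "1")],   # newer than the listed vulnerable version
    "apache": [("1.3.19", "5")],     # not listed at all
}

Query = Callable[[str], List[Tuple[str, str]]]
_SEG = re.compile(r"\d+|[A-Za-z]+")
_FIELD = re.compile(r"([A-Z_]+)=('[^']*'|\"[^\"]*\"|\S+)")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split into digit/alpha runs; digit runs compare
    numerically, alpha runs lexically, a digit run sorts after an alpha run,
    and if all common runs are equal the string with more runs is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_vuln_line(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Parse 'name KEY=value ...'; values may be single- or double-quoted.
    Blank lines and '#' comments yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    name, _, rest = line.partition(" ")
    return name, {k: v.strip("'\"") for k, v in _FIELD.findall(rest)}


def is_vulnerable(installed: Tuple[str, str], fields: Dict[str, str]) -> bool:
    """VERSION (+ optional RELEASE) is an exact match; FROM_VERSION/TO_VERSION
    is an inclusive range. Both semantics are assumptions for this example."""
    ver, rel = installed
    if "VERSION" in fields:
        if rpmvercmp(ver, fields["VERSION"]) != 0:
            return False
        return "RELEASE" not in fields or rpmvercmp(rel, fields["RELEASE"]) == 0
    lo, hi = fields.get("FROM_VERSION"), fields.get("TO_VERSION")
    if lo is None and hi is None:
        return False  # entry carries no version constraint: ignore it
    if lo is not None and rpmvercmp(ver, lo) < 0:
        return False
    return hi is None or rpmvercmp(ver, hi) <= 0


def rpm_query(name: str) -> List[Tuple[str, str]]:
    """Real lookup in the RPM database; packages built from tarballs are invisible here."""
    proc = subprocess.run(["rpm", "-q", "--qf", "%{VERSION} %{RELEASE}\n", name],
                          capture_output=True, text=True)
    if proc.returncode != 0:  # not installed
        return []
    pairs = []
    for out in proc.stdout.splitlines():
        ver, _, rel = out.partition(" ")
        pairs.append((ver, rel))
    return pairs


def scan(vuln_text: str, query: Query) -> List[Dict[str, str]]:
    """Every installed instance matching an entry, highest SEVERITY first."""
    findings = []
    for line in vuln_text.splitlines():
        parsed = parse_vuln_line(line)
        if parsed is None:
            continue
        name, fields = parsed
        for ver, rel in query(name):
            if is_vulnerable((ver, rel), fields):
                findings.append({"name": name, "version": ver, "release": rel,
                                 "severity": fields.get("SEVERITY", "0"),
                                 "info": fields.get("INFO", "")})
    findings.sort(key=lambda f: int(f["severity"]) if f["severity"].isdigit() else 0,
                  reverse=True)
    return findings


if __name__ == "__main__":
    # With --stdin, behaves like `wget -O - .../vulnerabilities.txt | scanrpm`.
    if "--stdin" in sys.argv[1:]:
        results = scan(sys.stdin.read(), rpm_query)
    else:
        results = scan(SAMPLE_VULN_FILE, lambda n: SAMPLE_INSTALLED.get(n, []))
    for f in results:
        print(f"VULNERABLE {f['name']}-{f['version']}-{f['release']} "
              f"severity={f['severity']} {f['info']}")
    sys.exit(1 if results else 0)
```

Run without arguments it scans the constructed table and flags bind, openssh and wu-ftpd in that order (sendmail is newer than the listed version, apache is not listed); the non-zero exit status makes it usable as a daily cron job that only mails when something matches. Because the lookup goes through the RPM database, packages installed from source tarballs are simply never seen, which is the limitation raised later in the thread.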
Jo,

On 23-May-01 Christian Erpelding wrote:
> Hi Bob and all!
>
> > I had an idea for a utility to make it easier to check a system is up-to-date with patches. I assumed that someone else must have had the idea already, but I couldn't find it on the web so I wrote the utility myself.
> >
> > The vulnerability file should contain lines like
> >
> >     openssh VERSION=8.3.0p2 RELEASE=98
> >
> > where the uppercase keywords correspond to rpm query tags.
>
> I like the idea...
Sounds good. However, many admins (like myself) use source tarballs of certain packages instead of RPMs. For them, this script would be useless. On the other hand, there are numerous vulnerability scanners out there which are much more powerful than a script could probably ever be (satan, saint, sara, nessus, etc.).
> Perhaps it would be useful to insert some more information into the vulnerability file, like "SEVERITY=x" [x=1..10] and "INFO='Remote Root Exploit'".
>
> If the vul-file were kept up-to-date, it would be easily possible to check the system every day via a cron entry.
>
> Does your program only complain about the specified rpm version or about any version up to this one? Perhaps it would be better to split the field VERSION into FROM_VERSION and TO_VERSION to cover a range of vulnerable rpm versions easily?!
Well... I think Roman and the other lads are shaken now ;) The whole thing really sounds very nice but may not be implemented that easily. Imagine a user running an old SuSE 6.1 with lots of unpatched packages but a self-compiled kernel >= 2.2.x running such a script; he may get lots of false positives and end up with quite some fuzz, I guess. Anyone out to give it a try? (Well, not me, if you'd ask ;)
> --
> Regards,
> Chr. Erpelding
> ce-data Datentechnik
---
Boris Lorenz <bolo@lupa.de>
System Security Admin *nix - *nux
---