Hi,
is there a way / software to find out which security patches my different CentOS systems are missing? Maybe with the corresponding CESA announcement displayed?
TIA, Frank.
On 01/19/2010 10:32 AM, Frank.Brodbeck@klingel.de wrote:
is there a way / software to find out which security patches my different CentOS systems are missing? Maybe with the corresponding CESA announcement displayed?
I am working on a bit of code that would make something like this possible in the near future ( ~ a month or so ). However, till then I'd recommend going with just yum list and, if you want, some mangling with yum-changelog will give you CVEs and BZs.
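As an added illustration of the yum-changelog suggestion above (this is not code from the thread, from CentOS or from the yum plugin), here is a small Python script that pulls CVE and Bugzilla references out of rpm changelog entries, which is the same text yum-changelog and `rpm -q --changelog` print. The sample changelog, its package version and every CVE/bug number in it are constructed for the example; only the `rpm` command lines are real.

```python
import re
import subprocess

# Constructed sample, modelled on the format of `rpm -q --changelog <pkg>`
# (newest entry first). Versions, CVE IDs and bug numbers are made up.
SAMPLE_CHANGELOG = """\
* Tue Jan 12 2010 Example Maintainer <maint@example.org> 0.9.8e-12.el5_4.6
- fix CVE-2009-1234 - session renegotiation handling
- Resolves: rhbz#123456

* Mon Sep 07 2009 Example Maintainer <maint@example.org> 0.9.8e-12.el5_4.1
- rebuild for release
- bz#654321: fix crash in example parser (CVE-2009-4321, CVE-2009-4322)
"""

# "* <weekday> <month> <day> <year> <author> <version-release>"
HEADER_RE = re.compile(
    r'^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<who>.*?) (?P<evr>\S+)$')
CVE_RE = re.compile(r'\bCVE-\d{4}-\d{4,}\b')
# Red Hat changelogs reference Bugzilla as "rhbz#NNN" or "bz#NNN"
BZ_RE = re.compile(r'\b(?:rhbz|bz)#(\d+)\b', re.IGNORECASE)


def parse_changelog(text):
    """Return one dict per changelog entry, in file order:
    {'evr': version-release, 'date': ..., 'cves': [...], 'bzs': [...]}"""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {'evr': m.group('evr'), 'date': m.group('date'),
                       'cves': [], 'bzs': []}
            entries.append(current)
            continue
        if current is None or not line.strip():
            continue
        for cve in CVE_RE.findall(line):
            if cve not in current['cves']:
                current['cves'].append(cve)
        for bz in BZ_RE.findall(line):
            if bz not in current['bzs']:
                current['bzs'].append(bz)
    return entries


def fixes_since(entries, installed_evr):
    """References carried by entries newer than installed_evr.
    Changelogs are newest-first, so everything before the entry whose
    version-release matches the installed one is an unapplied fix.
    If installed_evr is not found at all, every entry is treated as newer."""
    cves, bzs = [], []
    for e in entries:
        if e['evr'] == installed_evr:
            break
        for c in e['cves']:
            if c not in cves:
                cves.append(c)
        for b in e['bzs']:
            if b not in bzs:
                bzs.append(b)
    return {'cves': cves, 'bzs': bzs}


def changelog_from_rpm(pkg):
    """Changelog text of an installed package (real rpm invocation)."""
    return subprocess.run(['rpm', '-q', '--changelog', pkg],
                          check=True, capture_output=True, text=True).stdout


def installed_evr_from_rpm(pkg):
    """Installed version-release string, in the form changelog headers use."""
    return subprocess.run(['rpm', '-q', '--qf', '%{VERSION}-%{RELEASE}\\n', pkg],
                          check=True, capture_output=True, text=True).stdout.strip()


if __name__ == '__main__':
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for e in entries:
        print(e['evr'], e['cves'], e['bzs'])
    # With the older constructed build installed, only the newest entry is pending.
    print(fixes_since(entries, '0.9.8e-12.el5_4.1'))
```

Note the limitation Karanbir alludes to: this only sees fixes that are already in a package's changelog on your system (or in the updated package fetched via yum-changelog); the maintainer has to have written the CVE or bug ID into the entry, and some updates simply say "rebase" or "rebuild".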
Karanbir Singh mail-lists@karan.org schrieb am 19.01.2010 11:48:54:
On 01/19/2010 10:32 AM, Frank.Brodbeck@klingel.de wrote:
is there a way / software to find out which security patches my different CentOS systems are missing? Maybe with the corresponding CESA announcement displayed?
I am working on a bit of code that would make something like this possible in the near future ( ~ a month or so ). However, till then I'd recommend going with just yum list and, if you want, some mangling with yum-changelog will give you CVEs and BZs.
As this is something I'd be very interested in, is there a way I could help? If so feel free to contact me on or off list :-)
Thanks, Frank.
On 01/19/2010 11:07 AM, Frank.Brodbeck@klingel.de wrote:
I am working on a bit of code that would make something like this possible in the near future ( ~ a month or so ). However, till then I'd recommend going with just yum list and, if you want, some mangling with yum-changelog will give you CVEs and BZs.
As this is something I'd be very interested in, is there a way I could help? If so feel free to contact me on or off list :-)
Absolutely, I plan on putting the code onto a public vcs repo soon. I want to have the basic harness working before going public though.
The 'core' of this is an automated test harness that would be used for the centos-distro packages at pre-build, post-build and pre-release stages.
From: "Frank.Brodbeck@klingel.de" Frank.Brodbeck@klingel.de
is there a way / software to find out which security patches my different CentOS systems are missing? Maybe with the corresponding CESA announcement displayed?
Try the yum-security package...
JD
Or I can highly recommend configuring a local Spacewalk server.... It is certainly usable right now overall (even if still under development in some areas) and the Red Hat guys are very quick to squash reported bugs.
Getting it running here has made my life much easier in provisioning, configuring and general maintenance of our systems...
2010/1/19 John Doe jdmls@yahoo.com
From: "Frank.Brodbeck@klingel.de" Frank.Brodbeck@klingel.de
is there a way / software to find out which security patches my different CentOS systems are missing? Maybe with the corresponding CESA announcement displayed?
Try the yum-security package...
JD
On 19/01/2010 11:49, John Doe wrote:
Try the yum-security package...
Since when does it work for CentOS?
-- best regards, markus
On Wed, Jan 20, 2010 at 11:36 AM, Markus Falb markus.falb@fasel.at wrote:
On 19/01/2010 11:49, John Doe wrote:
Try the yum-security package...
Since when does it work for CentOS?
I've been using it for at least 6 months. Sure hope it works!
Dave
is there a way / software to find out which security patches my different CentOS systems are missing? Maybe with the corresponding CESA announcement displayed?
I'll put in a plug for a software project that I am developer/contributor for, OpenVAS (Open Vulnerability Assessment Scanner).
If you configure OpenVAS to use an SSH-enabled login account, it will tell you which security patches you are missing. If you do just a remote scan, it will give you an incomplete list of missing patches.
It is cross-platform too.
-geoff
--------------------------------- Geoff Galitz Blankenheim NRW, Germany http://www.galitz.org/ http://german-way.com/blog/
On 01/19/2010 11:08 AM, Geoff Galitz wrote:
I'll put in a plug for a software project that I am developer/contributor for, OpenVAS (Open Vulnerability Assessment Scanner).
I looked at this a while back, well over a year ago, I think. And the problem was that OpenVAS does not actually test for the vuln but it tries to use content to assume the exploits will not work. That is a very risky situation to get into.
I looked at this a while back, well over a year ago, I think. And the problem was that OpenVAS does not actually test for the vuln but it tries to use content to assume the exploits will not work. That is a very risky situation to get into.
In terms of a proper security assessment, this is a debate that we have within the OpenVAS developer community and I am actually on your side with this. I won't bother the CentOS list with more details than that unless anyone specifically wants me to go into greater detail, except to say that this is not a technical limitation, just a policy of the authors who are writing the testing scripts.
However, in terms of simply looking to see what known patches are missing, the current method of assessment is sufficient and complete. The question assumes that patches already exist and therefore they can be queried for in the RPM database to see if they exist (with the needed info encoded in the release strings).
If we are talking about missing patches that do NOT exist, IOW, looking for vulnerabilities that the CentOS devs or upstream have not addressed yet... then other tools may be more appropriate.
-geoff
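Geoff's point about querying the RPM database works because a missing patch shows up as an installed version-release that sorts older than the one named in the advisory, so the whole check reduces to rpm's version comparison. As an added example (not OpenVAS code, not yum-security, and not from the thread), here is a Python reimplementation of that comparison applied to a constructed CESA-style package list and a constructed `rpm -qa` listing; every package name and version below is made up.

```python
import re
import subprocess

# rpm splits version strings into runs of digits, runs of letters, and '~'
# (tilde sorts before anything, even end of string, for pre-releases).
_TOKEN = re.compile(r'[0-9]+|[a-zA-Z]+|~')


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpmvercmp() does.
    Returns 1 if a > b, -1 if a < b, 0 if equal. ('^' from newer rpm is not handled.)"""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = j = 0
    while i < len(ta) or j < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[j] if j < len(tb) else None
        if x == '~' or y == '~':
            if x != '~':
                return 1
            if y != '~':
                return -1
            i += 1
            j += 1
            continue
        if x is None:          # a ran out of segments first: a is older
            return -1
        if y is None:
            return 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:       # a numeric segment always beats an alpha one
            return 1 if xnum else -1
        if xnum:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
        i += 1
        j += 1
    return 0


def parse_nevra(s):
    """Split 'name-version-release.arch[.rpm]' into its parts.
    Advisory file names carry no epoch, so epoch defaults to 0 (a simplification)."""
    if s.endswith('.rpm'):
        s = s[:-4]
    nvr, arch = s.rsplit('.', 1)
    name, version, release = nvr.rsplit('-', 2)   # '-' is illegal in V and R
    return {'name': name, 'epoch': 0, 'version': version,
            'release': release, 'arch': arch}


def evrcmp(p, q):
    """Full epoch:version-release comparison of two parsed packages."""
    if p['epoch'] != q['epoch']:
        return 1 if p['epoch'] > q['epoch'] else -1
    c = rpmvercmp(p['version'], q['version'])
    return c or rpmvercmp(p['release'], q['release'])


def missing_updates(installed, advisory):
    """(name, arch, installed V-R, advisory V-R) for every advisory package that is
    installed at an older version. Packages not installed at all do not apply."""
    have = {(p['name'], p['arch']): p for p in map(parse_nevra, installed)}
    out = []
    for fn in advisory:
        adv = parse_nevra(fn)
        cur = have.get((adv['name'], adv['arch']))
        if cur is not None and evrcmp(cur, adv) < 0:
            out.append((adv['name'], adv['arch'],
                        f"{cur['version']}-{cur['release']}",
                        f"{adv['version']}-{adv['release']}"))
    return out


def installed_from_rpm():
    """Real query for a live system, in the same name-version-release.arch shape."""
    fmt = '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n'
    out = subprocess.run(['rpm', '-qa', '--qf', fmt],
                         check=True, capture_output=True, text=True).stdout
    return out.split()


# Constructed data: an `rpm -qa` style listing and a CESA-style package list.
INSTALLED = ['foo-1.2.3-4.el5.x86_64', 'bar-2.0-1.el5.x86_64', 'baz-0.5-3.el5.noarch']
ADVISORY = ['foo-1.2.3-5.el5_4.x86_64.rpm', 'foo-1.2.3-5.el5_4.i386.rpm',
            'bar-2.0-1.el5.x86_64.rpm', 'qux-3.1-2.el5.x86_64.rpm']

if __name__ == '__main__':
    for name, arch, cur, adv in missing_updates(INSTALLED, ADVISORY):
        print(f'{name}.{arch}: installed {cur}, advisory has {adv}')
```

Two caveats a practitioner should keep in mind: a real check has to honour the epoch (query `%{EPOCH}` from rpm and read it from the advisory's package metadata rather than the file name), and the comparison says nothing about whether the running kernel or a long-lived daemon has actually been restarted since the newer package went in, which is exactly the gap Geoff draws between "patch installed" and "vulnerability closed".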