On Mon, Nov 27, 2006 at 08:37:42PM +0100, mario wrote: > Do you have a strategy or anything to automate this task a little more? > The server farm is growing and i might have to look after 20 or 30 > installations soon. I can already see myself updating ubuntu/debian > installations all day long :(.
Let me throw some ideas around... If your installation where slightly bigger (maybe 100 systems) I would suggest you invest your time working with OVAL [1] and CVE [2]: a) deploy an OVAL agent at the nodes with apt-capabilities b) have a central OVAL server send new signatures to nodes so they can tell you wether they are vulnerable or not (and need to have a DSA applied or not) c) priorise work based on the severity of the vulnerability (you can use both NIST's CVE DB [1] and the priorities set by the Debian Testing Security team in their tracker for this) d) request systems to update with a patch (remote ssh connection will do for this) Unfortunately, a) is not yet possible. I have working OVAL agents for Debian (i.e. they compile) but have not had the time yet to write an adapter for Apt (shouldn't be too difficult). I'm trying to finish the DSA to OVAL xml signature converter so that generating xml signatures from the DSAs published at the website will be a breeze, but I have not yet finished with that. Any help with that would be appreciated. The only thing I can find close to that is to use Nessus with "Local Security Checks" and use the feed which provides tests for Debian vulnerabilities (I believe this is possible with the free feed, but maybe they have changed it). This is hardly optimal as it requires the systems to be live in the network when you are 'scanning it'. You can also do it by hand, if you are so inclined: a) have the systems send you their status files when they are online to a central system b) have a central system pick up those files and compare that information with a database of known vulnerabilites in Debian c) priorise the systems and vulnerabilities based on the above criteria d) have the central system ask the other systems to install the patch from security.debian.org (or your local repository) based on c) The first two parts of that (by-hand) solution are already written in the scripts provided by Tiger (check the package source: systems/Linux/deb_checkadvisories and systems/Linux/2/update_advisories) Unfortunately, nobody has written off a free "enterprise patch management" for Debian. There are non-free commercial alternatives you can easily find, but I'm not going to publitize them in this mailing list (contact me in private if you are desperate looking for one). Regards Javier [1] http://oval.mitre.org [2] http://cve.mitre.org [1] Formerly ICAT, now it's the National Vulnerability Database
signature.asc
Description: Digital signature
