Is there a tool similar to FreeBSD's portaudit? Something that will report packages that have known vulnerabilities.
Thanks.
J
Jaigh Jaddo wrote:
Is there a tool similar to FreeBSD's portaudit? Something that will report packages that have known vulnerabilities.
Someone may well have a better answer, but... you can look at: http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/?root=fedora
$ cvs -d:pserver:anonymous@cvs.fedora.redhat.com:/cvs/fedora co \
      fedora-security/audit
will pull it locally where you could parse it for things you're interested in.
You might get a better answer on the fedora-security list:
https://www.redhat.com/mailman/listinfo/fedora-security-list
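One way to do the local parsing suggested above: check the installed RPM set against an audit list and print only the entries that apply to this box. This is an added example, not code from the thread or from the fedora-security project. It assumes an audit line shape of `CVE-ID STATUS (package[, fixed VERSION-RELEASE]) [notes]` with `ignore` meaning "not applicable" (an approximation of the style of those files; adjust `AUDIT_LINE` and `SKIP_STATUSES` after looking at the real file), and it uses a simplified reimplementation of RPM's version comparison rather than the rpm library. The sample audit lines (placeholder CVE numbers) and the installed-package table are constructed so the script runs offline; with a file path argument it queries `rpm -qa` instead.

```python
"""Report installed RPMs that an audit list marks as affected.

Assumed audit line format (an approximation, adjust AUDIT_LINE to the real file):
    CVE-YYYY-NNNN STATUS (package[, fixed VERSION-RELEASE]) [free text]
"""
import re
import subprocess
import sys

AUDIT_LINE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<status>\S+)\s+"
    r"\((?P<pkg>[^,)]+?)\s*(?:,\s*fixed\s+(?P<fixed>[^)]+))?\)"
)
SKIP_STATUSES = {"ignore"}  # assumption: 'ignore' means not applicable here


def _segments(s):
    """Split a version string into the digit runs and letter runs RPM compares."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified RPM version comparison (no tilde/caret handling):
    digit runs compare numerically, letter runs lexically, a digit run beats a
    letter run, and the longer string wins when one is a prefix of the other.
    Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_evr(evr):
    """'[EPOCH:]VERSION[-RELEASE]' -> (epoch, version, release or None)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.rpartition("-")
    if not version:  # no '-' at all: rpartition left everything in 'release'
        version, release = release, None
    return epoch, version, release or None


def evrcmp(a, b):
    """Compare two EVR strings; if either side lacks a release, only epoch and version count."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = rpmvercmp(va, vb)
    if c != 0 or ra is None or rb is None:
        return c
    return rpmvercmp(ra, rb)


def parse_audit(text):
    """Yield (cve, status, pkg, fixed_evr_or_None) for each line matching AUDIT_LINE."""
    for line in text.splitlines():
        m = AUDIT_LINE.match(line.strip())
        if m:
            fixed = m.group("fixed")
            yield m.group("cve"), m.group("status"), m.group("pkg").strip(), (fixed.strip() if fixed else None)


def parse_rpm_qa(output):
    r"""Parse 'NAME EPOCH:VERSION-RELEASE' lines as printed by
    rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' ('(none)' = no epoch)."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            name, evr = parts
            if evr.startswith("(none):"):
                evr = evr[len("(none):"):]
            installed[name] = evr
    return installed


def audit_installed(audit_text, installed):
    """Return [(cve, pkg, installed_evr, status, fixed_evr)] for installed packages
    that are older than the listed fix, or for which no fix is listed yet."""
    findings = []
    for cve, status, pkg, fixed in parse_audit(audit_text):
        if status in SKIP_STATUSES or pkg not in installed:
            continue
        inst = installed[pkg]
        if fixed is None or evrcmp(inst, fixed) < 0:
            findings.append((cve, pkg, inst, status, fixed))
    return findings


# Constructed sample input: placeholder CVE numbers and package names, not real advisories.
SAMPLE_AUDIT = """\
CVE-0000-0001 VULNERABLE (foo, fixed 1.2.3-4) example note
CVE-0000-0002 version (bar, fixed 2.0-1)
CVE-0000-0003 ignore (baz) not applicable here
CVE-0000-0004 VULNERABLE (qux)
CVE-0000-0005 VULNERABLE (notinstalled, fixed 9-9)
"""
SAMPLE_INSTALLED = {"foo": "1.2.3-3", "bar": "2.0-1", "baz": "0.1-1", "qux": "5.0-2"}


def main(argv):
    """Usage: script.py [AUDIT-FILE]; with no argument it runs on the constructed sample."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            text = f.read()
        out = subprocess.run(["rpm", "-qa", "--qf", "%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n"],
                             capture_output=True, text=True, check=True).stdout
        installed = parse_rpm_qa(out)
    else:
        text, installed = SAMPLE_AUDIT, SAMPLE_INSTALLED
    for cve, pkg, inst, status, fixed in audit_installed(text, installed):
        fix = f"fixed in {fixed}" if fixed else "no fixed version listed yet"
        print(f"{cve}: {pkg}-{inst} is {status} ({fix})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample this reports foo (installed release older than the fix) and qux (affected, no fix listed), and stays quiet about bar (already at the fixed EVR) and baz (status ignore). Entries with no fixed version are the ones worth watching: that is the "known but not yet fixed" case, where the only options are mitigation or disabling the service.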
On Friday, 3 August 2007 07:48, Jaigh Jaddo wrote:
Is there a tool similar to FreeBSD's portaudit? Something that will report packages that have known vulnerabilities.
Thanks.
J
As far as I know there isn't. It's exactly what RHN does.
Cheers, Manuel
Jaigh Jaddo writes:
Is there a tool similar to FreeBSD's portaudit? Something that will report packages that have known vulnerabilities.
No. For the simple reason that a known vulnerability results in an updated package. If you want to make sure that you're not running any known vulnerability, run "yum update".
Sam Varshavchik wrote:
Jaigh Jaddo writes:
Is there a tool similar to FreeBSD's portaudit? Something that will report packages that have known vulnerabilities.
No. For the simple reason that a known vulnerability results in an updated package. If you want to make sure that you're not running any known vulnerability, run "yum update".
There can be known vulnerabilities that are not fixed yet. I thought that was what Jaigh was asking about, and this is the sort of info that's in the fedora-security/audit files.
There are several reasons for this.
1. Clearly there can be vulnerabilities that have not been fixed yet, or have been fixed and there has not been a package created yet. In this case I would assess my risk and disable the vulnerable service as needed.
2. I am running a large enterprise and cannot risk upgrading packages unless there is a clear reason to do so (i.e. a security vulnerability). Doing a global yum update is risky for the enterprise. It is fine at home.
Thanks to all for the replies.
JJ
On Aug 3, 2007, at 7:13 AM, Todd Zullinger wrote:
Jaigh Jaddo wrote:
There are several reasons for this.
- Clearly there can be vulnerabilities that have not been fixed yet, or have been fixed and there has not been a package created yet. In this case I would assess my risk and disable the vulnerable service as needed.
- I am running a large enterprise and cannot risk upgrading packages unless there is a clear reason to do so (i.e. a security vulnerability). Doing a global yum update is risky for the enterprise. It is fine at home.
With that in mind, I have a few other suggestions and comments. Fedora may not be the most suitable OS for such a situation. RHEL or CentOS would seem like better candidates. Perhaps you have a need for newer software though.
You may want to check out the yum-security and yum-changelog plugins, which may help you in determining which updates you want to apply. You can also filter the fedora-package-announce list for security related updates.
On Fri, 2007-08-03 at 15:57 -0400, Todd Zullinger wrote:
You can also filter the fedora-package-announce list for security related updates.
In addition to that mailing list, you could also subscribe to http://secunia.com/secunia_security_advisories/
--Tim
With that in mind, I have a few other suggestions and comments. Fedora may not be the most suitable OS for such a situation. RHEL or CentOS would seem like better candidates. Perhaps you have a need for newer software though.
I would second that.
If you really are more interested in a stable platform with only important security updates, then Fedora really isn't for you. Fedora stays as close to upstream as possible, and frequently (in fact most often, I would say) updates are not security related, just package updates. Occasionally things get broken by this fast turnover.
It sounds like you should look at a more stable distro like CentOS or Scientific Linux (free RHEL clones without the service agreements) as perhaps being more suitable to your needs. SL5 is now out and, whilst not quite as new and funky as Fedora 7, is still fairly up to date.
Chris