Determining vulnerability to issues described by SAs
freebsd-security at auscert.org.au
freebsd-security at auscert.org.au
Wed Jul 5 15:17:45 UTC 2006
Hi Colin,
On Fri, 30 Jun 2006 20:13:44 -0700, Colin Percival wrote:
>Dolan- Gavitt, Brendan F. wrote:
>> I've been trying for the past few days to come up with a method for
>> checking a FreeBSD system to see if it is vulnerable to an issue
>> described by a FreeBSD security advisory in some automated way [...]
This is an issue I also have given some thought to.
...
>> I'm fairly new to FreeBSD, so I may just be missing something
>> here--is there a reliable way to determine if a system is patched
>> according to a particular security advisory?
>
>In short, no. If you have any ideas, let me know. :-)
I've been canonically rebuilding my systems for each patch (or at least
every time a vulnerability affects my hosts) to cover this very issue,
even if a rebuild isn't strictly necessary.
In addition to this, however, I usually generate an mtree file from a
pre-production installation so that I can compare any given build with
running systems to identify changes, such as those occurring as a result
of patching - kind of like a base 'tripwire', in fact. Would this be a
solution? Each advisory could come with a custom mtree file that covers
the affected files explicitly and/or another mtree file that covers the
files for this patch _and_ for all previous patches up to that point; you
could name the mtree after the patchlevel eg RELENG_5_3.mtree.p31 - this
should work, regardless of how the patch was applied as the end result is
(almost?) always the same at the binary level.
regards,
-- Joel Hatton --
Infrastructure Manager | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
More information about the freebsd-security
mailing list