tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: audit-packages/download-vulnerability-list integration?

>> idea. Think about systems which are not allowed to be modified or
>> what if every new installation connects to a server for getting it at
>> the same time. Or what if such systems have no packagea at all installed.


> If NetBSD ships with obvious security features that are switched off by 
> default, people will not be happy when they get hacked in a way that the 
> could have been prevented. The question shouldn't be be "should we turn 
> these features on?", but "how do we turn them on without annoying 
> people?".

That'll become more diffcult :) From an administrators point of view I
would like to see prepared configuration settings for this. Hubert
mentioned daily.conf as a way to include these features.

Here are my thoughts of this (admin view):

1.) Updating the vuln file

As I am the admin of the server I know if this server is connected
to the internet and if the vuln list should be downloaded on a daily
basis from TNF or if I want to set up an internal infrastructure with a
mirror for this file.
At my site we run 6 servers with pkgsrc packages installed (no NetBSD
tho) and I want to mirror the vuln file internally as 5 servers can't
access directly.
I also want to set up an automatic check with gpg so that I know if this
file is correctly signed or not.

2.) Checking the packages

I don't want this on any server. I am using a central server with all
the needed packages installed on. So if this server has vulnerable
packages on, all the other server will be vulnerable, too. So I just
want to check only one server.

3.) Load for TNF

That's a problem - true. I like the idea of randomness. We should add a
"splay" time so that not every client in a timezone nails
with requests at the same time. What about some dns magic for that? We
could set up a round-robin dns for the mirrors so that the vuln file
will be requested for a set of mirrors.

My conclusions:

I like the idea for the automatic download and the automatic check for
vulnerabilties. Howver, I would like to see them as tasks for daily.conf
and disabled but well configured by default.
Leave the decision if a NetBSD installation is checked by the admin of
the system.

- Uli

Attachment: pgpxmEsRFqa9t.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index