Wednesday, December 18, 2013

Inject a little security into your CentOS repositories

There are many aspects to securing a network, and many articles, essays, and books have been written on the topic. One item on any security checklist is updating vulnerable system packages. Every operations person deals with this, and there are many tools at your disposal to make the job more manageable.

If you're using CentOS, you can leverage Redhat's spacewalk project. However, this will do more than just track errata. Spacewalk will also inventory your hardware and software, install software, provision servers and take care of some monitoring. If that suits your use-case, then spacewalk could be the option for you.

Steve Meier of the CEFS project has made the process of tracking CentOS errata via spacewalk very easy and free. He provides a parsed errata.xml file generated from the centos-announce mailing lists, along with the scripts you need to import them into your spacewalk server.

However, not everyone wants to run spacewalk. There are many reasons this may be the case. If you are one of these people, you're left with tracking the centos-announce mailing list using your own processes.

We'd like to present another option. What if we want to leverage the power of yum to tell us when a package needs to be updated? We can do this by installing the yum-plugin-security package. That gets you one step closer, but the CentOS repositories do not ship an updateinfo.xml file containing the errata data that the plugin relies on.

This is where we got the idea to leverage the CEFS project data and make use of the updateinfo.xml mechanism. All we needed to do was convert the errata.xml data into the updateinfo.xml format and inject it into the applicable CentOS repositories.
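To show what that conversion involves, here is a small converter written for this post as an added example; it is not the VM Farms generate_updateinfo.py and not CEFS code. It assumes an errata.xml layout like the constructed SAMPLE_ERRATA below (one child element per advisory, package filenames in <packages> children, the target release in <os_release>), and it writes advisory ids in the CESA-2013:1764 style; both are assumptions to check against the real errata.latest.xml. An advisory whose type it does not recognise makes it fail rather than emit a guessed type, because a security advisory silently labelled as something else would never show up in yum security-list.

```python
"""Convert a CEFS-style errata.xml into a yum updateinfo.xml (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample input, shaped like the CEFS errata.xml (assumed layout).
SAMPLE_ERRATA = """\
<opt>
  <CESA-2013--1764 type="Security Advisory" severity="Moderate"
      from="centos-announce@centos.org" issue_date="2013-11-26 21:30:17"
      synopsis="Moderate CentOS 6 ruby Update"
      references="https://rhn.redhat.com/errata/RHSA-2013-1764.html"
      description="Updated ruby packages that fix one security issue.">
    <os_release>6</os_release>
    <packages>ruby-1.8.7.352-13.el6.x86_64.rpm</packages>
    <packages>ruby-libs-1.8.7.352-13.el6.x86_64.rpm</packages>
  </CESA-2013--1764>
  <CESA-2013--1806 type="Security Advisory" severity="Important"
      from="centos-announce@centos.org" issue_date="2013-12-04 16:29:01"
      synopsis="Important CentOS 6 samba Update"
      references="https://rhn.redhat.com/errata/RHSA-2013-1806.html"
      description="Updated samba packages that fix two security issues.">
    <os_release>6</os_release>
    <packages>samba-common-3.6.9-167.el6_5.x86_64.rpm</packages>
  </CESA-2013--1806>
  <CEBA-2013--1234 type="Bug Fix Advisory" severity="" from="centos-announce@centos.org"
      issue_date="2013-12-01 00:00:00" synopsis="CentOS 5 foo Update"
      references="" description="Bug fix.">
    <os_release>5</os_release>
    <packages>foo-1.0-1.el5.i386.rpm</packages>
  </CEBA-2013--1234>
</opt>
"""

# The update types yum-plugin-security understands.
ADVISORY_TYPES = {
    "Security Advisory": "security",
    "Bug Fix Advisory": "bugfix",
    "Product Enhancement Advisory": "enhancement",
}


def advisory_id(tag):
    """Element name 'CESA-2013--1764' -> 'CESA-2013:1764' (assumed id style)."""
    return tag.replace("--", ":")


def split_nevra(filename):
    """'ruby-libs-1.8.7.352-13.el6.x86_64.rpm' -> (name, version, release, arch).

    rsplit keeps hyphens inside the package name; a filename without the two
    version separators is rejected instead of being guessed at.
    """
    stem = filename[:-4] if filename.endswith(".rpm") else filename
    stem, arch = stem.rsplit(".", 1)
    parts = stem.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError("not a name-version-release.arch filename: %s" % filename)
    name, version, release = parts
    return name, version, release, arch


def convert(errata_xml, release):
    """Return an <updates> element with every advisory for the given os_release."""
    root = ET.fromstring(errata_xml)
    updates = ET.Element("updates")
    for adv in root:
        if release not in [r.text.strip() for r in adv.findall("os_release")]:
            continue
        kind = adv.get("type", "")
        if kind not in ADVISORY_TYPES:
            raise ValueError("unknown advisory type %r on %s" % (kind, adv.tag))
        aid, title = advisory_id(adv.tag), adv.get("synopsis", "")
        upd = ET.SubElement(updates, "update", {
            "from": adv.get("from", ""), "status": "final",
            "type": ADVISORY_TYPES[kind], "version": "1"})
        ET.SubElement(upd, "id").text = aid
        ET.SubElement(upd, "title").text = title
        if adv.get("severity"):
            ET.SubElement(upd, "severity").text = adv.get("severity")
        issued = adv.get("issue_date", "")
        ET.SubElement(upd, "issued", {"date": issued})
        ET.SubElement(upd, "updated", {"date": issued})
        refs = ET.SubElement(upd, "references")
        for href in adv.get("references", "").split():
            ET.SubElement(refs, "reference",
                          {"href": href, "id": aid, "title": title, "type": "self"})
        ET.SubElement(upd, "description").text = adv.get("description", "")
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection",
                             {"short": "CentOS-" + release})
        ET.SubElement(coll, "name").text = "CentOS " + release
        for pkg in adv.findall("packages"):
            filename = (pkg.text or "").strip()
            name, version, rel, arch = split_nevra(filename)
            p = ET.SubElement(coll, "package", {"name": name, "version": version,
                                                "release": rel, "epoch": "0", "arch": arch})
            ET.SubElement(p, "filename").text = filename
    return updates


def summarize(updates):
    """(id, type, [filenames]) per update, for a quick review of what was generated."""
    return [(u.findtext("id"), u.get("type"), [f.text for f in u.iter("filename")])
            for u in updates.findall("update")]


def to_xml(updates):
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(updates, encoding="unicode")


if __name__ == "__main__":
    # Usage: python convert_errata.py errata.latest.xml 6 > updateinfo.xml
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(to_xml(convert(fh.read(), sys.argv[2])))
```

Redirect the output to a file and hand that file to modifyrepo exactly as in the Usage section; summarize() is a convenient way to eyeball which advisories and packages ended up in the file before you publish it.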

VM Farms would like to announce the public release of a utility that lets anyone generate the updateinfo.xml errata files for insertion into their CentOS repositories. Please visit our public repository to download a copy and start scanning.

Usage

The following example illustrates how you would use this for a CentOS 6 repo. It assumes you have set BUILD_PREFIX=/security and that your CentOS-6-Updates directory lives under /repositories/.

wget -q -N -P/security http://cefs.steve-meier.de/errata.latest.xml

generate_updateinfo.py /security/errata.latest.xml

/usr/bin/modifyrepo /security/updateinfo-6/updateinfo.xml /repositories/CentOS-6-Updates/repodata

Now that your repos have the data they need, you can install the yum-plugin-security package and make use of it like so:

yum install yum-plugin-security

yum security-list

Loaded plugins: changelog, fastestmirror, security
Loading mirror speeds from cached hostfile
CentOS-6-OS                                                 | 1.2 kB     00:00
CentOS-6-Updates                                            | 1.2 kB     00:00

CESA_2013__1764        security    ruby-1.8.7.352-13.el6.x86_64
CESA_2013__1764        security    ruby-irb-1.8.7.352-13.el6.x86_64
CESA_2013__1764        security    ruby-libs-1.8.7.352-13.el6.x86_64
CESA_2013__1764        security    ruby-rdoc-1.8.7.352-13.el6.x86_64
CESA_2013__1806        security    samba-client-3.6.9-167.el6_5.x86_64
CESA_2013__1806        security    samba-common-3.6.9-167.el6_5.x86_64
CESA_2013__1806        security    samba-winbind-3.6.9-167.el6_5.x86_64
CESA_2013__1806        security    samba-winbind-clients-3.6.9-167.el6_5.x86_64

10 comments:

  1. Wow thanks for making this! It's a great tool!
  2. This comment has been removed by the author.
  3. This blog talks about the local repository. Any help on how to do it using an internet repository?
    Replies
    1. Hi 007,

      This technique will only work when housing a local repository so you can inject those XML files. You may be able to do some research and circumvent the need to house all the RPMs by using a local cobbler repository that doesn't mirror the RPMs but holds repo-metadata, but that's outside the scope of the project and left up to the reader as a cool exercise. Thanks for showing interest!
  4. Hello - thank you all for your work on this. It has been a big help so far. I have a couple of questions for you in relation to its use that might help others too. In the configuration variables within the script I have used RELEASES = ['6','other'], which produces two updateinfo.xml files, one for each directory that is built, i.e. updateinfo-6 & updateinfo-other. For my local repo I have run the modifyrepo command for the updateinfo-6/updateinfo.xml against my local CentOS Updates repo directory. But what happens with the updateinfo-other/updateinfo.xml? Which local repo channel do I modify with that one?

    Apologies in advance if I've not understood something simple! :)
    Replies
    1. No apologies necessary. I'll adjust the README to add a bit of clarity. The "other" repo is there for anything that doesn't match the particular numbered repos you're tracking. It's a repo that should remain there, but you don't have to use it. It's there for debugging and legacy purposes.
  5. Hi,

    I'm very new to this and need a lot of help...

    How do you guys run the command below?
    generate_updateinfo.py /security/errata.latest.xml
  6. Hello, I really need your script, but when I run
    wget -q -N -P/security http://cefs.steve-meier.de/errata.latest.xml
    I am getting
    [root@localhost Desktop]# ./generate_updateinfo.py /security/errata.latest.xml
    ./generate_updateinfo.py: line 5: syntax error near unexpected token `newline'
    ./generate_updateinfo.py: line 5: `'

    What am I missing, and where should I put
    BUILD_PREFIX=/security
    Do you mean an environment variable?
    Replies
    1. This comment has been removed by the author.
  7. Security personals are selected in such incredible extent that they have dwarfed the police authorities, and with all the most recent innovation consolidated in their grasp alongside the analyst preparing given to them, they are a top rivalry for the cops in clutching the position of in control for security.
    How to remove fb virus