Security – Patch management on multiple systems

Tags: security, unix, update

I'm in charge of auditing the security configuration of an important farm of Unix servers. So far, I have come up with a way to assess the basic configuration but not the installed updates.

  • The very problem here is that I just can't trust the package management tools on those machines. Indeed, some of them did not sync with the repository for a long time (so I can't do a "yum check-update" on Red Hat, for example). Some of those servers are not even connected to the internet and use a company repository.

  • Another problem is that I have multiple target systems: AIX, Debian, Centos/Redhat, etc… So the version could be different (AIX) and the tools available will be different.

  • And, last but not least, I can't install anything on the target system. So I need to use a script to retrieve the information and either process it directly or save the information to be able to process it later on a server (which may happen to run a different distribution than the one on which the information has been retrieved).

The best ideas I could come up with were:

  • either retrieve the list of installed packages on the machine (dpkg -l, for example, on Debian) and process it on a dedicated server (directly parsing the "Packages" file of Debian repositories). Still, the problem remains the same for AIX and Red Hat…

  • or use Nessus' scripts to assess vulnerability on the installed packages, but I find this a bit dirty.

Does anyone know any better/more efficient way of doing this?

P.S: I already took time to review some answers to similar problems. Unfortunately Chef, puppet, … don't meet the requirements I have to meet.

Edit:
Long story short: I need to have the list of missing updates on a Unix system, just like MBSA on Windows. I'm not authorized to install anything on this system as it's not mine. All I have are scripting languages.

Thanks.
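The first idea in the question (dump the installed package list on the target, compare it offline against the repository's "Packages" index) can be done with nothing but a scripting language on the collection server. The following is an added example, not code from the question's author; it assumes the target's `dpkg -l` output and the mirror's `Packages` file are copied to the analysis machine as text, and it embeds constructed samples of both (the package names and version strings are made up for illustration). The only non-trivial piece is the Debian version comparison (epoch, upstream version, revision, with `~` sorting before everything and letters before other characters, as in deb-version(5)); a plain string comparison would get cases like `2.9` vs `2.10` wrong. RPM and AIX `lslpp` output need their own parsers and version rules, which this example does not cover.

```python
import re

# --- constructed sample input: `dpkg -l` captured on a target (not real data) ---
DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=================================
ii  bash           4.3-11         amd64        GNU Bourne Again SHell
ii  openssl        1.0.1k-3       amd64        Secure Sockets Layer toolkit
ii  libc6:amd64    2.19-18        amd64        GNU C Library: Shared libraries
rc  oldtool        0.1-1          amd64        removed, config files remain
"""

# --- constructed sample input: excerpt of a repository `Packages` index (not real data) ---
PACKAGES = """\
Package: bash
Version: 4.3-11
Architecture: amd64

Package: openssl
Version: 1.0.1k-3
Architecture: amd64

Package: openssl
Version: 1.0.1t-1
Architecture: amd64

Package: libc6
Version: 2.19-18+deb8u1
Architecture: amd64
"""


def _order(c):
    """Ordering of non-digit characters: '~' < end of string < letters < everything else."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs; a missing character counts as 'end of string' (0)."""
    for i in range(max(len(a), len(b))):
        ac = _order(a[i]) if i < len(a) else 0
        bc = _order(b[i]) if i < len(b) else 0
        if ac != bc:
            return -1 if ac < bc else 1
    return 0


def _cmp_part(a, b):
    """Compare upstream versions or revisions: alternate non-digit and numeric chunks."""
    while a or b:
        am, bm = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp_nondigit(am.group(), bm.group())
        if r:
            return r
        a, b = a[am.end():], b[bm.end():]
        am, bm = re.match(r"\d*", a), re.match(r"\d*", b)
        an, bn = int(am.group() or 0), int(bm.group() or 0)
        if an != bn:
            return -1 if an < bn else 1
        a, b = a[am.end():], b[bm.end():]
    return 0


def _split(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_cmp(v1, v2):
    """Return <0, 0, >0 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


def parse_dpkg_list(text):
    """Installed (status 'ii') packages from `dpkg -l` output; arch suffix stripped."""
    installed = {}
    for line in text.splitlines():
        if line.startswith("ii "):
            fields = line.split()
            installed[fields[1].split(":")[0]] = fields[2]
    return installed


def parse_packages_file(text):
    """Highest version per package name from a Debian `Packages` index."""
    available = {}
    for stanza in re.split(r"\n\s*\n", text):
        name = version = None
        for line in stanza.splitlines():
            if line.startswith("Package:"):
                name = line.split(":", 1)[1].strip()
            elif line.startswith("Version:"):
                version = line.split(":", 1)[1].strip()
        if name and version and (name not in available or deb_version_cmp(version, available[name]) > 0):
            available[name] = version
    return available


def find_missing_updates(dpkg_output, packages_file):
    """Map package -> (installed, available) for every package the index has a newer version of."""
    installed = parse_dpkg_list(dpkg_output)
    available = parse_packages_file(packages_file)
    return {name: (ver, available[name]) for name, ver in installed.items()
            if name in available and deb_version_cmp(available[name], ver) > 0}


if __name__ == "__main__":
    for name, (have, want) in sorted(find_missing_updates(DPKG_L, PACKAGES).items()):
        print(f"{name}: installed {have}, available {want}")
```

With the sample data this reports openssl and libc6 as behind the index and leaves bash alone; the removed-but-not-purged `rc` entry is ignored because only `ii` lines count as installed. In practice you would feed it the real `dpkg -l` capture and the `Packages` file of the suite the machine is pinned to, one run per host, and the same "collect on target, compare on server" split keeps the target untouched, which is the constraint the question sets.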

Best Answer

It is common to have some sort of proxy cache service acting as an intermediary between the upstream repositories and the target machines. It helps to save bandwidth and makes deployments faster. In the RHEL/CentOS world that would be Spacewalk, in Debian and derivatives a debmirror, and in the AIX world possibly a NIM server.

Given the absence of Ruby for AIX (some ports do exist, though), the appropriate configuration management for your environment would be CFEngine. If that looks like overkill, you can also try Ansible, which only requires Python. And there is Python even for AIX.

It is also common and even expected that the versions, name of the services, name of the packages, etc... differ from platform to platform. You need to deal with separating data and code. If a mature configuration management system does not meet your requirements, I seriously doubt that a bunch of home-brewed scripts will.

The third requirement: "I can't install anything on the target system..." is not clear at all, and seems to be in conflict with the fact that you are using private repositories.

Last but not least, managing packages is only 1% of the tasks you need to perform in order to secure and audit your systems.