SECURITY Getting GLSAs by Email
From Gentoo Linux Wiki
Abstract
This document outlines a method for receiving regular email notifications of the Gentoo Linux Security Advisories (GLSAs) that apply to the specific packages you have installed.
The Problem
GLSAs were created as a means of informing administrators which packages have security issues associated with them, and how to update or otherwise fix those problems. The problem is that there is currently no way to receive notifications, by email or otherwise, about the security issues that affect your specific package set.
Steps
Create the file /usr/local/bin/glsa.sh:
File: /usr/local/bin/glsa.sh
#!/bin/bash
# Report (or mail) the GLSAs that still apply to the packages installed on this host.
E_OPTERROR=65
MailReport=0
MailTo="${USER}@$(domainname -d)"
MailFrom="${USER}@$(domainname -d)"
# mktemp creates unpredictable, mode-0600 files; fixed names such as
# /tmp/.glsa-check-<timestamp>.<pid> could be pre-created by another local user.
TMPLOG="$(mktemp /tmp/.glsa-check.XXXXXX)" || exit 1
TMPDATA="$(mktemp /tmp/.glsa-check-data.XXXXXX)" || exit 1
# Remove the temporary files on any exit; KILL cannot be trapped, so it is not listed.
trap 'rm -f "${TMPLOG}" "${TMPDATA}"' EXIT
trap 'exit 1' TERM INT HUP

usage() {
    echo "Usage: $(basename "$0") [-h] [-m [-t <to email>] [-f <from email>]]"
    echo " -m: Mail Report (automatically turned on if -t or -f are used)"
    echo " -t: Email address to mail report to (default: ${USER}@$(domainname -d))"
    echo " -f: Email address to use as the From address (default: ${USER}@$(domainname -d))"
    echo " -h: This help stuff :-)"
}

# validAddress ADDR: succeed if ADDR looks like user@host.domain
validAddress() {
    echo "$1" | grep -qP '^[A-Za-z0-9_.-]+@([a-zA-Z0-9]+\.)+[a-zA-Z0-9]+'
}

generateReport() {
    local counter advisory total line
    # Keep only advisories glsa-check marks [N]: they affect installed packages and are not yet applied.
    /usr/bin/glsa-check --nocolor --list 2>&1 | grep -E '^[0-9-]+ \[N' > "${TMPDATA}"
    # Nothing to report: leave quietly (the EXIT trap removes the temporary files).
    if [ -z "$(tr -d '\n\r ' < "${TMPDATA}")" ]; then
        exit 0
    fi
    total=$(wc -l < "${TMPDATA}")
    {
        counter=0
        echo "Current Relevant Security Advisories:"
        echo "-------------------------------------"
        echo
        echo "Summary:"
        echo "--------"
        echo
        while read -r line; do
            # "200501-01 [N] Title ( category/pkg )"  ->  "(GLSA 200501-01) Title "
            advisory="$(echo "${line}" | perl -pe 's/^([0-9-]+)[^\]]+\] ([^(]+).*/(GLSA $1) $2/')"
            counter=$((counter + 1))
            echo "${counter} - ${advisory}"
        done < "${TMPDATA}"
        echo
        echo "Full text listing:"
        echo "------------------"
        echo
        counter=0
        # The first field of each line is the advisory id.
        for advisory in $(cut -d' ' -f1 "${TMPDATA}"); do
            counter=$((counter + 1))
            echo -en "${counter} - "
            /usr/bin/glsa-check --dump "${advisory}" 2>/dev/null
        done
    } > "${TMPLOG}"
    if [ "${MailReport}" -eq 1 ]; then
        # -a "From: ..." adds a header with bsd-mailx; heirloom-mailx and s-nail use -a for
        # attachments and -r for the sender, so adjust this line if your mailx differs.
        mail -a "From: ${MailFrom}" -s "$(uname -n) Security Advisories (${total} package(s))" "${MailTo}" < "${TMPLOG}"
    else
        cat "${TMPLOG}"
    fi
}

while getopts "hmt:f:" Option; do
    case ${Option} in
        m) MailReport=1 ;;
        t)
            MailTo="${OPTARG}"
            MailReport=1
            if ! validAddress "${MailTo}"; then
                echo
                echo "Invalid (-t) Mail To address '${MailTo}' !!"
                echo
                usage
                exit ${E_OPTERROR}
            fi
            ;;
        f)
            MailFrom="${OPTARG}"
            MailReport=1
            if ! validAddress "${MailFrom}"; then
                echo
                echo "Invalid (-f) Mail From address '${MailFrom}' !!"
                echo
                usage
                exit ${E_OPTERROR}
            fi
            ;;
        h | *)
            usage
            exit 1
            ;;
    esac
done
shift $((OPTIND - 1))
generateReport
exit 0
Make sure the script is executable:
chmod ug+x /usr/local/bin/glsa.sh
Create a cron job that runs it at five minutes past midnight every night:
File: crontab
5 0 * * * /usr/local/bin/glsa.sh -t noc@somewhere.com -f glsa@somewhere.com
Warning: Schedule this script (via cron) to run after your weekly, daily or otherwise regular emerge sync; otherwise it works from a stale GLSA index and cannot give you accurate advisory information.
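A freshness guard for that caveat, added here as an example rather than code from the wiki page: it runs the report only when the local GLSA index has been updated recently, so a missed sync produces a cron failure mail instead of a misleading empty report. The index location (/var/db/repos/gentoo/metadata/glsa on current installs, /usr/portage/metadata/glsa on older ones) and the 25-hour limit are assumptions, not from the page.

```shell
#!/bin/bash
# Guard for the cron job: only run glsa.sh when the GLSA index is fresh.
# Assumed index location (not stated on the wiki page); override with GLSA_DIR.
GLSA_DIR="${GLSA_DIR:-/var/db/repos/gentoo/metadata/glsa}"
MAX_AGE_MIN="${MAX_AGE_MIN:-1500}"   # 25 hours: tolerates a daily sync that runs a little late

# glsa_index_fresh DIR MAX_AGE_MINUTES
# Succeeds (0) if DIR holds at least one glsa-*.xml modified within the limit,
# fails (1) when the directory is missing, empty, or everything in it is older.
glsa_index_fresh() {
    local dir="$1" max_min="$2" recent
    [ -d "${dir}" ] || return 1
    recent="$(find "${dir}" -maxdepth 1 -name 'glsa-*.xml' -mmin "-${max_min}" | head -n 1)"
    [ -n "${recent}" ]
}

# glsa_guarded_run DIR MAX_AGE_MINUTES CMD...
# Runs CMD only when the index is fresh; otherwise prints a diagnostic to stderr and
# returns 75 (EX_TEMPFAIL), so cron mails the failure to the crontab owner.
glsa_guarded_run() {
    local dir="$1" max_min="$2"
    shift 2
    if ! glsa_index_fresh "${dir}" "${max_min}"; then
        echo "GLSA index in ${dir} is missing or older than ${max_min} minutes; sync first." >&2
        return 75
    fi
    "$@"
}

# Invoked from cron as: /usr/local/bin/glsa-guard.sh --cron
if [ "${1:-}" = "--cron" ]; then
    glsa_guarded_run "${GLSA_DIR}" "${MAX_AGE_MIN}" \
        /usr/local/bin/glsa.sh -t noc@somewhere.com -f glsa@somewhere.com
fi
```

Replace the crontab command above with `/usr/local/bin/glsa-guard.sh --cron` and keep the sync job scheduled before it.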
Dependencies
- mailx
- perl
- glsa-check (duh!)
Other Options
- Gentoo provides an RSS feed of security advisories at http://www.gentoo.org/rdf/en/glsa-index.rdf. Provided you know all the packages you have installed, you could simply subscribe to this feed to learn when issues arise. While it won't tell you which specific GLSAs need to be applied on a given machine, it can at least show which packages (or kinds of packages) tend to be more of an issue than others.
