Keeping administrators up to date

Posted Jan 18, 2013 15:01 UTC (Fri) by ortalo (guest, #4654)
Parent article: Keeping administrators up to date

Could you elaborate on the distinction you make between these kind of tools and classical vulnerability scanners or security assessment tools, like http://www.openvas.org/ or http://oval.mitre.org/ ?
Maybe those tools could be more integrated in a distribution (easier to install and setup), that's true.
Another approach is (once again ;-) àla OpenBSD: /etc/security is a shell script run everyday to spot known problems and mail root.

However, IMHO, none of those tools will, for the moment, be smart enough to actually convince an otherwise busy and reluctant administrator to spend *more* time on securing something. That's an uphill battle IMO. I'd rather spend that time preventing unsecure packages to enter the distribution in the first place. (Yep, I confess: I am a potential customer for a debiansec/ variant; and even potentially willing to help.)

to post comments

Keeping administrators up to date

Posted Jan 19, 2013 3:00 UTC (Sat) by pabs (subscriber, #43278) [Link] (1 responses)

OpenVAS/etc are completely different to debsecan. They actively scan for potential issues. debsecan just takes a database of CVEs and matches them against installed packages. Similar to rc-alert, which sends mail about release-critical bug reports or wnpp-alert, which warns about orphaned packages.

OpenVAS and an OVAL interpreter are available in Debian.

If you would like to help make Debian more secure, check out these links:

http://security-tracker.debian.org/tracker/data/report
http://www.debian.org/security/audit/
http://www.debian.org/doc/manuals/developers-reference/pk...
http://www.debian.org/security/

Keeping administrators up to date

Posted Jan 23, 2013 14:38 UTC (Wed) by ortalo (guest, #4654) [Link]

Thanks for the pointers, I'll check them carefully. Really.

"OpenVAS/OVAL/co. are completely different from debsecscan"... from a security-oriented perspective: okay, but otherwise, I am not so sure.

If you have a security-oriented administrator, the distinction really matters (especially for an audit). However, he has already paid attention to both tools output and has probably already done enough to secure/audit the system. For him, the problem is more to assist in managing the tools output (especially over time) in order to get proper credit for his security work. (It would probably be nice too to have some evidence that unfixed issues are due to external causes; at least to neutralize liability where it matters.) And combine with intrusion detection too. (Starts to get a big thing, fortunately, you have a security administrator there to help...)

The average administrator may not make so much distinction between OpenVAS and debsecscan; he will take whatever tool is easier for him and the less intrusive (probably debsecscan then). However, he will need results carefully targetted at its level of knowledge and availability and very well justified (ie.: this is critical, really, or this is extremely easy, really).

IMHO, none of the tools adequately fills one of the two niches. One problem I see is that a third niche (regular administrator with time for security-oriented work) may simply not exist. However, many of our tools seem to work for that niche; hence the flow of "read-click-and-forget" things with security in the last decade, with their (predictable) cohort of "forgot to click" issues (along with "never reading anyway" or the rarer "read it all until late at night and then left in a hurry without clicking").