Auditing Linux: Software Packages and Managers
No system can do its job without installed software packages. But once a system has been installed, or has been running for a while, it often becomes unclear why a particular package was ever installed, or whether it is still up to date. This article looks at methods for auditing installed software, checking for security updates and handling the related follow-up.
Package managers
To let system administrators manage and upgrade software properly, Linux distributions use a package manager. Such a suite usually consists of a package database, the software packages themselves and several support tools. The tools are used to query the database, install or remove software and assist in the upgrade process. As usual there are some lesser-known options that can make this job easier. For auditors it is especially useful to know which options exist, so that they can gather specific evidence on how software is being managed.
Since there are many Linux package managers, this article focuses on YUM; others will be covered in a separate article. The general principles apply to the others as well.
Repositories
Most Linux distributions make use of a so-called software repository. This central list of software lets the vendor maintain packages in one place. For the user it means software can be installed quickly (no fiddling with CD-ROMs) and the central system can be queried for available software updates.
Package signing
To protect the centrally stored packages, it is important that no malicious package or update can be placed in this central location without detection. Vendors protect their users by signing each package digitally and having the client tools validate that signature before installation. Note that this only protects the package contents; it does not by itself prove that the repository is offering the newest version of a package.
To enforce package signing, make sure GPG checks are enabled in the global configuration:
/etc/yum.conf
gpgcheck=1
A repository definition in /etc/yum.repos.d/*.repo can set its own gpgcheck value, which overrides the global one for that repository, so the repository files have to be checked as well. Two related options are repo_gpgcheck (also verify the signature on the repository metadata, where the vendor signs it) and localpkg_gpgcheck (also verify packages installed from local files).
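As an added example (not part of the original article), the script below reports the effective gpgcheck value of every repository, taking the [main] default and any per-repository override into account, and fails when an enabled repository ends up without signature checks. It builds a small constructed configuration in a temporary directory so it runs offline; on a real system call audit_gpgcheck /etc/yum.conf /etc/yum.repos.d. The function names and the sample repository files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit effective gpgcheck per repository.
# Rules implemented (yum semantics): a repo section that sets gpgcheck wins,
# otherwise the [main] value applies, and if neither is set yum defaults to 0.

# audit_gpgcheck YUM_CONF REPOS_DIR
# Prints "<repo> gpgcheck=<0|1> (from main|repo|unset) enabled=<0|1> ok|UNSIGNED"
# per repository and returns 1 if any *enabled* repository is unsigned.
audit_gpgcheck() {
    conf="$1"; dir="$2"
    awk '
        FNR == 1            { section = "" }          # new file, forget section
        /^[[:space:]]*[#;]/ { next }                   # comment line
        /^[[:space:]]*\[/   {                           # [section] header
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "")
            section = $0
            if (section != "main") { repos[++n] = section; enabled[section] = 1 }
            next
        }
        /=/ {
            eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (key == "gpgcheck") {
                if (section == "main") main_gpg = val
                else if (section != "") repo_gpg[section] = val
            } else if (key == "enabled" && section != "" && section != "main") {
                enabled[section] = val
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                r = repos[i]
                if (r in repo_gpg) { eff = repo_gpg[r]; src = "repo" }
                else               { eff = main_gpg;    src = "main" }
                if (eff == "")     { eff = "0";         src = "unset" }  # yum default
                state = (eff == "1") ? "ok" : "UNSIGNED"
                if (eff != "1" && enabled[r] == "1") bad = 1
                printf "%s gpgcheck=%s (from %s) enabled=%s %s\n", r, eff, src, enabled[r], state
            }
            exit bad
        }
    ' "$conf" "$dir"/*.repo
}

# Constructed sample configuration so the audit can be exercised offline.
make_sample_config() {
    d=$(mktemp -d)
    mkdir -p "$d/repos.d"
    cat > "$d/yum.conf" <<'EOF'
[main]
gpgcheck=1
# repo_gpgcheck=1 would additionally verify signed repository metadata
EOF
    cat > "$d/repos.d/sl.repo" <<'EOF'
[sl]
name=Scientific Linux base (constructed example)
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl
EOF
    cat > "$d/repos.d/local.repo" <<'EOF'
[local-builds]
name=Internal builds (constructed example)
enabled=1
gpgcheck=0
EOF
    echo "$d"
}

sample=$(make_sample_config)
audit_gpgcheck "$sample/yum.conf" "$sample/repos.d" \
    || echo "FINDING: at least one enabled repository skips signature checks"
rm -rf "$sample"
```

The repository that sets gpgcheck=0 is reported as UNSIGNED even though the global setting is 1, which is exactly the case a quick look at /etc/yum.conf misses.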
YUM security plugin
Red Hat Enterprise Linux and derivatives such as Scientific Linux offer a security plugin for YUM (the yum-plugin-security package; from RHEL 7 onward this functionality is built into yum itself). With it, YUM can show which of the available updates belong to a security advisory, together with the advisory ID, severity, Bugzilla and CVE references.
Display available advisories and related packages (with version):
# yum list-sec
SLBA-2013:0961-1 bugfix module-init-tools-3.9-21.el6_4.x86_64
SLBA-2013:1647-1 bugfix mysql-libs-5.1.71-1.el6.x86_64
SLSA-2014:0164-1 moderate/Sec. mysql-libs-5.1.73-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec. nss-3.15.3-3.el6_5.x86_64
SLBA-2013:1558-1 bugfix nss-softokn-3.14.3-9.el6.x86_64
SLBA-2013:1558-1 bugfix nss-softokn-freebl-3.14.3-9.el6.x86_64
SLSA-2013:1861-1 moderate/Sec. nss-sysinit-3.15.3-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec. nss-tools-3.15.3-3.el6_5.x86_64
SLBA-2013:0598-1 bugfix openldap-2.4.23-32.el6_4.x86_64
SLBA-2013:0778-1 bugfix openldap-2.4.23-32.el6_4.1.x86_64
SLSA-2014:0126-1 moderate/Sec. openldap-2.4.23-34.el6_5.1.x86_64
SLSA-2014:0015-1 important/Sec. openssl-1.0.1e-16.el6_5.4.x86_64
Display only the updates that belong to a security advisory (the explicit form is yum updateinfo list security):
# yum updateinfo security 2> /dev/null
Loaded plugins: security
SLSA-2013:0567-1 important/Sec. kernel-2.6.32-358.0.1.el6.x86_64
SLSA-2013:0630-1 important/Sec. kernel-2.6.32-358.2.1.el6.x86_64
SLSA-2013:0744-1 important/Sec. kernel-2.6.32-358.6.1.el6.x86_64
SLSA-2013:0830-1 important/Sec. kernel-2.6.32-358.6.2.el6.x86_64
SLSA-2013:0911-1 important/Sec. kernel-2.6.32-358.11.1.el6.x86_64
SLSA-2013:1051-1 moderate/Sec. kernel-2.6.32-358.14.1.el6.x86_64
SLSA-2013:1173-1 important/Sec. kernel-2.6.32-358.18.1.el6.x86_64
SLSA-2013:1436-1 moderate/Sec. kernel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1645-2 important/Sec. kernel-2.6.32-431.el6.x86_64
SLSA-2013:1801-1 important/Sec. kernel-2.6.32-431.1.2.el6.x86_64
SLSA-2014:0159-1 important/Sec. kernel-2.6.32-431.5.1.el6.x86_64
SLSA-2013:0567-1 important/Sec. kernel-firmware-2.6.32-358.0.1.el6.noarch
SLSA-2013:0630-1 important/Sec. kernel-firmware-2.6.32-358.2.1.el6.noarch
SLSA-2013:0744-1 important/Sec. kernel-firmware-2.6.32-358.6.1.el6.noarch
SLSA-2013:0830-1 important/Sec. kernel-firmware-2.6.32-358.6.2.el6.noarch
SLSA-2013:0911-1 important/Sec. kernel-firmware-2.6.32-358.11.1.el6.noarch
SLSA-2013:1051-1 moderate/Sec. kernel-firmware-2.6.32-358.14.1.el6.noarch
SLSA-2013:1173-1 important/Sec. kernel-firmware-2.6.32-358.18.1.el6.noarch
SLSA-2013:1436-1 moderate/Sec. kernel-firmware-2.6.32-358.23.2.el6.noarch
SLSA-2013:1645-2 important/Sec. kernel-firmware-2.6.32-431.el6.noarch
SLSA-2013:1801-1 important/Sec. kernel-firmware-2.6.32-431.1.2.el6.noarch
SLSA-2014:0159-1 important/Sec. kernel-firmware-2.6.32-431.5.1.el6.noarch
SLSA-2014:0164-1 moderate/Sec. mysql-libs-5.1.73-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec. nss-3.15.3-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec. nss-sysinit-3.15.3-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec. nss-tools-3.15.3-3.el6_5.x86_64
SLSA-2014:0126-1 moderate/Sec. openldap-2.4.23-34.el6_5.1.x86_64
SLSA-2014:0015-1 important/Sec. openssl-1.0.1e-16.el6_5.4.x86_64
SLSA-2014:0151-1 low/Sec. wget-1.12-1.11.el6_5.x86_64
updateinfo list done
To get a more compact overview, use yum --security check-update:
# yum --security check-update
9 package(s) needed for security, out of 82 available
kernel.x86_64 2.6.32-431.5.1.el6 sl-security
kernel-firmware.noarch 2.6.32-431.5.1.el6 sl-security
mysql-libs.x86_64 5.1.73-3.el6_5 sl-security
nss.x86_64 3.15.3-3.el6_5 sl-security
nss-sysinit.x86_64 3.15.3-3.el6_5 sl-security
nss-tools.x86_64 3.15.3-3.el6_5 sl-security
openldap.x86_64 2.4.23-34.el6_5.1 sl-security
openssl.x86_64 1.0.1e-16.el6_5.4 sl-security
tzdata.noarch 2013i-2.el6 sl6x-security
wget.x86_64 1.12-1.11.el6_5 sl-security
xorg-x11-drv-ati-firmware.noarch 7.1.0-3.el6 sl6x
Besides the package list, this command reports how many of the available updates are security-related and how many updates are available in total. For an auditor this one line is useful evidence of the patch policy actually in use (no patching, security patches only, all patches) and of the current state of the system. Note that the per-package listing shows the repository each update comes from, which is what explains the difference between the two numbers.
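The listings above only become evidence once they are summarised per severity and per advisory. As an added example (not part of the original article), the shell functions below read the output of yum updateinfo list security or yum list-sec, count packages per severity and the number of distinct advisories, filter packages at or above a given severity, and extract the security-to-total ratio from the header line printed by yum --security check-update. The sample listing is constructed from the lines shown above; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: summarise YUM security advisory output for an audit report.
# Input lines look like:
#   SLSA-2014:0015-1 important/Sec. openssl-1.0.1e-16.el6_5.4.x86_64
#   SLBA-2013:1647-1 bugfix mysql-libs-5.1.71-1.el6.x86_64
# Header and trailer lines ("Loaded plugins: ...", "updateinfo list done") are skipped
# because their first field does not look like an advisory ID.

# summarize_advisories < listing
# Prints: advisories=N important=N moderate=N low=N critical=N bugfix=N packages=N
summarize_advisories() {
    awk '
        NF == 3 && $1 ~ /^[A-Z]+-[0-9][0-9][0-9][0-9]:[0-9]+/ {
            adv[$1] = 1; pkgs++
            sev = $2; sub(/\/.*$/, "", sev)        # "important/Sec." -> "important"
            count[sev]++
        }
        END {
            for (a in adv) n++
            printf "advisories=%d important=%d moderate=%d low=%d critical=%d bugfix=%d packages=%d\n",
                n, count["important"], count["moderate"], count["low"],
                count["critical"], count["bugfix"], pkgs
        }
    '
}

# packages_at_or_above SEVERITY < listing
# Prints "<advisory> <package>" for security lines whose severity ranks at least
# SEVERITY (critical > important > moderate > low); bugfix lines are ignored.
packages_at_or_above() {
    awk -v want="$1" '
        BEGIN { rank["low"] = 1; rank["moderate"] = 2; rank["important"] = 3; rank["critical"] = 4 }
        NF == 3 && $2 ~ /\/Sec\.$/ {
            sev = $2; sub(/\/.*$/, "", sev)
            if (rank[sev] >= rank[want]) print $1, $3
        }
    '
}

# security_ratio < output of "yum --security check-update"
# Turns "9 package(s) needed for security, out of 82 available" into
# "security=9 total=82 nonsecurity=73".
security_ratio() {
    awk '/package\(s\) needed for security/ {
        sec = $1; tot = $(NF - 1)
        printf "security=%d total=%d nonsecurity=%d\n", sec, tot, tot - sec
    }'
}

# Constructed sample, taken from the listing shown in the article.
sample_listing() {
    cat <<'EOF'
Loaded plugins: security
SLSA-2013:1861-1 moderate/Sec. nss-3.15.3-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec. nss-sysinit-3.15.3-3.el6_5.x86_64
SLSA-2014:0015-1 important/Sec. openssl-1.0.1e-16.el6_5.4.x86_64
SLSA-2014:0151-1 low/Sec. wget-1.12-1.11.el6_5.x86_64
SLBA-2013:1647-1 bugfix mysql-libs-5.1.71-1.el6.x86_64
updateinfo list done
EOF
}

sample_listing | summarize_advisories
sample_listing | packages_at_or_above important
echo "9 package(s) needed for security, out of 82 available" | security_ratio
```

On a live system replace sample_listing with yum updateinfo list security or yum list-sec; the functions only depend on the three-column layout shown above.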
Bugzilla / CVE
To list updates by the Bugzilla ID they fix (where the advisory carries one), use yum list-sec bugzillas; yum list-sec cves does the same with CVE identifiers. The severity column is kept, so the output can still be filtered on it.
Output (partial):
920961 bugfix udev-147-2.51.el6.x86_64
947067 bugfix udev-147-2.51.el6.x86_64
982902 bugfix udev-147-2.51.el6.x86_64
998237 bugfix udev-147-2.51.el6.x86_64
967554 bugfix upstart-0.6.5-12.el6_4.1.x86_64
950532 bugfix util-linux-ng-2.17.2-12.9.el6_4.2.x86_64
955520 bugfix util-linux-ng-2.17.2-12.9.el6_4.3.x86_64
816342 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
846790 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
864585 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
870128 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
870854 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
872291 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
885313 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
911756 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
915844 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
917678 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
947062 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
966735 bugfix util-linux-ng-2.17.2-12.14.el6.x86_64
833831 low/Sec. wget-1.12-1.11.el6_5.x86_64
795919 bugfix xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
822280 bugfix xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
879102 bugfix xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
882086 bugfix xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
907616 bugfix xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
Installing only security updates
For system administrators it can be a big relief to patch more frequently but limit each run to security-related updates. This way no new features or other bug fix releases affect the stability of production systems. With the package manager tools and the filters shown above, selecting only the security updates becomes straightforward. Two caveats apply: the selection is only as good as the repository's advisory metadata (repositories that ship no updateinfo data, such as the CentOS base repositories, report no security updates at all, which an auditor must not mistake for a fully patched system), and an update to a library does not protect running processes until they are restarted.
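As an added example (not part of the original article), the script below wraps a security-only patch run: it records what is pending, applies updates using one of three policies (update-minimal --security, --security update, or --cve for named identifiers), and re-checks afterwards. It assumes the YUM security plugin and needs-restarting from yum-utils are installed; the function names are assumptions made for this example, and nothing is executed unless APPLY=1 is set, so it can be read and tested as a dry run.

```shell
#!/bin/sh
# Added example: security-only patch run with before/after evidence.
# Requires yum-plugin-security (EL6) or yum >= EL7, and yum-utils for
# needs-restarting. Commands are only printed unless APPLY=1.

# Exit codes of "yum check-update": 0 = nothing pending, 100 = updates
# available, anything else = error (repository unreachable, plugin missing, ...).
classify_check_update() {
    case "$1" in
        0)   echo "clean" ;;
        100) echo "updates-pending" ;;
        *)   echo "error" ;;
    esac
}

# security_update_cmd MODE [CVE-ID ...]  prints the yum command for a policy:
#   minimal -> oldest version of each package that still closes every advisory
#   full    -> newest version of every package that has a security advisory
#   cve     -> only the packages fixing the listed CVE identifiers
security_update_cmd() {
    [ $# -gt 0 ] || return 1
    mode="$1"; shift
    case "$mode" in
        minimal) echo "yum -y update-minimal --security" ;;
        full)    echo "yum -y --security update" ;;
        cve)
            args=""
            for c in "$@"; do args="$args --cve $c"; done
            echo "yum -y$args update" ;;
        *) return 1 ;;
    esac
}

# run CMD...: execute when APPLY=1, otherwise print what would run.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "[dry-run] $*"; fi
}

# patch_run MODE [CVE-ID ...]: check, patch, re-check. The last line printed is
# the final state: "clean" is what a successful security-only run should end with.
patch_run() {
    cmd=$(security_update_cmd "$@") || { echo "unknown mode: $1" >&2; return 2; }
    rc=0
    run yum --security check-update || rc=$?          # evidence: what is pending
    [ "$(classify_check_update "$rc")" != "error" ] || return 1
    run $cmd || return 1                               # word splitting intended
    rc=0
    run yum --security check-update || rc=$?          # evidence: nothing left
    run needs-restarting                               # processes still on old libraries
    classify_check_update "$rc"
}

patch_run "${1:-minimal}"
```

update-minimal is the conservative choice for production: it moves each package only as far as the newest advisory requires, whereas --security update pulls the newest available version of every affected package. The needs-restarting step matters because a patched library is only effective for processes started after the update; the kernel updates listed earlier require a reboot.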
Useful articles to continue: