Auditing Linux: Software Packages and Managers
No system can do its job without installed software packages. However, after the installation of a system, or after running it for a while, it often becomes unclear why some software was ever installed. This article looks at methods for auditing installed software, checking for security updates and the related follow-up.

Package managers

To enable system administrators to properly manage and upgrade software, Linux uses a package manager. This suite usually consists of a package database, the software packages themselves and several supporting tools. These tools are used to query the database, install or remove software and assist in the upgrade process. As usual, there are often some lesser-known parameters that might make your job easier. For auditors it is especially interesting to know which options are available to gather more specific information, focused on proper software management.

Since there are many Linux package managers, this article focuses on YUM. Others will be discussed in a separate article; still, the general principles apply to them as well.

Repositories

Most Linux distributions make use of a so-called software repository. This central collection of software enables the vendor to maintain its packages in one place. For the user, it means software can be installed quickly (no fiddling with CD-ROMs) and that the central system can be queried for available software updates.

Package signing

To protect the centrally stored packages, it is important that no malicious updates can be placed in this central location without detection. Vendors protect their users by digitally signing each package and having the user's tools validate the signature before installation.

To benefit from package signing, one should ensure that GPG checks are enabled:

/etc/yum.conf

gpgcheck=1
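A gpgcheck=1 in the [main] section is not the whole story: an individual repository file can switch it off again with its own gpgcheck=0. The following script is an added example (not from the original article) that reports the setting for every section of yum.conf and the .repo files; the sample configuration it creates is constructed, and the repository names in it are made up.

```shell
#!/bin/sh
# Added example (not from the original article): report the gpgcheck setting of
# every [section] in yum.conf and the .repo files, because gpgcheck=1 in [main]
# can still be overridden with gpgcheck=0 inside an individual repository.
# Uses only POSIX sh and awk; the sample files below are constructed.

# gpgcheck_report FILE...: prints "FILE [section] gpgcheck=VALUE|unset" per
# section; exit status is non-zero if any section lacks gpgcheck=1.
gpgcheck_report() {
    awk '
        function report_section() {
            v = (val == "") ? "unset" : val
            printf "%s [%s] gpgcheck=%s\n", fname, sect, v
            if (v != "1") bad = 1
        }
        /^[ \t]*\[.*\][ \t]*$/ {            # new [section] header
            if (sect != "") report_section()
            sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\][ \t]*$/, "", sect)
            fname = FILENAME; val = ""
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {          # gpgcheck=0|1 inside a section
            split($0, kv, "="); val = kv[2]; gsub(/[ \t]/, "", val)
        }
        END { if (sect != "") report_section(); exit bad }
    ' "$@"
}

# gpgcheck_ok FILE...: silent pass/fail wrapper for scripts and tests.
gpgcheck_ok() { gpgcheck_report "$@" >/dev/null; }

# Constructed sample configuration, standing in for /etc/yum.conf and
# /etc/yum.repos.d/*.repo on a real host.
tmp=$(mktemp -d)
cat > "$tmp/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
gpgcheck=1
EOF
cat > "$tmp/vendor.repo" <<'EOF'
[sl-security]
name=Scientific Linux security updates
gpgcheck=1

[vendor-tools]
name=Third-party tools (signature check switched off)
gpgcheck=0
EOF

# On a real host: gpgcheck_report /etc/yum.conf /etc/yum.repos.d/*.repo
gpgcheck_report "$tmp/yum.conf" "$tmp/vendor.repo" \
    || echo "WARNING: at least one repository does not enforce GPG checks"
```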

YUM security plugin

Red Hat Enterprise Linux and some of its derivatives, like Scientific Linux, offer a security plugin for YUM. With it, more information can be gathered about any available security advisories and related upgrades.

Display available advisories and related packages (with version):

[root@scientific /]# yum list-sec

SLBA-2013:0961-1           bugfix         module-init-tools-3.9-21.el6_4.x86_64
SLBA-2013:1647-1           bugfix         mysql-libs-5.1.71-1.el6.x86_64
SLSA-2014:0164-1           moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
SLSA-2013:1861-1           moderate/Sec.  nss-3.15.3-3.el6_5.x86_64
SLBA-2013:1558-1           bugfix         nss-softokn-3.14.3-9.el6.x86_64
SLBA-2013:1558-1           bugfix         nss-softokn-freebl-3.14.3-9.el6.x86_64
SLSA-2013:1861-1           moderate/Sec.  nss-sysinit-3.15.3-3.el6_5.x86_64
SLSA-2013:1861-1           moderate/Sec.  nss-tools-3.15.3-3.el6_5.x86_64
SLBA-2013:0598-1           bugfix         openldap-2.4.23-32.el6_4.x86_64
SLBA-2013:0778-1           bugfix         openldap-2.4.23-32.el6_4.1.x86_64
SLSA-2014:0126-1           moderate/Sec.  openldap-2.4.23-34.el6_5.1.x86_64
SLSA-2014:0015-1           important/Sec. openssl-1.0.1e-16.el6_5.4.x86_64

Display the available security updates:

[root@scientific /]# yum updateinfo security 2> /dev/null
Loaded plugins: security
SLSA-2013:0567-1 important/Sec. kernel-2.6.32-358.0.1.el6.x86_64
SLSA-2013:0630-1 important/Sec. kernel-2.6.32-358.2.1.el6.x86_64
SLSA-2013:0744-1 important/Sec. kernel-2.6.32-358.6.1.el6.x86_64
SLSA-2013:0830-1 important/Sec. kernel-2.6.32-358.6.2.el6.x86_64
SLSA-2013:0911-1 important/Sec. kernel-2.6.32-358.11.1.el6.x86_64
SLSA-2013:1051-1 moderate/Sec.  kernel-2.6.32-358.14.1.el6.x86_64
SLSA-2013:1173-1 important/Sec. kernel-2.6.32-358.18.1.el6.x86_64
SLSA-2013:1436-1 moderate/Sec.  kernel-2.6.32-358.23.2.el6.x86_64
SLSA-2013:1645-2 important/Sec. kernel-2.6.32-431.el6.x86_64
SLSA-2013:1801-1 important/Sec. kernel-2.6.32-431.1.2.el6.x86_64
SLSA-2014:0159-1 important/Sec. kernel-2.6.32-431.5.1.el6.x86_64
SLSA-2013:0567-1 important/Sec. kernel-firmware-2.6.32-358.0.1.el6.noarch
SLSA-2013:0630-1 important/Sec. kernel-firmware-2.6.32-358.2.1.el6.noarch
SLSA-2013:0744-1 important/Sec. kernel-firmware-2.6.32-358.6.1.el6.noarch
SLSA-2013:0830-1 important/Sec. kernel-firmware-2.6.32-358.6.2.el6.noarch
SLSA-2013:0911-1 important/Sec. kernel-firmware-2.6.32-358.11.1.el6.noarch
SLSA-2013:1051-1 moderate/Sec.  kernel-firmware-2.6.32-358.14.1.el6.noarch
SLSA-2013:1173-1 important/Sec. kernel-firmware-2.6.32-358.18.1.el6.noarch
SLSA-2013:1436-1 moderate/Sec.  kernel-firmware-2.6.32-358.23.2.el6.noarch
SLSA-2013:1645-2 important/Sec. kernel-firmware-2.6.32-431.el6.noarch
SLSA-2013:1801-1 important/Sec. kernel-firmware-2.6.32-431.1.2.el6.noarch
SLSA-2014:0159-1 important/Sec. kernel-firmware-2.6.32-431.5.1.el6.noarch
SLSA-2014:0164-1 moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec.  nss-3.15.3-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec.  nss-sysinit-3.15.3-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec.  nss-tools-3.15.3-3.el6_5.x86_64
SLSA-2014:0126-1 moderate/Sec.  openldap-2.4.23-34.el6_5.1.x86_64
SLSA-2014:0015-1 important/Sec. openssl-1.0.1e-16.el6_5.4.x86_64
SLSA-2014:0151-1 low/Sec.       wget-1.12-1.11.el6_5.x86_64
updateinfo list done

To get a more friendly overview, use yum --security check-update:

9 package(s) needed for security, out of 82 available

kernel.x86_64                     2.6.32-431.5.1.el6      sl-security
kernel-firmware.noarch            2.6.32-431.5.1.el6      sl-security
mysql-libs.x86_64                 5.1.73-3.el6_5          sl-security
nss.x86_64                        3.15.3-3.el6_5          sl-security
nss-sysinit.x86_64                3.15.3-3.el6_5          sl-security
nss-tools.x86_64                  3.15.3-3.el6_5          sl-security
openldap.x86_64                   2.4.23-34.el6_5.1       sl-security
openssl.x86_64                    1.0.1e-16.el6_5.4       sl-security
tzdata.noarch                     2013i-2.el6             sl6x-security
wget.x86_64                       1.12-1.11.el6_5         sl-security
xorg-x11-drv-ati-firmware.noarch  7.1.0-3.el6             sl6x

This command also shows how many of the available updates are specifically security-related, next to the total number of available updates. For an auditor this output provides evidence of which software upgrade policy is in use (no patching, some patches, all patches) and of the current status.
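The raw listings above count packages, but an auditor usually wants advisories: how many distinct ones per severity, and how long the oldest one has been waiting. The script below is an added example (not from the original article) that condenses the output of yum updateinfo security or yum list-sec into exactly that; the sample lines it feeds in are taken from the listings above and are only a constructed subset.

```shell
#!/bin/sh
# Added example (not from the original article): condense `yum updateinfo
# security` / `yum list-sec` output into audit evidence: the number of distinct
# security advisories per severity and the year of the oldest one still
# outstanding. A 2013 advisory still pending in 2014 says more about the
# patch policy than a raw package count does.

# summarize_advisories: reads advisory lines on stdin, prints "SEVERITY N" per
# severity (highest first), then "advisories N" and "oldest YEAR".
summarize_advisories() {
    awk '
        $2 ~ /\/Sec\.$/ {                       # only security advisories
            sev = $2; sub(/\/Sec\.$/, "", sev)
            id = $1; sub(/-[0-9]+$/, "", id)    # SLSA-2013:0567-1 -> SLSA-2013:0567
            if (!(id in seen)) { seen[id] = 1; count[sev]++; total++ }
            year = substr(id, index(id, "-") + 1, 4)
            if (oldest == "" || year + 0 < oldest + 0) oldest = year
        }
        END {
            n = split("critical important moderate low", order, " ")
            for (i = 1; i <= n; i++)
                if (order[i] in count) printf "%s %d\n", order[i], count[order[i]]
            printf "advisories %d\noldest %s\n", total, oldest
        }
    '
}

# Constructed sample, a subset of the listings above (one advisory usually
# covers several packages, e.g. kernel and kernel-firmware; bugfix lines
# and the plugin banner must be ignored).
sample='Loaded plugins: security
SLSA-2013:0567-1 important/Sec. kernel-2.6.32-358.0.1.el6.x86_64
SLSA-2013:0567-1 important/Sec. kernel-firmware-2.6.32-358.0.1.el6.noarch
SLSA-2014:0159-1 important/Sec. kernel-2.6.32-431.5.1.el6.x86_64
SLSA-2014:0164-1 moderate/Sec.  mysql-libs-5.1.73-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec.  nss-3.15.3-3.el6_5.x86_64
SLSA-2013:1861-1 moderate/Sec.  nss-tools-3.15.3-3.el6_5.x86_64
SLBA-2013:1647-1 bugfix         mysql-libs-5.1.71-1.el6.x86_64
SLSA-2014:0151-1 low/Sec.       wget-1.12-1.11.el6_5.x86_64
updateinfo list done'

# On a real host: yum updateinfo security 2>/dev/null | summarize_advisories
printf '%s\n' "$sample" | summarize_advisories
```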

Bugzilla / CVE

To display specific bugfixes based on their Bugzilla ID (if present), use yum list-sec bugzillas, or yum list-sec cve to get the CVE IDs.

Output (partial):

920961  bugfix         udev-147-2.51.el6.x86_64
947067  bugfix         udev-147-2.51.el6.x86_64
982902  bugfix         udev-147-2.51.el6.x86_64
998237  bugfix         udev-147-2.51.el6.x86_64
967554  bugfix         upstart-0.6.5-12.el6_4.1.x86_64
950532  bugfix         util-linux-ng-2.17.2-12.9.el6_4.2.x86_64
955520  bugfix         util-linux-ng-2.17.2-12.9.el6_4.3.x86_64
816342  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
846790  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
864585  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
870128  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
870854  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
872291  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
885313  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
911756  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
915844  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
917678  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
947062  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
966735  bugfix         util-linux-ng-2.17.2-12.14.el6.x86_64
833831  low/Sec.      wget-1.12-1.11.el6_5.x86_64
795919  bugfix         xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
822280  bugfix         xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
879102  bugfix         xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
882086  bugfix         xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch
907616  bugfix         xorg-x11-drv-ati-firmware-7.1.0-3.el6.noarch

Installing only security updates

For system administrators it might be a big relief to shorten the patching cycle while limiting the patches to security-related updates only. This way no new features or other bugfix releases will impact the stability of production systems. By using the package manager tools and the right filters, as shown above, it becomes much easier to select only the security updates.
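The wrapper below is an added example (not from the original article) of that policy in script form: it queries the security plugin, treats a dry run as the default, and only installs the packages named in security advisories when explicitly asked. The exit codes it relies on are YUM's own (check-update returns 100 when updates are pending, 0 when there are none); the YUM variable is an assumption introduced so the logic can be exercised without a real repository.

```shell
#!/bin/sh
# Added example (not from the original article): apply security advisories
# only, nothing else. Needs the YUM security plugin (yum-plugin-security on
# RHEL/Scientific Linux 6). Without the word "apply" it is a dry run.
# Exit codes are yum's own: check-update returns 100 when updates are
# pending, 0 when there are none, and something else on error.

YUM=${YUM:-yum}   # overridable so the logic can be exercised without yum present

# security_patch_status: prints pending, clean or error.
security_patch_status() {
    rc=0
    "$YUM" --security check-update >/dev/null 2>&1 || rc=$?
    case $rc in
        100) echo pending ;;
        0)   echo clean ;;
        *)   echo error ;;
    esac
}

# apply_security_updates [apply]: dry run by default; with "apply" it installs
# only the packages named in security advisories, leaving feature and plain
# bugfix updates alone (the "shorter cycle, smaller scope" policy above).
apply_security_updates() {
    status=$(security_patch_status)
    case $status in
        clean) echo "no security updates pending"; return 0 ;;
        error) echo "could not query the repositories" >&2; return 2 ;;
    esac
    if [ "$1" = apply ]; then
        # update-minimal picks the smallest package set that closes the
        # advisories; `yum --security update` is the broader alternative.
        "$YUM" -y update-minimal --security
    else
        echo "security updates pending (dry run; run with 'apply' to install)"
        "$YUM" --security check-update 2>/dev/null || true   # exit 100 expected
    fi
}

# Only touch a real system when yum is actually installed.
command -v "$YUM" >/dev/null 2>&1 && apply_security_updates "$@"
```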


This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.
