On Mon, Jun 28, 2004 at 03:29:23PM +0200, Max Vozeler wrote:
> That sound good, I was thinking to include more information. Trouble is
> that my script scans only binary packages at this time and the machine
> I'm doing this on is already at 95% of its disk capacity, so there's not
> really much room for including source packages.
I have a similar problem, I tried to rebuild X last week with the
SSP compiler, only to have it die because of lack of disk space. 9
hours into the compile.
*sighs*
Getting the information from source packages would be almost trivial,
although I suspect you'd have a lot of false positives. The only issue
is having a fast mirror, or all the source handy.
When Sarge is released I certainly intend to buy a CD-ROM set so that
I can do interesting things without exhausting my bandwidth allowance,
something else I've been running into a lot recently :(
> That is, unless there is a mechanism that I could use to automatically
> track new packages that enter the archive. That would take away the need
> for a complete mirror and I could just delete the processed packages.
You could scan the section from the end of the DWN perhaps? That
always has a section with new and noteworthy packages in it. Failing
that you could look at the NEW queue on master if you're a Debian
developer.
> > Also, it would be great if someone coded in a way to automatically run some
> > automatic auditing software (such as RATS/Flawfinder/Pscan) and have that
> > indexed in a way similar to how lintian.debian.org does it. It could make
> > it easy to find packages which need to be analysed in depth. Any volunteer?
> > :-)
>
> That would be nice indeed. Some of the bugs I've come across could have
> been found easily with an automated vulnerability scanner. Especially
> stuff like passing user-controllable format strings to syslog() just
> shouldn't happen any more..
I've already started work on something very similar, I'll post a
URL tomorrow or so. I have a system which downloads and unpacks
a given package then runs a recursive scan on it.
It would be used for a general audit - if I had the space to hold
all the source packages...
I set aside a couple of hundred pounds for a non-x86 machine a while
back - and still haven't been able to find a cheap working one, so
it's almost certain I'll buy a pair of big drives with the cash
instead. Not as sexy but at least it would be useful.
>
> The script could also scan packages for other interesting facts like
>
> "includes header file sys/socket.h"
> "installs into /etc/cron*"
> "installs into /usr/lib/cgi-bin"
> ..
>
> Anyone with big enough a machine to have this run on? :)
>
> I'd volunteer to write the extraction scripts.
I'll post my code soon, any comments or suggestions would be
appreciated.
The hardest part is getting a buildable source - many packages include
the source in tarballs (eg. Apache) so "apt-get source foo" isn't
sufficient to download the source and scan it..
Steve
--
# The Debian Security Audit Project. http://www.debian.org/security/audit

Received on Mon Jun 28 2004 - 14:45:21 BST
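The two points raised in the thread, unpacking source that a package ships as an embedded tarball (the Apache case, where "apt-get source" alone is not enough) and then scanning the tree for user-controlled format strings reaching syslog(), as an added shell example; this is not Steve's scanner, and the sample package, its file names and the grep heuristic are all constructed here:

```shell
#!/bin/sh
# Added example, not Steve's scanner: unpack every tarball nested inside an
# unpacked source tree, then grep the .c files for syslog() calls whose
# format argument is not a string literal.

# Extract nested .tar.gz/.tgz files in place until none remain; each archive
# is deleted after extraction so it is not unpacked twice.
unpack_nested() {
    dir=$1
    while :; do
        found=$(find "$dir" -type f \( -name '*.tar.gz' -o -name '*.tgz' \) | head -n 1)
        [ -n "$found" ] || break
        tar -xzf "$found" -C "$(dirname "$found")" && rm -f "$found"
    done
}

# Print file:line for syslog() calls where the second argument does not
# start with a double quote (a crude heuristic with plenty of false positives).
scan_syslog() {
    find "$1" -type f -name '*.c' -exec \
        grep -nE 'syslog[[:space:]]*\([^,]*,[[:space:]]*[^"[:space:]]' {} +
}

# Constructed sample: a "source package" whose real code lives in an embedded
# tarball, the case where "apt-get source" alone does not expose the code.
make_sample() {
    work=$(mktemp -d)
    mkdir -p "$work/pkg/upstream/src"
    cat > "$work/pkg/upstream/src/log.c" <<'EOF'
#include <syslog.h>
void bad(const char *user)  { syslog(LOG_INFO, user); }       /* caller-controlled format */
void good(const char *user) { syslog(LOG_INFO, "%s", user); } /* fixed format */
EOF
    ( cd "$work/pkg" && tar -czf upstream.tar.gz upstream && rm -rf upstream )
    echo "$work/pkg"
}

# Build the sample, unpack it and return the number of suspicious calls found.
count_suspicious() {
    pkg=$(make_sample)
    unpack_nested "$pkg"
    scan_syslog "$pkg" | wc -l | tr -d ' '
}

echo "suspicious syslog() calls: $(count_suspicious)"
```

Pointing unpack_nested and scan_syslog at a real "apt-get source" directory instead of the constructed sample gives the recursive scan the thread describes; the hits still need a human to confirm that the format argument is actually attacker-influenced.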