[clug] ACSC Essential 8 for Linux - local package repositories
Bob Edwards
bob at cs.anu.edu.au
Fri Apr 5 06:16:25 UTC 2019
On 31/3/19 4:02 pm, Stephen Hocking wrote:
> Using Red Hat Satellite, it's quite straightforward. There's a few
> white papers kicking around describing how to do it. Haven't really
> looked at the Debian/Ubuntu side of things.
>
Thanks for the tip on Red Hat Satellite, Stephen.
Alas, I am looking for an open-source solution...
I think I have a vague plan in mind and have started deploying a test
env. (design by prototype). I am including Docker and likely other
repos in my solution (same/similar requirements).
If anyone is interested, I guess we could discuss further.
cheers,
Bob Edwards.
> On Sat, 30 Mar 2019 at 12:56, Robert Edwards via linux
> <linux at lists.samba.org> wrote:
>
> I'm guessing that some on this list need to apply the Australian
> Cyber Security Centre (ACSC) Essential 8 for the Linux devices
> they manage in their workplaces as per:
> https://www.acsc.gov.au/publications/protect/essential-eight-linux.htm
>
> I look after lots of Debian and Ubuntu [GNU/]Linux systems (servers,
> desktops, embedded devices) and use the "unattended-upgrades" facility
> to automatically apply security patches as they come out.
>
> I also maintain a local repository for various local packages.
>
> The Essential 8 for Linux document suggests that "Patching Linux is
> easy to achieve when combined with locally-hosted repositories and
> scheduled scripts" from which I am understanding that any packages
> that need upgrading on production servers should be coming from
> a local repository after the new package has been tested/screened
> etc. for vulnerabilities etc. (all makes sense).
>
> I am wondering if anyone who is allowed to talk about this is doing
> it and what strategies they might recommend for testing/delaying
> new security updates before uploading to a local repository prior
> to deploying to production servers?
>
> (apparently it is "easy to achieve" - maybe it is easier to achieve
> with commercial-grade distros like RedHat and Suse etc.?)
>
> cheers,
> Bob Edwards.
>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
>
>
> --
>
> "I and the public know
> what all schoolchildren learn
> Those to whom evil is done
> Do evil in return" W.H. Auden, "September 1, 1939"
>