[clug] ACSC Essential 8 for Linux - local package repositories

Bob Edwards bob at cs.anu.edu.au
Fri Apr 5 06:16:25 UTC 2019


On 31/3/19 4:02 pm, Stephen Hocking wrote:
> Using Red Hat Satellite, it's quite straightforward. There's a few 
> white papers kicking around describing how to do it. Haven't really 
> looked at the Debian/Ubuntu side of things.
> 

Thanks for the tip on Red Hat Satellite, Stephen.

Alas, I am looking for an open-source solution...

I think I have a vague plan in mind and have started deploying a test
env. (design by prototype). I am including Docker and likely other
repos in my solution (same/similar requirements).

If anyone is interested, I guess we could discuss further.

cheers,
Bob Edwards.

> On Sat, 30 Mar 2019 at 12:56, Robert Edwards via linux 
> <linux at lists.samba.org <mailto:linux at lists.samba.org>> wrote:
> 
>     I'm guessing that some on this list need to apply the Australian
>     Cyber Security Centre (ACSC) Essential 8 for the Linux devices
>     they manage in their workplaces as per:
>     https://www.acsc.gov.au/publications/protect/essential-eight-linux.htm
>     <http://www.acsc.gov.au/publications/protect/essential-eight-linux.htm>
> 
>     I look after lots of Debian and Ubuntu [GNU/]Linux systems (servers,
>     desktops, embedded devices) and use the "unattended-upgrades" facility
>     to automatically apply security patches as they come out.
> 
>     I also maintain a local repository for various local packages.
> 
>     The Essential 8 for Linux document suggests that "Patching Linux is
>     easy to achieve when combined with locally-hosted repositories and
>     scheduled scripts" from which I am understanding that any packages
>     that need upgrading on production servers should be coming from
>     a local repository after the new package has been tested/screened
>     etc. for vulnerabilities etc. (all makes sense).
> 
>     I am wondering if anyone who is allowed to talk about this is doing
>     it and what strategies they might recommend for testing/delaying
>     new security updates before uploading to a local repository prior
>     to deploying to production servers?
> 
>     (apparently it is "easy to achieve" - maybe it is easier to achieve
>     with commercial-grade distros like RedHat and Suse etc.?)
> 
>     cheers,
>     Bob Edwards.
> 
>     -- 
>     linux mailing list
>     linux at lists.samba.org <mailto:linux at lists.samba.org>
>     https://lists.samba.org/mailman/listinfo/linux
> 
> 
> 
> -- 
> 
>    "I and the public know
>    what all schoolchildren learn
>    Those to whom evil is done
>    Do evil in return"		W.H. Auden, "September 1, 1939"
> 



