[clug] ACSC Essential 8 for Linux - local package repositories
Michael Carden
crash at michaelcarden.net
Sat Apr 6 06:36:25 UTC 2019
On Fri, Apr 5, 2019 at 5:16 PM Bob Edwards via linux <linux at lists.samba.org>
wrote:
> Thanks for the tip on Red Hat Satellite, Stephen.
>
> Alas, I am looking for an open-source solution...
>
Well, if I understand it correctly, Satellite is just Red Hat's supported
version of https://spacewalkproject.github.io/faq.html
So that may at least address the open source part of it.
I feel bound to add that if you think that Satellite/Spacewalk will solve
your problem.... just run away and find another problem.
--
MC
>
> I think I have a vague plan in mind and have started deploying a test
> env. (design by prototype). I am including Docker and likely other
> repos in my solution (same/similar requirements).
>
> If anyone is interested, I guess we could discuss further.
>
> cheers,
> Bob Edwards.
>
> > On Sat, 30 Mar 2019 at 12:56, Robert Edwards via linux
> > <linux at lists.samba.org> wrote:
> >
> > I'm guessing that some on this list need to apply the Australian
> > Cyber Security Centre (ACSC) Essential 8 for the Linux devices
> > they manage in their workplaces as per:
> > https://www.acsc.gov.au/publications/protect/essential-eight-linux.htm
> > <http://www.acsc.gov.au/publications/protect/essential-eight-linux.htm>
> >
> > I look after lots of Debian and Ubuntu [GNU/]Linux systems (servers,
> > desktops, embedded devices) and use the "unattended-upgrades" facility
> > to automatically apply security patches as they come out.
> >
> > I also maintain a local repository for various local packages.
> >
> > The Essential 8 for Linux document suggests that "Patching Linux is
> > easy to achieve when combined with locally-hosted repositories and
> > scheduled scripts" from which I am understanding that any packages
> > that need upgrading on production servers should be coming from
> > a local repository after the new package has been tested/screened
> > etc. for vulnerabilities etc. (all makes sense).
> >
> > I am wondering if anyone who is allowed to talk about this is doing
> > it and what strategies they might recommend for testing/delaying
> > new security updates before uploading to a local repository prior
> > to deploying to production servers?
> >
> > (apparently it is "easy to achieve" - maybe it is easier to achieve
> > with commercial-grade distros like RedHat and Suse etc.?)
> >
> > cheers,
> > Bob Edwards.
> >
> > --
> > linux mailing list
> > linux at lists.samba.org <mailto:linux at lists.samba.org>
> > https://lists.samba.org/mailman/listinfo/linux
> >
> >
> >
> > --
> >
> > "I and the public know
> > what all schoolchildren learn
> > Those to whom evil is done
> > Do evil in return" W.H. Auden, "September 1, 1939"
> >