[clug] ACSC Essential 8 for Linux - local package repositories

Michael Carden crash at michaelcarden.net
Sat Apr 6 06:36:25 UTC 2019


On Fri, Apr 5, 2019 at 5:16 PM Bob Edwards via linux <linux at lists.samba.org>
wrote:

> Thanks for the tip on Red Hat Satellite, Stephen.
>
> Alas, I am looking for an open-source solution...
>

Well, if I understand it correctly, Satellite is just Red Hat's supported
version of https://spacewalkproject.github.io/faq.html

So that may at least address the open source part of it.

I feel bound to add that if you think that Satellite/Spacewalk will solve
your problem.... just run away and find another problem.

--
MC

>
> I think I have a vague plan in mind and have started deploying a test
> env. (design by prototype). I am including Docker and likely other
> repos in my solution (same/similar requirements).
>
> If anyone is interested, I guess we could discuss further.
>
> cheers,
> Bob Edwards.
>
> > On Sat, 30 Mar 2019 at 12:56, Robert Edwards via linux
> > <linux at lists.samba.org> wrote:
> >
> >     I'm guessing that some on this list need to apply the Australian
> >     Cyber Security Centre (ACSC) Essential 8 for the Linux devices
> >     they manage in their workplaces as per:
> >     https://www.acsc.gov.au/publications/protect/essential-eight-linux.htm
> >     <http://www.acsc.gov.au/publications/protect/essential-eight-linux.htm>
> >
> >     I look after lots of Debian and Ubuntu [GNU/]Linux systems (servers,
> >     desktops, embedded devices) and use the "unattended-upgrades" facility
> >     to automatically apply security patches as they come out.
> >
> >     I also maintain a local repository for various local packages.
> >
> >     The Essential 8 for Linux document suggests that "Patching Linux is
> >     easy to achieve when combined with locally-hosted repositories and
> >     scheduled scripts" from which I am understanding that any packages
> >     that need upgrading on production servers should be coming from
> >     a local repository after the new package has been tested/screened
> >     etc. for vulnerabilities etc. (all makes sense).
> >
> >     I am wondering if anyone who is allowed to talk about this is doing
> >     it and what strategies they might recommend for testing/delaying
> >     new security updates before uploading to a local repository prior
> >     to deploying to production servers?
> >
> >     (apparently it is "easy to achieve" - maybe it is easier to achieve
> >     with commercial-grade distros like RedHat and Suse etc.?)
> >
> >     cheers,
> >     Bob Edwards.
> >
> >     --
> >     linux mailing list
> >     linux at lists.samba.org
> >     https://lists.samba.org/mailman/listinfo/linux
> >
> >
> >
> > --
> >
> >    "I and the public know
> >    what all schoolchildren learn
> >    Those to whom evil is done
> >    Do evil in return"         W.H. Auden, "September 1, 1939"
> >
>
>

