[clug] ACSC Essential 8 for Linux - local package repositories
Robert Edwards
bob at cs.anu.edu.au
Sat Mar 30 01:56:14 UTC 2019
I'm guessing that some on this list need to apply the Australian
Cyber Security Centre (ACSC) Essential 8 for the Linux devices
they manage in their workplaces as per:
Xhttps://www.acsc.gov.au/publications/protect/essential-eight-linux.htm
I look after lots of Debian and Ubuntu [GNU/]Linux systems (servers,
desktops, embedded devices) and use the "unattended-upgrades" facility
to automatically apply security patches as they come out.
I also maintain a local repository for various local packages.
The Essential 8 for Linux document suggests that "Patching Linux is
easy to achieve when combined with locally-hosted repositories and
scheduled scripts" from which I am understanding that any packages
that need upgrading on production servers should be coming from
a local repository after the new package has been tested/screened
etc. for vulnerabilities etc. (all makes sense).
I am wondering if anyone who is allowed to talk about this is doing
it and what strategies they might recommend for testing/delaying
new security updates before uploading to a local repository prior
to deploying to production servers?
(apparently it is "easy to achieve" - maybe it is easier to achieve
with commercial-grade distros like RedHat and Suse etc.?)
cheers,
Bob Edwards.
More information about the linux
mailing list