[clug] ACSC Essential 8 for Linux - local package repositories

Robert Edwards bob at cs.anu.edu.au
Sat Mar 30 01:56:14 UTC 2019


I'm guessing that some on this list need to apply the Australian
Cyber Security Centre (ACSC) Essential 8 for the Linux devices
they manage in their workplaces as per:
Xhttps://www.acsc.gov.au/publications/protect/essential-eight-linux.htm

I look after lots of Debian and Ubuntu [GNU/]Linux systems (servers,
desktops, embedded devices) and use the "unattended-upgrades" facility
to automatically apply security patches as they come out.

I also maintain a local repository for various local packages.

The Essential 8 for Linux document suggests that "Patching Linux is
easy to achieve when combined with locally-hosted repositories and
scheduled scripts" from which I am understanding that any packages
that need upgrading on production servers should be coming from
a local repository after the new package has been tested/screened
etc. for vulnerabilities etc. (all makes sense).

I am wondering if anyone who is allowed to talk about this is doing
it and what strategies they might recommend for testing/delaying
new security updates before uploading to a local repository prior
to deploying to production servers?

(apparently it is "easy to achieve" - maybe it is easier to achieve
with commercial-grade distros like RedHat and Suse etc.?)

cheers,
Bob Edwards.



More information about the linux mailing list