SECURITY_Getting_GLSAs_by_Email
Abstract
This document outlines a method for receiving regular notifications via email of Gentoo Linux Security Advisories (GLSA) related to the specific packages you have installed.
The Problem
GLSAs were created as a means of informing administrators of packages that have security issues associated with them, and of the means to update and/or fix those problems. The problem is that there is currently no method of receiving notifications via email (or otherwise) about security implications relating to your specific package set.
Steps
Create the file /usr/local/bin/glsa.sh:
| File: /usr/local/bin/glsa.sh |
#!/bin/bash
# Report the GLSAs that glsa-check lists as affecting this system ([N]),
# either on stdout or by mail.
E_OPTERROR=65
MailReport=0
MailTo="${USER}@$(domainname -d)"
MailFrom="${USER}@$(domainname -d)"

# Create the work files with mktemp: a predictable name in /tmp could be
# pre-created or symlinked by another local user.
TMPLOG=$(mktemp /tmp/.glsa-check.XXXXXX) || exit 1
TMPDATA=$(mktemp /tmp/.glsa-check-data.XXXXXX) || { rm -f "${TMPLOG}"; exit 1; }

# Remove the work files on any exit. KILL cannot be trapped, so it is not listed.
trap 'rm -f "${TMPLOG}" "${TMPDATA}"' EXIT
trap 'exit 1' TERM INT HUP

function usage() {
    echo "Usage: $(basename "$0") [-h] [-m [-t <to email>] [-f <from email>]]"
    echo " -m: Mail Report (automatically turned on if -t or -f are used)"
    echo " -t: Email address to mail report to (default: ${USER}@$(domainname -d))"
    echo " -f: Email address to use as the From address (default: ${USER}@$(domainname -d))"
    echo " -h: This help stuff :-)"
}

function generateReport() {
    local counter advisory total line

    # Keep only the advisories flagged [N].
    /usr/bin/glsa-check --nocolor --list 2>&1 | grep -E '^[0-9-]+ \[N' > "${TMPDATA}"

    # Nothing to report: exit quietly so cron sends no mail.
    if [ ! -s "${TMPDATA}" ]; then
        exit 0
    fi

    total=$(wc -l < "${TMPDATA}")
    {
        counter=0
        echo "Current Relevant Security Advisories:"
        echo "-------------------------------------"
        echo
        echo "Summary:"
        echo "--------"
        echo
        while read -r line; do
            # "ID [N] title ( packages )" -> "(GLSA ID) title"
            advisory="$(echo "${line}" | perl -pe 's/^([0-9-]+)[^\]]+\] ([^(]+).*/(GLSA \1) \2/g')"
            counter=$((counter + 1))
            echo "${counter} - ${advisory}"
        done < "${TMPDATA}"
        echo
        echo "Full text listing:"
        echo "------------------"
        echo
        counter=0
        # Reduce each line to its advisory ID and dump the full text of each one.
        for advisory in $(perl -pe 's/^([0-9-]+).*\n/\1 /g' "${TMPDATA}"); do
            counter=$((counter + 1))
            echo -en "${counter} - "
            /usr/bin/glsa-check --dump "${advisory}" 2>/dev/null
        done
    } > "${TMPLOG}"

    if [ "${MailReport}" -eq 1 ]; then
        # Options go before the recipient. -a adds a header in bsd-mailx and
        # GNU mailutils; other mailx implementations use -a for attachments.
        mail -a "From: ${MailFrom}" -s "$(uname -n) Security Advisories (${total} package(s))" "${MailTo}" < "${TMPLOG}"
    else
        cat "${TMPLOG}"
    fi
}

while getopts "hmt:f:" Option
do
    case $Option in
        m ) MailReport=1;;
        t ) {
            MailTo="${OPTARG}"
            MailReport=1
            # Anchored at both ends so trailing characters after the address are rejected.
            if ! echo "${MailTo}" | grep -qP '^[A-Za-z0-9_.+-]+@([a-zA-Z0-9-]+\.)+[a-zA-Z0-9]+$'; then
                echo
                echo "Invalid (-t) Mail To address '${MailTo}' !!"
                echo
                usage
                exit $E_OPTERROR
            fi
        };;
        f ) {
            MailReport=1
            MailFrom="${OPTARG}"
            if ! echo "${MailFrom}" | grep -qP '^[A-Za-z0-9_.+-]+@([a-zA-Z0-9-]+\.)+[a-zA-Z0-9]+$'; then
                echo
                echo "Invalid (-f) Mail From address '${MailFrom}' !!"
                echo
                usage
                exit $E_OPTERROR
            fi
        };;
        h | *) usage
            exit 1;;
    esac
done
shift $((OPTIND - 1))

generateReport
exit 0
|
Make sure the script is executable:
chmod ug+x /usr/local/bin/glsa.sh
Create a cronjob for it to run at 5 after midnight every night:
| File: crontab |
5 0 * * * /usr/local/bin/glsa.sh -t noc@somewhere.com -f glsa@somewhere.com
|
Warning: Schedule this script to run (via cron) after your weekly/daily/whatever emerge sync; otherwise it won't be able to give you accurate GLSA information.
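To check the report formatting before putting the script under cron, the following added example (not part of the original script) runs the same [N] filter and summary rewrite over a constructed listing, so it works on a machine without glsa-check. The function names and sample advisories are made up for illustration; the line layout is inferred from the regexes in glsa.sh.

```sh
#!/bin/sh
# Added example: offline check of the [N] filter and summary format from glsa.sh.
# The listing is constructed sample data, laid out to match the script's regexes.
sample_listing() {
cat <<'EOF'
[N] indicates that the system might be affected (constructed legend line)

200001-01 [A] examplepkg: Constructed applied advisory ( app-misc/examplepkg )
200001-02 [N] otherpkg: Constructed buffer overflow ( net-misc/otherpkg )
200001-03 [U] thirdpkg: Constructed unaffected advisory ( dev-libs/thirdpkg )
200002-01 [N] fourthpkg: Constructed privilege escalation ( sys-apps/fourthpkg )
EOF
}

# Same filter as glsa.sh: an advisory ID at line start, then a status beginning
# with N. The ^ anchor keeps legend text mentioning "[N]" out of the report.
affected_lines() {
    grep -E '^[0-9-]+ \[N'
}

# "ID [N] title ( packages )" -> "n - (GLSA ID) title"; sed -E stands in for perl,
# and the second expression trims the space left before "( packages )".
summary() {
    affected_lines |
        sed -E 's/^([0-9-]+)[^]]+\] ([^(]+).*/(GLSA \1) \2/; s/ +$//' |
        awk '{ printf "%d - %s\n", NR, $0 }'
}

# Space-separated IDs, the form the script loops over for glsa-check --dump.
advisory_ids() {
    affected_lines | awk '{ printf "%s%s", sep, $1; sep = " " } END { if (NR) print "" }'
}

sample_listing | summary
echo "IDs to dump: $(sample_listing | advisory_ids)"
```

Piping real `glsa-check --nocolor --list` output into `summary` instead of `sample_listing` shows what the mailed summary section will contain.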
Notes
- For email addresses: if you use an underscore in your domain name, you need to add it to the match group. Many die-hard DNS folk frown on underscores in domain names since they are not explicitly permitted per RFC. However, many people do use them.
- If your grep is not compiled with pcre, remove -P and replace + with \+, and ( with \(.
Dependencies
- mailx
- perl
- glsa-check (duh!)
Other Options
- Gentoo provides an RSS feed of security advisories located at http://www.gentoo.org/rdf/en/glsa-index.rdf. Provided you know all the packages you have installed, you could simply subscribe to this feed to know when issues arise. While it won't give you detailed information about the specific GLSAs which need to be applied on a machine, it can at least be helpful in letting you know which packages (or kinds of them) are usually more of an issue than others.
Last modified: Sun, 07 Sep 2008 06:11:00 +1000
