Comments (7)
Hi Marc,
How does the Debian check work to see if there is an update? Or in other words, what does it need to detect it?
from lynis.
Quack Michael,
The tool checks a specific page (currently https://downloads.cisofy.com/lynis/), detects the links in the page and filters them to get the various versions available, and gets the associated asc files too. The tool, which is called uscan, is used to grab the tarball securely and check the signature, and is also leveraged in an automated way in a Debian service to detect new versions to package.
It would be possible to use the Github release page instead but the asc files are missing and the signature check would not be possible anymore.
\_o<
Thanks, I did not know how Debian does this check. FreeBSD has a similar tool (portswatch) and they simply try to find a new version, instead of reading the directory listing.
I have reverted a few things, so that the directory index is available for the newer packages. I might make a small change soon to make things look a bit prettier, but then the directory structure for the main path should remain.
Is the type of listing that uscan scans something you manage as a package maintainer in the watch file?
Can you trigger a new check to see that things are working again?
It can read from any page, not just directory listings I think. I wonder how FreeBSD does it.
I can parametrize the URL and pattern matching but there is no listing type. It seems any kind of http or ftp URL is fine.
I cannot trigger a check but I can run the tool locally and it works again now, thanks:
$ uscan --report --verbose
uscan info: uscan (version 2.23.7) See uscan(1) for help
uscan info: Scan watch files in .
uscan info: Check debian/watch and debian/changelog in .
uscan info: package="lynis" version="3.0.9-1" (as seen in debian/changelog)
uscan info: package="lynis" version="3.0.9" (no epoch/revision)
uscan info: ./debian/changelog sets package="lynis" version="3.0.9"
uscan info: Found upstream signing keyring: debian/upstream/signing-key.asc
uscan info: Process watch file at: debian/watch
package = lynis
version = 3.0.9
pkg_dir = .
uscan info: opts: pgpsigurlmangle=s/$/.asc/
uscan info: line: https://downloads.cisofy.com/lynis/ lynis(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))(?i)(?:\.(?:tar\.xz|tar\.bz2|tar\.gz|tar\.zstd?|zip|tgz|tbz|txz)) debian uupdate
uscan info: Parsing pgpsigurlmangle=s/$/.asc/
uscan info: line: https://downloads.cisofy.com/lynis/ lynis(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))(?i)(?:\.(?:tar\.xz|tar\.bz2|tar\.gz|tar\.zstd?|zip|tgz|tbz|txz)) debian uupdate
uscan info: Last orig.tar.* tarball version (from debian/changelog): 3.0.9
uscan info: Last orig.tar.* tarball version (dversionmangled): 3.0.9
uscan info: Requesting URL:
https://downloads.cisofy.com/lynis/
uscan info: Matching pattern:
(?:(?:https://downloads.cisofy.com)?\/lynis\/)?lynis(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))(?i)(?:\.(?:tar\.xz|tar\.bz2|tar\.gz|tar\.zstd?|zip|tgz|tbz|txz))
uscan info: Found the following matching hrefs on the web page (newest first):
https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz (3.1.1) index=3.1.1-1
https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz (3.1.1) index=3.1.1-1
https://downloads.cisofy.com/lynis/lynis-3.1.0.tar.gz (3.1.0) index=3.1.0-1
https://downloads.cisofy.com/lynis/lynis-3.1.0.tar.gz (3.1.0) index=3.1.0-1
uscan info: Looking at $base = https://downloads.cisofy.com/lynis/ with
$filepattern = lynis(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))(?i)(?:\.(?:tar\.xz|tar\.bz2|tar\.gz|tar\.zstd?|zip|tgz|tbz|txz)) found
$newfile = https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz
$newversion = 3.1.1
$lastversion = 3.0.9
uscan info: Matching target for downloadurlmangle: https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz
uscan info: Upstream URL(+tag) to download is identified as https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz
uscan info: Filename (filenamemangled) for downloaded file: lynis-3.1.1.tar.gz
Newest version of lynis on remote site is 3.1.1, local version is 3.0.9
=> Newer package available from:
=> https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz
uscan info: Scan finished
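The two comments above describe what uscan does with the watch line: fetch the download page, collect the hrefs, keep only those matching the file pattern, order them by version (newest first) and derive the signature URL with pgpsigurlmangle. The script below is an added illustration of that flow, not uscan itself and not part of the lynis or Debian packaging code. It uses the base URL, file pattern and pgpsigurlmangle option exactly as printed in the uscan report, runs them against a constructed stand-in for the directory listing (the SAMPLE_LISTING string, including an rc tarball and duplicate links that are not on the real page), and implements the dpkg upstream-version ordering so that 3.10 sorts after 3.9 and 3.1.1~rc1 sorts before 3.1.1. Python refuses a mid-pattern (?i), so the scoped form (?i:...) replaces it; the match is the same.

```python
import re
from functools import cmp_to_key
from html.parser import HTMLParser
from urllib.parse import urljoin

# Watch line from the uscan report above: base URL, file pattern, pgpsigurlmangle.
BASE_URL = "https://downloads.cisofy.com/lynis/"
FILE_PATTERN = re.compile(
    r"lynis(?:[-_]?[Vv]?(\d[\-+\.:\~\da-zA-Z]*))"
    r"(?i:\.(?:tar\.xz|tar\.bz2|tar\.gz|tar\.zstd?|zip|tgz|tbz|txz))"
)
PGPSIGURLMANGLE = "s/$/.asc/"

# Constructed stand-in for the directory listing (not the real page).
SAMPLE_LISTING = """<html><body><h1>Index of /lynis/</h1>
<a href="?C=M;O=D">Last modified</a> <a href="../">Parent Directory</a>
<a href="lynis-3.0.9.tar.gz">x</a> <a href="lynis-3.0.9.tar.gz.asc">sig</a>
<a href="lynis-3.1.0.tar.gz">x</a> <a href="lynis-3.1.0.tar.gz.asc">sig</a>
<a href="https://downloads.cisofy.com/lynis/lynis-3.1.1.tar.gz">x</a>
<a href="lynis-3.1.1.tar.gz">x</a> <a href="lynis-3.1.1.tar.gz.asc">sig</a>
<a href="lynis-3.1.1~rc1.tar.gz">x</a> <a href="lynis-3.1.1.tar.gz.sha256">sum</a>
</body></html>"""


class _HrefCollector(HTMLParser):
    """Collect every href on the page, like uscan's link scan."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def _order(c):
    """dpkg character weight: '~' first, digits neutral, letters, then the rest."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def deb_version_cmp(a, b):
    """Compare upstream versions the way dpkg does; negative, 0 or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run, compared character by character
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # digit run, compared numerically (leading zeros dropped)
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def apply_mangle(rule, text):
    """Apply a sed-style s/pattern/replacement/[g] rule, as uscan's *mangle options do."""
    if len(rule) < 4 or rule[0] != "s":
        raise ValueError("unsupported mangle rule: %r" % rule)
    parts = rule[2:].split(rule[1])
    if len(parts) < 3:
        raise ValueError("unterminated mangle rule: %r" % rule)
    return re.sub(parts[0], parts[1], text, count=0 if "g" in parts[2] else 1)


def find_candidates(html, base_url=BASE_URL):
    """Return [(version, tarball_url, signature_url)] newest first, like the uscan report."""
    collector = _HrefCollector()
    collector.feed(html)
    found = {}
    for href in collector.hrefs:
        url = urljoin(base_url, href)
        if not url.startswith(base_url):
            continue  # parent directory and other off-site links
        m = FILE_PATTERN.fullmatch(url[len(base_url):])
        if m:  # .asc/.sha256 and sort links fail the tarball pattern
            found[url] = m.group(1)  # a file linked twice counts once
    cands = [(ver, url, apply_mangle(PGPSIGURLMANGLE, url)) for url, ver in found.items()]
    cands.sort(key=cmp_to_key(lambda x, y: deb_version_cmp(x[0], y[0])), reverse=True)
    return cands


def check_update(html, local_version, base_url=BASE_URL):
    """Newest remote (version, url, sig_url) if it is newer than local_version, else None."""
    cands = find_candidates(html, base_url)
    if not cands or deb_version_cmp(cands[0][0], local_version) <= 0:
        return None
    return cands[0]


if __name__ == "__main__":
    for ver, url, sig in find_candidates(SAMPLE_LISTING):
        print(f"{url} ({ver}) sig={sig}")
    print("newer than 3.0.9:", check_update(SAMPLE_LISTING, "3.0.9"))
```

Run against the real listing, the only step left before a packager would trust the result is verifying the downloaded .asc against debian/upstream/signing-key.asc, which is exactly the step that a release page without signature files would make impossible.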
Perfect. That is very useful for testing if we alter the page. I was thinking, an option could be to replace the page and only list the link to the latest version (and the signature).
Can you share the definition that does the check? The one that does the check at downloads.cisofy.com. Or if possible, the full configuration file. Then I can use that later to test and confirm that I don't break things ;-)
FreeBSD does it by checking the "next" version to show up. So if 3.1.1 is the current one, they check for 3.1.2, 3.2.0, and 4.0.0.
As things work now, closing this issue. Feel free to add details if needed.
@mboelen uscan reads various package configuration files, not just its own configuration, so you need to clone the whole https://salsa.debian.org/debian/lynis.git repository and then you can run uscan --report --verbose (available in the devscripts package) to test if that works fine.
The check is interesting but in my experience I think that would mean to test a shitload of versions. Sometimes upstream decide to go with 3.1.1.1, or skip a version because of some error during the release steps or because of a last minute fix, or would change the version scheme entirely… I don't think uscan folks would like to implement such an approach. Thanks for sharing anyway.
Thanks again for the fix.