[Openvas-devel] First steps towards a OpenVAS feed for Debian Local Security Checks

Jan-Oliver Wagner jan-oliver.wagner at intevation.de
Thu Nov 1 15:17:32 CET 2007


Hello Thomas,

thanks a lot for your scripts!

I am currently evaluating them.
Would you be willing to share the debian local security check
for DSA 1193 under GNU GPL, so I have a sample how
you do the version checking with your own methods?

Best

	Jan

On Freitag, 26. Oktober 2007, Thomas Reinke wrote:
> > * ssh_get_info.nasl:
> >    The one in openvas-plugins is contributed by Thomas Reinke.
> >    It is a bit outdated though (e.g. Debian 4.0 is missing).
> >    Perhaps Tomas is willing to provide an update patch.
> >    However, also need to fix dependency to be
> >    ssh_authorization intead of ssh_settings (see below).
> > 
> 
> Ugh, for the life of me don't know why that was provided.
> That is old, and hasn't been updated by us for a LONG
> time. In fact, the only change we've done to that is to
> remove support for *ix systems, as we have a replacement
> for most of the functionality provided by this script.
> 
> I've attached a replacement script we use for all of our
> *IX distro checks. Not a pretty piece of code - you've
> been warned...
> 
> You'll note still the ss_ .inc file reference - again,
> because we froze on the original version of this file
> and didn't want to have changes backdoored into our
> systems.  Given your use of ssh_authorization, you'll
> have a couple of lines to change, but other than that
> should work.
> 
> I've also attached two ".inc" files that we use for
> checking various things.  the "ssvercheck.inc" is one
> I'd suggest using for doing version checks - it is
> intelligent and does the "Right Thing" in most cases.
> For example,  it does things like correctly evaluate
> 
>       1.3.9 < 1.3.10
>       1.3 < 1.20
>       1.2+etch5 < 1.2+etch10
> 
> For the myriad of times that I've seen bugs where
> a script checking for version 1.3.1 then tripped
> a vulnerability report against 1.3.10 of the product
> due to a poor regex check, this version checking
> algorithm avoids the regex and problem entirely by
> turning the version check into a simple comparison
> of " if version < 1.3.10 -> trip report"
> 
> The ssrpmcheck.inc does version checking for both
> rpm based distros (Redhat, Fedora, Mandriva) as
> well as dpkg based systems (Debian, Ubuntu).

-- 
Dr. Jan-Oliver Wagner                        Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner



More information about the Openvas-devel mailing list