sec-updater Tool

Synopsis

sec-updater [--debug level] [--quiet] [--security] --os string --arch string --uri uri \
            --file filename

sec-updater -h | --help

Description

The sec-updater tool extracts information about security updates and backports from Linux distribution repositories (e.g. Debian or Ubuntu). This information is used to update the package version information stored in the strongTNC SQLite database. The dpkg --compare-versions command is used to determine which package versions are affected by a given security update.
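The two core steps the description above outlines, as an added Python example that is not part of sec-updater or strongSwan: parse a Debian-style Packages file into package stanzas, then apply the dpkg version-ordering rules to decide which installed package versions a security update supersedes. The ordering logic is reimplemented in pure Python so the script runs without dpkg; the optional dpkg_lt helper shells out to the real dpkg --compare-versions command, which is what sec-updater itself relies on. The Packages stanzas and the installed-package inventory are constructed sample data.

```python
import subprocess

DIGITS = "0123456789"


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything (even end
    of string), letters before non-letters, digits and end of string are 0."""
    if c == "" or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg's
    verrevcmp() does: alternate non-digit runs (lexical by _order) and
    digit runs (numeric, leading zeros ignored)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and a[i] not in DIGITS) or (j < lb and b[j] not in DIGITS):
            ac = _order(a[i] if i < la else "")
            bc = _order(b[j] if j < lb else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and a[i] in DIGITS and j < lb and b[j] in DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i] in DIGITS:
            return 1          # a has more significant digits
        if j < lb and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; the epoch is before the first ':',
    the revision after the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg: epoch, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def dpkg_lt(a, b):
    """Cross-check with the real dpkg (requires dpkg on PATH); exit status 0
    means the relation holds."""
    return subprocess.run(["dpkg", "--compare-versions", a, "lt", b]).returncode == 0


def parse_packages(text):
    """Parse a Packages file: stanzas separated by blank lines, 'Key: value'
    fields, continuation lines indented by whitespace."""
    pkgs, stanza, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                pkgs.append(stanza)
            stanza, last_key = {}, None
        elif line[0] in " \t" and last_key:
            stanza[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            stanza[last_key] = value.strip()
    if stanza:
        pkgs.append(stanza)
    return pkgs


def affected_packages(installed, updates):
    """Return (name, installed_version, update_version) for every installed
    package whose version is older than the newest security update listed."""
    latest = {}
    for p in updates:
        name, ver = p.get("Package"), p.get("Version")
        if name and ver and (name not in latest or compare_versions(ver, latest[name]) > 0):
            latest[name] = ver
    return sorted((n, v, latest[n]) for n, v in installed.items()
                  if n in latest and compare_versions(v, latest[n]) < 0)


# Constructed sample data (not taken from a real repository snapshot).
SAMPLE_PACKAGES = """\
Package: openssl
Version: 1.0.2g-1ubuntu4.20
Architecture: amd64
Filename: pool/main/o/openssl/openssl_1.0.2g-1ubuntu4.20_amd64.deb
Description: Secure Sockets Layer toolkit
 Constructed sample stanza, continuation line.

Package: bash
Version: 4.3-14ubuntu1.4
Architecture: amd64
Filename: pool/main/b/bash/bash_4.3-14ubuntu1.4_amd64.deb

Package: libxml2
Version: 2.9.3+dfsg1-1ubuntu0.7
Architecture: amd64
Filename: pool/main/libx/libxml2/libxml2_2.9.3+dfsg1-1ubuntu0.7_amd64.deb
"""

SAMPLE_INSTALLED = {
    "openssl": "1.0.2g-1ubuntu4.15",
    "bash": "4.3-14ubuntu1.4",
    "libxml2": "2.9.3+dfsg1-1ubuntu0.6",
    "curl": "7.47.0-1ubuntu2.19",
}

if __name__ == "__main__":
    for name, have, fixed in affected_packages(SAMPLE_INSTALLED, parse_packages(SAMPLE_PACKAGES)):
        print(f"{name}: installed {have} < security update {fixed}")
```

Only openssl and libxml2 are reported: bash is already at the update version and curl has no entry in the security Packages file. The tilde rule matters in practice (1.0~rc1 sorts below 1.0), which is why a plain string or float comparison of Debian versions gives wrong answers.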

Options

-h, --help
    Prints usage information and a short summary of the available commands

-v, --debug <level>
    Set debug level, default: 1

-q, --quiet
    Disable debug output to stderr

-s, --security
    Set when the package information file being parsed contains security updates

-o, --os <string>
    Name of the operating system (OS), e.g. Ubuntu 16.04

-a, --arch <string>
    Name of the hardware architecture, e.g. x86_64

-u, --uri <uri>
    URI to download the deb package from

-f, --file <filename>
    Linux package information file to parse

Configuration

The following parameters can be configured in the sec-updater section of strongswan.conf:

Key                  Default                  Description
load                                          Plugins to load in sec-updater tool
tmp.deb_file         /tmp/deb                 Temporary storage for downloaded deb package file
tmp.tag_file         /tmp/tag                 Temporary storage for generated SWID tags
tnc_manage_command   /var/www/tnc/manage.py   strongTNC manage.py command used to import SWID tags

SWID Tag Generation

The parameters of the swid_generator used when an ISO 19770-2:2015 SWID tag has to be derived from a downloaded deb package can be changed in the swid_gen subsection of the libimcv section of strongswan.conf (see the example below):

Key                 Default                         Description
command             /usr/local/bin/swid_generator   SWID generator command to be executed
tag_creator.name    strongSwan Project              Name of the tagCreator entity
tag_creator.regid   strongswan.org                  regid of the tagCreator entity

Example

sec-updater {
  database = sqlite:///etc/pts/config.db
  tnc_manage_command = /var/www/tnc/manage.py
  tmp {
    deb_file = /tmp/sec-updater.deb
    tag_file = /tmp/sec-updater.tag
  }
}

libimcv {
  swid_gen {
    command = /usr/local/bin/swid_generator
    tag_creator {
      name = strongSwan Project
      regid = strongswan.org
    }
  }
}

Command Use

Here is an example of how the sec-updater command can be used in a script file:

sec-updater --os "Ubuntu 16.04" --arch "x86_64" --uri http://security.ubuntu.com/ubuntu \
            --security --file xenial-security/binary-amd64/Packages-main