sec-updater Tool

Synopsis

sec-updater [--debug level] [--quiet] [--security] --os string --arch string --uri uri \
            --file filename

sec-updater -h | --help

Description

The sec-updater tool extracts information about security updates and backports from the package repositories of Debian-based Linux distributions (e.g. Debian or Ubuntu). This information is used to update the package version information stored in the SQLite database of the strongTNC tool and also to provide SWID tags for the updated package versions. The dpkg --compare-versions command is used to determine which package versions are affected by a given security update, so the tool must run on a host where dpkg is available.

Options

-h, --help
    Prints usage information and a short summary of the available commands.

-v, --debug level
    Set debug level, default: 1.

-q, --quiet
    Disable debug output to stderr.

-s, --security
    Set when parsing a distributions file with security updates.

-o, --os string
    Name of the operating system (OS), e.g. "Ubuntu 16.04".

-a, --arch string
    Name of the HW architecture, e.g. x86_64.

-u, --uri uri
    Base URI from which the deb packages are downloaded.

-f, --file filename
    Linux package information file (e.g. a Debian "Packages" index) to parse.

Configuration

The following parameters can be configured in the sec-updater section of strongswan.conf (defaults in brackets):

database
    Global IMV policy database URI. If it contains a password, make sure to adjust the access permissions of the config file accordingly.

load
    Plugins to load in the sec-updater tool.

tmp.deb_file [/tmp/deb]
    Temporary storage for the downloaded deb package file.

tmp.tag_file [/tmp/tag]
    Temporary storage for the generated SWID tags.

tnc_manage_command [/var/www/tnc/manage.py]
    strongTNC manage.py command used to import SWID tags.

The two tmp paths are fixed file names in a world-writable directory; run sec-updater as a dedicated user and, where possible, point them at a directory only that user can write to.

SWID Tag Generation

The parameters of the swid_generator used when an ISO 19770-2:2015 SWID tag has to be derived from a downloaded deb package can be changed in the libimcv.swid_gen section of strongswan.conf (defaults in brackets):

command [/usr/local/bin/swid_generator]
    SWID generator command to be executed.

tag_creator.name [strongSwan Project]
    Name of the tagCreator entity.

tag_creator.regid [strongswan.org]
    regid of the tagCreator entity.

Example

sec-updater {
  database = sqlite:///etc/pts/config.db
  tnc_manage_command = /var/www/tnc/manage.py
  tmp {
    deb_file = /tmp/sec-updater.deb
    tag_file = /tmp/sec-updater.tag
  }
}

libimcv {
  swid_gen {
    command = /usr/local/bin/swid_generator
    tag_creator {
      name = strongSwan Project
      regid = strongswan.org
    }
  }
}

Command Use

Here is an example of how the sec-updater command can be used in a script file:

sec-updater --os "Ubuntu 16.04" --arch "x86_64" --uri http://security.ubuntu.com/ubuntu \
            --security --file xenial-security/binary-amd64/Packages-main

The Packages index passed with --file is fetched separately from the mirror (for Ubuntu 16.04 it lives under dists/xenial-security/<component>/binary-amd64/Packages.gz). Verify the downloaded index against the mirror's signed Release or InRelease file before feeding it to sec-updater, since the tool's output ends up in the strongTNC policy database.