getting the running patch level
Peter Jeremy
peter at rulingia.com
Mon Aug 20 21:06:52 UTC 2012
On 2012-Aug-19 16:46:37 +0200, Paul Schenkeveld <freebsd at psconsult.nl> wrote:
> - Teach both installworld and freebsd-update to maintain manifest
> files of what is installed and log that update, place all manifests
> somewhere under /var/db and the update log in /var/log.
I'm not sure what detail you intend here. One line per installworld
or similar sounds OK. One line per file seems excessive - especially
if you intend to retain history ("df -ki" suggests that a base install
is around 30,000 files).
> - Having manifests of what's installed, one could check if all files
> are still the right version, if older manifests are not discarded
> when performing an update this could also detect files that were
> not updated for whatever reason or that were reverted, i.e. by
> restoring some backup. E.g.:
>
> Current userland version: 8.3-RELEASE-p4
> /usr/sbin/named is at 8.3-RELEASE-p2
> /usr/bin/openssl is at 8.3-RELEASE
How do you envisage this tool determining that /usr/sbin/foo is at
8.3-RELEASE-p2 and this is incorrect when userland is at (eg)
8.3-RELEASE-p4? Note that updating your system from 8.3-RELEASE-p2 to
8.3-RELEASE-p4 may not change /usr/sbin/foo and therefore it will
remain untouched.
>The /etc/issue file mentioned several times in this thread is like motd
>but intended to be shown before a login prompt. This works for console
>logins (getty) but not for remote logins.
SSH includes provision for displaying information prior to login - see
the "Banner" option in sshd_config. Note that this is most definitely
the wrong place to include system version details.
--
Peter Jeremy
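
Added example, not part of the original message or of freebsd-update: one way the manifest check discussed above could attribute a patch level to each file, so that a file a patch did not touch is not reported as out of date. The manifest layout (one full path-to-SHA-256 map per patch level), the function names, and the sample hashes are assumptions constructed for illustration.

```python
import hashlib

def file_sha256(path):
    """SHA-256 of an installed file, or None if it is missing or unreadable."""
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None

def first_level_with(path, digest, manifests):
    """Oldest patch level whose manifest lists this exact content for path."""
    if digest is None:
        return None
    return next((lvl for lvl, m in manifests if m.get(path) == digest), None)

def classify(installed, manifests):
    """manifests: [(level, {path: sha256})], oldest first, last one = current userland.
    Returns {path: (status, level)}; a file is stale only if its hash differs
    from the current manifest, never merely because it predates the last patch."""
    _, current = manifests[-1]
    report = {}
    for path, want in current.items():
        have = installed.get(path)
        level = first_level_with(path, have, manifests)
        if have == want:
            report[path] = ("ok", level)
        elif level is not None:
            report[path] = ("stale", level)
        else:
            report[path] = ("unknown", None)  # locally modified or missing
    return report

# Constructed sample data (not real FreeBSD hashes or patch contents).
def fake_hash(tag):
    return hashlib.sha256(tag.encode()).hexdigest()

NAMED, OPENSSL, FOO = "/usr/sbin/named", "/usr/bin/openssl", "/usr/sbin/foo"
MANIFESTS = [
    ("8.3-RELEASE",    {NAMED: fake_hash("named-0"),  OPENSSL: fake_hash("ssl-0"),  FOO: fake_hash("foo-0")}),
    ("8.3-RELEASE-p2", {NAMED: fake_hash("named-p2"), OPENSSL: fake_hash("ssl-0"),  FOO: fake_hash("foo-p2")}),
    ("8.3-RELEASE-p4", {NAMED: fake_hash("named-p4"), OPENSSL: fake_hash("ssl-p4"), FOO: fake_hash("foo-p2")}),
]
INSTALLED = {NAMED: fake_hash("named-p2"), OPENSSL: fake_hash("ssl-0"), FOO: fake_hash("foo-p2")}

if __name__ == "__main__":
    for path, (status, level) in classify(INSTALLED, MANIFESTS).items():
        print(f"{path}: {status} (content from {level})")
```

On a real system the `installed` map would be built by calling `file_sha256` on each path in the current manifest.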
More information about the freebsd-security
mailing list