First of all, I’ve put the sources for Linux Sea online at GitHub. Not only does that safeguard any latest changes from not hitting my backup in time before my laptop dies (it’s terminal, but I can’t let him go yet ;-) but it also allows people who want to help with it (or translate it) to pull in the sources.
Note that it is still not finished (no spelling and grammar check done yet, still need to add some exercises, etc.); once it is, I will tag the sources appropriately.
On the cvechecker state, it is also still under development, but progress is going nicely. Most of the work now is in updating the versions.dat file with information on how to obtain the current version of a package/tool. It is an easy activity – most of the work is in finding out how CVE entries would label a tool (what vendor and product name would be chosen) and because I am too lazy, I am currently only adding those that already have CVE entries assigned to them (so I can just take a look at the correct values).
It is also my first attempt at using autotools. Quite some overkill for such a small project, but why not. At least it allows me to try to do some new things here ;-)
A while ago I had the idea to create a simple tool that checks the CVE database against my current system. It would allow me to check if my system is somewhat up to date (no pending security vulnerabilities), but also to get an automated overview of the various software packages (and versions) using a distribution-agnostic method.
So I started coding. The idea is to have a tool which can interpret CVE data, gather current version information from the system and match the CVEs against these versions and report the results to me.
I have created a SourceForge project to host the source code and preliminary documentation for the tool. Although the tool runs, it is still far from finished. On the site, you can check out the progress of the development (there’s a first todo-list on the main page).
Do you think this is a good idea? I’d be happy to hear it.
For a personal POC I wanted to see if it is possible to generate, based on the collection of CVE entries publicly available, a report informing a system administrator about possible vulnerabilities. Nothing fancy, just based upon versions.
A simple example: the tool detects Perl, acquires the installed Perl version, then matches the collection of CVE entries against this Perl version. If at least one CVE is found, report it. The idea is then to make this as generic as possible (not specific to an operating system or Linux distribution), so it would not use a package version but really the tool version (or library version).
Of course, whenever I am planning such minor POCs, I search the Internet for possible existing tools (just like kev009 describes – “But First, Write No Code”). And I found out that there are already quite some “foundation components” available…
- CPE is a structured way of naming software (vendor, title, version …)
- OVAL is a method for performing structured tests (like regular expression matches in text) for reporting purposes
Many more of these efforts are linked through the Mitre sites. The above two are the most important ones though – it seems that it might be possible to use OVAL to describe the tests I wanted for the POC.
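The Perl walk-through and the CPE naming described above, as an added example (not cvechecker's code): version banners are reduced to CPE names and matched against CVE entries by version only. The rule layout, the placeholder CVE ids, the banners, the vendor/product values and the rule that a CVE entry without a version matches any version are assumptions of this example.

```python
import re

# Constructed rules: vendor, product, regex for the version in the tool's banner.
RULES = [
    ("perl", "perl", re.compile(r"This is perl.*?v(\d+(?:\.\d+)+)")),
    ("openssl", "openssl", re.compile(r"^OpenSSL (\d+(?:\.\d+)+[a-z]?)", re.M)),
]

# Constructed CVE entries (placeholder ids) listing the CPE names they affect.
CVE_FEED = {
    "CVE-0000-0001": ["cpe:/a:perl:perl:5.8.8", "cpe:/a:perl:perl:5.10.1"],
    "CVE-0000-0002": ["cpe:/a:openssl:openssl:0.9.8k"],
    "CVE-0000-0003": ["cpe:/a:perl:perl"],  # no version given: any perl
}

def to_cpe(vendor, product, version):
    """Name an installed tool the way CVE entries name it."""
    return f"cpe:/a:{vendor}:{product}:{version}".lower()

def detect(banners):
    """Return the CPE name for every rule that matches a version banner."""
    found = set()
    for text in banners:
        for vendor, product, rx in RULES:
            if (m := rx.search(text)):
                found.add(to_cpe(vendor, product, m.group(1)))
    return found

def cpe_matches(entry, installed):
    """Simplified match: components the CVE entry leaves out match anything."""
    want, have = entry.split(":"), installed.split(":")
    return len(want) <= len(have) and all(
        w in ("", h) for w, h in zip(want, have))

def report(installed, feed=CVE_FEED):
    """Map each installed CPE name to the sorted CVE ids that list it."""
    hits = {}
    for cve, entries in feed.items():
        for cpe in installed:
            if any(cpe_matches(e, cpe) for e in entries):
                hits.setdefault(cpe, []).append(cve)
    return {cpe: sorted(ids) for cpe, ids in hits.items()}

# Constructed banners, shaped like `perl -v` and `openssl version` output.
SAMPLE = ["This is perl, v5.10.1 (*) built for x86_64-linux",
          "OpenSSL 0.9.8l 5 Nov 2009"]

if __name__ == "__main__":
    print(report(detect(SAMPLE)))
```

The OpenSSL banner produces no finding because the only constructed entry names a different version, which is the behaviour a purely version-based match gives.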
To be continued…
Everyone that has been using Gentoo for a while now knows about tools such as qlist that show you the list of files installed by an (installed) package, or qfile that allows you to find which package provided a particular file on your system.
One thing lacking is to be able to find out which package would provide a file. Unlike the previous tools, this tool cannot rely on the information found on your system as the package isn’t installed yet.
There have been projects in the past that attempted to provide such functionality, almost always through an online queryable database. Many haven’t survived, due to too high expectations or little server infrastructure resources. But it seems like PortageFileList is here to stay for a while.
The project not only offers an online interface for querying information, it also provides a package (app-portage/pfl) that allows you to query their infrastructure from the command line. The package provides a tool called e-file which supports SQL-like syntax for the queries.
~$ e-file '%bin/xdm'
The above command will then display, using the well-known emerge/Portage output, which package provides the file (as well as which file was matched by the query).
Definitely a nice tool to have around. Thanks guys of PortageFileList!
Today, IBM generously hosted the GSE TWS BeLux 2010 conference. Although it was organized together with the GSE DB2 conference (which I would also have loved to attend) I must say I was pretty impressed with the topics given, especially those after the lunch.
For me, personally, the topic on TWS 8.5.1 with broker functionality was most impressive. Not that the features are extremely innovative, but they are very useful (especially in an enterprise context). I don’t know if you have (production) experience with TWS Broker (or even 8.5.1’s broker functionality) – if you do, I’d love to hear about it!
Another update to Quizzer, now at version 3. But more importantly, updates to the Linux Sea related chapters are made available online – get a taste for it at the online quizzer set.
Feedback is, as always, very much appreciated.
A new version of the Quizzer webscript is available. The demo has also been updated with quick tests on the first few chapters of Linux Sea.
More exercises on the following chapters will follow soon.
Updates to the script include visual accept/reject of single-choice and multiple-choice answers and improved support for Internet Explorer (which I don’t have at home to validate).
Do you ever write down things in the hope you never forget them, but still think it would be better if you could somehow take a test of that subject from time to time to make sure you don’t forget?
I do, and I found it quite difficult to keep the knowledge live without having to reread the things every now and then. For that purpose, I started writing a simple JavaScript/XML/XSL fileset that allowed me to present questions (randomly if necessary) from a structured set of questions. In the beginning, it was too simple to share (string matching) but quickly grew to something more elaborate: regular expression support, multiple string-answer support, in-paragraph answer boxes and single/multiple choice answers.
With this fileset in place, I can keep track of things I would most likely otherwise forget: just select the category which I want to take a test from, and start with a (lot of) random question(s).
I’ve decided to put this fileset online (including demo files) and will extend the demo file with questions regarding my book, Linux Sea, allowing readers of the book to take online tests after they’ve finished a chapter.
Yesterday (argh, the day before yesterday) I went to a SAI conference on nosql. In Belgium, SAI is a non-profit organization for IT people which focuses on knowledge sharing.
The conference that day was on nosql. The presentation given by OuterThought was very good and offered a nice introduction to the “new types of database architectures” that are being actively developed as we speak.
Although the use of these nosql databases within KBC (where I work) is limited (I’m not aware of any application that is already using this technology) it would be plain wrong to discard the technology as “too immature”. With the recent developments that we face in the IT industry, applications are nowadays quick in adopting such new technologies and I suspect that off-the-shelf applications will soon come with such nosql database technology as part of the solution.
For large enterprises, this does face some (hard?) challenges: how do you control your network usage (some of the technologies are easy to use, but hard to tune), how do you design your architecture, where is your data, how can you ensure that you do not “lock in” into a single nosql technology (i.e. how do you ensure interoperability and migrations between technologies), do you still need SAN-based replication or will you now let the technology handle this for you, etc.
So yes, the nosql technology is nice to look into (and definitely something to follow up on) but make sure you don’t introduce it in your organization without thinking about the entire integration and management aspect.
Just a quick heads-up that a dozen pages in the Linux Sea book have been added. Nothing spectacular, just a few more paragraphs on services/runlevels, a few updates on software management and on boot failure resolutions.