[ubuntu-hardened] What method should I use to validate the packages installed on my server?
Seth Arnold
seth.arnold at canonical.com
Tue Feb 25 03:14:11 UTC 2020
Hello Jason,
On Mon, Feb 24, 2020 at 04:18:51PM -0500, Jason Franklin wrote:
> 1. Packages aren't installed without being approved beforehand. How
> could I formalize this process?
There are several methods: Landscape offers a central panel to inspect what
is installed on Ubuntu systems in your fleet. You could also replace the
use of Canonical-run or community-run apt update sources with your own apt
repository using aptly (package aptly; see also https://www.aptly.info )
and control which packages are available and when via your repository.
I don't believe Landscape manages snap packages.
Consider also setting up a reproducible deployment system using
configuration management tools, like Juju, Ansible, Chef, Puppet,
etc. If your machines can be rebuilt and replaced in minutes, there's
less chance -- or need -- for one-off package installations.
> 2. Given a list of official Ubuntu packages that are approved, how can I
> show that there are no UNapproved official packages on a given box?
If you want to hand-roll your own tools, dpkg --list output shows the
state of packages known to dpkg.
snap list shows the state of packages known to snap.
I hope this helps.
Thanks
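
An added example, not part of the original message: one way to hand-roll the check from question 2 by comparing `dpkg --list` and `snap list` output against an approved list. The function names, the allowlist format (one name per line, `#` comments) and the sample listings are assumptions constructed for illustration.

```shell
# Added example. Allowlist format (one package name per line, '#' starts a
# comment) is an assumption. A missing allowlist reports every package.

not_allowed() {   # stdin: one name per line; $1: allowlist file
    awk -v allow="$1" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line)
                if (line != "") ok[line] = 1
            }
        }
        !($0 in ok)' | sort -u
}

unapproved_dpkg() {   # stdin: `dpkg --list` output; $1: allowlist file
    # Column 1 is the state: desired action, current status, optional R flag.
    # Status n (not installed) or c (only config files left) is skipped.
    awk '$1 ~ /^[uirph][a-zA-Z]R?$/ && substr($1, 2, 1) !~ /[nc]/ {
             name = $2; sub(/:.*/, "", name)   # drop ":amd64" qualifier
             print name
         }' | not_allowed "$1"
}

unapproved_snap() {   # stdin: `snap list` output; $1: allowlist file
    awk 'NR > 1 && NF { print $1 }' | not_allowed "$1"
}

sample_dpkg_list() {   # constructed sample, not from a real host
    cat <<'EOF'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================
ii  bash           5.0-6ubuntu1 amd64        GNU Bourne Again SHell
ii  libc6:amd64    2.31-0ubuntu9 amd64       GNU C Library
ii  nmap           7.80         amd64        The Network Mapper
rc  telnetd        0.17-41      amd64        basic telnet server
iU  tcpdump        4.9.3        amd64        command-line network traffic analyzer
EOF
}

sample_snap_list() {   # constructed sample
    cat <<'EOF'
Name    Version  Rev   Tracking       Publisher   Notes
core18  20200124 1668  latest/stable  canonical*  base
lxd     3.21     13474 latest/stable  canonical*  -
EOF
}
```

On a real host the same functions read live output, for example `dpkg --list | unapproved_dpkg approved.txt`, and empty output means nothing outside the list is present.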