Parser for Ubuntu Security Notices written in Perl
James S. White: Merge pull request #4 from jameswhite/dont_ship_data ("don't ship stuff that can be fetched")
Latest commit 5e04056 Sep 17, 2015
bin
lib
.gitignore
readme.md

readme.md

USNeasy: an Ubuntu Security Notice parser in Perl.

Why?

Every time a security notice comes in, I go through the same routine: skim the notice, determine whether it's a remote or local vuln, script up something in bash or Puppet to determine whether any of my systems have the vulnerable packages installed, set up a patch schedule, and crank through the patching.

It's all far too manual. There are GUI tools in Ubuntu that tell me when my systems need patching, but I wanted something I could put into a Nagios check.

The security notices are pretty formulaic. So it seemed like a trivial task to parse them and coerce them into JSON. So that's what I did.

Usage

  1. Fetch the Security Notices from lists.ubuntu.com (note: you might want to delete the current `YYYY-Month.txt` first, because the fetch won't re-download a file that already exists locally, while the remote copy for the current month is still being appended to):

     [ -f data/$(date +"%Y-%B").txt ] && rm -f data/$(date +"%Y-%B").txt
     [ -f cve/allitems-cvrf-year-$(date +"%Y").xml ] && rm -f cve/allitems-cvrf-year-$(date +"%Y").xml
     [ -f nvd/nvdcve-2.0-$(date +"%Y").xml ] && rm -f nvd/nvdcve-2.0-$(date +"%Y").xml
     bin/fetch

  2. Parse the Security Notices now in ./data and create the JSON files in ./output:

     bin/parse data

  3. Run the Nagios check that will scan the JSON files in ./output and compare them to the local system:

     *WIP*
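
As an added illustration of the parse step above (hypothetical code, not from the USNeasy repo), here is a minimal Perl routine that turns one notice in the lists.ubuntu.com layout into the kind of JSON the check step would consume. The notice text, package name, versions and the CVE id are constructed placeholders.

```perl
# Added example: parse one USN into a hash and emit JSON (not the project's own code).
use strict;
use warnings;
use JSON::PP;    # core module since Perl 5.14

# Constructed, abbreviated notice in the mailing-list layout; the package,
# versions and CVE-2099-0001 are placeholders, not real identifiers.
my $notice = <<'USN';
==========================================================================
Ubuntu Security Notice USN-0000-1
September 17, 2015

examplepkg vulnerability
==========================================================================

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Update instructions:

Ubuntu 14.04 LTS:
  examplepkg                      1.2.3-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  examplepkg                      1.0.9-0ubuntu0.12.04.2

References:
  CVE-2099-0001
USN

sub parse_usn {
    my ($text) = @_;
    my %usn;
    # Header block: id and date, a blank line, then the title over a rule of '='.
    @usn{qw(id date title)} = $text =~ /^Ubuntu Security Notice (USN-\d+-\d+)\n(.+)\n\n(.+)\n=+/m;
    $usn{affected} = [ $text =~ /^- (Ubuntu .+)$/mg ];
    # "Ubuntu X:" opens a block of indented "package  version" lines; a blank line closes it.
    my $release;
    for my $line ( split /\n/, $text ) {
        if    ( $line =~ /^(Ubuntu [^:]+):$/ ) { $release = $1 }
        elsif ( $line =~ /^\s*$/ )             { undef $release }
        elsif ( $release && $line =~ /^\s+(\S+)\s+(\S+)$/ ) { $usn{fixed}{$release}{$1} = $2 }
    }
    my %seen;    # a CVE id may appear in both Details and References; keep each once
    $usn{cves} = [ grep { !$seen{$_}++ } $text =~ /\b(CVE-\d{4}-\d{4,})\b/g ];
    # Check step caveat: compare installed versions with `dpkg --compare-versions`, not as strings.
    return \%usn;
}

print JSON::PP->new->canonical->pretty->encode( parse_usn($notice) );
```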

Errata

It skips the older-format USNs (pre-2011), as they do not follow the same layout and I have little reason to scan distributions from that far back.
