
Check for "genuine packages" #7

Open
widhalmt opened this issue Jun 23, 2021 · 3 comments
Labels: to-be-discussed

Comments

@widhalmt
Member

We could use a more thorough check of which packages were installed:

  • Were the packages provided by the actual vendor (e.g. Icinga) or were they custom built by the user or someone else?
  • Are these release packages or devel snapshots?

I know that's not possible to determine on every platform, but where we can, we should collect the information.

Background: At least once we took some time hunting down a bug only to realize that the user had built custom packages using wrong libraries. The tool worked more or less but had some issues that were directly linked to using the wrong libraries. Since this is all but common it took us quite a while to find out.

@lazyfrosch
Contributor

There is not really a good way to do it.

Apart from checksumming effective files on disk, we can not further audit the packages the software was installed from - they are usually only present on disk for some time after installation.

We could collect information about repositories, but this is not really a good indication of where the packages are from. Release packages are often not present in enterprise environments, so not helpful either.

@widhalmt
Member Author

We built a way for rpm into Icinga Diagnostics. https://github.com/Icinga/icinga2-diagnostics/blob/master/icinga-diagnostics.sh#L127

I'd be totally fine if we take what we can get and if a distribution lacks a way, then maybe just put out a hint telling us that there's no information about that available. But I don't want to miss an option just because one of the supported distributions is not capable of doing it.

I'm not so much interested in where the packages came from, more in whether they come from the original vendor. Granted, that could mean we would have to provide a list of keys.

As functionality is to be split up between parts of the support collector, I don't think anymore that it's a good thing to have this within the collector part. But the collector should check whether the files belong to a package and, if so, which key signed the package, if that information is available.

@lazyfrosch
Contributor

Very much possible to check the signature, but not really reliable and merely an indication in my eyes.

Also I don't think there is a way to implement a similar way for deb-based systems.
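The check proposed above (does the file belong to a package, and which key signed that package) and the caveat that a signature is only an indication can be seen together in the following added example. It is not code from icinga-support-collector or icinga2-diagnostics; it only uses the real rpm queries `rpm -qf FILE` and `rpm -q --qf '%{SIGPGP:pgpsig}\n' PKG`. The key IDs in TRUSTED_KEY_IDS and the sample signature strings are constructed placeholders, not Icinga's actual packaging key.

```shell
#!/bin/sh
# Added example, not part of the support collector: classify an installed rpm by
# the key that signed it. Everything except check_file() works offline on the
# string rpm prints for %{SIGPGP:pgpsig}.

# Allow-list of vendor signing key IDs (the last 16 hex digits of the fingerprint),
# one per line. HYPOTHETICAL values for this example; a real collector would ship
# the vendor's published key IDs here.
TRUSTED_KEY_IDS="0123456789abcdef
fedcba9876543210"

# Extract the key ID (lowercase hex) from a pgpsig string such as
#   "RSA/SHA256, Thu 11 Mar 2021 10:22:01 AM CET, Key ID 0123456789abcdef"
# rpm prints "(none)" for a package that carries no signature; that and an
# unparsable string yield an empty result.
sig_key_id() {
    sig="$1"
    case "$sig" in
        "(none)"|"") echo ""; return 0 ;;
    esac
    echo "$sig" | sed -n 's/.*Key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Print one of: vendor / unknown-key / unsigned
# "vendor" means the package is signed by a key on the allow-list. Note the
# limits discussed in this issue: it only proves who signed the package, not
# that it is a release build, and not that the files on disk are unchanged.
classify_sig() {
    id=$(sig_key_id "$1")
    if [ -z "$id" ]; then
        echo unsigned
        return 0
    fi
    if echo "$TRUSTED_KEY_IDS" | grep -qix "$id"; then
        echo vendor
    else
        echo unknown-key
    fi
}

# For a file on disk: find the owning package (if any) and classify its
# signature. This part needs a working rpm database, so it is only useful on
# rpm-based systems; on deb-based systems the equivalent information is not
# available this way.
check_file() {
    f="$1"
    if ! pkg=$(rpm -qf "$f" 2>/dev/null); then
        echo "$f: not owned by any package"
        return 0
    fi
    sig=$(rpm -q --qf '%{SIGPGP:pgpsig}\n' "$pkg")
    echo "$f: $pkg: $(classify_sig "$sig")"
}

# Example (only does something useful where rpm exists):
#   check_file /usr/sbin/icinga2
```

Two practical notes: newer rpm builds may carry a header-only signature, which shows up under `%{RSAHEADER:pgpsig}` while `%{SIGPGP:pgpsig}` reads "(none)", so a collector should query both before reporting "unsigned"; and a vendor-key match says nothing about whether the package was later modified on disk, which is what `rpm -V PKG` is for.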

@tbauriedel tbauriedel added the to-be-discussed to be discussed label Mar 24, 2023