Skip to content

canonical/ossa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

126 Commits
lib
lib
 
 
old
old
 
 
ossa-collector
ossa-collector
 
 
ossa-generator
ossa-generator
 
 
wip
wip
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
collector.sh
collector.sh
 
 
generator.sh
generator.sh
 
 
renovate.json
renovate.json
 
 

Repository files navigation

Open Source Security Audit (ossa)

A set of non-invasive, lightweight scripts to gather information about open source packages that are being used on LTS versions of Ubuntu for the purpose of a security and support assessment

Downloading the Scripts

git clone https://github.com/canonical/ossa.git

Available Scripts

  • ossa-collector - Gathers information about a remote machine's packages and processes, etc.
  • ossa-generator - This script processes the information obtained via collector.

Prerequisites

  • Target machine(s): (physical, virtual, container) running Ubuntu 14.04 or later

    • A standard user (non-privileged) account on the machine
    • An account with ssh access

  • Source Machine: (physical, virtual, container)

    • MacOS, Linux, and Windows 10 with "Windows Subsystem for Linux" (WSL) all work
      • Windows users can make use of powershell, but that is an exercise left to the user

Running the scripts

  • See README.md in each directory for documentation for notes on how to run each script and a description about the information that is collected.

Data Colllected

Files Collected Purpose
/etc/apt/sources.list To ensure proper package origin is used for assessment
/etc/hostname To identify hostname of assessed system(s)
/etc/hosts To identify hostname of assessed system(s)
/etc/lsb-release To indentify the release of Ubuntu being assessed
/var/lib/apt/lists/*Release To ensure proper package names/versions are used for assessment
/var/lib/apt/lists/*Packages To ensure proper package names/versions are used for assessment
/var/lib/dpkg/status To ensure proper package names/versions are used for assessment
dpkg -l output To ensure proper package names/versions are used for assessment
apt-cache policy output To ensure proper package origin is used for assessment
snap list output To show which snaps are being used on assessed system(s)
ps -auxwww output To help identify which packages are actually being used
ps -eao pid,ppid,user,stat,etimes,cmd --sort=cmd output To help identify which packages are actually being used
netstat -an output To help identify which packages are actually being used

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

3 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

Languages