> From: Cy Schubert - ITSD Open Systems Group <Cy.Schubertuumail.gov.bc.ca>
> Subject: Re: Sun Solaris login bug patches out

> [ ... ]

> > > A UNIX box with a high uptime is indicative of that box not being
> > > maintained with the latest security patches.
> > or in my book: a system which has been set up securely !
>
> So a system that hasn't been rebooted to install kernel or libc
> security patches is just as secure as one that does not have the
> patches?

that depends on several factors:
* does the system allow 'ordinary' users to login interactively ?
* do the patches fix problems you won't run into ?
* etc.

> I'm excluding clustered systems from this arguemnt.

:) My objection is the generalization of the 'reboot' issue, and the
overall 'rush' to install the latest greatest patches. In my
experience there are a lot of admins who install a patch the moment
they see one announced. But when asked what the patch is for, most of
them don't know...

> > [ ... ]
> Applications that require 24x7 availability should be installed on
> clustered systems.

Or have other failsafe procedures taken.

But practise is that most times management will overlook those issues,
and sys admins will go 'beyond the call of duty' to minimize the
impact of certain issues when they become aware of them... It's
something I do to... If I notice our webserver is being sluggish -
because someones CGI-shell-script which wades through several thousand
Rolling Stones pictures is having a field day - I will try and
minimize the impact (chmod a-x is a favorite ;) )... But in the end,
an expectency is created...

And breaking that expectency is very hard.

> [ ... ]
> It's been documented that historically 80% of exploits are perpetrated
> by insiders, e.g. employees. Your firewall protects you from the 20%
> of the attacks that come from the outside. On the inside you need to
> make sure that your software is as resistant to attack as possible.

Yes, but you have to differentiate between network based attacks (PoD
etc.) and host based. In my experience a lot of users also have a
notion of not being 'trusted' by the admins, because all those patches
fixing host based root compromises are installed...

You have to balance it out. Which risks are deemed acceptable for
which systems ?

> [ ... ]
> BTW, we install our patches on /foobar, a duplicate copy of the system
> disk. Then boot off the alternate system disk. Downtime is limited to
> about 30-45 minutes on Sunday morning at 6:00 AM for the larger Oracle
> database systems and 5 minutes for systems that take less time to boot.

Our main sysadmin devised a similar system...
Every non-RAID5 disk (data !) has an online duplicate, which is
mirrored (ufsdump|ufsrestore) every night. When upgrades/updates
commence that mirroring is disabled. In the event of a desired switch
one only has to enter 'boot mirror' on the PROM...

> > [ ... SGI IRIX 6.2 machine ... ]
> > Even if it were unfiltered from the Internet, it's a rather secure
> > system, and doesn't warrant any updates/patches/whatever...

> Would you be willing to put your job on the line for that?
> Probably not.

yes.
I know who stripped the system, and trust in his capabilities.

The same goes for my own workstations, those also are rather secure.
My servers are a bit different, certain r-services are deemed
'necessary', but I try to isolate and compartmentalize problems and
possible entry-points...

> A port scan might be a good idea to make sure you don't have any
> surprises waiting for you.

Port State Service
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
513/tcp open login
514/tcp open shell

Remote operating system guess: IRIX 6.2 - 6.5
Uptime 149.444 days (since Sat Aug 4 15:50:29 2001)

Port scans - as well as other tools - are an essential part of every
admins toolkit. Apart from setting something up secure, you also have
to monitor, check etc.

> Regards,
> Cy Schubert

Kind regards,
JP Velders

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]