Re: Sun Solaris login bug patches out
From: Eric Jon Rostetter (eric.rostetter@physics.utexas.edu)
Date: 01/02/02
- Previous message: Per Lejontand: "Re: dtlogin"
- Maybe in reply to: Jan-Philip Velders: "Re: Sun Solaris login bug patches out"
- Next in thread: Cy Schubert - ITSD Open Systems Group: "Re: Sun Solaris login bug patches out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
Date: Wed, 02 Jan 2002 16:54:45 -0600 (CST)
From: Eric Jon Rostetter <eric.rostetter@physics.utexas.edu>
Quoting Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>:

> That doesn't make any sense at all. A UNIX box with a high uptime is
> indicative of that box not being maintained with the latest security
> patches.

This isn't always true. Sometimes the patches are not needed, or simply
don't require a reboot after installation.

> IMO I think it's a shame that this attitude is part of the
> UNIX culture. A maintenance schedule that installs patches at regular
> intervals, including kernel patches which require a reboot, and
> including all security patches is a definite must. If I were a cracker,
> I'd target UNIX systems with 3+ months of uptime because I'd have a
> better probability of finding exploitable bugs.

A regular schedule to perform maintenance is a must. But a reboot may not
be. Also, if you have to wait for the regular scheduled time to install
an important patch, that may make matters worse also -- being a slave to
the schedule can be as bad as not having one.

I have lots of boxes that are up 3+ months that get all the needed patches
installed. They just don't always need patches which require reboots, so
their uptime stays unaffected. Also, some are so stripped down and allow
no logins that they just don't require a lot of the patches that come out.

Installing all the patches that come out can cause major problems. Sometimes
patches install additional software that you don't want installed, making
your machine less secure. Sometimes they overwrite your custom configuration
files making your machine less secure. Each patch has to be examined, and
installed or not as needed. And if the patch doesn't need a reboot, then
there is not always a need to reboot (sometimes nothing further is needed,
sometimes you just need to restart a service, sometimes a reboot is needed).
And if you just blindly install the patches (without checking for changes
such as adding services, overwriting configuration files, etc) you may be
causing more harm than good.

> Why a system has been rebooted is more important than how often.

Which is what I'm saying. Don't just reboot it because you installed a patch,
unless the patch requires a reboot.
>
> Regards, Phone: (250)387-8437
> Cy Schubert Fax: (250)387-5766
> Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca
> Open Systems Group, ITSD
> Ministry of Management Services
> Province of BC
> FreeBSD UNIX: cy@FreeBSD.org
>
>
>
Eric Jon Rostetter
The Department of Physics
The University of Texas at Austin
Austin, Texas 78712-1081
Office: RLM 7.126
Telephone: 512-471-5821
Email: eric.rostetter@physics.utexas.edu