How to PROVE your system is up to date?

Ed Flecko
I have State and Federal regulators that want me to PROVE (since they're
only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
date, and there are no outstanding patches that need to be applied.
*I* know that's the case, because I follow the "patch" branch, but how
do I show (i.e., something I could print for them would be best) them
my system is up to date and that all patches have been applied???

Thank you,
Ed

Re: How to PROVE your system is up to date?

Michel Blais
From http://www.openbsd.org/security.html :
OpenBSD 5.1 Security Advisories
These are the OpenBSD 5.1 advisories -- all these problems are solved in
OpenBSD current and the patch branch.
None yet!

OpenBSD 5.1 has no known security issue yet.

On 2012-09-18 12:36, Ed Flecko wrote:

> I have State and Federal regulators that want me to PROVE (since they're
> only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
> date, and there are no outstanding patches that need to be applied.
> *I* know that's the case, because I follow the "patch" branch, but how
> do I show (i.e., something I could print for them would be best) them
> my system is up to date and that all patches have been applied???
>
> Thank you,
> Ed
>


--
Michel Blais
Network administrator
Targo Communications
www.targo.ca
514-448-0773

Re: How to PROVE your system is up to date?

Michał Markowski
2012/9/18 Michel Blais <[hidden email]>:
> From http://www.openbsd.org/security.html :
> OpenBSD 5.1 Security Advisories
> These are the OpenBSD 5.1 advisories -- all these problems are solved in
> OpenBSD current and the patch branch.
> None yet!

http://openbsd.org/errata51.html

--
Michał Markowski

Re: How to PROVE your system is up to date?

Ted Unangst
In reply to this post by Ed Flecko
On Tue, Sep 18, 2012 at 14:23, Michel Blais wrote:
> From http://www.openbsd.org/security.html :
> OpenBSD 5.1 Security Advisories
> These are the OpenBSD 5.1 advisories -- all these problems are solved in
> OpenBSD current and the patch branch.
> None yet!
>
> OpenBSD 5.1 has no known security issue yet.

Somebody fucked up, because errata51.html has a security patch on it.

But besides that, in the event there are errata, just pointing the
auditors at the web page isn't going to prove much.

My suggestion: keep a log of all patches applied.  Then you can
compare the log to the errata page.  Make a list of files affected,
and then demonstrate that their timestamps occur after the patch
publication.

>
> On 2012-09-18 12:36, Ed Flecko wrote:
>> I have State and Federal regulators that want me to PROVE (since they're
>> only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
>> date, and there are no outstanding patches that need to be applied.
>> *I* know that's the case, because I follow the "patch" branch, but how
>> do I show (i.e., something I could print for them would be best) them
>> my system is up to date and that all patches have been applied???
>>
>> Thank you,
>> Ed

Re: How to PROVE your system is up to date?

Ed Flecko
In reply to this post by Ed Flecko
Thanks Michael!

I guess what I'm really asking is...

if and when there ARE patches that you've applied, either manually or
via following the patch branch, how do you know (i.e., prove to
someone like my pesky regulators) that the patches have been applied?
For example, I'm sure there's a log file, etc. somewhere that would
indicate the changes, isn't there?

Ed

Re: How to PROVE your system is up to date?

Ed Flecko
Thanks Ted!

You lost me -  could you explain what you mean, "Make a list of files affected,
and then demonstrate that their timestamps occur after the patch
publication."?

Ed

Re: How to PROVE your system is up to date?

STeve Andre'
In reply to this post by Ed Flecko
On 09/18/12 12:36, Ed Flecko wrote:

> I have State and Federal regulators that want me to PROVE (since they're
> only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
> date, and there are no outstanding patches that need to be applied.
> *I* know that's the case, because I follow the "patch" branch, but how
> do I show (i.e., something I could print for them would be best) them
> my system is up to date and that all patches have been applied???
>
> Thank you,
> Ed
>
>
As others have said, you look at the errata page, *and save it*.
For patches, use script(1) to completely log all your FTP's and
compiles & installs.  Liberal use of date might be a good idea.

For further completeness you could do an ls -l on the files that
are being patched, do the patches, and then another ls -l to
show that the files were indeed changed.

I've had some mild run-ins with "inspectors" who had zero
understanding of what they were doing.  Showing them a non-
Windows machine makes it only worse.  But showing the
process via script(1) will make it easier for second level
people to look at your work.

Lastly, take a copy and (paper) mail it to yourself.  If the
inspectors then demand proof, let them open it while being
videoed.

Yes, paranoid.  (I'm in the US)

--STeve Andre'

Re: How to PROVE your system is up to date?

Nick Holland
In reply to this post by Ed Flecko
On 09/18/2012 12:36 PM, Ed Flecko wrote:
> I have State and Federal regulators that want me to PROVE (since they're
> only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
> date, and there are no outstanding patches that need to be applied.
> *I* know that's the case, because I follow the "patch" branch, but how
> do I show (i.e., something I could print for them would be best) them
> my system is up to date and that all patches have been applied???
>
> Thank you,
> Ed

I believe it's a matter of process.  Show them you have the check,
update and upgrade process documented, including building both userland
and kernel as two steps of ONE process, and then, the date of the kernel
should show the date updates were last applied.  Now, if the kernel date
is newer than the most recent patch, you should be set.

"What if there's only a userland issue?"  well, you still follow YOUR
PROCESS, building a new kernel and userland, and then you can follow the
same process to show that yes, your system is up to date.  On modern hw,
that's easier and faster than documenting why a bug impacting tetris(6)
isn't an issue on your firewall.

There are other ways to do things, but as I understand it, the trick is
you have a process documented (and that implies, you follow it).  i.e.,
weekly, check errataXX.html for updates...if there are any, kick off the
build cycle and then a reboot.

You want a process you (and someone else) can and do follow...maybe you
follow the mail lists, so you might get advanced warning before your
weekly check, but your /process/ is to check weekly, and you do that.
The idea is, if you get hit by a bus, your successor grabs the book and
knows how to maintain the system to the documented level of security.
i.e., if you check on Fridays and a fatal issue comes up on Tuesday, you
know your maximum window of vulnerability.

However, you have to talk to your auditor to make sure whatever you are
doing is appropriate for your regulatory environment...

Re: How to PROVE your system is up to date?

Ed Flecko
In reply to this post by STeve Andre'
Excellent!...thanks Steve.

:-)

Ed

Re: How to PROVE your system is up to date?

Simon Perreault
In reply to this post by Ed Flecko
On 2012-09-18 12:36, Ed Flecko wrote:
> I have State and Federal regulators that want me to PROVE (since they're
> only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
> date, and there are no outstanding patches that need to be applied.
> *I* know that's the case, because I follow the "patch" branch, but how
> do I show (i.e., something I could print for them would be best) them
> my system is up to date and that all patches have been applied???

Ask them what they would consider acceptable?

This is fuzzy stuff. They're not looking for a math-style proof. They
need to ensure you're following best practices. So ask them what they
want, then give it to them.

My two cents (Canadian)...

Simon

Re: How to PROVE your system is up to date?

Ted Unangst
In reply to this post by Ed Flecko
On Tue, Sep 18, 2012 at 12:43, Ed Flecko wrote:
> Thanks Ted!
>
> You lost me -  could you explain what you mean, "Make a list of files
> affected,
> and then demonstrate that their timestamps occur after the patch
> publication."?

Well, in the event of say, a fix for openssl, you'd want to verify
that /usr/lib/libcrypto.so was installed correctly, not that you just
patched the source tree.  Depends on your auditor.  If writing "I
patched it" in a notebook in your desk is enough, that's enough.
Sometimes they want a verification procedure, though I suspect having
a verification procedure that's written down is more important than
anything that said procedure actually does.

Re: How to PROVE your system is up to date?

Artturi Alm
In reply to this post by Ed Flecko
2012/9/18 Ed Flecko <[hidden email]>:
> Thanks Ted!
>
> You lost me -  could you explain what you mean, "Make a list of files affected,
> and then demonstrate that their timestamps occur after the patch
> publication."?
>
> Ed
>

I'm not Ted, but I'd say it means that you should manually keep a list of files
affected by applied patches, and run the list through with stat(1) for
demonstration.
However, I'd try and see if they would accept a script(1) file of the
patching session.


-Artturi

Re: How to PROVE your system is up to date?

Brandon Adams
In reply to this post by Ed Flecko
> You lost me -  could you explain what you mean, "Make a list of files affected,
> and then demonstrate that their timestamps occur after the patch
> publication."?

Each patch affects a certain number of files (binaries, libraries,
possibly package manifests). These files should have modified
timestamps that occur after a patch was released. I believe this is
the 6th column of output from an ls -l command.

You can use a port like security/aide to generate logs of critical
files containing checksums of the files. If you do this regularly,
you can identify files that changed and provide explanations
of why the files changed (for instance, a patch was necessary).
Regulators often want this sort of thing.

- Brandon

Re: How to PROVE your system is up to date?

Jan Stary
In reply to this post by Nick Holland
On Sep 18 16:02:58, Nick Holland wrote:
> On 09/18/2012 12:36 PM, Ed Flecko wrote:
> >I have State and Federal regulators that want me to PROVE (since they're
> >only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
> >date, and there are no outstanding patches that need to be applied.
> >*I* know that's the case, because I follow the "patch" branch, but how
> >do I show (i.e., something I could print for them would be best) them
> >my system is up to date and that all patches have been applied???

You have to ask THEM that. Anyway, you could just
`yes yes | head > /etc/this-system-is-up-to-date`
and show the file to them, rigorously.

Re: How to PROVE your system is up to date?

Frank Brodbeck
In reply to this post by Ed Flecko
On Tue, Sep 18, 2012 at 12:43:49PM -0700, Ed Flecko wrote:
> Thanks Ted!
>
> You lost me -  could you explain what you mean, "Make a list of files affected,
> and then demonstrate that their timestamps occur after the patch
> publication."?

I think what he means is something along the line of keeping the output of:

make -n install

and if someone asks if you applied the patch show them a ``stat -x'' for
each file that has been installed so they can see that the mtime is
after the errata has been published.

Or if you have a gold server, patch it up and generate a checksum for
each file that has been reinstalled due to a patch, so you can say 'My
gold server has been patched (see above) and my other machines too as you
can see via the cksum/hash of the files'

After all it depends on what the 'pesky people' want to see/hear. Just
be creative about it.

Frank.

--
Frank Brodbeck <[hidden email]>
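A worked version of the check Ted, Frank and Brandon describe (an added example, not code posted in the thread): given an erratum's publication time and the list of files its install step writes (taken from the saved `make -n install` output), it reports whether each file's mtime is newer than the publication time and records its cksum(1) so the output can be filed next to the patch log. It uses only POSIX touch -t, find -newer and cksum, so it does not depend on the BSD-vs-GNU stat(1) flag differences; the file names and dates in the comments are constructed.

```shell
#!/bin/sh
# check_patched PUBTIME FILE...
#   PUBTIME is the erratum's publication time in touch(1) -t form,
#   [[CC]YY]MMDDhhmm, e.g. 201209181236 (constructed example value).
#   Prints one line per file: OK (with cksum), STALE, or MISSING.
#   Returns 0 only if every file is present and newer than PUBTIME.
# Constructed example; not the thread's or the project's own code.
check_patched() {
    pubtime=$1
    shift
    # Reference file whose mtime is the publication time, so that
    # "find -newer" can do the comparison portably.
    ref=$(mktemp) || return 2
    touch -t "$pubtime" "$ref" || { rm -f "$ref"; return 2; }
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'MISSING  %s\n' "$f"
            rc=1
            continue
        fi
        # -prune keeps find on the named path itself; the path is
        # printed only when its mtime is strictly newer than $ref.
        if [ -n "$(find "$f" -prune -newer "$ref")" ]; then
            printf 'OK       %s  cksum=%s\n' "$f" \
                "$(cksum "$f" | cut -d ' ' -f 1,2)"
        else
            printf 'STALE    %s\n' "$f"
            rc=1
        fi
    done
    rm -f "$ref"
    return $rc
}

# Example invocation for the libcrypto case Ted mentions (assumed path
# and constructed date; run it against the real erratum's file list):
#   check_patched 201209181236 /usr/lib/libcrypto.so
```

A STALE or MISSING line is the case worth showing the auditor being investigated, since it means the installed file, not just the source tree, predates the fix.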

Re: How to PROVE your system is up to date?

Janne Johansson
In reply to this post by Ed Flecko
2012/9/18 Ed Flecko <[hidden email]>:
> I have State and Federal regulators that want me to PROVE (since they're
> only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
> date, and there are no outstanding patches that need to be applied.

One interesting point would be "how do you prove it on that other OS?"
Does it suffice to write "I ran winders-update" for that OS, or do you
list all installed errata numbers and re-checksum the DLL files there?

Whatever the proof-level you have for that OS, it should be somewhat
trivial to do similar verifications on any other OS.

--
 To our sweethearts and wives.  May they never meet. -- 19th century toast

Re: How to PROVE your system is up to date?

Kevin Chadwick
In reply to this post by Ed Flecko
> I have State and Federal regulators that want me to PROVE (since they're
> only used to looking at Micro$oft servers) my OBSD 5.1 server is up to
> date, and there are no outstanding patches that need to be applied.

It is extremely rare that a patch for base actually affects the parts
that I am using. So the likelihood is that there are no outstanding
patches and you can't get better proof than that. Of course that will
probably raise questions like, 'it must be insecure then' rather than
wow it must be a secure system. A normally correct viewpoint when
looking at most software such as Apple's Safari browser (> 4 months, no
updates).

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
_______________________________________________________________________

Re: How to PROVE your system is up to date?

Ted Unangst
In reply to this post by Ed Flecko
On Wed, Sep 19, 2012 at 17:01, Janne Johansson wrote:

> One interesting point would be "how do you prove it on that other OS?"
> Does it suffice to write "I ran winders-update" for that OS, or do you
> list all installed errata numbers and re-checksum the DLL files there?

We're getting a little far afield, but windows update keeps a log of
every update, which is very easy to see (and for which I am sure
automated tools exist to check).