SUMMARY: security and patches

From: Dave Wreski (dave@nic.com)
Date: Wed Jan 07 1998 - 22:33:44 CST


Hi all. Basically, I was interested in finding Solaris-specific resources
on things I can do to secure boxes before putting them into production. I
was specifically having problems with having patches and packages on the
box that would never be used, and were security risks.

Many good responses:

1. Casper Dik <casper@holland.Sun.COM>

>I want to make sure that by installing the patches I don't end up
>installing a service that I didn't previously have. Will running the
>cluster patch script install a patch for lpd, for example, if the lpd
>package hasn't previously been installed?

If you removed the entire package, the patch won't install
("no applicable packages found").

If you just removed a few files, and those files are included in the patch,
the files will be restored.

>Is this the most prudent way to upgrade a box with security and keeping
>current in mind? I understand there is a program out there that will
>monitor the current state of your machine with respect to the currently
>available patches? Does anyone know anything more about this?

Monitor the security patches and download them. I'd also suggest taking
all of the recommended patches.

Another recommendation of mine is getting
ftp.wins.uva.nl:/pub/solaris/fix-modes.tar.gz

Also, check the sunworldonline columns (including back issues) off Sun's
home page and check the security column.

2. Gnuchev Fedor <qwe@ht.eimb.rssi.ru>

There is a patchxref on sunsolve1 - atol with daily updated database of
patches - so you can check which patches are required according to what
packages are really loaded on your machine.

Patch will not be applied if the package is not installed.
What's more unpleasant, it will fail to apply if you'd made some changes
to the system and replaced files within a package - since it checks
against /var/sadm/install/contents database.

> Should I just remove the entire existing named and sendmail packages
> before proceeding? Is that generally the proper approach?

Well, NO - do not remove - move all files as *.bak or *.orig - but keep
them (well, for no good reason actually - except possibility to bail out)
//frankly - never had to bail out - ISC tools are fine on Solaris :-)

Thanks to all, and a few I haven't mentioned because of duplication.

Dave
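
The /var/sadm/install/contents check mentioned in the second response can be previewed before patching. The following is an added example, not part of the original thread: a shell function that reads contents(4)-format entries and lists package-owned regular files that are missing or whose size differs from the database. The ROOT argument, the demo function and the sample entries are constructed for illustration, and only sizes are compared, not checksums.

```shell
#!/bin/sh
# Added example: find package-owned files that no longer match the Solaris
# package database. A regular-file entry in contents(4) format is:
#   path f class mode owner group size cksum modtime pkg [pkg ...]

# check_contents CONTENTS_FILE [ROOT]
# Prints "STATUS path pkgs"; STATUS is MISSING or SIZE.
# ROOT is an assumption for offline testing: it is prepended to each path.
check_contents() {
    contents=$1
    root=${2:-}
    # Keep only regular-file entries; emit path, recorded size, owning packages.
    awk '$2 == "f" && NF >= 10 {
        pkgs = $10
        for (i = 11; i <= NF; i++) pkgs = pkgs "," $i
        print $1, $7, pkgs
    }' "$contents" |
    while read -r path size pkgs; do
        file=$root$path
        if [ ! -f "$file" ]; then
            echo "MISSING $path $pkgs"
        else
            actual=$(wc -c < "$file" | tr -d ' ')
            [ "$actual" = "$size" ] || echo "SIZE $path $pkgs"
        fi
    done
}

# demo: builds a throwaway tree and a constructed contents file, then checks it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/sbin" "$tmp/usr/lib"
    printf 'original' > "$tmp/usr/sbin/in.named"        # 8 bytes, as recorded
    printf 'locally rebuilt' > "$tmp/usr/lib/sendmail"  # 15 bytes, recorded as 8
    # Constructed sample entries (sizes, checksums and times are made up).
    cat > "$tmp/contents" <<'EOF'
/usr/sbin/in.named f none 0555 root bin 8 1234 883000000 SUNWcsu
/usr/lib/sendmail f none 4555 root bin 8 5678 883000000 SUNWcsu
/usr/lib/lpd f none 0555 root bin 8 4321 883000000 SUNWcsu
/usr/lib d none 0755 root bin SUNWcsr SUNWcsu
EOF
    check_contents "$tmp/contents" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a live system the call would be `check_contents /var/sadm/install/contents`, with no ROOT argument.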


