FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
jere
jere at htnet.hr
Wed Oct 12 03:07:44 PDT 2005
Please read these articles/manuals:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/small-lan.html
http://2004.eurobsdcon.org/uploads/media/EBSD04_27.pdf
http://www.taosecurity.com/keeping_freebsd_applications_up-to-date.html
http://www.taosecurity.com/keeping_freebsd_up-to-date.html
These are very helpful articles on this matter and it seems every large
environment should have a big-bytecrunching-beast-server(s) to do the
dirty job of building OS and making packages you'll use. Another thing
is if you have same or similar hardware (today's blade servers come to
mention here) the whole process is focused to building just few (or just
one) OS/kernel versions you can instantly install on any production
server say via NFS (as explained in above articles) over isolated LAN
segment dedicated to this, if you want additional security and
reliability. Let's say it *is* possible to automate OS security patching
to some reasonable degree this way even in large environments but you
don't have this feature "out-of-box" - you have to build it yourself.
Beleive me, large environments like "out-of-box" solutions. :)
And there lies another problem. In large environments it is also
difficult to manage packages security issues. The problem is updated
port tree not just necessariliy fix the security issue - it often also
bumps version of affected package - something not always needed in
production and most often avoided. The first concern of production
(enterprise or not) should be stability. For example, one can use build
server to quickly build new packages but that package may be
automatically bumped to newer version - with patched security issue and
new features added. Currently FreeBSD admins don't have a clear chioce
to manage only ports security issues but I think it's primarily due to
lack of port maintainers.
Does anyone have other thoughts about this?
j.
Timothy Smith wrote:
> jere wrote:
>
>> unfortunately, this is the dark side of FreeBSD security patch
>> management :) and I think also the main reason FreeBSD isn't so
>> widely deployed into enterprise environments. It's ok for hacking or
>> managing few boxes but try to imagine how to manage security on
>> hundreds of them this way. :(
>>
>> on the other side (bright side :) you can try to use unofficial and
>> often somewhat slowly updating solutions such as bsdupdate
>> (www.bsdupdates.com) or freebsd-update (from ports tree).
>>
>> currently, FreeBSD just don't have a mechanism to handle security
>> advisories in quick way.
>>
>> any suggestions/corrections ?
>>
>> j.
>>
> your totally right, even though i hate to admit it. stuff like having to
> make world is a nightmare when admining lots of machines. i can't afford
> to make world only to find something screwed up, stuff like that would
> cost me a lot of time i can't afford.
> the make world documents mentioning backing up your system. it fails to
> give any preffered methods or utilites for doing this. anyone got some
> input on that.
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
More information about the freebsd-security
mailing list