Full Discussion: Need patch policy help
Forum: Special Forums > Cybersecurity
Post 302697983 by DGPickett on Friday 7th of September 2012 05:08:01 PM
The discipline you are referring to is called Configuration Management, and there are many free and paid-for apps that can partially or completely do this. Part of this is tracking changes at the sites where you pick up open source. You can put a free watcher on each of them, so you can tell if they have new offerings.

You need a firm, written policy on configuration management, including what patches you take as normal maintenance, e.g. updates to the latest stable release, even if you have to temporarily go closer to the ragged edge to get patches for emergency fixes, or even create your own patched files to get the fix into otherwise stable code or without forcing a major version update. You need to introduce these changes with a proper SDLC and testing, so you do not destabilize your product and so you can roll back if bad things emerge.

One way to make this easy/cheap is with clone trees and symbolic links. A clone tree is a tree of directories on the same device as the master, with most files hard linked from the master (using 0 inodes and storage) but with the new files for this release. A symbolic link can point to the tree that is the current version. You can have versioned subtrees for simpler management, hung in the master trees by symbolic links, for instance for each source of open source software or major sub-application or team. If you use the right options and UNIX tools, hard and soft links can be transported from one system to another and saved in archive files. Dumb copies will make new files, but you can go back and replace them with hard links where the files cmp or cksum as identical. Individual developers can make their own clone trees to work in, being careful not to modify shared files. Shared files should all be made read-only as part of their make/build, to help ensure this.

There are free sites that can email you if a page changes, and some source sites have a newsletter that tells you when there are new versions. You need to turn each of these that apply immediately into a pending, planned update to your system. It is bad policy to run old code.

Bought code, open source code and locally written code should all be in separate and distinct directory trees. It is embarrassing or worse if a vendor has to come to fix their product and a file has been changed by accident. Local mods in one open source tree can be lost if a new open source tree is built. Sell your local mods back to the open sourcers, and you will be an open sourcer, too!
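The clone-tree workflow the post describes (release trees that share unchanged files through hard links, a symlink naming the current version, dumb copies turned back into hard links where the files cmp as identical, and shared files made read-only), as an added shell example that is not part of the original post. The helper names (make_clone, relink_identical and the rest), the release directory names and the file contents are constructed for the demonstration and are not an existing tool.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal clone-tree
# workflow. Release trees share unchanged files through hard links, a
# "current" symlink names the live release, a dedup pass turns byte-identical
# dumb copies back into hard links, and shared files are made read-only.
# Helper names, paths and file contents are constructed for the demonstration.
set -eu

# make_clone MASTER CLONE: rebuild MASTER's directory skeleton under CLONE and
# hard-link every regular file, so the clone uses no extra data blocks until a
# file is replaced. (GNU 'cp -al MASTER CLONE' does the same in one call.)
make_clone() {
    mkdir -p "$2"
    list=$(mktemp)
    (cd "$1" && find . -type d) > "$list"
    while read -r d; do mkdir -p "$2/$d"; done < "$list"
    (cd "$1" && find . -type f) > "$list"
    while read -r f; do ln "$1/$f" "$2/$f"; done < "$list"
    rm -f "$list"
}

# replace_in_clone CLONE RELPATH NEWFILE: unlink the shared hard link first,
# then install the new content. Writing through the link in place would
# change the master's copy as well.
replace_in_clone() {
    rm -f "$1/$2"
    cp "$3" "$1/$2"
}

# relink_identical MASTER CLONE: where a clone file is a separate copy that
# compares byte-for-byte equal to the master's file, replace it with a hard
# link. Prints the number of files relinked.
relink_identical() {
    n=0
    list=$(mktemp)
    (cd "$2" && find . -type f) > "$list"
    while read -r f; do
        [ -f "$1/$f" ] || continue              # exists only in the clone
        [ "$1/$f" -ef "$2/$f" ] && continue     # already the same inode
        if cmp -s "$1/$f" "$2/$f"; then
            rm -f "$2/$f"
            ln "$1/$f" "$2/$f"
            n=$((n + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# switch_current LINK TARGET: repoint the "current" symlink. -n stops ln from
# following an existing link into the old release directory (GNU and BSD ln).
switch_current() {
    ln -sfn "$2" "$1"
}

# lock_shared DIR: make every file read-only so a developer working in a
# clone cannot modify the master's copy through a hard link by accident.
lock_shared() {
    find "$1" -type f -exec chmod a-w {} +
}

# demo: run the workflow in a scratch directory; returns 0 when every
# property the post relies on holds.
demo() {
    work=$(mktemp -d)
    master=$work/release-1.0
    clone=$work/release-1.1
    mkdir -p "$master/lib"
    printf 'shared\n' > "$master/lib/common.c"
    printf 'old\n'    > "$master/lib/parser.c"
    lock_shared "$master"

    make_clone "$master" "$clone"
    printf 'new\n' > "$work/parser.patched"
    replace_in_clone "$clone" lib/parser.c "$work/parser.patched"

    # The master is untouched and the unchanged file is still one inode.
    [ "$(cat "$master/lib/parser.c")" = old ]            || return 1
    [ "$master/lib/common.c" -ef "$clone/lib/common.c" ] || return 1

    # A dumb copy of an unchanged file is turned back into a hard link.
    rm -f "$clone/lib/common.c"
    cp "$master/lib/common.c" "$clone/lib/common.c"
    [ "$(relink_identical "$master" "$clone")" = 1 ]     || return 1
    [ "$master/lib/common.c" -ef "$clone/lib/common.c" ] || return 1

    # "current" now resolves into the new release tree.
    switch_current "$work/current" release-1.1
    [ "$work/current/lib/parser.c" -ef "$clone/lib/parser.c" ] || return 1

    rm -rf "$work"
}

demo && echo "clone-tree workflow OK"
```

The rollback the post asks for is the same switch_current call pointed back at the previous release directory; because each release is a full tree, nothing in the old tree has to be reconstructed. The `-ef` test is not in the POSIX test specification but is supported by bash, dash and ksh; on a shell without it, compare `ls -i` output instead.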
 

lndir(1X)

NAME
    lndir - create a shadow directory of symbolic links to another directory tree

SYNOPSIS
    lndir fromdir [todir]

DESCRIPTION
    lndir makes a shadow copy todir of a directory tree fromdir, except that the shadow is not populated with real files but instead with symbolic links pointing at the real files in the fromdir directory tree. This is usually useful for maintaining source code for different machine architectures. You create a shadow directory containing links to the real source, which you will usually have NFS mounted from a machine of a different architecture, and then recompile it. The object files will be in the shadow directory, while the source files in the shadow directory are just symlinks to the real files.

    This has the advantage that if you update the source, you need not propagate the change to the other architectures by hand, since all source in shadow directories are symlinks to the real thing: just cd to the shadow directory and recompile.

    The todir argument is optional and defaults to the current directory. The fromdir argument may be relative (e.g., ../src) and is relative to todir (not the current directory).

    Note that RCS, SCCS, and CVS.adm directories are not shadowed. Note also that if you add files, you must run lndir again. Deleting files is difficult because the symlinks will point to places that no longer exist.

BUGS
    The patch routine needs to be able to change the files. You should never run patch from a shadow directory.

    Use a command like the following to clear out all files before you can relink (if the fromdir has been moved, for instance):

        find todir -type l -print | xargs rm

    The following command will find all files that are not directories:

        find . ! -type d -print
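A portable stand-in for the behaviour the man page describes, as an added shell example that is not lndir's own code: it shadows a source tree with symbolic links (skipping RCS, SCCS and CVS.adm as lndir does), can be re-run to pick up files added later, and sweeps only the symlinks left dangling after a source file is deleted, rather than clearing every link as the `find todir -type l | xargs rm` recipe does. The helper names shadow_tree and prune_dangling, and the paths and files in the demo, are this example's own.

```shell
#!/bin/sh
# Added example, not part of the lndir man page: a symlink shadow tree plus
# the two follow-up chores the BUGS section describes (re-running after files
# are added, and removing links left dangling after files are deleted).
# Helper names, paths and file contents are constructed for the demonstration.
set -eu

# shadow_tree FROMDIR TODIR: mirror FROMDIR's directory skeleton under TODIR
# and create one symlink per regular file. Links are absolute so they keep
# working if TODIR is moved (lndir itself uses fromdir as given, relative to
# todir). Re-running is safe: existing links and directories are left alone.
shadow_tree() {
    from=$(cd "$1" && pwd)
    mkdir -p "$2"
    list=$(mktemp)
    (cd "$from" && find . \( -name RCS -o -name SCCS -o -name CVS.adm \) -prune \
        -o -type d -print) > "$list"
    while read -r d; do mkdir -p "$2/$d"; done < "$list"
    (cd "$from" && find . \( -name RCS -o -name SCCS -o -name CVS.adm \) -prune \
        -o -type f -print) > "$list"
    while read -r f; do
        f=${f#./}
        [ -e "$2/$f" ] || [ -h "$2/$f" ] || ln -s "$from/$f" "$2/$f"
    done < "$list"
    rm -f "$list"
}

# prune_dangling TODIR: remove symlinks whose target no longer exists and
# print how many were removed. -e follows the link, so a dangling link fails
# the test while a live one passes.
prune_dangling() {
    n=0
    list=$(mktemp)
    find "$1" -type l > "$list"
    while read -r l; do
        if [ ! -e "$l" ]; then
            rm -f "$l"
            n=$((n + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# demo: exercise the three behaviours in a scratch directory; returns 0 when
# all of them hold.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/RCS" "$work/src/lib"
    printf 'int a;\n' > "$work/src/lib/a.c"
    printf 'junk\n'   > "$work/src/RCS/a.c,v"

    shadow_tree "$work/src" "$work/shadow"
    [ -h "$work/shadow/lib/a.c" ]                  || return 1
    [ "$(cat "$work/shadow/lib/a.c")" = 'int a;' ] || return 1
    [ ! -e "$work/shadow/RCS" ]                    || return 1   # not shadowed

    # A file added to the source is invisible until the shadow is rebuilt.
    printf 'int b;\n' > "$work/src/lib/b.c"
    [ ! -e "$work/shadow/lib/b.c" ]                || return 1
    shadow_tree "$work/src" "$work/shadow"
    [ -h "$work/shadow/lib/b.c" ]                  || return 1

    # Deleting a source file leaves a dangling link; the sweep removes only it.
    rm "$work/src/lib/a.c"
    [ "$(prune_dangling "$work/shadow")" = 1 ]     || return 1
    [ ! -h "$work/shadow/lib/a.c" ]                || return 1
    [ -h "$work/shadow/lib/b.c" ]                  || return 1

    rm -rf "$work"
}

demo && echo "shadow tree workflow OK"
```

As the man page warns, patch must not be run inside the shadow: it would write through the symlink into the real source tree, which is exactly the accidental modification of shared files that the forum post above wants read-only permissions to prevent.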