From: jere
Date: Wed, 12 Oct 2005 12:09:53 +0200
To: Timothy Smith
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-05:21.openssl
Message-ID: <434CE0F1.6090400@htnet.hr>
In-Reply-To: <434CBDC2.4070405@open-networks.net>

Please read these articles/manuals:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/small-lan.html
http://2004.eurobsdcon.org/uploads/media/EBSD04_27.pdf
http://www.taosecurity.com/keeping_freebsd_applications_up-to-date.html
http://www.taosecurity.com/keeping_freebsd_up-to-date.html

These are very helpful articles on this matter, and it seems every large environment should have a big byte-crunching beast server (or servers) to do the dirty job of building the OS and making the packages you'll use. Another thing is that if you have the same or similar hardware (today's blade servers come to mention here), the whole process is focused on building just a few (or just one) OS/kernel versions you can instantly install on any production server, say via NFS (as explained in the above articles) over an isolated LAN segment dedicated to this, if you want additional security and reliability.

Let's say it *is* possible to automate OS security patching to some reasonable degree this way, even in large environments, but you don't have this feature "out of the box"; you have to build it yourself. Believe me, large environments like "out of the box" solutions. :)

And there lies another problem. In large environments it is also difficult to manage package security issues. The problem is that an updated port tree doesn't necessarily just fix the security issue; it often also bumps the version of the affected package, something not always needed in production and most often avoided. The first concern of production (enterprise or not) should be stability. For example, one can use a build server to quickly build new packages, but that package may be automatically bumped to a newer version, with the security issue patched and new features added.

Currently FreeBSD admins don't have a clear choice to manage only ports security issues, but I think it's primarily due to lack of port maintainers.

Does anyone have other thoughts about this?

j.

Timothy Smith wrote:
> jere wrote:
>
>> unfortunately, this is the dark side of FreeBSD security patch
>> management :) and I think also the main reason FreeBSD isn't so
>> widely deployed into enterprise environments. It's ok for hacking or
>> managing a few boxes but try to imagine how to manage security on
>> hundreds of them this way. :(
>>
>> on the other side (bright side :) you can try to use unofficial and
>> often somewhat slowly updating solutions such as bsdupdate
>> (www.bsdupdates.com) or freebsd-update (from ports tree).
>>
>> currently, FreeBSD just doesn't have a mechanism to handle security
>> advisories in a quick way.
>>
>> any suggestions/corrections?
>>
>> j.
>>
> you're totally right, even though i hate to admit it. stuff like having to
> make world is a nightmare when admining lots of machines. i can't afford
> to make world only to find something screwed up, stuff like that would
> cost me a lot of time i can't afford.
> the make world documents mention backing up your system. it fails to
> give any preferred methods or utilities for doing this. anyone got some
> input on that.
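The version-bump concern raised in this thread (a port tree update that fixes a security issue but also moves the package to a newer upstream release) is something a build server can flag before packages reach production. The script below is an added example, not code from the thread or from FreeBSD; it assumes only the FreeBSD package naming convention (name-version[_PORTREVISION][,PORTEPOCH]) and uses constructed package names.

```python
# Added example: gate package upgrades coming off a build server by separating
# PORTREVISION-only bumps (same upstream release, patched in place) from
# upstream version bumps that bring new features and need a stability review.
# Assumes <name>-<version>[_<rev>][,<epoch>] with no '-', '_' or ',' in <version>.
import re
from typing import Iterable, NamedTuple

_PKG_RE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-_,]+)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$")

class Pkg(NamedTuple):
    name: str
    version: str
    revision: int  # PORTREVISION, 0 when absent
    epoch: int     # PORTEPOCH, 0 when absent

def parse_pkg(pkgname: str) -> Pkg:
    """Split e.g. 'p5-Example-Tool-0.9_2,1' into name, version, revision, epoch."""
    m = _PKG_RE.match(pkgname)
    if m is None:
        raise ValueError(f"not a FreeBSD package name: {pkgname!r}")
    return Pkg(m["name"], m["version"], int(m["rev"] or 0), int(m["epoch"] or 0))

def classify(installed: str, candidate: str) -> str:
    """Return 'unchanged', 'patch-level' or 'version-bump' for one package."""
    old, new = parse_pkg(installed), parse_pkg(candidate)
    if old.name != new.name:
        raise ValueError(f"package mismatch: {old.name} vs {new.name}")
    if old == new:
        return "unchanged"
    # Same epoch and upstream version: only PORTREVISION moved, so the port was
    # patched in place rather than upgraded to a new release.
    if (old.epoch, old.version) == (new.epoch, new.version):
        return "patch-level"
    return "version-bump"

def review_upgrades(installed: Iterable[str], candidates: Iterable[str]) -> dict:
    """Group every package present in both inventories by the kind of change."""
    have = {parse_pkg(s).name: s for s in installed}
    report = {"unchanged": [], "patch-level": [], "version-bump": []}
    for cand in candidates:
        name = parse_pkg(cand).name
        if name in have:
            report[classify(have[name], cand)].append(cand)
    return report

# Constructed sample inventories (not real package versions).
INSTALLED = ["examplelib-1.2.3", "exampled-2.0.1", "p5-Example-Tool-0.9_2,1"]
BUILT = ["examplelib-1.2.3_1", "exampled-2.1.0", "p5-Example-Tool-0.9_2,1"]
```

Packages landing in the "version-bump" bucket are the ones the email warns about: they carry the fix, but also an upstream release change that production should review rather than install automatically.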