parsec_patches
Previous revision: parsec_patches [2018/11/28 15:21] – created sgriggs
Next revision: parsec_patches [2018/11/28 15:29] sgriggs
Line 175: Line 175:
 examine the history of security problems using a tool from cvedetails.com examine the history of security problems using a tool from cvedetails.com
 showing the incidence of security problems for this OS.  showing the incidence of security problems for this OS. 
-https://www.cvedetails.com/version/15934/IBM-AIX-5.3.html[CVEs for AIX]+[[https://www.cvedetails.com/version/15934/IBM-AIX-5.3.html|CVEs for AIX]]
  
 It takes some hand waving to explain the results.  You have to remember that It takes some hand waving to explain the results.  You have to remember that
Line 188: Line 188:
 for AIX 5.3 and guess what?  IBM didn't patch it and probably never will.  for AIX 5.3 and guess what?  IBM didn't patch it and probably never will. 
 When we examine the associated When we examine the associated
-https://www-01.ibm.com/support/docview.wss?uid=isg1IV67907[IBM APAR] bug+[[https://www-01.ibm.com/support/docview.wss?uid=isg1IV67907|IBM APAR]] bug
 issue.  PARSEC has a byte-patch available for the issue, but IBM only issue.  PARSEC has a byte-patch available for the issue, but IBM only
 shipped a new binary for AIX versions 6 & 7. shipped a new binary for AIX versions 6 & 7.
Line 292: Line 292:
  
 The real meat of the GLBA text is called The real meat of the GLBA text is called
-https://www.law.cornell.edu/uscode/text/15/6801[The Safeguards Rule] and+[[https://www.law.cornell.edu/uscode/text/15/6801|The Safeguards Rule]] and
 this is where IT folks should concentrate. this is where IT folks should concentrate.
  
Line 298: Line 298:
 me summarize it. me summarize it.
  
-.GLBA IT Requirements+**GLBA IT Requirements**
   - You must secure customer's NPI data keeping it private and confidential.   - You must secure customer's NPI data keeping it private and confidential.
   - You must protect the data against any anticipated threats.   - You must protect the data against any anticipated threats.
Line 325: Line 325:
 manage servers in the healthcare industry?  Well, the part of HIPPA we need manage servers in the healthcare industry?  Well, the part of HIPPA we need
 to pay all the attention to in that case is called to pay all the attention to in that case is called
-https://www.hhs.gov/hipaa/for-professionals/security/index.html[The Security Rule]. +[[https://www.hhs.gov/hipaa/for-professionals/security/index.html|The Security Rule]]. 
 It is very similar to the GLBA requirements. It is very similar to the GLBA requirements.
  
Line 338: Line 338:
  
 Technical safeguards are the IT stuff you and I care about. The text of Technical safeguards are the IT stuff you and I care about. The text of
-HIPPA doesn't say *exactly* what kind of solutions you have to implement,+HIPPA doesn't say **exactly** what kind of solutions you have to implement,
 but it does say what those solutions have to be capable of from a security but it does say what those solutions have to be capable of from a security
 standpoint. standpoint.
  
-.HIPPA IT Requirements in the Security Rule+**HIPPA IT Requirements in the Security Rule**
   - Open networks need to be encrypted. Closed networks are okay for cleartext.    - Open networks need to be encrypted. Closed networks are okay for cleartext. 
   - Data integrity for PHI must be insured. Think checksumming.   - Data integrity for PHI must be insured. Think checksumming.
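Review bot: the emphasis conversion is correct (AsciiDoc `*exactly*` is bold, and so is DokuWiki `**exactly**`), but the surrounding context lines carry two wording errors worth fixing in the same pass: `HIPPA` should be `HIPAA` (Health Insurance Portability and Accountability Act) throughout, and `Data integrity for PHI must be insured` should read `ensured`.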
Line 363: Line 363:
  
 SOX is extremely vague and this creates headaches. The law to read is, US Title SOX is extremely vague and this creates headaches. The law to read is, US Title
-15, Chapter 98, Subchapter IV (ugh, I feel like a laywer). https://www.law.cornell.edu/uscode/text/15/chapter-98/subchapter-IV[This] +15, Chapter 98, Subchapter IV (ugh, I feel like a laywer). [[https://www.law.cornell.edu/uscode/text/15/chapter-98/subchapter-IV|This]
-has a section called https://www.law.cornell.edu/uscode/text/15/7266[Enhanced review of periodic disclosures by issuers] and this+has a section called [[https://www.law.cornell.edu/uscode/text/15/7266|Enhanced review of periodic disclosures by issuers]] and this
 is the part you want to read concerning IT rules. Unfortunately, their is the part you want to read concerning IT rules. Unfortunately, their
 requirements are much more vague. However, again, I will provide a summary. requirements are much more vague. However, again, I will provide a summary.
  
-.Sarbanes-Oxley IT 404 Requirements+**Sarbanes-Oxley IT 404 Requirements**
   - "Internal controls must be assessed for effectiveness"    - "Internal controls must be assessed for effectiveness" 
   - The assessment must be done yearly and it must be reported to the SEC   - The assessment must be done yearly and it must be reported to the SEC
  
 It's a painful read and I'd recommend checking out the It's a painful read and I'd recommend checking out the
-https://www.sans.org/reading-room/whitepapers/legal/overview-sarbanes-oxley-information-security-professional-1426[SOX For IT Pros] guide by SANS.  It will help you decode the requirements for+[[https://www.sans.org/reading-room/whitepapers/legal/overview-sarbanes-oxley-information-security-professional-1426|SOX For IT Pros]] guide by SANS.  It will help you decode the requirements for
 SOX.  Do they require patches?  Well yes of course, otherwise an insecure SOX.  Do they require patches?  Well yes of course, otherwise an insecure
 system could not be considered a secure source of financial information.  system could not be considered a secure source of financial information. 
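Review bot: the converted link on the line ending in `|This]` is missing its second closing bracket; DokuWiki external links take the form `[[url|text]]`, so as written this link will not render and the stray markup will leak into the page text. Change `|This]` to `|This]]` to match the other converted links in this hunk, such as `[[...|Enhanced review of periodic disclosures by issuers]]`. While touching that line, `laywer` should read `lawyer`.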
Line 394: Line 394:
 same basic spirit. You can't do anything that might put folks credit card same basic spirit. You can't do anything that might put folks credit card
 info at risk. That includes not only their numbers, but also their info at risk. That includes not only their numbers, but also their
-transaction history. Start with the https://www.pcicomplianceguide.org/faq[FAQ]+transaction history. Start with the [[https://www.pcicomplianceguide.org/faq|FAQ]]
 and you can dig more into specific questions for different levels of PCI.  and you can dig more into specific questions for different levels of PCI. 
  
Line 428: Line 428:
 installable shell archive: very handy. installable shell archive: very handy.
  
-.Upgrading Secure Shell on Tru64 +**Upgrading Secure Shell on Tru64** 
-----+<code>
 $ sudo ./openssh.install  $ sudo ./openssh.install 
 Copyright 1999-2017 by Michael R Sweet, All Rights Reserved. Copyright 1999-2017 by Michael R Sweet, All Rights Reserved.
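Review bot: replacing the AsciiDoc listing delimiters `----` with `<code>` is the right call, since in DokuWiki a bare `----` line renders as a horizontal rule rather than opening a literal block. For a shell transcript like this one, `<code bash>` would additionally give syntax highlighting; the same applies to the Sendmail transcript converted further down.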
Line 478: Line 478:
 Updating file permissions... Updating file permissions...
 Installation is complete. Installation is complete.
-----+</code>
  
 As you can see, this is a somewhat interactive process.  You can simply add As you can see, this is a somewhat interactive process.  You can simply add
Line 495: Line 495:
 don't update until something forces them to.  don't update until something forces them to. 
  
-.Upgrading Sendmail +**Upgrading Sendmail** 
-----+<code>
 $ cd epm/tru64-5.1-alpha $ cd epm/tru64-5.1-alpha
 $ sudo ./sendmail.install  $ sudo ./sendmail.install 
Line 577: Line 577:
 Updating file permissions... Updating file permissions...
 Installation is complete. Installation is complete.
-----+</code>
  
 So, this is a MAJOR upgrade for Tru64 since it takes the mail server up two So, this is a MAJOR upgrade for Tru64 since it takes the mail server up two
parsec_patches.txt · Last modified: 2019/07/11 04:58 by sgriggs
