parsec_patches
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
parsec_patches [2018/11/28 15:25] – sgriggs | parsec_patches [2019/07/11 04:50] – sgriggs | ||
---|---|---|---|
Line 69: | Line 69: | ||
Firmware is definitely not something that PARSEC can be in the business of | Firmware is definitely not something that PARSEC can be in the business of | ||
patching. | patching. | ||
- | updates that come from the OEM. They can be embedded in the same package | + | updates that come from the hardware |
- | format we use (EPM - Enterprise Package Manager). | + | the big vendors do. They just *stop* doing it after the OS becomes end-of-support or end-of-life (EOS & EOL). |
- | the big vendors do. They just *stop* doing it after the OS becomes | + | |
- | end-of-support or end-of-life (EOS & EOL). | + | Also keep in mind that vendors tend to stop upgrading firmware after 1-3 years from the release date. This is because they generally feel pretty confident and stable about the code as their bug reports slow down and die off. By the time you'd want to sign a contract with PARSEC, you'd probably be well out of this period. So, to be fair and compare apples to apples, the OEM vendor isn't going to give you firmware updates beyond a certain point either, even despite having the legal means to do so. |
=== What is a Kernel Patch? === | === What is a Kernel Patch? === | ||
Line 195: | Line 195: | ||
using your AIX 5.3 system indefinitely and still be 100% above board for | using your AIX 5.3 system indefinitely and still be 100% above board for | ||
your regulatory compliance and patching. | your regulatory compliance and patching. | ||
- | |||
- | === Patch Schedules === | ||
- | |||
- | Patches are released only for paying customers within two weeks after the | ||
- | start of each new quarter. This allows for all issues found within the | ||
- | quarter to be part of a patch rollup. The rollups are batches of patches | ||
- | that catches you up to a secured place. | ||
In the event of a remote root exploit or a remotely exploitable issue in | In the event of a remote root exploit or a remotely exploitable issue in | ||
Line 240: | Line 233: | ||
is done actually quite simply in EPM. There is a directory called | is done actually quite simply in EPM. There is a directory called | ||
/ | / | ||
+ | |||
+ | If a customer specifically requests a patch be in native format, we can easily create that, also. | ||
== Patching and Regulatory Compliance == | == Patching and Regulatory Compliance == | ||
Line 249: | Line 244: | ||
and complex. | and complex. | ||
to parse than programmers. | to parse than programmers. | ||
+ | |||
+ | However, in most cases one simply needs to have a plan for patching and technology updates. If your plan is to [[version lock|version_locking_legacy_environments]], | ||
=== How Do I Know What I'm Required to Patch? === | === How Do I Know What I'm Required to Patch? === | ||
Line 338: | Line 335: | ||
Technical safeguards are the IT stuff you and I care about. The text of | Technical safeguards are the IT stuff you and I care about. The text of | ||
- | HIPPA doesn' | + | HIPPA doesn' |
but it does say what those solutions have to be capable of from a security | but it does say what those solutions have to be capable of from a security | ||
standpoint. | standpoint. | ||
- | .HIPPA IT Requirements in the Security Rule | + | **HIPPA IT Requirements in the Security Rule** |
- Open networks need to be encrypted. Closed networks are okay for cleartext. | - Open networks need to be encrypted. Closed networks are okay for cleartext. | ||
- Data integrity for PHI must be insured. Think checksumming. | - Data integrity for PHI must be insured. Think checksumming. | ||
Line 363: | Line 360: | ||
SOX is extremely vague and this creates headaches. The law to read is, US Title | SOX is extremely vague and this creates headaches. The law to read is, US Title | ||
- | 15, Chapter 98, Subchapter IV (ugh, I feel like a laywer). https:// | + | 15, Chapter 98, Subchapter IV (ugh, I feel like a laywer). |
- | has a section called https:// | + | has a section called |
is the part you want to read concerning IT rules. Unfortunately, | is the part you want to read concerning IT rules. Unfortunately, | ||
requirements are much more vague. However, again, I will provide a summary. | requirements are much more vague. However, again, I will provide a summary. | ||
- | .Sarbanes-Oxley IT 404 Requirements | + | **Sarbanes-Oxley IT 404 Requirements** |
- " | - " | ||
- The assessment must be done yearly and it must be reported to the SEC | - The assessment must be done yearly and it must be reported to the SEC | ||
It's a painful read and I'd recommend checking out the | It's a painful read and I'd recommend checking out the | ||
- | https:// | + | [[https:// |
SOX. Do they require patches? | SOX. Do they require patches? | ||
system could not be considered a secure source of financial information. | system could not be considered a secure source of financial information. | ||
Line 394: | Line 391: | ||
same basic spirit. You can't do anything that might put folks credit card | same basic spirit. You can't do anything that might put folks credit card | ||
info at risk. That includes not only their numbers, but also their | info at risk. That includes not only their numbers, but also their | ||
- | transaction history. Start with the https:// | + | transaction history. Start with the [[https:// |
and you can dig more into specific questions for different levels of PCI. | and you can dig more into specific questions for different levels of PCI. | ||
Line 428: | Line 425: | ||
installable shell archive: very handy. | installable shell archive: very handy. | ||
- | .Upgrading Secure Shell on Tru64 | + | **Upgrading Secure Shell on Tru64** |
- | ---- | + | < |
$ sudo ./ | $ sudo ./ | ||
Copyright 1999-2017 by Michael R Sweet, All Rights Reserved. | Copyright 1999-2017 by Michael R Sweet, All Rights Reserved. | ||
Line 478: | Line 475: | ||
Updating file permissions... | Updating file permissions... | ||
Installation is complete. | Installation is complete. | ||
- | ---- | + | </ |
As you can see, this is a somewhat interactive process. | As you can see, this is a somewhat interactive process. | ||
Line 495: | Line 492: | ||
don't update until something forces them to. | don't update until something forces them to. | ||
- | .Upgrading Sendmail | + | **Upgrading Sendmail** |
- | ---- | + | < |
$ cd epm/ | $ cd epm/ | ||
$ sudo ./ | $ sudo ./ | ||
Line 577: | Line 574: | ||
Updating file permissions... | Updating file permissions... | ||
Installation is complete. | Installation is complete. | ||
- | ---- | + | </ |
So, this is a MAJOR upgrade for Tru64 since it takes the mail server up two | So, this is a MAJOR upgrade for Tru64 since it takes the mail server up two | ||
Line 603: | Line 600: | ||
cycles and less hassle. | cycles and less hassle. | ||
- | The pricing for our PARSEC Patch program is typically a 10% uplift to your | ||
- | support cost. This helps us justify putting in the time to track the | ||
- | vulnerabilities and develop the patches, workarounds, | ||
- | make your money well spent. | ||
parsec_patches.txt · Last modified: 2019/07/11 04:58 by sgriggs