parsec_patches
Differences
parsec_patches [2019/07/11 04:50] – sgriggs | parsec_patches [2019/07/11 04:53] – sgriggs | ||
---|---|---|---|
Line 16: | Line 16: | ||
patched. | patched. | ||
- | == What Exactly is a Patch? == | + | ===== What Exactly is a Patch? |
It might seem silly, but not everyone agrees on what constitutes a patch. | It might seem silly, but not everyone agrees on what constitutes a patch. | ||
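Review bot: the `+` side of this hunk, `===== What Exactly is a Patch?`, puts this section at the same level as the subsections that follow it in the next hunks (`===== Stability versus Security Patches`, `===== What is a Firmware Update?`, `===== What is a Kernel Patch?`), so in DokuWiki, where more leading `=` means a higher level, those subsections now render as siblings of this section rather than children of it; give this heading one more `=` or the subsections one fewer. The closing run of `=` is also not visible on the `+` side here (compare `===== What We Do NOT Patch and Why =====` further down); DokuWiki only recognises a heading when the line both starts and ends with a run of `=`, so confirm the closing marker was not dropped.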
Line 24: | Line 24: | ||
kernel, or a bit of hardware. | kernel, or a bit of hardware. | ||
- | === Stability versus Security Patches === | + | ===== Stability versus Security Patches |
Some, but not all vendors will bifurcate their patches into two categories: | Some, but not all vendors will bifurcate their patches into two categories: | ||
Line 44: | Line 44: | ||
- | === What is a Firmware Update? === | + | ===== What is a Firmware Update? |
Some hardware devices need their own internal code to function. Think of it | Some hardware devices need their own internal code to function. Think of it | ||
Line 74: | Line 74: | ||
Also keep in mind that vendors tend to stop upgrading firmware after 1-3 years from the release date. This is because they generally feel pretty confident and stable about the code as their bug reports slow down and die off. By the time you'd want to sign a contract with PARSEC, you'd probably be well out of this period. So, to be fair and compare apples to apples, the OEM vendor isn't going to give you firmware updates beyond a certain point either, even despite having the legal means to do so. | Also keep in mind that vendors tend to stop upgrading firmware after 1-3 years from the release date. This is because they generally feel pretty confident and stable about the code as their bug reports slow down and die off. By the time you'd want to sign a contract with PARSEC, you'd probably be well out of this period. So, to be fair and compare apples to apples, the OEM vendor isn't going to give you firmware updates beyond a certain point either, even despite having the legal means to do so. | ||
- | === What is a Kernel Patch? === | + | ===== What is a Kernel Patch? |
The kernel is the core of most operating systems. It describes only the most | The kernel is the core of most operating systems. It describes only the most | ||
Line 90: | Line 90: | ||
- | == PARSEC Patch Program == | + | ==== PARSEC Patch Program |
PARSEC has a product offering to address the issue of patching for version | PARSEC has a product offering to address the issue of patching for version | ||
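Review bot: `==== PARSEC Patch Program` on the `+` side is one level below its own subsections, which the following hunks promote to `=====` (`Selection of Patch Candidates`, `What We Do NOT Patch and Why`, `What We Do Patch with Examples`, `Why We Use Enterprise Package Manager for Patches`), so the table of contents will nest this section under the subsections it introduces; use `=====` here and `====` for the four subsections, or `======` and `=====`.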
Line 104: | Line 104: | ||
based on known vulnerabilities. | based on known vulnerabilities. | ||
- | === Selection of Patch Candidates === | + | ===== Selection of Patch Candidates |
We select patches based on the OS specific entries in the CVE database. | We select patches based on the OS specific entries in the CVE database. | ||
Line 126: | Line 126: | ||
in subsystems we have code-access to, for example Sendmail or Inetd. | in subsystems we have code-access to, for example Sendmail or Inetd. | ||
- | === What We Do NOT Patch and Why === | + | ===== What We Do NOT Patch and Why ===== |
PARSEC doesn' | PARSEC doesn' | ||
Line 155: | Line 155: | ||
deprecate the server if needed. | deprecate the server if needed. | ||
- | === What We Do Patch with Examples === | + | ===== What We Do Patch with Examples ===== |
Most of the time, OS vendors do not write basic system software if they | Most of the time, OS vendors do not write basic system software if they | ||
Line 201: | Line 201: | ||
rolled into that quarter' | rolled into that quarter' | ||
- | === Why We Use Enterprise Package Manager for Patches === | + | ===== Why We Use Enterprise Package Manager for Patches |
The EPM tool is an open source package management system written by Michael | The EPM tool is an open source package management system written by Michael | ||
Line 236: | Line 236: | ||
If a customer specifically requests a patch be in native format, we can easily create that, also. | If a customer specifically requests a patch be in native format, we can easily create that, also. | ||
- | == Patching and Regulatory Compliance == | + | === Patching and Regulatory Compliance |
Let's face it, many times patching is driven by the need to comply with some | Let's face it, many times patching is driven by the need to comply with some | ||
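Review bot: `=== Patching and Regulatory Compliance` on the `+` side is a lower level than every subsection under it, and those subsections are not even at one level among themselves: `How Do I Know What I'm Required to Patch?`, `When am I Required to Patch?`, `SOX Specifics` and `PCI Specifics` become `=====` while `GLBA Specifics` and `HIPPA Specifics` become `====`. Pick one level for this section (for example `=====`) and one consistent level one step below it for all six subsections (`====`); the closing `===` is also not visible on the `+` side of this line.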
Line 247: | Line 247: | ||
However, in most cases one simply needs to have a plan for patching and technology updates. If your plan is to [[version lock|version_locking_legacy_environments]], | However, in most cases one simply needs to have a plan for patching and technology updates. If your plan is to [[version lock|version_locking_legacy_environments]], | ||
- | === How Do I Know What I'm Required to Patch? === | + | ===== How Do I Know What I'm Required to Patch? |
In almost all cases, the regulatory standards try to be broad and use a lot | In almost all cases, the regulatory standards try to be broad and use a lot | ||
Line 268: | Line 268: | ||
the common standards and what they actually require in further sections. | the common standards and what they actually require in further sections. | ||
- | === When am I Required to Patch? === | + | ===== When am I Required to Patch? |
Patching frequency is almost always dependent on what your local security | Patching frequency is almost always dependent on what your local security | ||
Line 280: | Line 280: | ||
enough. | enough. | ||
- | === GLBA Specifics === | + | ==== GLBA Specifics |
U.S. Congress gave us the Gramm-Leach-Bliley Act (GLBA), also called the | U.S. Congress gave us the Gramm-Leach-Bliley Act (GLBA), also called the | ||
Line 311: | Line 311: | ||
encryption' | encryption' | ||
- | === HIPPA Specifics === | + | ==== HIPPA Specifics |
The requirements in HIPPA are designed to protect individuals from | The requirements in HIPPA are designed to protect individuals from | ||
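Review bot: while this heading is being re-levelled, the acronym in `==== HIPPA Specifics` and in the surrounding text should be HIPAA (Health Insurance Portability and Accountability Act); the misspelling is repeated in the context line below the heading, so a fix here should cover the whole section.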
Line 349: | Line 349: | ||
As you can see, HIPPA is vague but only in ways that advantage the auditors. | As you can see, HIPPA is vague but only in ways that advantage the auditors. | ||
- | === SOX Specifics === | + | ===== SOX Specifics |
Sarbanes-Oxley is a law which is part of the US Title 15 code governing | Sarbanes-Oxley is a law which is part of the US Title 15 code governing | ||
Line 377: | Line 377: | ||
anything really specific from your IT security. | anything really specific from your IT security. | ||
- | === PCI Specifics === | + | ===== PCI Specifics |
The Payment Card Industry (PCI) standards aren't law, they are well accepted | The Payment Card Industry (PCI) standards aren't law, they are well accepted | ||
Line 403: | Line 403: | ||
protocols the code-path in those tools must be kept secure. | protocols the code-path in those tools must be kept secure. | ||
- | == Examples and Demonstrations == | + | === Examples and Demonstrations |
Just for fun, let's watch a few PARSEC patches in action and have a quick | Just for fun, let's watch a few PARSEC patches in action and have a quick | ||
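Review bot: `=== Examples and Demonstrations` on the `+` side is one level below the three subsections that follow it in the next hunks (`==== Upgrading Secure Shell ====`, `==== Upgrading Sendmail`, `==== Other Scenarios`), so the parent is again nested under its children; raise this heading to at least `=====`, and note that its closing run of `=` is not visible on the `+` side.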
Line 410: | Line 410: | ||
see something more concrete. | see something more concrete. | ||
- | === Upgrading Secure Shell === | + | ==== Upgrading Secure Shell ==== |
Here is an example on a Tru64 system. We have an ancient and highly | Here is an example on a Tru64 system. We have an ancient and highly | ||
Line 481: | Line 481: | ||
agreement and just do the installation quietly. | agreement and just do the installation quietly. | ||
- | === Upgrading Sendmail === | + | ==== Upgrading Sendmail |
Sendmail is another bit of software which comes from the open source world, | Sendmail is another bit of software which comes from the open source world, | ||
Line 581: | Line 581: | ||
has to face the Internet. | has to face the Internet. | ||
- | === Other Scenarios === | + | ==== Other Scenarios |
Keep in mind that there is a heckuva lot more software that can be patched | Keep in mind that there is a heckuva lot more software that can be patched |
parsec_patches.txt · Last modified: 2019/07/11 04:58 by sgriggs