
Solaris -- Patch Management
Information Systems and Technology
University of Waterloo

19-January-2001

Synopsis

It's a fundamental security practice that you keep your operating system and applications up to date (see the CERT® Security Improvement Modules). Weaknesses are continually discovered in Solaris and third-party applications. Not only do the weaknesses pose threats, but the volume of weaknesses and the number of patches required to address those weaknesses can be a threat: if not managed carefully, they will consume too much time or they will be simply ignored. If you don't apply your patches the results are predictable -- all too often systems are compromised because:
  1. systems are not patched regularly to address posted vulnerabilities that can be exploited.

  2. systems are configured to offer services which aren't required but can be exploited.
The purpose of this brief note is to give some advice to managers of Solaris systems so they can address these problems. Some tools are provided (see the kit in references below) so you can quickly determine the patch level and easily apply missing patches that the vendor has recommended. Patch management need not be an onerous responsibility.
Recommendation: We recommend that Solaris system managers here at Waterloo participate in the xhier administrative structure. Typically, xhier Solaris systems are configured to automatically apply recommended patches through strategies similar to those discussed here. For those systems the tools discussed here only augment existing processes.
Our document on Solaris Network Hardening addresses the issue of hardening a system by removing network services in detail -- we'll not belabor that issue.

Solaris Patches

Sun Microsystems maintains an extensive public support site at SUNSOLVE ONLINE where you will find lots of information on patches, security bulletins and much more -- all freely available even if you have no support contract. The SUNSOLVE ONLINE Patches site includes patch clusters (for Solaris 2.3 through to Solaris 8) and patch reports for all versions back to Solaris 1.1 (sic!). However, we would not recommend that you continue with very old Solaris systems -- support from IST and from Sun is minimal on older systems.
Recommendation: If you are running an old version of Solaris you should update your system as soon as possible to the current release. If you need help you should contact your local support first and IST if they need help.

One patch management strategy some people recommend is to periodically retrieve the patch cluster for your Solaris version from SUNSOLVE with either FTP or HTTP and install the cluster. That usually requires some down time, as cluster installation is not recommended on a live system -- the cluster will often contain patches that require single user mode. The strategy works well but you end up transferring a large cluster that includes all recommended patches, including those that you've already applied. In any case, it's probably a wise idea to determine what you need to have installed before scheduling down time for a patch cluster install -- if you've been keeping your system patched then you should only need to apply a few patches, and often these can be applied to a live system.

Recommendation: We understand that the patch cluster may occasionally omit a security patch from the patch report -- clusters seem to bundle just the recommended patches. On the other hand, patch clusters are updated as required rather than at some periodic interval.

You will discover the Solaris 8 Patch Report (for the most recent Solaris version at this writing) and patch reports for all other releases at SUNSOLVE. The patch reports, which are updated twice each month, table patches as "Recommended Patches", "Security Fixes" and "Y2000 Fixes". Using the current patch report one can compare the current Sun recommendations against your configuration and install only the patches that you require. One could exercise some discretion -- e.g. that patch looks important but this one doesn't -- or you can install all the patches (recommended, security and Y2K). The choice is yours but I recommend the second alternative --

Recommendation: You should regularly install all Solaris recommended, security and Y2K patches tabled in the Solaris patch report for your system.
In the next section we'll give you some tools so you can do that.

Patching Tools

GetApplyPatch(8) and CheckPatches(8) are two Bourne shell scripts for Solaris patch management that we've developed with the help of colleagues on the net (CheckPatches(8) was originally a Perl script posted to Usenet by Bruce Barnett). The scripts rely on the vendor's patch report to construct an incremental list of patches required. These tools have been peer reviewed, many thanks to Sean Boran of SecurityPortal and other participants on the YASSP project, and can help you manage patches on your Solaris system. These tools are found at Waterloo in the optional solaris-harden package distributed by xhier (that package is under development and addresses many other issues in hardening a Solaris server); they're also available to sites (here and elsewhere) that do not participate in xhier as a traditional Unix "tar" kit (see references below).

A quick introduction to these two tools:

  1. CheckPatches(8) is a script that uses the vendor provided showrev(1m) command to see what patches are installed, compares this against the Solaris patch report, and makes a list of recommended, security and Y2K patches that need installation. It expects to find "SolarisX.PatchReport" in the current directory and will fetch a copy if none is found. You can use the "-f" option to fetch the most recent Patch report from the FTP site.
    CheckPatches -f
    A sample cron job to automate this process and email the results is provided as CheckPatches.cron. The recommendation is that the job be run twice a month shortly after the posting of patch reports.

  2. GetApplyPatch(8) is a script to get and apply a patch. Arguments are a list of patch numbers. If run from the command line, it is interactive and will ask you to confirm the download, show the patch documentation, install the patch and delete the temporary files it created.
    GetApplyPatch 108875-07
    Interactive mode gives you an opportunity to determine if the patch requires any special efforts or can be applied on the fly -- most can be. The tool will run without prompting in "batch mode" and will apply every patch as instructed. That can be problematic if the patch requires that you bring the system to single user mode or reboot after installation.

  3. Both scripts can be used together in a pipeline to fetch all required patches and install them (you are prompted through the installation of each patch and can abandon the process at any time).
    CheckPatches | sort -u | GetApplyPatch
    A sample cron job to automate this process and mail the results is provided as GetApplyPatch.cron. The recommendation is that the job be run twice a month shortly after the posting of patch reports.
    Recommendation: But an emphatic beware -- blindly applying patches to production systems without first testing them in a non-production environment can cause very nasty problems!
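The comparison at the heart of CheckPatches -- installed patch revisions from showrev -p against the patch report table, minus an exception list -- as an added Bourne shell example that is not the IST kit's own script. The showrev output, the report lines and the exception entry below are constructed sample data, and the "base number / revision" interpretation of NNNNNN-RR ids is assumed.

```shell
#!/bin/sh
# Added example, not the CheckPatches script from the kit. Lists patch ids
# from a patch report that are missing on this host or installed at an older
# revision, skipping base numbers listed in an exception file.

# Constructed stand-in for `showrev -p` output (one "Patch: NNNNNN-RR ..." per line).
INSTALLED='Patch: 108528-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108875-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108993-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl'

# Constructed stand-in for the "Recommended"/"Security" table of SolarisX.PatchReport.
REPORT='108528-09 SunOS 5.8: kernel update patch
108875-07 SunOS 5.8: c2audit patch
108993-03 SunOS 5.8: LDAP2 client, libc, libthread and libnsl libraries patch
109234-02 SunOS 5.8: Apache and NCA patch'

# Constructed exception list: base numbers known not to apply to this host
# (the page's "exception file"), one per line.
EXCEPTIONS='109234'

# missing_patches: print "NNNNNN-RR" for every report entry whose base number
# is not installed at all, or is installed at a lower revision than recommended.
# A patch already at the recommended revision (108875-07 here) is not listed.
missing_patches() {
    printf '%s\n' "$REPORT" | awk -v inst="$INSTALLED" -v exc="$EXCEPTIONS" '
    BEGIN {
        # Map base number -> highest installed revision from the showrev lines.
        n = split(inst, lines, "\n")
        for (i = 1; i <= n; i++) {
            if (split(lines[i], f, " ") < 2) continue
            split(f[2], id, "-")
            if (!(id[1] in have) || id[2] + 0 > have[id[1]]) have[id[1]] = id[2] + 0
        }
        m = split(exc, ex, "\n")
        for (i = 1; i <= m; i++) if (ex[i] != "") skip[ex[i]] = 1
    }
    # Only lines that begin with a patch id are table entries; ignore headings.
    /^[0-9][0-9]*-[0-9][0-9]*/ {
        split($1, id, "-")
        if (id[1] in skip) next
        if (!(id[1] in have) || id[2] + 0 > have[id[1]]) print $1
    }'
}

# Stand-alone run: the output is what would be piped into sort -u | GetApplyPatch.
missing_patches
```

On a real host the INSTALLED text would come from `showrev -p` and REPORT from the current patch report, with EXCEPTIONS read from the site's exception file.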

These tools include support for the Solaris Intel platform (although we have no direct experience), FTP proxies may be configured, and you can download from your local FTP mirror rather than SUNSOLVE. You should see the manual pages for each command to learn more about what they can do -- see CheckPatches(8) and GetApplyPatch(8). The distribution kit comes with additional notes.

Finally, you could use the Patchdiag tool from SUNSOLVE along with the latest patchdiag.xref data to see what recommended and security patches are missing, then download and install the missing ones. The GetApplyPatch tool will help with fetching and installing patches.

Beware: Cautionary Tales

These tools are written as Bourne shell scripts so you can look at the source code and determine what they do. You'll find there's nothing earth shattering -- they're very simple minded. Nevertheless, some cautionary tales:
  1. I have configured systems to regularly retrieve the patch report and automatically install all outstanding patches discovered. I would never recommend that you do the same on any critical production system. The strategy works fine on a desktop workstation but would be foolish indeed on a back room server.

  2. The CheckPatches.cron periodic cron job is a safe addition to your Solaris system but may require some adjustments for your site. If you decide to use it please use a different time to trigger the cron job -- we don't want to overburden SUNSOLVE with everyone connecting at the same time.

  3. If you're maintaining many systems you probably ought to mirror the SUNSOLVE patch tree and configure these tools to access your site rather than burdening Sun. That will be required if your site is firewalled to prevent access to external sites.

  4. My test environments have been Solaris 2.6 through Solaris 8 on sparc platforms with direct connections to the Internet. I have no experience with FTP proxies nor with Solaris on the Intel platform.

  5. The manual pages provide additional information and should be required reading -- see especially the CheckPatches(8) discussion of how to manage the exception file. You should list patches that do not apply to your system when you discover that they don't apply.

  6. The showrev(1m) command is part of the "SUNWadmfw: System & Network Administration Framework" package -- we always have it installed even though it's not part of the core installation.

  7. You should know how to back out of a patch -- find the back out script in the directory /var/sadm/patch/NNNNNN-MM. The directory /var/sadm/patch will accumulate patch kits over time and should be pruned.

See Also

Further readings and references:
  • CheckPatches/GetApplyPatch/MirrorPatches Tool Kit -- contains all scripts, manual pages, installation notes and Makefile (Unix tar file format).
  • SUNSOLVE ONLINE; SUNSOLVE ONLINE Patches; SUNSOLVE ONLINE Patch Primer -- patch clusters, patch reports, the patchdiag tool and the patchdiag.xref data.
  • Solaris 8 Patch Report (via anonymous FTP from SUNSOLVE). All current patches, patch reports and patch READMEs are found in the same directory.
  • SUN DOCUMENTATION ONLINE -- includes Solaris Answerbook.
  • The YASSP project -- YASSP is an acronym for Yet Another Solaris Security Package -- (by) Jean Chounard.
  • IST Production Support -- central services at UWaterloo; Security: How to Documents -- includes this document; Solaris Network Hardening -- protecting a system by removing network services.

Acknowledgments

Many thanks to Sean Boran for patiently testing, commenting and providing much of this text; the participants in the YASSP project who required these tools; CheckPatches(8) was originally written in Perl by Bruce Barnett and posted to Usenet; and thanks to Patrick Matlock who manages Solaris patches within xhier.

Your comments, concerns and questions should be addressed to the author.

Revisions

4-Sep-2001. A new tool to MirrorPatches has been added to the kit. That's so a site can maintain a local mirror of the Sunsolve site. Clients then can hit the local mirror rather than Sunsolve. Needs some text added to the above.

19-Jan-2001. Sean (again) notes that CheckPatches was not returning a correct exit status. This has been fixed.

19-Jan-2001. Sean Boran notes that Solaris 7 is in the middle of a transition from patches in .tar.Z format to patches in .zip format. The GetApplyPatch script has been updated to try to fetch patches for Solaris 7 in both formats.


Reg Quinton, Information Systems and Technology
2000/12/04 - 2001/09/04