COSC 316 COMPUTER HOSTS SECURITY

1
COSC 316 COMPUTER HOSTS SECURITY

• SOUNDARARAJAN EZEKIEL
• COMPUTER SCIENCE DEPARTMENT
• INDIANA UNIVERSITY OF PENNYLVANIA
• INDIANA, PA 15705

2
Part IV SECURE OPERATIONSChapter 17 KEEPING
UP TO DATE

• We will talk about
• Discusses strategies for downloading security
  patches i.e. Software Management system
• Keeping your OS up to date i.e. updating system
  software

3
Chapter 17 Keeping up to date

• From the moment a Unix workstation or server is
  connected to the internet, it is open to
  discovery and access by unwanted outsiders
• Attackers find new internet host with amazing
  speed
• Computers with DSL or cable internet connections
  are especially targeted by automated attck tools
  because they are usually operated by people with
  little or no security knowledge
• It is necessary that any Unix system that will
  be on a network be kept up to date with security
  fixes- both before connecting it to the network
  and after

4
Software Management System

• Software management system is a set of tools and
  procedure for keeping trck of which versions of
  which software you have installed, and whether
  any local changes have been made to the software
  or its configuration files
• Without this, it is impossible to know whether a
  piece of software need to be updated or what
  local changes have been made and need to be
  preserved after the update
• It is essential to keep software management
  system up to date for security purpose
• All of the Unix system provide some form of
  software management

5
Package-Based System

• A typical package file is a file containing a set
  of executable programs, already complied, along
  with any supporting files such as libraries,
  default configuration files, and documentation.
• Package contains
• Version information for the software it contains
• Information about compatible OD version or
  hardware
• List of other package that the package require
• List of other packages with which the package
  conflict
• List of which included files are configuration
  files
• Commands to run before, during, or after the
  included files are installed

6
Continue

• The other important component of a package-based
  system containing information about which
  versions of which packages have been installed
• It is easy to use- a simple command
• System administrators can update
• Solaris 2.x provides the pkgadd, pkgrm,
  pkginfor, showrev, commands for adding, removing,
  and querying packages from the shell and
  admintool for managing software graphically

7
Continue

• Several Linux distributions have adopted the RPM
  Package manager (RPM) what is RPM means Red
  Hat Package Manager
• It uses a single command rpm for all of its
  package management system
• Debian GNU/Linux uses an alternative package
  management system called dpkg
• The BSD based Unix system focus on sources based
  updates, but also provide a collection of
  precompiled packages that are managed with the
  pkg_add, pkg_delete, and pkg_info commands

8
Source- Based System

• Source based system focus on helping the system
  administrator maintain an up-to-date copy of the
  OS or application source code, from which new
  executable can be compiled and installed
• Advantage- It comes with single versions
• Source code and patches-
• The simplest approach to source management is to
  keep application source code available on the
  system and recompile it whenever its changed
• Most Unix system uses /usr/src/ and
  /usr/loacl/src hierarchies to store source code
  to distributed and third party software

9
CVS

• Another approach to source management is to store
  the source code on a server using a source code
  versioning system as the Concurrent Versions
  Systems and configure the server to allow
  anonymous client connections.
• An Advantage of CVS is that the system makes it
  easy for sites to maintain their own local
  modifications to an otherwise large and unwieldy
  system
• It will detect the local modifications and
  reapply them each time a new version of the
  source code is downloaded

10
Updating system Software

• Inventory your system and keep track of new
  application that you have installed.
• Learning about patches
• Every Unix OS and most major application, such as
  web servers, have an associated mailing list for
  announcements of new versions,
• Several mailing lists collect and distribute
  security alerts for many products
• Check with your software vendor cd rom comes
  with the software will not have patches
• Automatic update system compare installed
  packages with the latest version of package
  available

11
Upgrading distributed applications

• Under package management system, upgrading a
  package is usually a very simple procedure.
• Sensitive Upgrades
• Some upgrades are best performed when the system
  is singles user mode
• Although upgrading an application doesn't
  generally affect running processes, there are
  exceptions.
• Some programs dynamically load object code while
  running, and upgrading such programs without
  first stopping them can cause problems if the
  older version of the process loads the newer
  version for the dynamic code

12
Conclusion

• Keeping your Unix system secure is ongoing
  responsibility
• Different system and vendors have different
  strategies for distributing updates and bug
  fixes.
• You must find out how this information is
  distributed for your system, and you must keep up
  to date
• Be sure that you get your updates from reliable
  sources
• After you have installed your updates, continue
  to monitor mailing lists and web sites to make
  sure that the updates themselves have not been
  compromised- there are growing number of cases
  in which people have installed security updates
  that actually contained vulnerabilities of
  full-blown Trojan horses
• Vigilance is the only way to protect yourself and
  your computer