[pca] safe mode and hardening

Glen Gunselman ggunselm at emporia.edu
Thu May 15 16:19:01 CEST 2008


 
I'll start a new thread adding my hardening question.
 
How do you handle hardening (JASS) and patching?
 
Is --safe a good indicator that re-hardening is/may be needed?
 
Do you always/never re-harden after patching?
 
 
Thanks,
 
Glen Gunselman
Systems Software Specialist
TCS
Emporia State University

>>> Martin Paul <martin at par.univie.ac.at> 5/15/2008 7:39 AM >>>
Chris Coffey wrote:
> Or something similar where files/perms/links aren't kosher to proceed with a
> patch.  I think this is related to using the safe switch, is that correct?

Correct. Don't use the safe option, and the errors will be gone. You 
provide a good example of what --safe can do for you, BTW:

   ERROR: /etc/init.d/init.wbem
     permissions <0744> expected <0600> actual
   ERROR: /etc/rc2.d/S90wbem
     pathname not properly linked to <../../etc/init.d/init.wbem>

This tells me that you manually have changed the permissions of 
init.wbem to 600 and removed the S90wbem link in /etc/rc2.d/. You did 
this to stop the wbem stuff from starting automatically.

When you install 112945-46, the permissions will be changed back to 744 
and the missing link will be re-established, resulting in the wbem 
processes again being started on next reboot. You probably don't want 
that, and that's what --safe warns you about.

The problem with --safe is that it sometimes shows false positives - 
files which you didn't modify yourself or never heard of, and which you 
don't care about being modified by the patch. This happens e.g. when a 
script in a patch modifies a configuration file without updating its 
checksum in the package database later on. You can just ignore what 
--safe tells you in that case and install the patch without --safe.

The decision on whether you prefer hands-off patching or the extra 
safety provided by using --safe is on you.

Hope that helps,

Martin.
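
As an added example (not part of the original e-mails and not pca's own code), the findings quoted above can be turned into a re-hardening checklist before patching. It assumes the report uses the two-line `ERROR:` format shown in the message; the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample: the two findings quoted in the message above.
SAMPLE = """\
ERROR: /etc/init.d/init.wbem
    permissions <0744> expected <0600> actual
ERROR: /etc/rc2.d/S90wbem
    pathname not properly linked to <../../etc/init.d/init.wbem>
"""

# Assumption: detail lines follow the two shapes shown in the message.
ATTR_RE = re.compile(r"^(.+?) <([^>]*)> expected <([^>]*)> actual$")
LINK_RE = re.compile(r"^pathname not properly linked to <([^>]*)>$")


def parse_findings(text):
    """Return one dict per detail line, tied to the ERROR path above it."""
    findings, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ERROR:"):
            path = line[len("ERROR:"):].strip()
        elif not line or path is None:
            continue  # blank line, or detail with no ERROR header before it
        elif (m := ATTR_RE.match(line)):
            findings.append({"path": path, "kind": m[1],
                             "packaged": m[2], "local": m[3]})
        elif (m := LINK_RE.match(line)):
            findings.append({"path": path, "kind": "link", "packaged": m[1]})
        else:
            findings.append({"path": path, "kind": "other", "detail": line})
    return findings


def reharden_notes(findings):
    """One note per finding: what the patch resets and what to re-check."""
    notes = []
    for f in findings:
        if f["kind"] == "permissions":
            notes.append(f"{f['path']}: patch restores mode {f['packaged']}; "
                         f"re-apply {f['local']} afterwards")
        elif f["kind"] == "link":
            notes.append(f"{f['path']}: patch restores link to {f['packaged']}; "
                         "re-check afterwards")
        else:
            notes.append(f"{f['path']}: review manually ({f['kind']})")
    return notes


if __name__ == "__main__":
    print("\n".join(reharden_notes(parse_findings(SAMPLE))))
```

Findings that match neither shape, or that concern attributes other than permissions, are only flagged for manual review, since they may be the false positives described in the message.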
