Dear FreeBSD users and system administrators,

While the FreeBSD Security Team has traditionally been very good at investigating and responding to security issues in FreeBSD, this only solves half of the security problem: Unless users and administrators of FreeBSD systems apply the security patches provided, the advisories issued accomplish little beyond alerting potential attackers to the presence of vulnerabilities.

The Security Team has been concerned for some time by anecdotal reports concerning the number of FreeBSD systems which are not being promptly updated or are running FreeBSD releases which have passed their End of Life dates and are no longer supported. In order to better understand which FreeBSD versions are in use, how people are (or aren't) keeping them updated, and why it seems so many systems are not being updated, I have put together a short survey of 12 questions. The information gathered will inform the work done by the Security Team, as well as my own personal work on FreeBSD this summer.

If you administrate system(s) running FreeBSD (in the broad sense of "are responsible for keeping system(s) secure and up to date"), please visit http://people.freebsd.org/~cperciva/survey.html and complete the survey below before May 31st, 2006.

Thanks,
Colin Percival
FreeBSD Security Officer
On May 21, 2006, at 11:55, Colin Percival wrote:

> The Security Team has been concerned for some time by anecdotal reports concerning the number of FreeBSD systems which are not being promptly updated or are running FreeBSD releases which have passed their End of Life dates and are no longer supported. In order to better understand which FreeBSD versions are in use, how people are (or aren't) keeping them updated, and why it seems so many systems are not being updated, I

I have a 6-STABLE box that is not going to be updated to 6.1 any time soon, because my personal mail will have to be offline while I do so --- including nuking and rebuilding all ports because the ports tree has been thrashed by multiple low level updates that affect a large percentage of the tree --- and it's only a 600MHz box so it will be offline for most of a week during that upgrade. And I'm uncertain how downgrading it to 6.0-RELEASE+security patches will complicate things (downgrading via cvsup/buildworld is not a supported option, last I checked). Granted, I probably should have stuck with 6.0-R --- but then, experience has shown me that the more reliable option is to wait a week or two after release and then install -STABLE.

In short: keeping FreeBSD up to date tends to be painful at best.

-- 
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH
On May 21, 2006, at 20:55, Colin Percival wrote:

> If you administrate system(s) running FreeBSD (in the broad sense of "are responsible for keeping system(s) secure and up to date"), please visit http://people.freebsd.org/~cperciva/survey.html and complete the survey below before May 31st, 2006.

What doesn't fit into the survey very well is that all my servers are production ones and it causes a lot of grief for users when I bring them down. I try to hold updates to once per year because of that. I am currently in the middle of upgrading from 5.3 to 6.0. The easy machines are done but there are still a few that will take considerable on-site time which is not easy to come by.
On Sun, 21 May 2006, Colin Percival wrote:

> In order to better understand which FreeBSD versions are in use, how people are (or aren't) keeping them updated, and why it seems so many systems are not being updated, I have put together a short survey of 12 questions.

I applaud this survey, however question 9 missed an important point, at least to me. I was torn between answering "less than once a month" and "I never update".

While I find ports to be the single most useful feature of the FreeBSD experience, and can't thank contributors enough for the efforts, I on the other hand find updating my installed ports collection (for security reasons or otherwise) to be quite painful. I typically use portupgrade to perform this task. On several occasions I got "bit" by doing a portupgrade which wasn't able to completely upgrade all dependencies (particularly when X, GUIs, and desktops are in the mix -- though I always follow the special Gnome upgrade methods when appropriate).

I can't rule out some form of pilot error, but the end result was pain.

After several instances of unsatisfactory portupgrades (mostly in the 5.2 through early 5.4 timeframe), I adopted the practice of either not upgrading ports at all for the life of a particular installation on a machine (typically about one year), or when necessary by removing *all* ports from the machine, cvsup'ing, and reinstalling. This has served me quite well, particularly considering the minimal threat profile these particular systems face.

So, in short, that's why *I* rarely update ports for security reasons.

There are steps that could be taken at the port maintenance level that would work well for my particular case, however that's beyond the scope of the survey. Thanks for taking the time to put the survey together, I certainly hope it proves useful.

Thank you,
Brent Casavant
Doug Hardie wrote:

> On May 21, 2006, at 20:55, Colin Percival wrote:
>
>> If you administrate system(s) running FreeBSD (in the broad sense of "are responsible for keeping system(s) secure and up to date"), please visit http://people.freebsd.org/~cperciva/survey.html and complete the survey below before May 31st, 2006.
>
> What doesn't fit into the survey very well is that all my servers are production ones and it causes a lot of grief for users when I bring them down. I try to hold updates to once per year because of that. I am currently in the middle of upgrading from 5.3 to 6.0. The easy machines are done but there are still a few that will take considerable on-site time which is not easy to come by.

A good failover strategy comes into play here. If you have one, then taking a single production machine off-line for a short period should be no big deal, even routine, and should not even be noticed by users if done correctly. This should be planned for and part of the network/system design. Yes, it definitely requires more resources to support, but I'll rephrase the same problem: what happens when (and I mean *when* and not *if*) a motherboard or network card fries or you suffer a hard disk crash (even 2+ drives failing at the same time on a RAID array is not particularly unusual considering that drives are quite often from the same manufactured batch)? Lack of a failover on mission critical systems that *can't* be offline is like playing Russian roulette.
On 5/22/06, Colin Percival <cperciva@freebsd.org> wrote:

> If you administrate system(s) running FreeBSD (in the broad sense of "are responsible for keeping system(s) secure and up to date"), please visit http://people.freebsd.org/~cperciva/survey.html and complete the survey below before May 31st, 2006.

One of those "Missing Option" messages: Whether valid or not, the reason that I would avoid a binary update system is that I customise CPUTYPE, and believe, rightly or wrongly, that this would make binary updating impossible. Of course, the main reason I would not use binary updating is that you/they have made source updating so easy!
Hi,

We don't use binary update as we use custom kernels. We're using portaudit for security flaws with the installed ports but I don't think there is any equivalent for the base and kernel? I'm subscribed and I'm monitoring the FreeBSD Security Advisories mailing-list but there is (as far as I know) no easy system like portaudit to compare your installed base and kernel source tree against security advisories. Are there best practices in this area knowing that all my systems are not running the same level of patches and none of them are running something other than -STABLE?

I'll probably switch from -STABLE to -RELENG in the future (was not possible in the beginning as features we're looking for were only in -STABLE) and apply security fixes but I think it won't change the amount of work to perform compared to a non source based operating system.

Regards,
Benjamin Constant

> -----Original Message-----
> From: owner-freebsd-stable@freebsd.org [mailto:owner-freebsd-stable@freebsd.org] On Behalf Of Colin Percival
> Sent: Monday 22 May 2006 5:55
> To: freebsd security; FreeBSD Stable
> Subject: FreeBSD Security Survey
>
> Dear FreeBSD users and system administrators,
>
> While the FreeBSD Security Team has traditionally been very good at investigating and responding to security issues in FreeBSD, this only solves half of the security problem: Unless users and administrators of FreeBSD systems apply the security patches provided, the advisories issued accomplish little beyond alerting potential attackers to the presence of vulnerabilities.
>
> The Security Team has been concerned for some time by anecdotal reports concerning the number of FreeBSD systems which are not being promptly updated or are running FreeBSD releases which have passed their End of Life dates and are no longer supported. In order to better understand which FreeBSD versions are in use, how people are (or aren't) keeping them updated, and why it seems so many systems are not being updated, I have put together a short survey of 12 questions. The information gathered will inform the work done by the Security Team, as well as my own personal work on FreeBSD this summer.
>
> If you administrate system(s) running FreeBSD (in the broad sense of "are responsible for keeping system(s) secure and up to date"), please visit http://people.freebsd.org/~cperciva/survey.html and complete the survey below before May 31st, 2006.
>
> Thanks,
> Colin Percival
> FreeBSD Security Officer
>> ports tree in the process, the end result is a bit more undefined. One thing that I wish for is that the ports tree would branch for releases, and that those branches would get security updates. I know that this would involve an exponentially larger amount of effort from the ports team, and I don't fault them for not doing it. Still, it would be nice to have.
>
> Yes, totally agree.
> That's the way OpenBSD ports tree works and it worked very well for me.
> Thus not to say FreeBSD's one didn't, but it takes a lot more attention, which isn't always a bad thing ;)

OpenBSD doesn't have next to 15000 ports. In my opinion, this richness is one of the main assets of FreeBSD, and by necessity implies a great difficulty to maintain everything in a coherent and secure state. You have only to contemplate the years it took to release Debian Sarge to convince yourself. Personally I am quite pleased with the present state of the FreeBSD ports, I think it is in a much better state than a couple of years before, and for my own use, security is a very secondary issue. People who have machines exposed on the internet usually have a small number of ports installed, and can maintain them in the latest secure version. I have around 600 ports installed on my 6.1 machine, which will certainly grow in time, and no intention whatsoever to run portupgrade on that.

-- 
Michel TALON
As an administrator, time is always an issue. FreeBSD has proven itself time and again. Having said that, one "wish" would be to have a default/built-in security update mechanism.

Since time is always an issue, if the system could by default (without an admin having to write scripts and/or apps, or manually update) update itself for both system and installed ports/packages, it likely would reduce security issues exponentially.

This of course would be a massive project/challenge. Varying system and kernel configurations alone would make this a huge challenge, not to mention the potential security implications.

The survey is a great idea. I suggest adding a section for administrators to add comments and/or "wishes".

Sejo

Brent Casavant wrote:

> On Sun, 21 May 2006, Colin Percival wrote:
>
>> In order to better understand which FreeBSD versions are in use, how people are (or aren't) keeping them updated, and why it seems so many systems are not being updated, I have put together a short survey of 12 questions.
>
> I applaud this survey, however question 9 missed an important point, at least to me. I was torn between answering "less than once a month" and "I never update".
>
> While I find ports to be the single most useful feature of the FreeBSD experience, and can't thank contributors enough for the efforts, I on the other hand find updating my installed ports collection (for security reasons or otherwise) to be quite painful. I typically use portupgrade to perform this task. On several occasions I got "bit" by doing a portupgrade which wasn't able to completely upgrade all dependencies (particularly when X, GUIs, and desktops are in the mix -- though I always follow the special Gnome upgrade methods when appropriate).
>
> I can't rule out some form of pilot error, but the end result was pain.
>
> After several instances of unsatisfactory portupgrades (mostly in the 5.2 through early 5.4 timeframe), I adopted the practice of either not upgrading ports at all for the life of a particular installation on a machine (typically about one year), or when necessary by removing *all* ports from the machine, cvsup'ing, and reinstalling. This has served me quite well, particularly considering the minimal threat profile these particular systems face.
>
> So, in short, that's why *I* rarely update ports for security reasons.
>
> There are steps that could be taken at the port maintenance level that would work well for my particular case, however that's beyond the scope of the survey. Thanks for taking the time to put the survey together, I certainly hope it proves useful.
>
> Thank you,
> Brent Casavant

I share this frustration with you. I was once told that the pain in upgrading is due largely to a somewhat invisible difference between installing a pre-compiled package, and building+installing a port. In theory, if you stick to one method or the other, things will stay mostly consistent. But if you mix them, and particularly if you update the ports tree in the process, the end result is a bit more undefined. One thing that I wish for is that the ports tree would branch for releases, and that those branches would get security updates. I know that this would involve an exponentially larger amount of effort from the ports team, and I don't fault them for not doing it. Still, it would be nice to have.

Scott
> As an administrator, time is always an issue. FreeBSD has proven itself time and again. Having said that, one "wish" would be to have a default/built-in security update mechanism.
>
> Since time is always an issue, if the system could by default (without an admin having to write scripts and/or apps, or manually update) update itself for both system and installed ports/packages, it likely would reduce security issues exponentially.
>
> This of course would be a massive project/challenge. Varying system and kernel configurations alone would make this a huge challenge, not to mention the potential security implications.

Time is an issue indeed, but I reckon you would have to spend time even if a "default/built-in" mechanism for updates was in place. You would still have to consider new features and do further tweaking of .conf files and yet even write your own apps again to facilitate new needs with the new features. Might be wrong, but anything "auto-magic" sounds like not a very good idea, saves time probably in the short term, but I'm not sure that's what you want...

thanos
Should something like automatic security updates not be a goal? If done correctly, and on a per-stable/version basis, it is "possible" to increase security exponentially. The responsible administrator will naturally keep on top of all changes and fixes. But just like in the wintel and other *nix worlds, not every administrator updates their servers. Ok, maybe only a few FreeBSD administrators don't update...

What I am trying to suggest is a mechanism that incorporates all security fixes and specified (or installed) ports/packages for a given server, within a per-stable/version basis. Tools that exist already accomplish this, and run by a custom script via cron. There still would likely be a strong need for an administrator to buildworld, especially for those of us who prefer configuring custom kernels and building (mostly) by source. It is naturally a "wish" that could potentially save a busy administrator some time.

As I said, this of course would be a massive project/challenge. Varying system and kernel configurations alone would make this a huge challenge, not to mention the potential security implications. Granted, many FreeBSD versions will not be maintained for long periods of time. But are there no outdated versions running now? Is something like this not worth looking at for the future?

Sejo

-------- Original Message --------
From: Peter Jeremy
Sent: Tue 23 May 2006 05:23:50 1000
To: FreeBSD User
Subject: Re: FreeBSD Security Survey

On Mon, 2006-May-22 15:20:11 -0000, FreeBSD User wrote:

> Since time is always an issue, if the system could by default (without an admin having to write scripts and/or apps, or manually update) update itself for both system and installed ports/packages, it likely would reduce security issues exponentially.

I think it would substantially reduce the reliability and security.

Firstly, automatically installing arbitrary "fixes" on a production system is almost always a bad idea. The release engineering and security teams do regression testing but can't test exactly your system configuration and there's a non-trivial likelihood that installing patch X will break something that your configuration relies on. This can be mitigated by using a test system and rolling out the updates from it, but that negates the whole point.

It's also likely to inconvenience users. Our ITS department take it upon themselves to automatically roll out (wintel) desktop updates. This almost always results in your desktop machine insisting that it needs to be rebooted immediately when you are in the middle of doing something crucial - thus breaking your concentration and potentially losing data (my manager managed to lose 3 man-hours work once). I, for one, would hate it if my FreeBSD boxes started doing the same.

Specific FreeBSD versions aren't maintained forever. An "install it and forget it" philosophy will increase the number of machines that aren't being patched because they are running unmaintained versions of FreeBSD. With the current approach, the sysadmin is aware that particular machines need to be updated to a newer version. If everything is automatic, the sysadmin will probably forget.

Finally, it only takes one security failure in the update process for someone undesirable to "own" all the FreeBSD machines that have been left in this default mode. Despite the best efforts of FreeBSD developers, FreeBSD will always contain bugs and some of them will be security holes. Any automatic update process needs to balance the benefits of reducing the number of unpatched boxes against the risks of the update system being subverted.

-- 
Peter Jeremy
On May 22, 2006, at 12:38 AM, Brent Casavant wrote:

> So, in short, that's why *I* rarely update ports for security reasons.

Another valid reason is configuration management. We run web services, and in order to ensure nothing breaks, we have to use a fixed set of code. Upgrading any piece of that requires many steps, including verifying functionality and checking for regressions, etc. Basically we have to run our full regression tests on any changes, then roll them out in a controlled fashion minimizing down time.
Peter Jeremy wrote:

> One of the major problems with unattended/automatic updating is that it is hard to filter them.

It's hard to make a good case for automatic updates when manual updates are so easy. The main area this could be improved on would be in a daily report, emailed to root, detailing which installed ports are out of date. We do this with a shell script <http://www.roble.com/docs/cvsup-ports-rep>.

One issue with identifying out-of-date installed ports is the port-version number. We usually ignore port-version-only updates because it's difficult to tell what was changed and few changes aren't detailed in /usr/ports/UPDATING. Another issue has to do with policy regarding -release, -rc, -alpha versioning. Too many ports maintainers think nothing of using -pre-release versions that are usually not appropriate on -release systems.

All that said FreeBSD's ports are still the reference implementation, head-and-shoulders better than up2date, yum, rpm, apt-get, or anything else out there.

-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
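The filtering the report above describes, as an added example that is not Roger Marquis's cvsup-ports-rep script nor any other code from this thread: a POSIX sh classifier that splits FreeBSD package versions into upstream version, PORTREVISION and PORTEPOCH, and separates PORTREVISION-only bumps (the ones the policy above skips) from real upstream updates. The "origin installed index" input format, the constructed sample data and the rc/alpha/beta/pre pre-release heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify installed port versions against INDEX versions so a
# daily report can skip PORTREVISION-only bumps.  Not the cvsup-ports-rep script.
# Input lines (constructed format, not INDEX syntax): "<origin> <installed> <index>"

# Split "1.2.3_4,5" into "1.2.3 4 5": upstream version, PORTREVISION, PORTEPOCH.
split_version() {
    v=$1; rev=0; epoch=0
    case $v in *,*) epoch=${v##*,}; v=${v%,*};; esac
    case $v in *_*) rev=${v##*_}; v=${v%_*};; esac
    printf '%s %s %s\n' "$v" "$rev" "$epoch"
}

# Compare two dot-separated version strings; prints -1, 0 or 1.  expr(1) compares
# all-digit components as integers (so 1.9 < 1.10) and anything else as strings;
# a missing component counts as 0 (so 1.0 < 1.0.1).  A simplification, not pkg_version -t.
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
        [ -n "$ac" ] || ac=0; [ -n "$bc" ] || bc=0
        if [ "$(expr "$ac" \< "$bc")" = 1 ]; then printf '%s\n' -1; return; fi
        if [ "$(expr "$ac" \> "$bc")" = 1 ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Heuristic (an assumption, not a ports rule): an index version carrying an
# rc/alpha/beta/pre tag is flagged for review instead of being treated as a plain update.
is_prerelease() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in *rc*|*alpha*|*beta*|*pre*) return 0;; esac
    return 1
}

# classify <installed> <index>: prints current, newer-than-index,
# portrevision-only, prerelease-update or upstream-update.
classify() {
    set -- $(split_version "$1") $(split_version "$2")
    iv=$1; ir=$2; ie=$3; xv=$4; xr=$5; xe=$6
    # pkg_version ordering: PORTEPOCH first, then version, then PORTREVISION.
    if [ "$ie" -ne "$xe" ]; then
        if [ "$ie" -gt "$xe" ]; then order=1; else order=-1; fi
    else
        order=$(cmp_dotted "$iv" "$xv")
        if [ "$order" = 0 ] && [ "$ir" -ne "$xr" ]; then
            if [ "$ir" -gt "$xr" ]; then order=1; else order=-1; fi
        fi
    fi
    case $order in
        0) echo current;;
        1) echo newer-than-index;;
        *) if [ "$iv" = "$xv" ]; then echo portrevision-only
           elif is_prerelease "$xv"; then echo prerelease-update
           else echo upstream-update; fi;;
    esac
}

# Read "<origin> <installed> <index>" lines on stdin; print one classified line per port.
report() {
    while read -r origin inst idx; do
        case $origin in ''|\#*) continue;; esac
        printf '%-20s %-12s %-12s %s\n' "$origin" "$inst" "$idx" "$(classify "$inst" "$idx")"
    done
}

# Constructed sample data (not from a real INDEX); run stand-alone to see the report.
printf '%s\n' 'lang/perl5.8 5.8.8 5.8.8' 'www/apache22 2.2.0_3 2.2.0_4' \
    'security/openssl 0.9.8a_1 0.9.8b' 'mail/postfix 2.2.10 2.3.rc1' \
    'devel/gettext 0.14.5_2 0.14.5_2,1' | report
```

Feeding it real data means producing the three columns from the installed package database and the ports INDEX yourself; the script only does the classification.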