Re: patch validation

2006-05-03 Thread Bob Beck
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2006-05-02 20:07]:
> yea. i'll keep that in mind.  too bad it doesn't work in an audit.

(Ahem) horseshit. If you as your regular business practice
set up a procedure that the admins keep notes on a system and document
whenever fixes are applied (try a tool such as plod), and that you have
a documented process saying that this is what you do, it will work
absolutely fine in an audit.

If you just decide to keep a piece of paper in your desk, or
some shitty little file in your homedir that nobody knows about, 
and only you do it, and it's not documented as part of your process
anywhere, it will not work as part of an audit.

-Bob



Re: patch validation

2006-05-02 Thread Nick Guenther

On 5/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> I brought up a 3.9 server and have patched it with the sendmail patch.  My
> question is how does one prove that the box has been patched in 2, 3 or 4 months?
> TIA
> Mike



Keep notes?



Re: patch validation

2006-05-02 Thread Ioan Nemes
Nick Guenther [EMAIL PROTECTED] 03/05/2006 09:07:35 am
> On 5/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > I brought up a 3.9 server and have patched it with the sendmail
> > patch.  My question is how does one prove that the box has been patched
> > in 2, 3 or 4 months?
> > TIA
> > Mike
>
> Keep notes?

You want a stupid answer to a stupid question?

Ioan



Re: patch validation

2006-05-02 Thread Claus Assmann
On Tue, May 02, 2006, [EMAIL PROTECTED] wrote:
> I brought up a 3.9 server and have patched it with the sendmail
> patch.  My question is how does one prove that the box has been
> patched in 2, 3 or 4 months?

Check the version:

-char   Version[] = 8.13.4;
+char   Version[] = 8.13.5.20060308;

sendmail -bt -d0.4 < /dev/null



Re: patch validation

2006-05-02 Thread Michael Erdely

[EMAIL PROTECTED] wrote:

> > Keep notes?
> yea. i'll keep that in mind.  too bad it doesn't work in an audit.

Come on... official change logs are a good thing to keep for all servers.

But, you didn't give any information about how the patch was applied.

Assuming from local source... when you go to apply the patch again,
it'll ask if you're trying to reverse the patch.

If it does that but you can't be sure it had been compiled and/or
installed, compile and install again if you're that paranoid.


-ME

--
http://erdelynet.com/
Support OpenBSD: http://www.openbsd.org/orders.html



Re: patch validation

2006-05-02 Thread Nick Holland

[EMAIL PROTECTED] wrote:
> yea. i'll keep that in mind.  too bad it doesn't work in an audit.
>
> seriously,  is there anything that
> a) can be queried against?

sometimes

> b) compared against?

sometimes

> c) hashes of files?

don't count on it.

> d) etc?

yes.

Seriously, tell us what your criteria are on the first question, then.

The nature of a patch is usually that it changes the absolute minimum
required to fix the problem.  That usually involves no version number
changes.  Some things embed the compile time in the binary, so hashes
are useless for this.


Still...how about a nice, simple ls -l?

For example:
Patch is released on Mar 25, 2006.
Look at your binary's date.  If your binary is dated May 2. 2006,
either it has the patch or your process is broken.  Why would you
build if you haven't recently updated the code (if that's your
purpose).  If it is dated Mar 24, 2006, it probably isn't patched.

Seems pretty simple to me.
If you are running on a VAX or mac68k, add the number of days it takes
you to do a build.

Nick.



Re: patch validation

2006-05-02 Thread Philip Guenther

On 5/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> yea. i'll keep that in mind.  too bad it doesn't work in an audit.

Since you didn't state the requirements of the audit, it's not
surprising that the answers don't satisfy that.

> seriously,  is there anything that
> a) can be queried against?
> b) compared against?
> c) hashes of files?
> d) etc?


You still don't say what you're trying to verify.  If you're trying to
prove that a given binary was built from patched source, you should
build the binary you'll use and take a cryptographic hash of it (say,
using the 'sha1' command) and write down the hash somewhere
unalterable (CDROM?  Paper in a safe?  Lithograph on your wall?).  You
can then verify whether that *EXACT* binary is still in use by taking
the hash again and comparing against your earlier copy.  But that's
*not* the same as asking whether a patched binary is in use.

Note that the binary you build might not have the same hash as one
built on another system; the path of your build tree is included in
the ELF bits of the binary, as may other pieces of information...


Philip Guenther
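The two checks proposed in this thread, Nick Holland's "is the binary newer than the patch release date" sanity check and Philip Guenther's "hash the binary you built and compare later" baseline, as an added example that is not code from any of the posters. It assumes a sha1 (OpenBSD) or sha1sum (GNU) command and a shell whose test builtin supports -nt (ksh, bash, dash); SHA-1 is kept only to match the thread, a current baseline should use sha256.

```shell
#!/bin/sh
# Added example, not code from the thread. Baseline the hashes of binaries built
# from patched source, verify them later, and apply the "binary newer than the
# patch release date" heuristic. Assumes sha1/sha1sum and a shell with -nt.

# Use whichever SHA-1 tool the host has (OpenBSD: sha1 -r; GNU: sha1sum).
hash_file() {
    [ -f "$1" ] || return 1
    if command -v sha1 >/dev/null 2>&1; then
        sha1 -r "$1" | cut -d' ' -f1
    else
        sha1sum "$1" | cut -d' ' -f1
    fi
}

# record_baseline FILE... : prints "hash path" lines; store the output somewhere
# you cannot quietly alter later (paper, write-once media).
record_baseline() {
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# verify_baseline BASELINE : 0 if every recorded file still matches, 1 otherwise.
# A mismatch proves only that this is not the binary you recorded, not that it
# is unpatched; a rebuild (different build path, compile time) also changes it.
verify_baseline() {
    status=0
    while read -r recorded path; do
        if ! current=$(hash_file "$path" 2>/dev/null); then
            echo "MISSING  $path"; status=1; continue
        fi
        if [ "$current" = "$recorded" ]; then
            echo "OK       $path"
        else
            echo "CHANGED  $path"; status=1
        fi
    done < "$1"
    return "$status"
}

# newer_than_patch FILE YYYY-MM-DD : 0 if FILE's mtime is after the patch release
# date, 1 otherwise. Heuristic only: a rebuild from unpatched source also passes.
newer_than_patch() {
    ref=$(mktemp) || return 2
    touch -t "$(printf '%s' "$2" | sed 's/-//g')0000" "$ref"
    if [ "$1" -nt "$ref" ]; then result=0; else result=1; fi
    rm -f "$ref"
    return "$result"
}
```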



Re: patch validation

2006-05-02 Thread Eric Furman
--- [EMAIL PROTECTED] wrote:

> yea. i'll keep that in mind.  too bad it doesn't work
> in an audit.
>
> seriously,  is there anything that
> a) can be queried against?
> b) compared against?
> c) hashes of files?
> d) etc?
>
> is it something others have concerns about?
> M
>
> > Ioan Nemes [EMAIL PROTECTED] wrote:
> > > Nick Guenther [EMAIL PROTECTED] 03/05/2006 09:07:35 am
> > > On 5/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > > > I brought up a 3.9 server and have patched it with the sendmail
> > > > patch.  My question is how does one prove that the box has been patched
> > > > in 2, 3 or 4 months?

Are you looking for a patch administration
command sort of like Solaris's pkgparam or
patchadd? I could be wrong, but I don't think
OBSD has anything like that.

Sorry I could not be more helpful.