wiki:HowTo/ManageCustomImages

Version 13 (modified by lnevers@bbn.com, 8 years ago)


Managing GENI Custom Images

Users in GENI have the ability to create image snapshots known as "custom images". This feature exists to facilitate running experiments, but as with any OS image there are associated administrative tasks that must take place, such as:

  • monitoring security alerts and installing the updates required to block attacks;
  • cleaning up bad, duplicate, or old images on GENI racks.

This page outlines guidelines on how image maintainers can find out about new attacks and take appropriate steps. Also covered are maintenance guidelines and procedures for cleaning up obsolete and bad images.

Security Alert Handling

GENI Custom Image maintainers should subscribe to the appropriate security mailing lists, or otherwise receive alerts, for the operating systems used to create the custom images. This function was initially owned by the GPO. The goal is to have several ways to learn about a vulnerability once it is disclosed, find the resolution, and apply it to the affected custom images.

Security Alerts Sources

In GENI there are mostly CentOS or Ubuntu images. Both have security notices available at:

Additionally, you may subscribe to or review the Ubuntu and CentOS security mailing lists. These lists are very low traffic and fairly easy to digest:

Ubuntu list: ubuntu-security-announce@lists.ubuntu.com
  to subscribe: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
  to review threads: https://lists.ubuntu.com/archives/ubuntu-security-announce/
CentOS list: centos-announce@centos.org
  to subscribe: https://lists.centos.org/mailman/listinfo/centos-announce
  to review threads: https://lists.centos.org/pipermail/centos-announce/

As an example vulnerability announcement, here are the emails from both the Ubuntu and CentOS security lists regarding the libc vulnerability announced in February 2016:

CentOS: https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html
Ubuntu: https://lists.ubuntu.com/archives/ubuntu-security-announce/2016-February/003305.html

Of note, these emails are only sent after a fix has been posted. How does one know there is a problem in the first place? If it is a big enough deal, Slashdot or other news sites will cover it. In most cases the OS vendors release patches the same day the bug is publicly announced, because they coordinate among themselves and with the upstream developers; that was the case with the libc bug in February 2016.

So how do we confirm that our images are affected if there is no patch immediately available? There will probably be an article on Slashdot or other news outlets, which may in turn link to the vendor's page.

If you are interested in an ongoing vulnerability that you can reference, see here, where you can click on "diagnose" and download a script to check whether you are affected, or find mitigation steps.

Once you have identified a package that is affected, you need to check whether you have that package installed and compare its version to the affected versions. Remember that there are various factors to consider depending on the bug: it may be package specific, or it may be OS version specific (CentOS 5 is affected but not 6, or Ubuntu 12.04 is affected but not 14.04). As an example, the libc vulnerability was addressed under different package names: the Ubuntu package is called libc6 and the CentOS package is called glibc, and to check the installed version the following instructions were given:

CentOS: # yum info glibc
Ubuntu: # dpkg -s libc6
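
A concrete way to carry out that version check against an advisory, as an added example that is not part of this wiki page or of the GENI tooling: it parses the output of the two commands above (constructed samples stand in for live output), compares the installed version with the "fixed in" version from the advisory using a simplified dpkg/rpm-style comparison, and reports whether the image still needs the update. The fixed-version values and the sample output below are placeholders; take the real fixed version from the advisory for the bug at hand.

```python
"""Check whether an installed package is older than the fixed version
named in a security advisory (libc6 on Ubuntu, glibc on CentOS).

Added example, not part of the GENI wiki page or its tooling. The sample
command output and the fixed versions below are constructed placeholders;
take the real fixed version from the advisory for the bug at hand.
"""
import re
import subprocess

# Per OS: the affected package name and the command that reports the
# installed version (the same commands the advisories point to).
PACKAGE_QUERY = {
    "ubuntu": ("libc6", ["dpkg", "-s", "libc6"]),
    "centos": ("glibc", ["yum", "info", "glibc"]),
}


def parse_dpkg_status(text):
    """Return the Version: field of `dpkg -s <pkg>` output, or None."""
    m = re.search(r"^Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_yum_info(text):
    """Return '<Version>-<Release>' for the *installed* package from
    `yum info <pkg>` output, or None if only an available package is listed."""
    installed = text.split("Available Packages")[0]
    if "Installed Packages" not in installed:
        return None
    ver = re.search(r"^Version\s*:\s*(\S+)", installed, re.MULTILINE)
    rel = re.search(r"^Release\s*:\s*(\S+)", installed, re.MULTILINE)
    return f"{ver.group(1)}-{rel.group(1)}" if ver and rel else None


def _tokens(version):
    # "2.19-0ubuntu6.7" -> [2, 19, 0, "ubuntu", 6, 7]; numeric runs become ints
    return [int(t) if t.isdigit() else t
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def version_lt(a, b):
    """True if version a is older than b. Simplified dpkg/rpm-style rule:
    numeric runs compare as integers, other runs as strings, and a version
    that is a prefix of the other is older. Not the full dpkg/rpm algorithm
    (no epoch or '~' handling); enough for one-off advisory checks."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return x < y
        return str(x) < str(y)
    return len(ta) < len(tb)


def check_package(os_name, query_output, fixed_version):
    """Return True if the installed package is older than fixed_version,
    False if it is at or past the fix, None if it is not installed."""
    parser = parse_dpkg_status if os_name == "ubuntu" else parse_yum_info
    installed = parser(query_output)
    if installed is None:
        return None
    return version_lt(installed, fixed_version)


def query_installed(os_name):
    """Run the OS's package query on a live image (assumes dpkg or yum is
    on PATH) and return its stdout. Not exercised by the constructed samples."""
    _, cmd = PACKAGE_QUERY[os_name]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample output, shaped like `dpkg -s libc6` and `yum info glibc`.
UBUNTU_SAMPLE = """\
Package: libc6
Status: install ok installed
Priority: required
Version: 2.19-0ubuntu6.6
Description: GNU C Library: Shared libraries
"""

CENTOS_SAMPLE = """\
Loaded plugins: fastestmirror
Installed Packages
Name        : glibc
Arch        : x86_64
Version     : 2.17
Release     : 105.el7
Repo        : installed
"""

CENTOS_NOT_INSTALLED = """\
Loaded plugins: fastestmirror
Available Packages
Name        : glibc
Version     : 2.17
Release     : 106.el7_2.4
"""

# Placeholder "fixed in" versions; replace with the ones from the advisory.
FIXED = {"ubuntu": "2.19-0ubuntu6.7", "centos": "2.17-106.el7_2.4"}

if __name__ == "__main__":
    for os_name, sample in (("ubuntu", UBUNTU_SAMPLE), ("centos", CENTOS_SAMPLE)):
        print(os_name, "vulnerable:", check_package(os_name, sample, FIXED[os_name]))
```

On a live image, replace the constructed samples with `query_installed("ubuntu")` or `query_installed("centos")`. A result of None means the package is not installed at all, which is worth recording separately from "patched", since an image that never had the package may still pick it up from a later dependency.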

Managing Images