wiki:HowTo/ManageCustomImages

Version 4 (modified by lnevers@bbn.com, 5 years ago)


Managing Custom Images

Users in GENI have the ability to snapshot a node into an image known as a "custom image". This feature exists to make running experiments easier, but as with any image creation there are administrative tasks that come with it, such as:

  • monitoring security alerts and installing the updates needed to close the vulnerabilities they describe.
  • cleaning up bad, duplicate, or old images on GENI racks.

This page outlines guidelines on how image maintainers can learn of new vulnerabilities (e.g. Heartbleed) and take appropriate steps. Also covered are maintenance guidelines and procedures for cleaning up obsolete and bad images.

Security Alert Handling

GENI custom image maintainers should subscribe to the security mailing lists, or other alert feeds, for the operating systems used to build their custom images. This function was initially owned by the GPO. The goal is to have a reliable way to learn that a vulnerability exists, find the fix, and apply it to each affected custom image.

Security Alerts Sources

Most GENI images are CentOS or Ubuntu. Both have security notices available at:

Additionally, you may subscribe to or review the Ubuntu and CentOS security mailing lists. These lists are very low traffic and fairly easy to digest:

For Ubuntu, the list is ubuntu-security-announce@lists.ubuntu.com. You can subscribe at https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce or review threads at https://lists.ubuntu.com/archives/ubuntu-security-announce/

For CentOS, the list is centos-announce@centos.org. You can subscribe at https://lists.centos.org/mailman/listinfo/centos-announce or review threads at https://lists.centos.org/pipermail/centos-announce/

As an example vulnerability announcement, here are the emails from both the Ubuntu and CentOS security lists regarding the glibc vulnerability announced in February 2016:

https://lists.centos.org/pipermail/centos-announce/2016-February/021668.html

https://lists.ubuntu.com/archives/ubuntu-security-announce/2016-February/003305.html

Of note, these emails are only sent once a fix has been posted. How does one learn that there is a problem in the first place? If it is serious enough, Slashdot or other news sites will cover it.

In most cases the OS vendors release patches the same day the bug is publicly announced, since they coordinate among themselves and with the upstream developers. That was the case with the glibc bug in February.

So how do we confirm that we might be affected if no patch is available yet? There will usually be an article on Slashdot or another news outlet, which may link to a vendor's page.

Here is an ongoing vulnerability you can use as a reference:

https://access.redhat.com/security/vulnerabilities/drown

Click on "Diagnose" and there is a script you can download to check whether you are affected, and possibly some mitigation steps.

Once we have identified the package, we check what we have installed and compare it against the affected versions. Remember that there are various factors to consider depending on the bug: it may be package-specific, or it may be OS-version-specific (CentOS 5 is affected but not 6; Ubuntu 12.04 is affected but not 14.04). As an example, the glibc vulnerability was addressed under different package names: the Ubuntu package is called libc6 and the CentOS package is called glibc. To find the installed version and compare it with the fixed version named in the advisory, the following commands were given:

CentOS: # yum info glibc
Ubuntu: # dpkg -s libc6
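The comparison step is where mistakes happen: Debian package versions are not plain strings (an epoch wins over everything, "~" sorts before the empty string, and 6.10 is newer than 6.9). The following script is an added example, not code from this page or from GENI: it reproduces dpkg's ordering rules in Python, pulls the Version field out of `dpkg -s` output, and reports whether the installed libc6 predates the fix. The `dpkg -s` text is constructed, and the fixed version 2.19-0ubuntu6.7 is used only as an illustrative value for the February 2016 libc6 update on Ubuntu 14.04; take the real value from the USN you are acting on.

```python
"""Compare an installed Debian/Ubuntu package version with the fixed
version named in a security notice, using dpkg's ordering rules:
epoch, then upstream version, then Debian revision; within each part,
non-digit runs compare by character weight and digit runs numerically.

Added example for the GENI custom-image page; not GENI code. The sample
dpkg -s output is constructed and the fixed version is illustrative.
"""


def _order(c):
    # Weight of one character in a non-digit run, as in dpkg: '~' sorts
    # before everything (even end of string, which weighs 0), digits weigh 0,
    # letters by code point, any other symbol after all letters.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is larger,
        # otherwise compare the equal-length digit strings.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        da, db = a[sa:i], b[sb:j]
        if len(da) != len(db):
            return -1 if len(da) < len(db) else 1
        if da != db:
            return -1 if da < db else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def deb_compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def installed_version(dpkg_s_output):
    """Version: field from `dpkg -s <pkg>`; None unless the package is installed."""
    fields = {}
    for line in dpkg_s_output.splitlines():
        if ":" in line and not line.startswith(" "):  # skip folded lines
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if fields.get("Status", "").split()[-1:] != ["installed"]:
        return None
    return fields.get("Version")


def is_vulnerable(installed, fixed):
    """True when the installed version predates the fixed version."""
    return deb_compare(installed, fixed) < 0


# Constructed sample of `dpkg -s libc6` on an unpatched Ubuntu 14.04 image.
SAMPLE_DPKG_S = """\
Package: libc6
Status: install ok installed
Priority: required
Section: libs
Architecture: amd64
Source: eglibc
Version: 2.19-0ubuntu6.6
Description: Embedded GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs
"""

# Illustrative fixed version (assumed here) for the February 2016 libc6 update
# on Ubuntu 14.04; take the real value from the USN you are acting on.
FIXED_LIBC6_TRUSTY = "2.19-0ubuntu6.7"


def check_sample():
    """Return (installed version, needs-update flag) for the sample image."""
    version = installed_version(SAMPLE_DPKG_S)
    return version, is_vulnerable(version, FIXED_LIBC6_TRUSTY)


if __name__ == "__main__":
    version, vuln = check_sample()
    print("libc6 %s: %s" % (version, "UPDATE NEEDED" if vuln else "ok"))
```

On a live image you would feed `dpkg -s libc6` output into `installed_version()`; on CentOS the equivalent is `rpm -q glibc` (or the `yum info glibc` above), but RPM uses its own comparison (rpmvercmp), so do not reuse `deb_compare` for those versions.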