[Info-vax] New VSI Roadmap (yipee!)

JF Mezei jfmezei.spamnot at vaxination.ca
Sun Mar 1 14:24:38 EST 2015


On 15-03-01 12:26, Kerry Main wrote:

> Simon - not sure if you work in a med-large Operations shop, but when 
> you have hundreds+ of OS instances to harden, someone has to review 
> these large number of security patches every month and match them
> against those hundreds of OS instances. 

A good system manager knows what is on its systems.  And a good system
manager knows how to work upper management when exceptions are required.

Here is an example:

New decserver delivered. The telecom dept (their turf) physically mounts
the decserver, plugs in the ethernet and starts the RS232 cables between
each port and their serial network controller.

I am asked to submit the plan, dates, and rollback for the
configuration of ports, and the plan, dates and rollback for the enabling of ports.

(On the IBM mainframes, adding a terminal required a deep-down reconfig of
the OS, so they were batched together, and enabling was done on Saturday night to
minimize any problems.)

My response: if you insist on keeping the ports unconfigured and disabled,
you must have an emergency change committee meeting to grant me the right to
immediately change the decserver to disable the ports, because those ports
are autoconfigured and autoenabled; it works right out of the box.

It took a while for me to convince the change management folks that the
DEC/VMS environment was different from IBM and couldn't be managed the
same way, but it did happen.

And when I would come and tell them that such and such a change did
require a reboot or had potential stability issues, they believed me.



Back to security:

If management knows you have a good grasp on your systems and what they
run, they will trust your judgement when you state "this new patch does
not affect any software we use, we can wait to install it when other
patches come in" or "this is an urgent patch, we are seriously
vulnerable, we need to shut down our web server until the patch is
installed".

Case in point: the government of Canada shut down all its https servers
when that TLS bug was found some time ago, and each server was re-enabled
as the patch was installed.
