Keeping Up with Unix's Critical Hacks
January 11, 2011
Migrating away from a boutique environment like MPE/iX opens fresh doors to the world of IT for some sites. But for everyone who embraces industry-common platforms like Unix, a new level of scrutiny must accompany a migration.
Over the four weeks that ended 2010, HP released eight alerts about security breaches for HP's Unix servers, including the newer Integrity servers. Security alerts from HP usually describe Denial of Service attacks (which bring a server down by making it unavailable) or hacks for illegal access to data. The four weeks were a tough period for the OS, one that kept HP busy revising HP-UX 11i.
Unix on every platform has foundation programs, and it seemed nearly every one was targeted for a breach by the end of the year. HP posted security patch bulletins for the Samba file server, OpenSSL, threaded processes running in HP-UX, poisoning of the DNS nameserver cache, and two separate bulletins each for the Apache server and Java.
There's so much security work to be managed after choosing HP-UX that the vendor's deployed an automated security bulletin checker, the HP-UX Software Assistant (which replaced the HP-UX Security Patch Check). "It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system," HP explains. "It can also download patches and create a depot automatically."
The best security case for a site migrating to HP-UX is to be able to transfer 3000 application data to an existing app in the company -- on a server which is already secured and managed by Unix administrators.
That particular 3000 manager's quest, until the migration, is to find the best way to store the data from the 3000 for transfer to an Oracle database, a data platform usually hosted on HP's Unix servers by Hewlett-Packard customers. The security of the new platform, in a case such as that one, can be left in the hands of the Unix admins who've been protecting the Integrity servers up to now.
Of course, if your IT shop is small enough that you or your staff will be coming up to speed with Unix security admin skills, that's another set of lessons. You can review the HP-UX security bulletins which the Software Assistant will analyze by visiting HP's archive of HP-UX security bulletins. The good news is that HP only issued 28 such Security Bulletins during 2010 for its enterprise alternative to the 3000's MPE/iX.
HP's stopped tracking security breaches for the 3000, judging by the appearance of the MPE/iX Security Alert Archive. Only one was issued for all of 2009, a January DNS breach that HP wouldn't fix (the lab was closed by that time). "The resolution is to discontinue the use of BIND/iX and migrate DNS services to another platform," HP said.
Of course, the MPE/iX security bulletins listed don't expose any 7.0 or 7.5 releases. That's the double-edged sword of working with non-standard file system implementations of stock tools such as Samba, sendmail and Apache. They're out of date, but they don't need to be patched for security.