Hi All,
I will try to answer some of your questions about the OSCT Pakiti server.
As far as I can remember I mentioned Pakiti as early as March 2009, if not
earlier. I gave an update to dteam after the OSCT face-to-face meeting (in March)
and also mentioned it in various situations after that. But at that time Pakiti
was still at a very early stage. On 1st July 2009 I again talked about Pakiti in
my presentation at the UK security workshop. By then, the Pakiti server was still not
deployed. The Pakiti server was only recently set up (a few weeks ago).
So how does it work? The Pakiti test is part of the SAM tests; like the other SAM tests,
it is a regular job running on your WNs. It collects information on all
installed packages and ships it back to the Pakiti server, where the server
compares it with a list of the latest packages and flags any CVE
vulnerabilities. For more information, please refer to the Pakiti website
http://pakiti.sourceforge.net/.
Note, the test is non-intrusive; anyone who can run a job at your site can
collect this information.
Another note: Pakiti 2.0 is different from the previous versions, which have been
used by some sites. The previous version, called yumit, required root privileges
to run the client code.
The results of the Pakiti runs by OSCT are encrypted and only authorized users
(members of OSCT) can view the content. There is no way to open it (the OSCT
Pakiti server) to all site admins. If you want to know your patching status you
should set up your own Pakiti server to monitor your site. Frankly speaking,
you should have done so a long time ago.
About the false positives: the OSCT Pakiti server is monitoring all EGEE sites and
it is understandable if there are a few false positives. And that is the
reason why I immediately followed up with the UK sites flagged as vulnerable. RAL
Tier1 is probably the first victim of false positives. The developers will fix the
problem if they are made aware of it.
I am not sure if some of you have strong feelings against OSCT patch
monitoring, or the way the whole thing was handled?
I do not have inside knowledge of how the EGEE PMB made the decision; I simply
passed it on to all GridPP sites. But I am glad that the EGEE PMB and also the GridPP PMB
took security issues very seriously. Well, how to enforce the PMB decision is a
separate issue.
Cheers,
Mingchao
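As an added illustration of the client/server comparison described in the message above (this is example code written for this page, not Pakiti's own client or server code), the following script shows the two halves of a Pakiti-style patch check: a client that parses an `rpm -qa`-style listing of installed packages, and a server-side check that compares each installed epoch:version-release against an advisory list of fixed versions using rpm's version-ordering rules and flags anything older, together with its CVEs. The package listing, the advisory feed and the CVE identifiers are all constructed placeholders, not real advisories; the version comparison is a simplified rpmvercmp (no tilde/caret handling). The sudo entry shows why ordering matters: a plain string comparison would rank release 9.el5 above 10.el5 and report a false positive, while rpm ordering does not.

```python
"""Toy Pakiti-style patch check (added example, not Pakiti's own code).

Client side: collect installed packages (a constructed `rpm -qa` listing
stands in for running rpm). Server side: compare each installed NEVR against
the advisory's fixed NEVR and flag packages that are older, naming the CVEs.
"""
import re

# Constructed stand-in for:
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
INSTALLED_LISTING = """\
openssl 0:0.9.8e-12.el5
kernel 0:2.6.18-128.el5
bind 30:9.3.6-4.P1.el5
httpd 0:2.2.3-22.el5
sudo 0:1.6.9p17-10.el5
"""

# Constructed advisory feed: package -> (fixed NEVR, CVE ids).
# Versions and CVE identifiers are placeholders, not real advisories.
ADVISORIES = {
    "openssl": ("0:0.9.8e-12.el5_4.1", ["CVE-0000-0001"]),
    "kernel": ("0:2.6.18-164.el5", ["CVE-0000-0002", "CVE-0000-0003"]),
    "bind": ("30:9.3.6-4.P1.el5", ["CVE-0000-0004"]),
    "sudo": ("0:1.6.9p17-9.el5", ["CVE-0000-0005"]),  # installed 10.el5 is newer
}


def _segments(s):
    """Split a version string into digit and alpha runs, as rpm does."""
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.

    Segments are compared pairwise; numeric against numeric compares as
    integers, alpha against alpha lexically, and a numeric segment is newer
    than an alpha one. If all shared segments match, the longer string wins.
    """
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_nevr(nevr):
    """'epoch:version-release' -> (int epoch, version, release); epoch defaults to 0."""
    epoch, rest = nevr.split(":", 1) if ":" in nevr else ("0", nevr)
    version, release = rest.rsplit("-", 1)
    return int(epoch), version, release


def evr_cmp(a, b):
    """Order two NEVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_nevr(a)
    eb, vb, rb = parse_nevr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def collect_installed(listing=INSTALLED_LISTING):
    """Client side: parse the package listing into {name: nevr}."""
    pkgs = {}
    for line in listing.splitlines():
        if line.strip():
            name, nevr = line.split()
            pkgs[name] = nevr
    return pkgs


def check_vulnerabilities(installed, advisories=ADVISORIES):
    """Server side: return [(name, installed, fixed, cves)] for every package
    whose installed NEVR is older than the advisory's fixed NEVR."""
    flagged = []
    for name, nevr in sorted(installed.items()):
        if name not in advisories:
            continue  # no advisory for this package
        fixed, cves = advisories[name]
        if evr_cmp(nevr, fixed) < 0:
            flagged.append((name, nevr, fixed, cves))
    return flagged


if __name__ == "__main__":
    for name, have, fixed, cves in check_vulnerabilities(collect_installed()):
        print(f"{name}: installed {have} < fixed {fixed} -> {', '.join(cves)}")
```

On the constructed input this flags kernel and openssl only: bind is exactly at the fixed version, httpd has no advisory, and sudo is newer than its fix. Note that this is the same property the message warns about: the check sees only the version strings reported from the WN, so an advisory list that does not track a distribution's backported fixes will produce false positives until the advisory data is corrected.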