AIX, Security and the Basics

February 27, 2018

Are you patchable, and will efixes help you?

This year I have been much more active with assisting clients to get their systems secured. Securing systems begins with the basics. Administrators know this—but does the business know their risks when admins cannot do their part?
 
Quick Check: The Basics
 
Do You Have a Support Contract?
Everyone answers in the affirmative. However, two areas where things still might go wrong are that the contract hasn’t been (recently) renewed, or the OS is not at a TL level that’s still supported. The former is easy to resolve—even if it’s a system that is being phased out (e.g., when a new system was purchased and was recently installed and has the support contract, but migration is taking longer than planned).
 
OS Release and TL Level Past Support
The situation I see frequently is that the OS TL level is past support. Again, there are different ways to resolve this: a) see if an extended service contract is possible for an older level (this means a new contract), or b) update to the latest level. The above seems extremely logical, but I’m running into security concerns with clients, especially when the OS level is no longer supported. There are no patches!
 
 Fig1.jpg
 
The figure above shows that this year, to date, there have been four security-related efixes announced. When you read the details, you’ll see some AIX 5.3 TL12 in them, as well as some AIX 6.1—but only AIX 6.1 TL9. These fixes aren’t intended for AIX 6.1 TL0 through AIX 6.1 TL8 (or for unsupported TLs of AIX 7.1). In other words, unsupported versions and/or TL levels of AIX aren’t getting security efixes.
 
ATTENTION: AIX 6.1 regular support ended 30 April 2017. AIX 6.1 support is only available with an extended support contract! See related links below.
 
Message to the Business
BOTTOM LINE: there are many excuses given for why a system is not at the latest TL level. And the reasons given are most often something along the lines of “the business won’t give us the window to patch.” (If that’s not your reason I tend to say, “shame on you!”)

“Planned Maintenance” or “Cleanup and Uncertainty?”
There’s a cost to security. But what is going to be the primary factor in your cost calculation: planned maintenance or cleanup after a breach? (Statistically, two years after a serious security breach, 50 percent of affected companies no longer exist.)
 
I offer this reminder for the business: planned downtime is much easier to arrange than dealing with an unplanned or rushed outage because of a security breach within the “enterprise”. And then there is the uncertainty: did we get it all cleaned up in time? What did we lose?
 
Secure systems are no longer a “nice to have”. Once the outer layer is breached, internal systems become the staging area and core servers are the (new) target. After all, that is where the money (information) is. “Hackers” acquire and sell information. Are they selling yours?
 
Current Supported Levels: Where do you Stand?
FYI: Here’s the AIX supported level diagram (last updated with the TLSP releases in October 2017, courtesy of IBM FixCentral; see http://www14.software.ibm.com/webapp/set2/sas/f/genunix3/AIXcurrent.jpg for the latest version).

Check out the related links for the latest info. 
 

Fig2.jpg
Related links:
 
