
How to Handle the Remediation of Security Vulnerabilities

2025-03-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In most enterprises there is no dedicated information security department or security engineer, so responsibility for fixing security vulnerabilities falls to the engineers of the operations and maintenance department. When you receive a security assessment report, how should you handle the remediation of the vulnerabilities it lists?

First, clarify the type of risk and determine its level. By type, risks fall into network services, systems, applications, middleware, and databases; by level, they fall into high, medium, and low. Doing this step well is very important: it lets you organize your thinking and work toward clear targets instead of trying to tackle everything at once. Give priority to high-risk vulnerabilities, handle medium-risk vulnerabilities as appropriate according to their security impact and customer requirements, and low-risk vulnerabilities can be appropriately ignored.

Second, report the situation, coordinate time and people, and plan the implementation. Because vulnerability fixes and the related version upgrades affect production applications and internal and external services, you need to report the situation and the possible risks to your superiors and obtain their approval and support. Then draw up a detailed plan, issue it to the relevant personnel, arrange a suitable time window, and inform all departments so that they can coordinate and cooperate.

Finally, prepare a contingency plan and give timely feedback. Minor problems and accidents often occur during upgrades and patching, so it is important to prepare a plan that anticipates the problems that may arise and how to solve them, so as to avoid mistakes. Timely feedback throughout the whole process is also very important: it keeps information flowing and helps everyone act together.

Whether you are fixing security vulnerabilities or upgrading versions, it is important to make backups and contingency plans in advance. Keep in mind "safety first" and "prevent problems before they happen"; this is not only a mark of professionalism but also a matter of professional ethics.

Example of an application patch security upgrade scenario:

Preliminary analysis

General scanning and analysis tools list specific vulnerability names and risk levels, and each vulnerability can usually be expanded to show its detailed information and solution. The picture below is the vulnerability detail view given by Green League (NSFOCUS).

Note the parts underlined in red in the picture: the vulnerability description states which versions are affected, and the solution below it gives the patch download information. Generally speaking, if you have found multiple vulnerabilities in one piece of application middleware, you do not need to fix them one by one. Consider an appropriate version upgrade instead; for example, an installation on version 7.0 can be upgraded to the highest level within version 7.0. A cross-version upgrade needs careful testing and is generally not rushed in a real environment, because its impact and risk are both large. After upgrading to a given level, the remaining vulnerabilities can be fixed individually. In this case, after discussion, the plan was to upgrade to the highest level within version 7.0 and apply single fixes for the other individual vulnerabilities.

I. Application backup

Before backing up, check whether the relevant file systems need to be expanded (mainly to ensure that there is enough space), so that both the backup and the software installation succeed.

Back up the existing environment, mainly the software installation directory and the related configuration files:

tar -cvf /backup/was.20130924.tar /usr/was/WebSphere/AppServer

tar -cvf /backup/http.20130924.tar /usr/was/HttpServer

II. Software and patch installation

Note: WAS software and patches are installed as the wasuser user; root is required for IHS.

Upload the patch or new version to the appropriate machine and set the correct owner and permissions.

WS-UPDI-AixPPC64.tar.gz

WS-IHS-AixPPC64-FP0000045.pak

WS-PLG-AixPPC64-FP0000045.pak

WS-WAS-AixPPC64-FP0000045.pak

Set the correct ownership and permissions

chown wasuser:wasgroup WS-UPDI-AixPPC64.tar.gz

chmod 644 WS-UPDI-AixPPC64.tar.gz

III. Stop the WAS and HTTP services

The application cannot be accessed or used during this period.

Stop WAS

cd /usr/was/WebSphere/AppServer/profiles/Server1/bin

./stopServer.sh xxx -user wasadmin -password *

./stopNode.sh -user wasadmin -password *

su - wasuser

cd /usr/was/WebSphere/AppServer/profiles/Dmgr01/bin

./stopManager.sh -user wasadmin -password *

Stop HTTPServer

/usr/was/HttpServer/adminctl stop

/usr/was/HttpServer/apachectl stop

IV. Software installation

Install the upgrade or patch on the appropriate machine, then start the WAS and HTTP services on that machine.

Install WAS UpdateInstaller on the appropriate host

Copy the patch file to /usr/was/WebSphere/AppServer

gunzip WS-UPDI-AixPPC64.tar.gz

tar -xvf WS-UPDI-AixPPC64.tar

Install the WAS patch on the host (requires a graphical interface for installation)

cd /usr/was/WebSphere/UpdateInstaller

Run ./update.sh to install, select the directory /usr/IBM/WebSphere, and install the appropriate patch.

Install the HTTP patch on the host (requires a graphical interface for installation)

cd /usr/was/WebSphere/UpdateInstaller

Run ./update.sh to install, select the directory /usr/was/HTTPServer, and install the appropriate patch.

Install the PLUGIN patch on the host (requires a graphical interface for installation)

cd /usr/was/WebSphere/UpdateInstaller

Run ./update.sh to install, select the directory /usr/was/HTTPServer/Plugin, and install the patch.

Start the new version service

/usr/was/HTTPServer/bin/apachectl start

/usr/was/HTTPServer/bin/adminctl start

/usr/was/WebSphere/AppServer/profiles/Dmgr01/bin/startManager.sh

/usr/was/WebSphere/AppServer/profiles/AppServ01/bin/startNode.sh

/usr/was/WebSphere/AppServer/profiles/AppServ01/bin/startServer.sh clserver1

V. Verify that the WAS service is normal

1. Run business queries through the business system to verify that WAS is serving requests normally.

2. Test whether the applications and interfaces are normal.

3. System application check

Test whether individual functions and the system as a whole work normally.

VI. Fallback plan

If service cannot be provided normally after the WAS upgrade, stop the new version of the WAS and HTTP services and restore the original version level from the backup taken before the upgrade.
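The space check before the backup in section I and the restore in this fallback plan can be scripted together. The following is an added example, not part of the original article: the function names are hypothetical, it archives relative paths with `tar -C` instead of the absolute paths used in the article's commands, and the `.cksum` sidecar file is an assumption introduced here.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.

# need_kb DIR: KB used by DIR, roughly what an uncompressed tar will need.
need_kb() { du -sk "$1" | awk '{print $1}'; }

# free_kb DIR: free KB on the file system that holds DIR.
free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# backup_dir SRC ARCHIVE: check space first, then archive and verify.
backup_dir() {
    src=$1; archive=$2; dest=$(dirname "$archive")
    [ -d "$src" ] || { echo "missing source: $src" >&2; return 2; }
    need=$(need_kb "$src"); free=$(free_kb "$dest")
    # Fail closed: an unreadable df result counts as "no space".
    [ "${free:-0}" -gt "$need" ] || { echo "expand $dest first: need ${need}KB" >&2; return 3; }
    # -C stores relative paths (assumption; the article archives absolute paths).
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 4
    # Read the archive back end to end before trusting it.
    tar -tf "$archive" >/dev/null || return 5
    # Sidecar checksum so the fallback can detect a damaged archive.
    cksum "$archive" > "$archive.cksum"
}

# restore_dir ARCHIVE SRC: fallback; run only after the services are stopped.
restore_dir() {
    archive=$1; src=$2
    [ "$(cksum "$archive")" = "$(cat "$archive.cksum")" ] ||
        { echo "archive changed since backup: $archive" >&2; return 6; }
    # Keep the failed tree for later analysis instead of deleting it.
    [ ! -e "$src" ] || mv "$src" "$src.failed.$$" || return 7
    tar -xf "$archive" -C "$(dirname "$src")"
}
```

With the article's paths, the backup call would be `backup_dir /usr/was/WebSphere/AppServer /backup/was.20130924.tar`, and the fallback `restore_dir /backup/was.20130924.tar /usr/was/WebSphere/AppServer`.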
