[Servercert-wg] Ballot SC29: System Configuration Management

Neil Dunbar ndunbar at trustcorsystems.com
Thu Apr 2 02:55:16 MST 2020 

On 01/04/2020 11:36, Dimitris Zacharopoulos (HARICA) wrote:
>
> The team considers this "Emergency Change Order" to cause unnecessary 
> delay in some cases, for some categories of OS patches (e.g. security 
> updates). Whenever the vendor has patches that *the vendor* labels as 
> security updates, we would like to have the option for these patches 
> to be applied as soon as possible, without requiring additional human 
> review by the CA.
>
> Just to avoid any misunderstanding, only existing installed packages 
> would be updated. This would not invoke installation of new packages 
> (e.g. bluetooth packages or other unwanted software). Servers that 
> follow the NSRs 1g already ensure that only the utmost necessary 
> software is installed.
>
> We would also like to remind everyone that this ballot affects 
> "Certificate Systems, Issuing Systems, Certificate Management Systems, 
> Security Support Systems, and Front-End / Internal-Support Systems", 
> which covers almost every system under the CA's PKI management.

Well, yes. I would consider it strange to have an audited system which 
wasn't managed via a well described change management process.

So, I'm trying to summarize the disconnect here. Most of the strongest 
objection centres around being able to apply patches without any further 
intervention in order to shorten any potential vulnerability.

As for ECOs getting in the way - really? I've been at places where the 
ECOs were in place within _minutes_. Are we really saying that CAs need 
to apply unaudited patches in a sub-hour period? If a CA's belief is 
that patches must be put in place within seconds of a vendor announcing 
availability, then I don't think we can see eye-to-eye on this one.

All CAs are required to have a means of reconfiguring their systems 
according to well described change protocols; they are required to keep 
their software development life cycle via well described change 
protocols; they are required to be able to provide a system inventory 
for each object in their network (in terms of function, sensitivity). 
And yet the core OS deployment and updating should be treated as 
something entirely outside of a CA's descriptive purview? That doesn't 
seem (to me) to be a tenable position.

> Again, we are not discussing about upgrading something that is outside 
> the installed software stack. According to NSRs 1g, only necessary 
> software should be installed in the first place. But, just to 
> entertain the idea, and assuming we have allowed the Bluetooth stack 
> to remain installed, what potential "harm" would you see if a patch 
> for the Bluetooth stack were installed unattended?

Because that patch might introduce further vulnerabilities which can be 
exploited; if the patch wasn't installed then it couldn't provide that 
avenue of vulnerability. We're all in complete agreement that if 
software doesn't need to be on a host, then it shouldn't be. However, 
some packages (like kernels) provide functionality which is broader than 
strictly needed, and thus CAs need to know what's in a given patch to 
see whether its worth installing or not.

I do hope that no-one understands SC29 as meaning that every CA is 
required to perform exhaustive source code analysis and formal proof of 
every patch for every package that they ever deploy. I see it as simply 
meaning that continuous risk assessment is performed by reviewing the 
changelogs, sensitivity and deployment reach of each package, putting 
that into a curated repository and deploying from that. If the 
vulnerability highlighted by a package is ultra-serious and there's 
really no time to test properly, file an Emergency Change Order and 
deploy to production. At least there's a paper trail to illustrate what 
state a host is in, so if it does get compromised, you have an idea of 
what moving parts that box had before it got owned.

I guess I might just be a bit salty on this one. Patch review is one of 
the most boring parts of my job, and I don't see why anyone else should 
have a more interesting job than me. :-)

Regards,

Neil

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20200402/0b1be5f8/attachment.html>

More information about the Servercert-wg mailing list