FNAL Configuration Management - PowerPoint PPT Presentation

About This Presentation

Title: FNAL Configuration Management

Description: FNAL Configuration Management. Jack Schmidt, Cyber Security Workshop, May 23-24th 2006. Configuration Management: antivirus services for Windows, Linux, Macintosh; patching ...

Transcript and Presenter's Notes

1
FNAL Configuration Management
  • Jack Schmidt
  • Cyber Security Workshop
  • May 23-24th 2006

2
Configuration Management
  • Antivirus services for Windows, Linux, Macintosh
  • Patching services for Windows, Linux, Macintosh

3
AV
  • AV Policy
    - All systems that offer Windows services (Samba servers, shares) must run AV
    - All Windows desktops and servers must run antivirus
  • AV Baseline
    - Defines the AV service as a NIST Major Application
    - Provides service settings for clients (workstations/servers) and AV servers

4
Windows AV
  • Central Windows AV Service
    - Uses Symantec Enterprise (only AV, no firewall)
    - Built on a cluster for failover
    - AV server contacts Symantec every 15 minutes for updates
    - Clients contact the FNAL server every 30 minutes
    - Clients contact Symantec daily
    - Clients available for all Windows systems on the FNAL network (DOE/University owned) except home-owned systems
    - Service managed by Domain Administrators

5
Linux AV
  • Linux AV Service
    - No central service at this time
    - Scientific Linux Fermi (SLF) distributed with the ClamAV RPM
    - Samba servers required to run centrally supported AV software (ClamAV or Symantec)

6
Macintosh AV
  • Macintosh AV Service
    - Working with Symantec on using the Windows central service
    - Currently distribute the client with no configuration settings
    - Samba servers required to run centrally supported AV software (ClamAV or Symantec)

7
Windows Patching
  • Windows Patching Service
    - Designed by the Windows Policy Committee
    - Patches reviewed and rated
    - Three-tier solution:
      * Local method
      * Site SMS service
      * Site WSUS service
    - Site SMS/WSUS service managed by Domain Admins

8
Windows Patching
  • Microsoft Patch Flow
    - Domain Administrators examine patches on Patch Tuesday
    - Review patches with the Computer Security Team (CST)
    - Patches rated/required date set:
      * FNAL Mandatory: required for the system to be on the network
      * FNAL Recommended

9
  To: banditos@fnal.gov
  Subject: May, 2006 Microsoft Patches

  MANDATORY Patches
  Due Date: None at this time

  RECOMMENDED Patches
  Due Date: 6-15-2006

  The following is a link to the May, 2006 Microsoft list of critical and important patches.
  http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx

  Except for any patches that have been deemed Mandatory by CST, these patches should be applied within one month at your earliest convenience using patch deployment tools. If you are a subscriber to the central lab SMS facility, additional information can be found at
  http///private/sms/patchrollup/

  An announcement to all SMS OU administrators will be sent out once a SMS package is available. If you need the patches, you can also obtain them from \\fermi-rollup.

10
Windows Patching
  • Microsoft Patch Flow (cont.)
    - Domain Admins build SMS packages
    - Workstation/Server Admins distribute to systems by the given date
    - CST may require central rollout of a patch by Domain Admins
    - WSUS applies mandatory patches to systems after the due date
    - An Active Directory GPO points domain systems at our WSUS instead of Microsoft Update
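One way a domain admin can confirm on a member system that the WSUS-redirect GPO described above actually applied is to read the policy registry values that the Windows Update GPO writes. This is an added PowerShell check, not from the presentation; the expected WSUS URL is a placeholder, since the site's real server name is not on the slides.

```powershell
# Added example: audit a domain member's Windows Update policy settings.
# The values below are written by the "Specify intranet Microsoft update
# service location" and "Configure Automatic Updates" GPO settings.
$ExpectedWsus = 'http://wsus.example.internal:8530'   # placeholder (assumption)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Get-PolicyValue {
    # Return a registry value, or $null if the key/value is absent
    # (absent means no GPO applied, so the client talks to Microsoft Update).
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$wuServer    = Get-PolicyValue $PolicyKey 'WUServer'
$statusSrv   = Get-PolicyValue $PolicyKey 'WUStatusServer'
$useWuServer = Get-PolicyValue $AuKey 'UseWUServer'
$auOptions   = Get-PolicyValue $AuKey 'AUOptions'
$noAutoUpd   = Get-PolicyValue $AuKey 'NoAutoUpdate'

$report = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    WUServer       = $wuServer
    WUStatusServer = $statusSrv
    UseWUServer    = $useWuServer
    AUOptions      = $auOptions          # 4 = auto download and schedule install
    PointsAtWsus   = ($useWuServer -eq 1 -and $wuServer -eq $ExpectedWsus)
    AutoInstall    = ($auOptions -eq 4 -and $noAutoUpd -ne 1)
}
$report

# Flag the two conditions that would let a mandatory patch miss its due date.
if (-not $report.PointsAtWsus) {
    Write-Warning "$($report.ComputerName) is not pointed at the site WSUS server"
}
if (-not $report.AutoInstall) {
    Write-Warning "$($report.ComputerName) will not auto-install approved updates"
}
```

Run it under an elevated prompt; a system with no `WindowsUpdate` policy key at all reports every value as empty, which is the same finding as a missing GPO.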

11
Windows Patching
  • Other Windows Patches
    - Notification via CIAC or the vendor; the Windows Policy Committee monitors lists
    - Domain Admins meet with CST to review the importance of the patch
    - Patch rated/required date set
    - SMS package made available to Workstation/Server Admins for distribution

12
Windows Patching
  • Patch Tracking
    - SMS queries used to track patch rollout no matter which method is used
  • How Are We Doing?
    - Much better than visiting each system!
    - Delegated patch distribution is a mixed bag, dependent on the skill set of local admins
    - Pushing for central rollout of all patches

13
Linux Patching
  • Linux Patching Service
    - Designed by our Linux gurus
    - Errata review process
    - Service managed by SLF experts
    - FNAL uses YUM to distribute errata; SLF comes with YUM preconfigured for FNAL servers
  • SL: Scientific Linux (http://www.scientificlinux.org)
  • SLF: Scientific Linux Fermi

14
Linux Patching
  • SL(F) Errata Flow
    - Errata examined by SL(F) maintainers
    - Review errata with the Computer Security Team (CST)
    - Errata rated/required date set
    - Errata built by SL maintainers and released to the SL community for testing
    - After SL testing/feedback, errata moved to SLF servers and distributed

15
Linux Patching
  • Linux Errata Flow (cont.)
    - Clients check for errata from distribution servers nightly
    - Clients check for mandatory errata hourly

16
Linux Patching
  • Errata Tracking
    - Building an inventory system based on OCS Inventory NG
  • How Are We Doing?
    - Central patching via YUM has been in use for years; works well
    - Local admins have the ability to disable YUM updates
    - SL caveat: must build errata from source; can't use commercial patching solutions

17
Macintosh Patching
  • Mac users must patch their own systems
  • No defined patch identification policy
  • Testing central patching solutions:
    - SMS add-ons (Vintela/Quest)
    - Apple Workgroup Server

18
Questions?