Automating Security Patches For Chrooted Environment

  1. #1 Junior Member (joined Apr 2006, 20 posts)

    Hi All-

    I am relatively new to the Linux world. I want to know if there is a way to automate the patching of a chrooted environment. I am running RHEL ES 3.0 U7. When I receive critical RPM(s) from Red Hat, I know that the server is being patched, but the chrooted environment isn't. I have chrooted SSH which occasionally needs patches.

  2. #2 thehorse13, Master-Jedi-Pimps0r & Moderator (joined Dec 2002, Washington D.C. area, 2,884 posts)
    Yes it is possible. There are several docs on the RH site which provide step by step procedures for this. The key here is that the root user will configure everything to run in the chrooted environment. Why would you want patches to install without looking at what they impact first? Sounds a bit dangerous.

    Good luck.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3 Junior Member (joined Apr 2006, 20 posts)
    Thanks for the help. I will definitely look for these docs on the RH site. The reason why we want to automate this process is because we know exactly what we have as far as daemons and such in our chrooted environment, and we want to set up a process so that when patches from RH come out for those particular daemons, libraries, etc., they will be patched right away. This isn't a production environment and we do keep track as far as what patches are applied... they just won't be applied manually.

  4. #4 Junior Member (joined Apr 2006, 20 posts)
    I haven't been able to find anything significant on the RH site (I'm probably not searching with the right keywords). Anyway, I did find something through Google about using the chroot command to run a command with a directory as the NEWROOT.

    So would this work?

    chroot /jail up2date -up

    I do understand that I would need up2date set up in my chroot environment.

  5. #5 thehorse13, Master-Jedi-Pimps0r & Moderator (joined Dec 2002, Washington D.C. area, 2,884 posts)
    That *should* work.

    If I get some downtime later on, I will look for those docs for you.


    --Th13

  6. #6 Junior Member (joined Apr 2006, 20 posts)
    Actually I would like to run this command:

    chroot /jail up2date -uik /jail/tmp

    However, I don't know if the directory I specify is relative to the /jail or to the real /. In other words, does the directory I specify need to be in the chrooted environment as well?

  7. #7 thehorse13, Master-Jedi-Pimps0r & Moderator (joined Dec 2002, Washington D.C. area, 2,884 posts)
    Without testing I would tend to believe that the actual path would be used.

    --TH13

  8. #8 Junior Member (joined Apr 2006, 20 posts)
    I am making progress slowly but surely. Anyway as an FYI, the path to use when using the chroot command is relative to the chrooted environment. In my case I must use:

    chroot /jail up2date -uik /tmp ... not chroot /jail up2date -uik /jail/tmp

    I am now struggling with getting up2date working in the chrooted environment. I am able to enter up2date as a command and bash doesn't scream with the "command not found" message, but nothing happens. I have copied over these files into the chrooted environment:

    /usr/lib/libglib-2.0.so.0
    /lib/tls/libc.so.6
    /lib/ld-linux.so.2
    /usr/bin/up2date
    /usr/bin/up2date-config
    /usr/bin/up2date-nox
    /usr/sbin/up2date
    /usr/sbin/up2date-config
    /usr/sbin/up2date-nox
    /etc/sysconfig/rhn/sources
    /etc/sysconfig/rhn/systemid
    /etc/sysconfig/rhn/up2date
    /etc/sysconfig/rhn/up2date-keyring.gpg
    /etc/sysconfig/rhn/up2date.rpmnew
    /etc/sysconfig/rhn/up2date-uuid
    /etc/sysconfig/rhn/rhnsd
    /usr/share/rhn/RHNS-CA-CERT
    /usr/share/rhn/RPM-GPG-KEY

    Using ldd pointed out all of the library files that I needed. I am not sure if any additional files are needed.

    Any help is much appreciated.
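The problem raised in post #1 (the host gets patched, the hand-built jail keeps its old copies of libc and friends) and the ldd-driven copying described in post #8 can be scripted. The following is an added example, not code from the thread or from Red Hat: it assumes the jail mirrors files at the same relative path they have on the host (as the file list above does), that the jail path is passed as the first argument, and that a host root other than / may be supplied for testing. All function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): keep a hand-built chroot jail's copied
# binaries and libraries in step with the host after an RPM update. Assumes
# files are mirrored into the jail at the same relative path as on the host.
set -eu

# Parse `ldd BINARY` output on stdin; print one absolute library path per line.
# Covers "libc.so.6 => /lib/tls/libc.so.6 (0x...)" lines and bare loader lines
# such as "/lib/ld-linux.so.2 (0x...)"; skips linux-gate/linux-vdso entries,
# which have no file on disk.
ldd_libs() {
    awk '
        /=>/ { if (substr($3, 1, 1) == "/") print $3; next }
        substr($1, 1, 1) == "/" { print $1 }
    '
}

# jail_copy JAIL HOSTROOT PATH: copy HOSTROOT/PATH to JAIL/PATH, creating
# parent directories and dereferencing symlinks (-L) so the jail holds the
# real library file rather than a link that dangles inside the chroot.
jail_copy() {
    mkdir -p "$1$(dirname "$3")"
    cp -pL "$2$3" "$1$3"
}

# jail_install_binary JAIL BINARY: copy BINARY plus every library ldd reports.
jail_install_binary() {
    jail_copy "$1" "" "$2"
    ldd "$2" | ldd_libs | while read -r lib; do
        jail_copy "$1" "" "$lib"
    done
}

# jail_stale_files JAIL [HOSTROOT]: list jail files whose host counterpart at
# the same relative path now differs, e.g. after an update replaced the host's
# libc.so.6 but not the jail's copy. Files with no host counterpart (a
# jail-only config, say) are not reported. HOSTROOT defaults to the real /.
jail_stale_files() {
    jail=${1%/}
    hostroot=${2:-}
    find "$jail" -type f | while read -r f; do
        rel=${f#"$jail"}
        if [ -f "$hostroot$rel" ] && ! cmp -s "$hostroot$rel" "$f"; then
            printf '%s\n' "$rel"
        fi
    done
}

# jail_refresh JAIL [HOSTROOT]: re-copy every stale file from the host. This is
# the step the host's own package update never performs for the jail.
jail_refresh() {
    jail_stale_files "$1" "${2:-}" | while read -r rel; do
        jail_copy "${1%/}" "${2:-}" "$rel"
    done
}
```

Typical use as root: `jail_install_binary /jail /usr/bin/up2date` once per binary, then `jail_stale_files /jail` from cron after the host's updates run, and `jail_refresh /jail` once the list has been reviewed. The comparison is by content, so a library replaced by a patched build of the same soname is caught; a file the update removed from the host is left in the jail and must be cleaned up by hand. As post #8 notes, any path given to a command run as `chroot /jail ...` is resolved inside the jail, so the jail's own `/tmp` is what `up2date -k /tmp` sees.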

  9. #9 Maestr0, Senior Member (joined May 2003, 604 posts)
    You'll probably need to build an rpm database in the jail (put rpm in there as well). Trial and error can get you a long way. I'm an apt man myself, but I would try using rpm itself to install everything in the jail, something like:

    rpm --root=/jail --initdb
    rpm -ivh --root=/jail rpm-*.*.rpm
    rpm -ivh --root=/jail up2date-*.*.rpm

    etc.

    -Maestr0

    P.S. You'll probably need a /var/lib/rpm in the jail, initdb might make one, then again might not.
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  10. #10 Junior Member (joined Apr 2006, 20 posts)
    Thanks Maestr0 for the suggestion. I tried this, but for some reason I had to specify the full path where my rpms were located.

    ex. rpm -ivh --root=/jail /var/lib/rpm/rpm-*.*.rpm

    I don't think this really matters but after I ran this it appeared to install. However, when I go into the chrooted environment, I cannot run the rpm or up2date commands.

    Before I installed the RPMs, I cleaned up what I had done at that point (I removed the files that I listed in my previous post), assuming that the installation of these packages would recreate them.

    Do you think I should place the files back into the chrooted environment, and then re-run the rpm installations?

    Thanks in advance!
