how-to

OS updates & security

  • 18 March 2024
  • 4 replies
  • 202 views

Userlevel 1
Badge +4

As a software publisher, we care about the security of the software we offer and make continuous updates as security vulnerabilities or potential issues are discovered or reported to us via the security@centreon.com address, through our Customer Care service The Guard or here on The Watch. Note that a page describes our security policy and we also have the process to report a vulnerability

 

However, even if your Centreon applications are up-to-date, it is important to follow best practices to keep the Operating Systems on which they run secure, as well as the third-party components running on these systems.

We recommend applying security updates as soon as they are available (and restarting the affected services afterwards; if in doubt, system reboot is also possible).

 

This article is aimed at providing some tips to do so if you are not familiar with Linux systems maintenance.

 

Automatic update tools:

There are tools such as dnf-automatic (for RHEL-like systems) or unattended-upgrades (for Debian) that can apply security updates automatically: 

https://dnf.readthedocs.io/en/latest/automatic.html

https://wiki.debian.org/UnattendedUpgrades

 

Example of a targeted update:

If you are aware of a specific Common Vulnerabilities and Exposures (CVE) and its identifier, it is possible to directly check on your system if it is properly resolved.

 

Here is an example of a process you can use for the CVE-2022-1292 affecting OpenSSL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292

 

AlmaLinux:

If you are on AlmaLinux 8, a search will take you to this page: https://errata.almalinux.org/8/ALSA-2022-5818.html which references the vulnerability (as it has been fixed upstream by RedHat): https://access.redhat.com/security/cve/CVE-2022-1292.

You can also read the "changelogs" from the system itself, with this command for example: rpm -q -changelog followed by the name of the library or program concerned with a grep on the CVE ID:

 

rpm -q -changelog openssl |grep CVE-2022-1292

- Fix CVE-2022-1292: openssl: c_rehash script allows command injection

 

Debian:

If you are on Debian 11 Bullseye, a search will take you to this page: https://security-tracker.debian.org/tracker/CVE-2022-1292.

From the system, you can search directly in the changelogs with grep, which will confirm that it is properly fixed:

 

zgrep CVE-2022-1292 /usr/share/doc/openssl/changelog.*

/usr/share/doc/openssl/changelog.Debian.gz:    - CVE-2022-1292 (The c_rehash script allows command injection).

/usr/share/doc/openssl/changelog.gz:   CVE-2022-1292, further bugs where the c_rehash script does not

/usr/share/doc/openssl/changelog.gz:   When the CVE-2022-1292 was fixed it was not discovered that there

/usr/share/doc/openssl/changelog.gz:   (CVE-2022-1292)


4 replies

Badge +2

Hello, thanks.

→ Are there any compatibility to keep between the OS/packages and the centreon packages on a working Server/Poller ?

For exemple, can “dnf update --exclude=centreon*” (update all the packages except centreon ones) have any impact on centreon plugins ?

Will any working Centreon version will be OK with the OS/packages update ?

Or is it mandatory to always update the centreon plugins at the same time “dnf update” ?

 

Thanks

 

Badge +2

instead of “centreon plugins” I meant “centreon packages”

Userlevel 1
Badge +4

Hello @frantz,

Centreon packages get the recent dependencies they need, but the reverse is not true.

So, it’s rare but possible to encounter issues if the system is up-to-date but the Centreon packages are not. Especially for the centreon-plugins on a poller, which often depend on Perl packages of the system.

Centreon updates can also solve security problems.

I recommend to keep an eye on Release Notes https://docs.centreon.com/docs/releases/centreon-os/ for security concern if you want to decorellate system updates and Centreon updates.

Badge +2

Hello @AltGr 

Thanks for your answer. I was wondering both ways.

 

So If I understand well ? :

→ We must be carefull while upgrading the OS but not the centreon packages “dnf update --exclude=centreon\*” as there may be compatibility issues.

→ Upgrading the centreon packages (but not the OS) with “dnf update centreon\*” should work as dependencies are checked

→ Upgrading both (OS + centreon) with “dnf update” will always work

 

Is that it ?

 

Best regards

Reply