Re: Migrating RHEL6 hosts - - Final Reminder


Gordon Saksena

Mar 22, 2022, 7:31:26 PM
to Shiv Patil, Ignaty Leshchiner, David Roazen, Gad Getz, Meifang Qi, Steven Schumacher, Esther Rheinbay, Ting Wu, Chet Birger, Daniel Rosebrock, David Isaac Heiman, gdac, Chip Stewart, Francois Aguet, Sam Wiseman, William Hedglon, David Bernick, Chris Marko
Presumably the background behind this is that the infosec community is now on high alert, given the war in Ukraine, and that unpatched servers have been implicated in a large proportion of successful attacks, used as network entry points or as staging for lateral movement within the network.

I wonder whether another option might be acceptable other than upgrading or shutting down the node: perhaps the node could be placed into isolation, as was done in the past for Docker nodes that allowed end users to sudo.  Or, related, a VLAN containing perhaps a handful of nodes and its own NFS share, which I believe is how the lab networks are currently set up.  I expect this would be unpalatable to the end users for nodes used for general purpose, but might wind up being a less painful path forward for nodes dedicated to legacy custom applications.  Just a thought, as I don't have authority over these nodes.

Gordon

On Tue, Mar 22, 2022 at 4:06 PM Shiv Patil <spa...@broadinstitute.org> wrote:
Hi All,

Consistent with Broad Information Systems Acceptable Use Policy (Section 6.4), it is important that we continue running on supported platforms. We are reaching out to you one last time about the following RHEL6 hosts that need to get upgraded, as limited vendor maintenance support ended November 2020. Since we have not heard from you in more than six months, we are planning to shut down these hosts in 30 days (4/21/2022).

Please refer to SN Ticket INC0232068 for more details and let us know if you have any questions or concerns.

Hosts:
cga-kras
voki
muon
vgdac1
fbdev
cga03

Thanks
Team Devnull
BITS - Broad Institute

David Heiman

Mar 23, 2022, 10:19:00 AM
to David Bernick, Gordon Saksena, Chet Birger, Chip Stewart, Chris Marko, Daniel Rosebrock, David Roazen, Esther Rheinbay, Francois Aguet, Gad Getz, Ignaty Leshchiner, Meifang Qi, Sam Wiseman, Shiv Patil, Steven Schumacher, Ting Wu, William Hedglon, gdac
It should be okay to migrate most of these to RHEL7 - preferably during the next quarterly maintenance (4/3 I believe?).

Ignaty, we'll need your input on voki/muon.

I'm trepidatious about cga03: this is an actual server, not a VM, and is far out of warranty, so I worry that the upgrade might kill it.

Will all the crontabs be maintained? Several of these machines have cron jobs on them that are part of our lab's infrastructure.

Thanks,
David
---

David Heiman

Principal Software Engineer 

Gad Getz Lab

GDAN Processing Genome Data Analysis Center

CPTAC Proteogenomic Data Analysis Center

Broad Institute of MIT and Harvard

415 Main Street, Cambridge, MA 02142
On Wed, Mar 23, 2022 at 7:45 AM David Bernick <dber...@broadinstitute.org> wrote:
There are compliance things beyond security to consider — EoL systems are a huge compliance and liability risk on paper outside of the security systems. We should endeavor to get EoL software off of our networks rather than craft workarounds (that still won't mitigate our compliance risk).

This doesn't have much to do with Ukraine or any particular high alert. The AUP has long been in place and we need to upgrade old systems. Yes, unpatched systems represent a lateral movement risk. We are addressing these issues as we discover them, and while this hasn't been something we have concentrated on in the past, as we have had higher risks to deal with, this is now something we have to address.
--
David Bernick
Sr Director, Chief Information Security Officer
Typed on a tiny keyboard!
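The crontab question above is the kind of thing that gets lost when a host is rebuilt in a maintenance window. The script below is an added example for this thread, not code from Broad BITS or from any of the thread's authors. It assumes the stock RHEL layout (/etc/redhat-release, /etc/crontab, /etc/cron.d, the /etc/cron.{hourly,daily,weekly,monthly} directories and the per-user spool under /var/spool/cron) and takes a hypothetical root-prefix argument so it can be run against a mounted image or a scratch tree instead of the live host. It flags a host as EoL when the release major version is 6 or lower, and copies every cron source into an archive directory while reporting how many live crontab lines it found, so the count can be compared against the rebuilt RHEL7 host.

```shell
#!/bin/sh
# Pre-migration inventory for an RHEL host: record the OS release and
# preserve every cron entry before the host is rebuilt or shut down.
# Added example, not Broad BITS code. Paths follow the stock RHEL layout;
# the ROOT argument (hypothetical, for testing) is prefixed to every path.

# rhel_major ROOT -> prints the major version parsed from ROOT/etc/redhat-release
rhel_major() {
    root="${1:-}"
    rel="$root/etc/redhat-release"
    [ -r "$rel" ] || { echo "cannot read $rel" >&2; return 1; }
    # "Red Hat Enterprise Linux Server release 6.10 (Santiago)" -> 6
    sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' "$rel" | head -n1
}

# is_eol ROOT -> succeeds when the host runs RHEL 6 or older
is_eol() {
    major="$(rhel_major "$1")" || return 1
    [ -n "$major" ] && [ "$major" -le 6 ]
}

# collect_cron ROOT OUTDIR -> copies system, cron.d and per-user crontabs
# (plus the cron.* script directories) under OUTDIR, keeping the original
# path relative to ROOT, and prints the number of non-comment, non-empty
# crontab lines so the rebuilt host can be checked against the same count.
collect_cron() {
    root="${1:-}"; out="$2"
    mkdir -p "$out"
    count=0
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        rel="${f#$root/}"
        mkdir -p "$out/$(dirname "$rel")"
        cp -p "$f" "$out/$rel"
        # count lines that are neither blank nor comments; grep -c exits 1 on zero
        n=$(grep -v '^[[:space:]]*#' "$f" | grep -c '[^[:space:]]') || n=0
        count=$((count + n))
    done
    # the periodic script directories hold executables, not crontab lines
    for d in hourly daily weekly monthly; do
        src="$root/etc/cron.$d"
        [ -d "$src" ] || continue
        mkdir -p "$out/etc/cron.$d"
        cp -pR "$src"/. "$out/etc/cron.$d"/
    done
    echo "$count"
}

# Stand-alone use: inventory the live host into /root/cron-backup
if [ "${1:-}" = "--run" ]; then
    if is_eol ""; then echo "RHEL $(rhel_major "") is EoL; archiving cron entries"; fi
    echo "crontab lines preserved: $(collect_cron "" /root/cron-backup)"
fi
```

Run it with `--run` on the old host before the maintenance window, then run `collect_cron` again on the RHEL7 replacement and diff the two archive trees; a mismatched line count is the quickest sign that a job under /etc/cron.d or a user's spool was not carried over.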