cloudcaptainsh / cloudcaptain

Issue Tracker for CloudCaptain

How to check if a deployed AMI has up to date patches #297

Closed citizen-boxfuse closed 5 months ago

citizen-boxfuse commented 5 months ago

We'd like to check the patch status of a deployed AWS EC2 instance. It looks like SSH is disabled, which is fine. Is there an option to set up a user so we can log into the instance by serial access?

Or, are there alternative steps we can take to check the patch status of a Linux image before or after deployment?

axelfontaine commented 5 months ago

The base OS is ultra-minimal and doesn't require patching. Going up from there in the stack you are in full control. To keep track of which AMI ID corresponds to which version of your app, you can refer to the AMI's tags. We automatically add a few standard ones and you can also add your own.

See https://cloudcaptain.sh/docs/aws#tags

citizen-boxfuse commented 5 months ago

Can you clarify what you mean by the base OS not requiring patching?

If a critical vulnerability is announced in the Linux kernel how do we know where we stand? We'd like to be able to check the version of the kernel, libraries and tools in the base OS. A means to check these either before or after deployment would do.

axelfontaine commented 5 months ago

It would have to be a vulnerability in a very specific part of the kernel such as the TCP or IPv4 code. This is highly unlikely. Regular privilege escalation vulnerabilities don't matter as you can't log into the machine and there is only one process (besides init, acpid and ntpd), your app.

That being said, the logs of an instance boot show which versions of the components were used to build the image. See https://cloudcaptain.sh/docs/commandline/logs
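Putting the two answers above together (AMI tags to identify the build, the boot log to see what the base OS was built from), here is an added example of how to turn both into an automated check. It is not CloudCaptain's own code or part of this thread. It works offline on two artefacts you can fetch with the AWS CLI: `aws ec2 describe-images --image-ids <ami-id>` for the tags, and `aws ec2 get-console-output --instance-id <instance-id>` for the serial console text, which includes the kernel's boot banner. The JSON and log text embedded below are constructed samples; the tag keys `app`/`version` are placeholders rather than the standard tag names documented at https://cloudcaptain.sh/docs/aws#tags, and the filler log lines are invented. Only the `Linux version X.Y.Z` banner line is the real, standard format every Linux kernel prints at boot.

```python
import json
import re
from typing import Optional

# Constructed stand-in for `aws ec2 describe-images --image-ids <ami>` output.
# Tag keys "app" and "version" are placeholders; see the tags docs linked above
# for the standard keys CloudCaptain actually adds.
SAMPLE_DESCRIBE_IMAGES = json.dumps({
    "Images": [{
        "ImageId": "ami-0123456789abcdef0",
        "Name": "myapp-1.4.2",
        "Tags": [
            {"Key": "app", "Value": "myapp"},
            {"Key": "version", "Value": "1.4.2"},
            {"Key": "team", "Value": "payments"},
        ],
    }]
})

# Constructed stand-in for `aws ec2 get-console-output --instance-id <id>`.
# Line 1 is the standard kernel boot banner; the rest are invented filler.
SAMPLE_CONSOLE_OUTPUT = """\
[    0.000000] Linux version 4.14.77-example (build@example) (gcc version 7.3.0) #1 SMP Thu Jan 1 00:00:00 UTC 1970
[    0.000000] Command line: console=ttyS0 root=/dev/xvda1 ro
[    0.812345] Freeing unused kernel memory: 1024K
"""

_KERNEL_BANNER = re.compile(r"Linux version (\d+(?:\.\d+)+)")


def ami_tags(describe_images_json: str) -> dict:
    """Return the AMI's tags as a plain {key: value} dict."""
    images = json.loads(describe_images_json)["Images"]
    if len(images) != 1:
        raise ValueError(f"expected exactly one image, got {len(images)}")
    return {t["Key"]: t["Value"] for t in images[0].get("Tags", [])}


def parse_version(text: str) -> tuple:
    """'4.14.77' -> (4, 14, 77). Int tuples compare numerically, so 4.9 < 4.14."""
    return tuple(int(part) for part in text.split("."))


def kernel_version(console_output: str) -> Optional[tuple]:
    """Extract the booted kernel version from the console banner, or None if absent."""
    m = _KERNEL_BANNER.search(console_output)
    return parse_version(m.group(1)) if m else None


def kernel_at_least(console_output: str, minimum: str) -> bool:
    """True if the instance booted a kernel >= `minimum` (e.g. the first fixed release).

    A missing banner is treated as a failed check, never as a pass."""
    found = kernel_version(console_output)
    return found is not None and found >= parse_version(minimum)


def patch_report(describe_images_json: str, console_output: str, min_kernel: str) -> dict:
    """Combine AMI identity and kernel check into one record to log or alert on."""
    return {
        "tags": ami_tags(describe_images_json),
        "kernel": kernel_version(console_output),
        "kernel_ok": kernel_at_least(console_output, min_kernel),
    }


if __name__ == "__main__":
    report = patch_report(SAMPLE_DESCRIBE_IMAGES, SAMPLE_CONSOLE_OUTPUT, "4.14.70")
    print(json.dumps(report, indent=2))
```

Two caveats when running this against real instances: the console output EC2 retains is limited in size and may scroll once the application logs heavily, so capture it soon after boot; and a version number only tells you what the image was built with, so for an immutable image the remediation is always a rebuild and redeploy, after which the new AMI's tags and banner are what you re-check.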