Sun Ray Server software patches are not tested in a development environment first before deploying to production.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16100	SUN0120	SV-17088r1_rule	DCCT-1	Medium

Description
Organizations need to stay current with all applicable Sun Ray Server software updates that are released from Sun Microsystems. New Sun Ray Server patches and updates should be reviewed for the Sun Ray Server before moving them into a production environment. Sun Ray Server patches will be tested first in a development environment and any issues or special precautions will be documented, as a patch could technically disable all Sun Ray Desktop Units, cause unexpected performance or availability issues.

Description

Organizations need to stay current with all applicable Sun Ray Server software updates that are released from Sun Microsystems. New Sun Ray Server patches and updates should be reviewed for the Sun Ray Server before moving them into a production environment. Sun Ray Server patches will be tested first in a development environment and any issues or special precautions will be documented, as a patch could technically disable all Sun Ray Desktop Units, cause unexpected performance or availability issues.

STIG	Date
Sun Ray 4 STIG	2015-04-02

Details

Check Text ( C-17146r1_chk )
1. Ask the IAO/SA where the test and development Sun Ray Servers are located. Access those servers and perform the following commands: # /opt/SUNWut/lib/utspatches Should return the following: 127554-02 127557-01 OR # patchadd –p \| grep SRSS Patches need to be at one of the following: Solaris/SPARC 127553 Solaris/x86 127554 Linux/x86 127555 SRWC 2.0 Patches need to be at one of the following: Solaris/SPARC 127556 Solaris/x86 127557 Linux/x86 127558 If the preceding patches are not returned, this is a finding. Check Sun Microsystems’s website for updated patches that may have been released after this checklist. 2. Request from the IAO/SA for a documented procedure on how their patches are tested on a development system before using on production systems. If no procedure is provided, this is a finding.

Check Text ( C-17146r1_chk )

1. Ask the IAO/SA where the test and development Sun Ray Servers are located. Access those servers and perform the following commands:

# /opt/SUNWut/lib/utspatches

Should return the following:
127554-02
127557-01
OR
# patchadd –p | grep

SRSS Patches need to be at one of the following:
Solaris/SPARC 127553
Solaris/x86 127554
Linux/x86 127555

SRWC 2.0 Patches need to be at one of the following:
Solaris/SPARC 127556
Solaris/x86 127557
Linux/x86 127558

If the preceding patches are not returned, this is a finding. Check Sun Microsystems’s website for updated patches that may have been released after this checklist.

2. Request from the IAO/SA for a documented procedure on how their patches are tested on a development system before using on production systems. If no procedure is provided, this is a finding.

Fix Text (F-16207r1_fix)
Implement the latest patches for the Sun Ray system. Check Sun Microsystems’s website for updated patches that may have been released after this checklist. Create patch procedures for testing before deploying patches to the production system.