LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 08-14-2013, 02:29 PM   #1
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 193

Rep: Reputation: 47
Best practices when a CVE alert is issued for software on your machine


I would like to pick the brains of the more experienced sys admins on this site for a moment.

So let's say you install some server software via yum or apt-get (whether it be MySQL, Bind, DHCPD, whatever) and a little while later there is a CVE alert issued for that particular version of the server software, whatever it is.

It takes a while (if it ever happens) for software bug fixes and security patches to get pushed out via the repositories as they need to be tested so as to not damage any systems that download it.

In that time, rather than leave the system with a glaring security hole, I remove the older package and build the latest build from source via the software vendor's site.

Do you then monitor the repositories to see if that bug is fixed and then remove the software you've built from source and re-apt-get or yum? At that point I'd just leave it and just keep updating the software manually...in which case I ask what is the point of using apt-get and yum for software like the examples I gave earlier? Does it make more sense to build these packages from source from the very beginning? What does everyone else do? Just kinda looking for best practices.
 
Old 08-14-2013, 02:53 PM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux
Posts: 2,870
Blog Entries: 1

Rep: Reputation: 902
What you are doing is similar to what I do.

I use package managers to keep everything up to date. There is a yum plugin for security, which checks for security patches available.

We have a repo mirror of Scientific Linux, so we don't use too much bandwidth. In addition, we have a custom, local repository for just such things. If a bad exploit comes out, and I have to build the newest version, I'll build the rpm and put it into my custom security repo so that all of our servers will install my newest version.

In other words, build and use your own custom repo with custom builds of software you are worried about. Don't install from source over and over. Do it once, package it and send it out to your servers.

Last edited by szboardstretcher; 08-14-2013 at 02:54 PM.
 
Old 08-14-2013, 02:54 PM   #3
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 14,223

Rep: Reputation: 2474
Quote:
Originally Posted by YankeePride13
I would like to pick the brains of the more experienced sys admins on this site for a moment.
So let's say you install some server software via yum or apt-get (whether it be MySQL, Bind, DHCPD, whatever) and a little while later there is a CVE alert issued for that particular version of the server software, whatever it is.

It takes a while (if it ever happens) for software bug fixes and security patches to get pushed out via the repositories as they need to be tested so as to not damage any systems that download it.

In that time, rather than leave the system with a glaring security hole, I remove the older package and build the latest build from source via the software vendor's site.

Do you then monitor the repositories to see if that bug is fixed and then remove the software you've built from source and re-apt-get or yum? At that point I'd just leave it and just keep updating the software manually...in which case I ask what is the point of using apt-get and yum for software like the examples I gave earlier? Does it make more sense to build these packages from source from the very beginning? What does everyone else do? Just kinda looking for best practices.

I would answer with "it depends".

I would first look at the vulnerability itself, and the likelihood that it would affect the server. If it's a fairly serious network vulnerability on a server in the DMZ, then yes, I'd build the latest version from source that addresses that bug, then monitor the repos to see when the 'real' package has been updated and install it, as you said. Given the same software on the INTERNAL network, behind several layers of firewalls/DMZ/etc., then I'd probably just wait for the official update.

I tend to treat servers on the internal network differently than the ones that are externally facing. Internally, I'd have Snort and other things watching my systems, and can easily trace back events to a specific area (and DESK, often times). If anything hinky is going on, I shovel all the documentation over to internal security, and wait to see who they escort out of the building later that day.

Externally, I'm FAR more stringent.
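
Added example, not part of any post in this thread: one way to script the "monitor the repos until the real package carries the fix" step on an RPM-based system, so an interim local build can be retired. It relies on the package changelog because distributions often backport a fix without changing the upstream version number. The package name, the CVE id `CVE-0000-0001` and the sample changelog are constructed placeholders; the `yum updateinfo` branch assumes the security plugin mentioned above and a repository that publishes advisory metadata.

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog` output (not from a real package).
SAMPLE_CHANGELOG='* Tue Aug 20 2013 Packager <packager@example.com> - 1.2.3-4.el6_4.1
- fix CVE-0000-0001: constructed entry, fix backported to 1.2.3
* Mon Jan 07 2013 Packager <packager@example.com> - 1.2.3-4
- rebuild'

# changelog_release_for_cve CVE-ID
# Reads changelog text on stdin (newest entry first, as rpm prints it) and
# prints the version-release of the newest entry that mentions the CVE.
# Returns 1 when no entry mentions it. Assumes the version-release is the
# last field of each "* date packager - version" header line.
changelog_release_for_cve() {
    awk -v cve="$1" '
        # Match the full id only, so CVE-0000-000 does not match CVE-0000-0001.
        BEGIN    { pat = "(^|[^0-9A-Za-z-])" cve "([^0-9]|$)" }
        /^\* /   { rel = $NF; next }
        $0 ~ pat { print rel; found = 1; exit }
        END      { exit !found }
    '
}

# cve_status PKG CVE-ID
#   installed : the installed package's changelog lists the CVE
#   pending   : an advisory for the CVE is waiting in the enabled repos
#   unfixed   : neither; the interim local build is still needed
cve_status() {
    if rpm -q --changelog "$1" 2>/dev/null |
            changelog_release_for_cve "$2" >/dev/null; then
        echo installed
    elif yum -q updateinfo list cves 2>/dev/null | grep -qwF -- "$2"; then
        echo pending
    else
        echo unfixed
    fi
}

# Demo on the constructed sample; prints 1.2.3-4.el6_4.1
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_release_for_cve CVE-0000-0001
```

Run `cve_status <package> <CVE-id>` from cron on each host; once it reports `pending` or `installed` for the distribution package, the locally built version can be dropped from the custom repository.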
 
  

