Keeping Up With DoD Security Requirements In Linux?
ers81239 writes "I've recently become a Linux administrator within the Department of Defense. I am surprised to find out that the DoD actually publishes extensive guidance on minimum software versions. I guess that isn't so surprising, but the version numbers are. Kernel 2.6.30, ntp 4.2.4p7-RC2, OpenSSL 9.8k and the openssh to match, etc. The surprising part is that these are very fresh versions which are not included in many distributions. We use SUSE Enterprise quite a bit, but even openSUSE factory (their word for unstable) doesn't have these packages. Tarballing on this many systems is a nightmare and even then some things just don't seem to work. I don't have time to track down every possible lib/etc/opt/local/share path that different packages try to use by default. I think that this really highlights the trade-offs of stability and security. I have called Novell to ask about it. When vulnerabilities are found in software, they backport the patches into whatever version of the software they are currently supporting. The problem here is that this doesn't give me a guarantee that the backport fixes the problem for which this upgrade is required (my requirements say to install version x or higher). There is also the question of how quickly they are providing the backports. I'm hoping that there are 100s of DoD Linux administrators reading this who can bombard me with solutions. How do you balance security with stability?"
repo (Score:3, Funny)
Re:I am surprised (Score:4, Funny)
Some of the stuff that they do is as boring as public relations and kitchen supplies.
Why would they possibly need the latest kernel version?
They probably believe it provides the kitchen sink ;)
Re:Who sets those minimum versions? (Score:3, Funny)
My Netgear box routes packets over open air without too much trouble.
Re:Who sets those minimum versions? (Score:3, Funny)
802.11(b,g,n)?
Re:Who sets those minimum versions? (Score:3, Funny)
"And some even more restrictive than that.
You're getting me curious! What are those networks like?"
Their TCP three-way handshake goes like this: SYN SYN NACK.
Welcome, BARACK.OBAMA@WHITEHOUSE.GOV, to area52.31337.nopeeping.nuh-uh.icu.goaway.clubhouse.nwo.mil.
Your security classification: ACCESS DENIED
Would you like to play a game?
$ls ..
NO
$cat .
NOPE
$pwd
AS IF
$cd
YEAH RIGHT
It simplifies things immensely.
Obey the rules. (Score:2, Funny)
First rule about DoD security and stability? Don't talk about DoD security and stability. :>