Keeping Up With DoD Security Requirements In Linux?
ers81239 writes "I've recently become a Linux administrator within the Department of Defense. I am surprised to find out that the DoD actually publishes extensive guidance on minimum software versions. I guess that isn't so surprising, but the version numbers are. Kernel 2.6.30, ntp 4.2.4p7-RC2, OpenSSL 9.8k and the openssh to match, etc. The surprising part is that these are very fresh versions which are not included in many distributions. We use SUSE Enterprise quite a bit, but even openSUSE factory (their word for unstable) doesn't have these packages. Tarballing on this many systems is a nightmare, and even then some things just don't seem to work. I don't have time to track down every possible lib/etc/opt/local/share path that different packages try to use by default. I think that this really highlights the trade-offs of stability and security. I have called Novell to ask about it. When vulnerabilities are found in software, they backport the patches into whatever version of the software they are currently supporting. The problem here is that this doesn't give me a guarantee that the backport fixes the problem for which this upgrade is required (my requirements say to install version x or higher). There is also the question of how quickly they are providing the backports. I'm hoping that there are hundreds of DoD Linux administrators reading this who can bombard me with solutions. How do you balance security with stability?"
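The two checks the submitter is describing, a "version x or higher" floor and, when the distribution ships a backport instead, a look at the package changelog for the fixes the floor was meant to close, as an added example. This is not code from the post or from any DoD or SUSE tooling. The floors are the ones quoted above (the OpenSSL entry is read as 0.9.8k, an assumption); the inventory, the placeholder CVE ids and the changelog excerpts are constructed for the example, and the split between upstream version and distro release follows the rpm "version-release" convention.

```python
"""Audit installed package versions against a minimum-version list,
accepting a distro backport only when the changelog names every CVE
the floor is supposed to close. Added example; data below is constructed."""
import re
from typing import Dict, List, Tuple

_TOKEN = re.compile(r"\d+|[A-Za-z]+")
# Pre-release markers rank *below* the bare release: 4.2.4p7-RC2 < 4.2.4p7
_PRERELEASE = {"alpha": 1, "beta": 2, "pre": 3, "rc": 4}
_PAD = (1, 0, "")  # what a missing trailing component compares as


def version_key(version: str) -> List[Tuple[int, int, str]]:
    """Turn '2.6.30', '0.9.8k' or '4.2.4p7-RC2' into comparable tuples.
    Numbers compare numerically, patch letters ('h' < 'k') lexically,
    and rc/beta/alpha markers sort before the corresponding release."""
    key = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        elif tok.lower() in _PRERELEASE:
            key.append((0, _PRERELEASE[tok.lower()], ""))
        else:
            key.append((1, 0, tok.lower()))
    return key


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b (shorter side is padded)."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [_PAD] * (n - len(ka))
    kb += [_PAD] * (n - len(kb))
    return (ka > kb) - (ka < kb)


def meets_floor(installed: str, floor: str) -> bool:
    return compare_versions(installed, floor) >= 0


def upstream_version(rpm_version: str) -> str:
    """Drop the distro release ('2.6.27.29-0.1' -> '2.6.27.29').
    Assumption: the release is what follows the first '-' that is
    followed by a digit, so upstream '-RC2' style suffixes survive."""
    return re.split(r"-(?=\d)", rpm_version, maxsplit=1)[0]


_CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_fixed_in(changelog: str) -> set:
    """CVE ids named in a package changelog (e.g. `rpm -q --changelog`)."""
    return set(_CVE.findall(changelog))


def audit(inventory: Dict[str, str], floors: Dict[str, str],
          required_cves: Dict[str, List[str]],
          changelogs: Dict[str, str]) -> Dict[str, str]:
    """Per package: 'ok' (at/above the floor), 'backported' (below the
    floor but every required CVE is named in the changelog), else 'FAIL'.
    A package below the floor with no known CVE list is 'FAIL': without
    knowing what the floor was meant to close, a backport cannot be accepted."""
    result = {}
    for pkg, floor in floors.items():
        installed = upstream_version(inventory.get(pkg, "0"))
        if meets_floor(installed, floor):
            result[pkg] = "ok"
            continue
        needed = set(required_cves.get(pkg, ()))
        fixed = cves_fixed_in(changelogs.get(pkg, ""))
        result[pkg] = "backported" if needed and needed <= fixed else "FAIL"
    return result


# Floors quoted in the post; "9.8k" read as OpenSSL 0.9.8k (assumption).
FLOORS = {"kernel": "2.6.30", "ntp": "4.2.4p7-RC2", "openssl": "0.9.8k"}

# Constructed inventory of one host, rpm "version-release" form.
INVENTORY = {"kernel": "2.6.27.29-0.1", "ntp": "4.2.4p7-1.3",
             "openssl": "0.9.8h-30.11"}

# Constructed: placeholder CVE ids (not real advisories) the floors should close.
REQUIRED_CVES = {"openssl": ["CVE-0000-0001", "CVE-0000-0002"],
                 "kernel": ["CVE-0000-0003"]}

# Constructed changelog excerpts in the shape `rpm -q --changelog` prints.
CHANGELOGS = {
    "openssl": "* Thu Jun 04 2009 - maintainer@example.invalid\n"
               "- fix CVE-0000-0001, CVE-0000-0002 (backport from 0.9.8k)\n",
    "kernel": "* Mon Jun 01 2009 - maintainer@example.invalid\n"
              "- patches.fixes/foo: unrelated fix\n",
}

if __name__ == "__main__":
    for pkg, status in audit(INVENTORY, FLOORS, REQUIRED_CVES, CHANGELOGS).items():
        print(f"{pkg:8s} installed={INVENTORY[pkg]:16s} floor={FLOORS[pkg]:12s} {status}")
```

The version comparison is the part that usually goes wrong when a requirement is written as a bare version string: a naive string or float comparison puts 4.2.4p7 below 4.2.4p7-RC2 and cannot order 0.9.8h against 0.9.8k. The changelog check is only as good as the vendor's habit of citing CVE ids in its changelog, which is the guarantee the submitter says he is missing; treat "backported" as a pointer to the vendor advisory, not as proof.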
Re:I am surprised (Score:2, Insightful)
I think there might be some changelog analysis going on too. If you see "Huge exploit xyz fixed in this patch", you're more likely to use the new, untested version just because a known exploit is closed. With security software, they're usually fixing, improving, and generally securing their software.
I personally keep pretty up-to-date, and I can understand that a government agency would want to be completely on top of things.
"It's safer"
Switch distros? (Score:4, Insightful)
Re:I am surprised (Score:3, Insightful)
Why would they possibly need the latest kernel version?
Re:Doing your job? (Score:1, Insightful)
working smarter vs working harder?
It's a trap! (Score:3, Insightful)
I'm hoping that there are 100s of DoD Linux administrators reading this who can bombard me with solutions. How do you balance security with stability?"
Computer security configuration data is on a need-to-know basis. Anyone revealing UCI will be receiving a call or visit from an armed person who had his sense of humor surgically removed. :-)
/workedtoolongforDOE
It's simple, really (Score:3, Insightful)
If you lose data or your system gets abused and you're patched to the latest version you're off the hook. If you don't have the latest patch however you're fired. Even if the latest patch fixes a local privilege escalation on libgd2 and all your server does is DHCP and it was actually exploited by someone cleverly guessing your co-worker's password.
Same thing with firewalls: if all you run is a web server, I say you make sure nothing else is running that opens any ports. It's no use to set up a firewall, because the thing that is most vulnerable, port 80, will need to be open anyway. But get caught without a firewall in some places and you're fired.
It's a lot easier to write a meaningless list of requirements than to think about needs and policies and design the requirements.
It's a lot safer to follow some dumb list of requirements than to try to understand what your systems are doing and configure accordingly.
It's a lot easier for an auditor to check a list of requirements against the output of some version-checker than to actually know what these things do.
It's the dumbing down of engineering that passes for systems administration these days. It's the Windows way of thinking.
Re:I am surprised (Score:3, Insightful)
Because the people who write the requirements need to justify their jobs.
Re:Rolling Distrobution (Score:2, Insightful)