Keeping Up With DoD Security Requirements In Linux?

ers81239 writes "I've recently become a Linux administrator within the Department of Defense. I am surprised to find out that the DoD actually publishes extensive guidance on minimum software versions. I guess that isn't so surprising, but the version numbers are. Kernel 2.6.30, ntp 4.2.4p7-RC2, OpenSSL 9.8k and the openssh to match, etc. The surprising part is that these are very fresh versions which are not included in many distributions. We use SUSE Enterprise quite a bit, but even openSUSE factory (their word for unstable) doesn't have these packages. Tarballing on this many systems is a nightmare and even then some things just don't seem to work. I don't have time to track down every possible lib/etc/opt/local/share path that different packages try to use by default. I think that this really highlights the trade-offs of stability and security. I have called Novell to ask about it. When vulnerabilities are found in software, they backport the patches into whatever version of the software they are currently supporting. The problem here is that doesn't give me a guarantee that the backport fixes the problem for which this upgrade is required (My requirements say to install version x or higher). There is also the question of how quickly they are providing the backports. I'm hoping that there are 100s of DoD Linux administrators reading this who can bombard me with solutions. How do you balance security with stability?"

Re:I am surprised

[Dragon_Hilord]

I think there might be some changelog analysis going on too. If you see "Huge exploit xyz fixed in this patch", you're more likely to use the new, untested version just because a known exploit is closed. With security software, they're always usually fixing, improving, and generally securing their software.

I personally keep pretty up-to-date, and I can understand that a government agency would want to be completely on top of things.

"It's safer"

Switch distros?

[HFShadow]

Take a look at gentoo, it'll definitely be bleeding edge enough to have the latest versions. Ubuntu server might satisfy your needs too.

Re:I am surprised

[characterZer0]

Some of the stuff that they do is as boring as public relations and kitchen supplies.

Why would they possibly need the latest kernel version?

Re:Doing your job?

[Anonymous Coward]

working smarter vs working harder?

It's a trap!

[bugnuts]

I'm hoping that there are 100s of DoD Linux administrators reading this who can bombard me with solutions. How do you balance security with stability?"

Computer security configuration data is on a need-to-know basis. Anyone revealing UCI will be receiving a call or visit from an armed person who had his sense of humor surgically removed. :-)

/workedtoolongforDOE

Re:I am surprised

[RichardJenkins]

The submitter says using back-ported security fixes (presumably from some official repository) is not an option because it doesn't give a guarantee of fixing the vulnerability the original update was for. If this is a problem I'm curious as to why he thinks manually installing the latest versions is any better. Is someone being paid to guarantee the efficacy of security fixes but only in those latest versions? If that is the case why not just pay them to audit the back-ported fixes in a repository instead? If you're using Linux and have been shrewd enough to install all of your applications through the distribution maintainers repository, then the sweet-spot between security and stability *is* using back-ported security fixes.

It's simple, really

[KGBear]

In this, like in many other things, the Windows way of thinking has poisoned the issue. The way Windows people think, reinforced by Microsoft's implementation of Patch Tuesday, has been picked up by systems auditors and managers and bureaucrats everywhere. So the mantra today is that you must patch. Hurry! There's a new version! If you don't install it now we're all gonna die! This comes from the fact that that is a pretty simple metric that can be written in policies and checked during audits.

If you lose data or your system gets abused and you're patched to the latest version you're off the hook. If you don't have the latest patch however you're fired. Even if the latest patch fixes a local privilege escalation on libgd2 and all your server does is DHCP and it was actually exploited by someone cleverly guessing your co-worker's password.

Same thing with firewalls: if all you run is a web server, I say you make sure nothing else is running that opens any ports. It's no use to setup a firewall, because the thing that is most vulnerable, port 80, will need to be open anyway. But get caught without a firewall in some places and you're fired.

It's a lot easier to write a meaningless list of requirements than to think about needs and policies and design the requirements

It's a lot safer to follow some dumb list of requirements than to try to understand what your systems are doing and configure accordingly

It's a lot easier for an auditor to check a list of requirements against the output of some version-checker than to actually know what these things do

It's the dumbing down of engineering that passes for systems administration these days. It's the Windows way of thinking.

Re:I am surprised

[pizza_milkshake]

Why would they possibly need the latest kernel version?

Because the people who write the requirements need to justify their jobs.

Re:Rolling Distrobution

[m1xram]

Let's take it a step further. Why not have the DoD make DoD Linux SS (super secret) version and DoD Linux RE (regular edition) with the specific packages they want. Lots of people roll their own, why not the DoD? Then the DoD posts the links to their new distros on DistroWatch.org.