BBS水木清华站∶精华区
发信人: cybergene (活泼的基因), 信区: Linux
标 题: Linux Security: It's Not Just About Security
发信站: BBS 水木清华站 (Sun Jan 9 10:23:27 2000)
Linux Security: It's Not Just About Security
jeff covey - January 08th 2000, 23:59 EST
Jon Lasser began the Bastille Linux Project in order to harden the
security of Red Hat Linux, the distribution he uses at work. In the
process, he began looking at the other distributions to see how they
handle security updates, and he was not at all happy with what he found.
In today's editorial, he shares his concerns and explains why it
matters to you even if you do all your security monitoring for yourself.
------------------------------------------------------------------------
--------
Copyright notice: All reader-written material on freshmeat is the
property and responsibility of its author; for reprint rights, please
contact the author directly.
------------------------------------------------------------------------
--------
As a professional Unix systems administrator, I'm concerned about system
security. Keeping unauthorized users off my systems is simply part of
my job; doing this requires vigilance in the form of monitoring
performance, reading logs, and keeping patches up-to-date. For me,
security is about security; it's about keeping my users' projects safe
and keeping them comfortable despite a full-time connection to the
Internet.
As Lead Coordinator of the Bastille Linux Project, a hardening script
for Red Hat Linux, I thought my job was to make Linux more secure so
beginning users could easily keep their boxes secure. Often, new Linux
users have no experience as system administrators or often even any
experience with Unix. I thought the best way to tackle the problem was
to make it easy to do the right thing.
Recently, I've been asked lots of questions about Linux system
security by reporters. Often, I'm put on the defensive right away:
Does Linux have a security problem? Why is Linux less secure than
other operating systems? Is open-source software inherently less
secure than commercial systems?
I usually begin by explaining that more holes are reported in
open-source software before they're exploited, and that the number of
actually-exploited holes is no greater -- perhaps even less -- than
commercial software. I explain that one reason there are so many
break-ins into Linux systems is that there are so many Linux systems
on the Internet, and I explain that Linux can be as secure as any
other operating system.
But Linux does have a security problem. It's not a universal problem,
but look at the following list of security Web sites, mailing lists, and
update tools for some common Linux distributions:
Red Hat Linux
http://www.redhat.com/support/errata
redhat-watch-list-request@redhat.com
Update Agent available only to purchasers of Red Hat 6.1
Debian
http://www.debian.org/security
debian-security-announce-REQUEST@lists.debian.org
apt-get update
SuSE
http://www.suse.de/security
suse-security-announce-subscribe@suse.com
No official tool for auto updates -- AutoRPM works on both SuSE and
Red Hat.
Mandrake
http://www.linux-mandrake.com/en/security.php3
symp@linux-mandrake.com
MandrakeUpdate
Caldera
http://www.calderasystems.com/support/security
announce-subscribe@lists.caldera.com is not just security updates but
also product announcements, press releases, etc.
No official tool for automatic updates
Corel
No known web page for security
No known mail list for security
No known tool for security updates. 'apt-get update' probably works,
as it's based on Debian Linux
Turbo Linux
No known web page for security
No known mail list for security
No known tool for security updates
Slackware Linux
No known web page for security
No known mail list for security
No known tool for security updates
These are all mainstream Linux distributions, tending towards a
general audience; at the least, they're not aiming at the router
market or the embedded devices market. These are all products intended
to be used by normal people and thrown up on a corporate network or even
the Internet. Some may be aimed at relatively expert users, but I'm a
fairly advanced user myself, and I still expect that my software
distributor is watching out for security at least minimally. That's
one of the reasons I don't roll my own distribution.
Of the eight common distributions I could think of, three have nothing
whatsoever to do with security, and at least one of the others didn't
seem to be doing anything useful. No wonder Linux has a security
problem: while those four distributions have probably less than a
quarter of the Linux market, they tend to be high-profile
distributions which garner more than their share of media coverage.
These distributions aren't just putting their users at risk; they're
damaging Linux's credibility and its image in the marketplace. Every
time I'm asked by a reporter why Linux is so insecure, I have to
consider Caldera, Corel, Turbo Linux, and Slackware before I can answer.
These distributions' total lack of concern with security is an
embarrassment to the entire Linux and Open-Source communities.
Because of these distributions, I'm forced to admit to reporters that
many Linux installations are insecure, and there's little the average
user can do about it without dedicating an inordinate amount of time
to security work. Most users aren't paid to worry about security, as I
am. For many, computing may be only a small part of their work. These
people can't rightly be asked to read Bugtraq; they've got work to do.
If only systems were kept up to patch, huge numbers of systems
wouldn't be cracked. On the university campus where I work, systems have
been exploited using the automount daemon bug which is more than a year
old, and which has been patched nearly that long. Being a professional,
I know that they shouldn't even be running it, because I know that
they're not using it. But I can't expect them to know, and I can't
even fix it myself: I didn't know that some of these machines existed
until I found out that they'd been hacked. Asking these users to read
a single, low-volume, vendor-specific mailing list is a pretty good
solution -- when those lists exist.
Experienced users should abandon Linux distributions which don't provide
security fixes in a timely manner and post that information to a Web
site, a mailing list, or both. They should abandon these distributions
not because they necessarily need the security notices for themselves,
but because these distributions are ruining Linux's image not only
with novice users, but with the reporters and editors who shape
managers' opinions on whether Linux is a viable solution.
You may claim that you're a hobbyist, and you couldn't care less if
businesses use Linux; that's your right, certainly. However, you lose
nothing when businesses use Linux, you lose nothing when security
updates are made available and publicized, and you gain nothing when
businesses reject Linux because some vendor couldn't be bothered to
package up an already publicly-available solution to a security hole.
The rest of us do lose. It hurts our professional reputations when we
stand behind a piece of software with frequent and highly-publicized
security lapses. It wastes our time, tracking down hacked user
machines for which we're not responsible and rebuilding them from the
ground up. It wastes our money, when businesses and government
agencies buy more expensive hardware and software for the illusion of
security.
Solving this problem isn't difficult or time consuming; simply pick
distributions which express a basic level of concern for security
issues, and let vendors know -- at trade shows, in e-mail, in letters to
the editor of your favorite publication -- that security isn't just
about security. It's about preserving our reputation for quality, and
it's about saving time and money.
------------------------------------------------------------------------
--------
Jon Lasser is a Unix Systems Administrator, Lead Coordinator for the
Bastille Linux Project, and author of a forthcoming Unix book from
Macmillan tentatively titled Think Unix. He's never bothered to take a
computer course, except a single Pascal class in high school. He lives
in Baltimore with his wife Kathleen, and their three cats: Mallet,
Dashigara, and Spike. If for some reason you want to know more, check
out his home page.
--
每个人都会经过这个阶段,见到一座山,就想知道山后面是什么。我很想
告诉他,可能翻过山后面,你会发现没什么特别。回望之下,可能会觉得这一
边更好。但我知道他不会听,以他的性格,自己不走过又怎会甘心?
Welcome to DNA Studio: http://dnastudio.dhs.org
new software, navupdate, wallpapers, mp3z, linux, forums......
※ 来源:·BBS 水木清华站 smth.org·[FROM: 202.112.85.250]
BBS水木清华站∶精华区