Ben Reser wrote:

> Even with an insignificant performance problem (which is debatable).
> It would have little purpose. As an admin a tool like this wouldn't
> give me better sleep. As I've pointed out before there have been ways
> found around such tools. The only better sleep I get is by verifying
> that I am patched against the vulnerability with a real fix.

Well, and if the patch doesn't exist yet? And furthermore, I repeat: in most cases there isn't ANY sysadmin who worries about upgrades.

> As far as worms go there have been relatively few Linux worms. And all
> of them have been for well known and already patched issues.

Well, not as bad as Nimda (btw, after one year I still get Apache logs full of Nimda and Red worm attempts, which means that sysadmins often upgrade their machines ASAP...), but the fact that there aren't so many (especially because on Linux email isn't the main vehicle for propagation) doesn't mean they aren't dangerous.

> Something like StackGuard provides an insignificant amount of added
> protection for people who apply the proper updates.

When updates don't cause you to reconfigure your daemons... ;-)

> I just don't think it's worth it. If it was then all the distros would
> already be doing it and the Immunix patches would have been merged into
> the mainline gcc.

Tell me, of the latest 100 Linux security advisories for daemons with buffer overruns giving the possibility to obtain a remote shell (or root shell), how many of them would have been blocked (with a DoS for instance) if the daemon had had libsafe active or was compiled with StackGuard enabled? If we had based our security on what other distros do, then we wouldn't have had any msec, libsafe, kernel-secure, etc., and all our security tools would have been tcp_wrappers...

Bye.
Giuseppe.
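The mechanism the two posters are arguing about (a StackGuard-style canary turning a return-address overwrite into a crash instead of a shell) modelled as an added example, not code from the thread, from StackGuard or from libsafe; the frame layout, canary value and saved return address are constructed for illustration:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a guarded stack frame as a flat byte array:
 * local buffer, then the canary, then the saved return address. */
#define BUF_SZ     16
#define CANARY_OFF BUF_SZ
#define RET_OFF    (BUF_SZ + sizeof(uint32_t))
#define FRAME_SZ   (RET_OFF + sizeof(uintptr_t))

static const uint32_t  CANARY    = 0xA5C3E17Bu;  /* constructed value */
static const uintptr_t SAVED_RET = 0x08048ABCu;  /* constructed placeholder */

enum outcome { RET_INTACT = 0, RET_CLOBBERED = 1, CANARY_ABORT = 2 };

/* Copies `len` bytes of untrusted input into the buffer without a bounds
 * check (the bug class the advisories describe), then runs the epilogue
 * check a guarded build would perform. The copy is capped at FRAME_SZ only
 * so the model stays within defined behaviour; that cap is not a fix. */
enum outcome frame_copy(const unsigned char *input, size_t len, int guarded) {
    unsigned char frame[FRAME_SZ];
    uint32_t canary;
    uintptr_t ret;

    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(frame + RET_OFF, &SAVED_RET, sizeof SAVED_RET);

    if (len > FRAME_SZ) len = FRAME_SZ;
    memcpy(frame, input, len);               /* the unchecked copy */

    memcpy(&canary, frame + CANARY_OFF, sizeof canary);
    memcpy(&ret, frame + RET_OFF, sizeof ret);

    /* Guarded build: a changed canary kills the process before the
     * corrupted return address is used -- a DoS, not a remote shell. */
    if (guarded && canary != CANARY) return CANARY_ABORT;
    return ret == SAVED_RET ? RET_INTACT : RET_CLOBBERED;
}

/* Feeds `len` bytes of 'A' (constructed input) through frame_copy. */
enum outcome run_case(size_t len, int guarded) {
    unsigned char input[FRAME_SZ];
    memset(input, 'A', sizeof input);
    return frame_copy(input, len, guarded);
}

int main(void) {
    printf("8 bytes, guarded:        %d\n", run_case(8, 1));
    printf("full overflow, plain:    %d\n", run_case(FRAME_SZ, 0));
    printf("full overflow, guarded:  %d\n", run_case(FRAME_SZ, 1));
    return 0;
}
```

Outcome 1 is the case an advisory would rate as remote code execution; outcome 2 is the same input on a guarded build, where the daemon dies instead.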
