James Gregory wrote:
How to manage and apply security? Similar and a little more than how you manage
However, Oscar: I am, for the sake of argument willing to accept your
position that unnecessary features should be disabled in order to
maximise security. I mean, I don't leave a crow-bar lying next to my car
when I park it. But, what I'd like to know is: how do you manage to
apply security patches to all of these machines that you administer? Do
you go to each one and manually apply the patch and rebuild/reboot etc?
If that is what you do, how do you mitigate the risk of leaving some
servers unpatched whilst working on others to go through this rigorous
process?
the distribution, and maintenance of some Linux Distro.
Once a working system is done, that includes recompilation, testing, and then
auditing, the master copy of the source and package binaries are place in some
secure place in accordance with a prescribed security policy. Some small
organisations would put their copies in Bank Safe Deposit Boxes. But larger
organisations build special places for the safety and security of these things.
From then on, installation, distribution, and maintenance is the same as you would with any system. So, for a kernel-bridge-firewall installation for example build-once and distribute-to-many is the procedure. One does not re-compile physically on each computer in the organization every time there is a patch that is to be made.
BTW, the exclusion process of parts of OS is operationalised thru the standard kernel reconfiguration process. So, the kernel re-compilation is exactly the same as one re-builds kernels, except for the fact that you have lots of "#CONFIG_???? is not set" in your .config file.
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
