On Thu, Dec 29, 2011 at 2:01 AM, Bennett Haselton bennett@peacefire.org wrote:
(Side note: my friend replied to clarify that the "kernel exploit" he was talking about that was found in March of this year, was one that allowed a local user to gain root privilege, not one that allowed a remote user to get in through the webserver or sshd.
Look back through the changelogs if you want to see what vulnerabilities have existed for long intervals before being fixed - but perhaps not long after being found and published. If you have a web service running, I'd say it is a fairly safe bet that there is a vulnerability somewhere in the server, language(s), libraries, or the application itself that can be exploited to execute some arbitrary command. That turns what is classified as a local root exploit into something anyone on the internet can do. And I've seen some very sophisticated attempts show up in the logs...
So let's say it really is true that running automatic "yum" updates is not the most important thing to keep out remote users, and that the majority of webserver hacks do occur through out-of-date web apps.
I'm not convinced. Assume that some people will know the vulnerabilities before they are published (otherwise they obviously would never be published/fixed) and that a lot of other people will start attempting exploits immediately after publication. Look through your logs to see how many hits you are getting that are likely to be probes for vulnerabilities to get a feeling for how much of this is going on.
Would it not be best for the vast majority of those users to have updates turned on by default? If not, why not? (Power users can always turn them off, after all.)
If your service is important, then it is worth testing changes before making them on your important server. But no one else can tell you whether your server is that important or not... It's fairly trivial to run a 'yum update' on a lab server daily, and if anything updates, make sure that things still work before repeating it on the production box(es). The update checks can be scripted, but the "does it still work" test will be unique to your services.
What would your proposal be? (Remembering that you can't change human nature, so if it relies on the majority of end users devoting time that you think they "should" do, it won't happen :) )
Mine is to assume that there are very good reasons for 'Enterprise' distributions to go to the trouble of publishing updates. Install them. Always assume that there are still more vulnerabilities that you don't know about yet - and if you have to ask the question, you aren't going to do better than the developers and Red Hat at keeping up with them.