[CentOS] what percent of time are there unpatched exploits against default config?

Wed Dec 28 13:43:51 UTC 2011
Johnny Hughes <johnny at centos.org>

On 12/27/2011 11:01 PM, Bennett Haselton wrote:
> Yeah I know that most break-ins do happen using third-party web apps;
> fortunately the servers I'm running don't have or need any of those.
> 
> But then what about what my friend said:
> "For example, there was a while back ( ~march ) a kernel exploit that
> affected CentOS / RHEL. The patch came after 1-2 weeks of the security
> announcement. The initial
> announcement provided a simple work around until the new version is
> released."
> Is that an extremely rare freak occurrence?  Or are you just saying it's
> rare *compared* to breakins using web apps?  Or am I misunderstanding what
> my friend was referring to in the above paragraph?
> 

There have been NO critical kernel updates.  A critical update is one
where someone can remotely execute items as the root user.

Almost all critical updates are Firefox, Thunderbird, telnetd (does
anyone still allow telnet?), or samba (never expose that directly to the
internet either :D).  There was one critical issue on CentOS-5.x for exim:

http://rhn.redhat.com/errata/RHSA-2010-0970.html

All the other issues (non-critical) will require the user to get a "user
shell" and then elevate their privileges some way.

================================================

If you want to know what the different classifications mean:

https://access.redhat.com/security/updates/classification/

================================================
If you want objective numbers for security exploits, here is some info
for RHEL:

http://www.redhat.com/security/data/metrics/

and

http://www.awe.com/mark/blog/tags/metrics

===============================================
If you want to search for a specific CVE:

https://www.redhat.com/security/data/cve/

===============================================

CentOS is currently completely updated with all released updates for
CentOS-4.9, CentOS-5.7, and CentOS-6.2.

We also provide a CR repository for "Point Release" transitions (though,
we will not always use the CR repo if we can get the point release out
within 2-3 weeks).  Here is info on the CR repository:

http://wiki.centos.org/AdditionalResources/Repositories/CR

=============================================

Long winded discussions on the list about people's opinions concerning
security might help you make decisions on the best practices for setting
up your server (do not allow ssh logins by password, limit logins by IP
addresses (or at least block problem subnets), disable root logins
directly, try to use SELinux for your web apps, etc.) ... but really,
each install is unique.

A google search will provide many suggestions for best security
practices, here is what upstream recommends:

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/pt-security.html

The bottom line is, a default installation requires hardening.  The
amount of hardening needed depends on each individual install and its
requirements.

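The three sshd_config points from the hardening list above (no password logins, no direct root login, restrict by source address) can be checked mechanically. The script below is an added example, not code from the mail or from the CentOS project. It audits an sshd_config the way sshd itself reads it (first occurrence of a keyword wins, `#` lines ignored, `=` accepted as a separator) and runs against two constructed sample files: a stock-looking weak config and a hardened one. Assumptions: upstream OpenSSH defaults of `yes` for PasswordAuthentication and PermitRootLogin when the directive is absent, no `Match` blocks, and `AllowUsers user@host` as the in-sshd_config way to limit logins by address (the iptables or TCP-wrapper alternatives the mail also allows are not checked here). Addresses in the samples are documentation ranges.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening points listed above.
# Not part of the original mail; runs offline on constructed sample files.

# Print the effective value of a directive. sshd honours the FIRST
# occurrence of a keyword, so we stop at the first match. Comments and
# blank lines are skipped; "Keyword value" and "Keyword=value" both parse.
# Assumption: no Match blocks (they would scope later directives).
sshd_effective() {
    # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[[:space:]]+/, "") }            # strip leading blanks
        /^#/ || NF == 0 { next }                # skip comments / empty lines
        { n = split($0, f, /[[:space:]=]+/) }   # keyword, then value
        n >= 2 && tolower(f[1]) == key { print f[2]; exit }
    ' "$1"
}

# Compare one directive with the value the hardening guidance wants.
# Prints OK/WEAK and returns 0 (ok) or 1 (weak). A missing directive is
# treated as its assumed upstream default ($4).
check_directive() {
    file=$1; key=$2; want=$3; default=$4
    val=$(sshd_effective "$file" "$key")
    if [ -z "$val" ]; then val=$default; fi
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$want" ]; then
        echo "OK   $key=$val"
        return 0
    fi
    echo "WEAK $key=$val (want: $want)"
    return 1
}

# Audit a whole file; the return code is the number of weak findings,
# so 0 means every checked point is hardened.
audit_sshd() {
    n=0
    check_directive "$1" PasswordAuthentication no yes || n=$((n+1))
    check_directive "$1" PermitRootLogin no yes        || n=$((n+1))
    # AllowUsers with user@host patterns restricts logins by source;
    # when it is absent sshd accepts logins from anywhere.
    if [ -z "$(sshd_effective "$1" AllowUsers)" ]; then
        echo "WEAK AllowUsers unset (no source-address restriction)"
        n=$((n+1))
    else
        echo "OK   AllowUsers set"
    fi
    return "$n"
}

# Constructed sample 1: a stock-looking config (PermitRootLogin only as a
# commented-out default, password logins on, no address restriction).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF

# Constructed sample 2: the same config after hardening.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication=no
PubkeyAuthentication yes
AllowUsers admin@192.0.2.10 deploy@203.0.113.*
UsePAM yes
EOF

# Constructed sample 3: duplicate keyword; sshd takes the first one ("no"),
# so a tool that reads the last line would wrongly report this as weak.
DUP_CFG=$(mktemp)
cat > "$DUP_CFG" <<'EOF'
PasswordAuthentication no
PasswordAuthentication yes
EOF

echo "== stock config"; audit_sshd "$WEAK_CFG" || echo "-> $? weak finding(s)"
echo "== hardened config"; audit_sshd "$HARD_CFG" || echo "-> $? weak finding(s)"
echo "== duplicate keyword, effective value: $(sshd_effective "$DUP_CFG" PasswordAuthentication)"
```

Run it as `sh audit.sh`; to check a live host, call `audit_sshd /etc/ssh/sshd_config` instead of the samples, and remember that a change only takes effect after `service sshd reload`, so test the new key-only login from a second session before closing the one you have.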