[CentOS] bounties for exploits against CentOS?

Tue Jan 17 15:47:20 UTC 2012
Eero Volotinen <eero.volotinen at iki.fi>

> Well one of the lessons of the recent threads seems to be that there is
> a lot of disagreement over what constitutes a "misconfigured server".
> Some people consider a server misconfigured if it doesn't use a firewall
> to limit access to sshd, some people consider it misconfigured if sshd
> uses passwords instead of keys, some people consider the server
> misconfigured if it doesn't use SELinux, etc.  Because there are
> mutually contradictory definitions of "misconfigured", if you find out
> that a server was broken into you can always come up with a reason,
> after the fact, why the server should be considered "misconfigured",
> depending on whose definition you use.

Well, first you need to select security baseline and apply it to server.
(for example: http://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL_5.0-5.1_Benchmark_v1.1.2.pdf)



>
> But there seems to be some consensus, at least, that exploits do get
> found which allow apache to run arbitrary code (even under its
> unprivileged account), and exploits do get found that elevate an
> unprivileged user to root privileges.  So you could offer, for example,
> a bounty for anyone who finds a way to elevate the privilege of an
> unprivileged account.  That's a lot less powerful than a complete
> exploit that can be used against any server on the Internet, but it's
> the kind of thing an attacker might use as part of a larger exploit.  So
> would you feel safer using CentOS/Red Hat if Red Hat, for example,
> offered a prize to anyone who could find a privilege-escalation exploit
> like that?  Knowing that it would reduce the chance of a black hat
> finding the exploit and using it as part of an attack?

well, not really.

--
Eero