[CentOS] bounties for exploits against CentOS?
Bennett Haselton
bennett at peacefire.org
Tue Jan 17 15:04:30 UTC 2012
On 1/16/2012 3:13 PM, Eero Volotinen wrote:
>> Well I wasn't necessarily advocating it here, just asking whether people
>> would feel more or less secure using CentOS if such a prize program
>> existed (whether run by CentOS or RHEL), and why or why not.
> Well, no.
>
> Usually attacks on a system are caused by misconfiguration of the server or
> firewall, or by bugs in web applications *)
>
> *) https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Well, one of the lessons of the recent threads seems to be that there is
a lot of disagreement over what constitutes a "misconfigured server".
Some people consider a server misconfigured if it doesn't use a firewall
to limit access to sshd, some people consider it misconfigured if sshd
uses passwords instead of keys, some people consider the server
misconfigured if it doesn't use SELinux, etc. Because there are
mutually contradictory definitions of "misconfigured", if you find out
that a server was broken into you can always come up with a reason,
after the fact, why the server should be considered "misconfigured",
depending on whose definition you use.
But there seems to be some consensus, at least, that exploits do get
found which allow Apache to run arbitrary code (even under its
unprivileged account), and exploits do get found that elevate an
unprivileged user to root privileges. So you could offer, for example,
a bounty for anyone who finds a way to elevate the privilege of an
unprivileged account. That's a lot less powerful than a complete
exploit that can be used against any server on the Internet, but it's
the kind of thing an attacker might use as part of a larger exploit. So
would you feel safer using CentOS/Red Hat if Red Hat, for example,
offered a prize to anyone who could find a privilege-escalation exploit
like that? Knowing that it would reduce the chance of a black hat
finding the exploit and using it as part of an attack?
Bennett
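One of the "misconfigured" definitions argued over above is "sshd uses passwords instead of keys". Whether that is true on a given host is less obvious than it looks, because sshd_config has two rules that trip people up: for each keyword the first value in the file wins (later duplicates are ignored), and everything from the first Match line to the end of the file belongs to Match blocks rather than the global section. The script below is an added example, not code from the original post or from the CentOS or OpenSSH projects; it evaluates a constructed sshd_config the way sshd would and reports whether password logins are effectively still on. The sample configs, the default values table and the function names are assumptions made for the example.

```python
import re

# Constructed sample sshd_config (not taken from any real host). An admin
# appended "PasswordAuthentication no" at the end, believing that disables
# password logins globally. It does not: the earlier "yes" is the first
# occurrence, and the appended line sits inside the "Match User backup"
# block anyway.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
# appended later in the hope of disabling password logins globally:
PasswordAuthentication no
"""

# Constructed hardened counterpart: key-only authentication, set explicitly.
HARDENED_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
"""

# OpenSSH's compiled-in defaults for the keywords checked below (assumption:
# a current OpenSSH; PermitRootLogin's default has changed across versions,
# so it is reported separately when it is not set explicitly).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def effective_global(config_text):
    """Return the global settings sshd would actually use.

    Rules applied: the first occurrence of a keyword wins, and the global
    section ends at the first 'Match' line (everything after it is
    conditional and is ignored for the global verdict).
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both 'Keyword value' and 'Keyword=value'
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break  # global section ends here
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


def audit_sshd_config(config_text):
    """Return a list of findings; an empty list means key-only auth is enforced."""
    g = effective_global(config_text)

    def setting(keyword):
        return g.get(keyword, DEFAULTS.get(keyword, "")).lower()

    findings = []
    if setting("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication is effectively 'yes' "
                        "(first global occurrence wins; later lines and "
                        "Match blocks do not change the global value)")
    if setting("challengeresponseauthentication") == "yes":
        findings.append("ChallengeResponseAuthentication is 'yes': with UsePAM a "
                        "password can still be entered via keyboard-interactive")
    if setting("pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication is 'no': keys cannot be used at all")
    root = g.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set: the default depends on the "
                        "OpenSSH version, so set it explicitly")
    elif root.lower() == "yes":
        findings.append("PermitRootLogin is 'yes'")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(text) or "no findings")
```

The point of the check is the first finding: the sample file looks like it turns passwords off, yet sshd will keep accepting them. On a real host, `sshd -T` prints the effective configuration and is the authoritative answer; this script reproduces the two parsing rules so the reason for the result is visible.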