Keeping Software Up to Date

Many security problems can be traced back to buggy software. Buggy servers—particularly if they must run as root—can give anybody on the Internet access to your computer. Servers aren't the only potential source of problems, either. Network clients can contain bugs that can be exploited by miscreants. Such problems have been documented in e-mail readers and web browsers, for instance. Under Linux, such problems are unlikely to give an attacker control of the computer, because these programs are normally run with ordinary user privileges. Nonetheless, buggy user software can give a cracker access to sensitive personal data. Some programs also run SUID root, and a bug in such a program could be devastating.

Warning: The risk of a security-related bug is one of many reasons you shouldn't browse the Web, read e-mail, or perform other routine tasks as root. A typo or slip of the mouse when performing a routine task as root could wipe out the entire system, whereas the same mistake as an ordinary user would, at worst, wipe out only your personal data.

Fortunately, bugs in Linux software are usually fixed soon after they're discovered. Therefore, if you monitor such things closely, chances are you'll find fixes for problems before crackers can widely exploit them. The question is how best to watch for updated software. Chapter 11 describes one class of tools designed to help automate software updates: Tools such as Debian's Advanced Package Tool (APT), Red Hat's Update Agent, and SuSE's YaST can notify you of important updates soon after they become available, or at least make it easy for you to check for them. In some configurations, these tools can even update your system automatically, although this practice isn't without its risks—an update might damage a configuration file or break a delicate set of dependencies, for instance. Overall, these update tools are an invaluable security boon.
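Checking for updates without applying them, as an added example that is not from the original text: the function below filters the output of APT's simulation mode (apt-get -s upgrade, which installs nothing) down to the upgrades that come from a security archive. It assumes the archive's label contains the word "security", as on Debian and Ubuntu; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report pending upgrades that come from a security archive.
# On a real system: apt-get update (as root), then
#   apt-get -s upgrade | pending_security_updates
# The -s flag only simulates, so nothing is installed.

# Constructed sample of `apt-get -s upgrade` output (made-up packages).
sample_sim_output() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  exampled libexample1 texteditor
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libexample1 [1.0-1] (1.0-1+deb12u1 Debian-Security:12/stable-security [amd64])
Inst exampled [2.4-3] (2.4-3+deb12u2 Debian-Security:12/stable-security [amd64])
Inst texteditor [5.1-1] (5.2-1 Debian:12.5/stable [amd64])
Conf libexample1 (1.0-1+deb12u1 Debian-Security:12/stable-security [amd64])
Conf exampled (2.4-3+deb12u2 Debian-Security:12/stable-security [amd64])
Conf texteditor (5.2-1 Debian:12.5/stable [amd64])
EOF
}

# Reads simulation output on stdin and prints "package old -> new" for each
# upgrade whose source archive label mentions "security" (assumption: the
# Debian/Ubuntu naming convention). Only the archive label is tested, so a
# package that merely has "security" in its name is not flagged.
pending_security_updates() {
    awk '$1 == "Inst" && $3 ~ /^\[/ {
        origin = substr($0, index($0, "(") + 1)
        sub(/^[^ ]+ /, "", origin)            # drop the new version number
        if (tolower(origin) !~ /security/) next
        old = $3; sub(/^\[/, "", old); sub(/\]$/, "", old)
        new = $4; sub(/^\(/, "", new)
        printf "%s %s -> %s\n", $2, old, new
    }'
}

# Number of pending security upgrades found on stdin.
count_security_updates() {
    pending_security_updates | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
sample_sim_output | pending_security_updates
```

Run from cron and mailed to the administrator, a report like this gives the notification without the risk of an unattended upgrade touching configuration files or dependencies.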

Whether or not you use automatic update tools, there are other sources of information you should monitor for important security notices. You may hear of a problem before an update becomes available. If the problem is serious enough, you might want to temporarily disable a server or remove the affected software. Important sources of security information include:

Security Websites: Many security websites exist. Three of the most important are the sites for the Computer Incident Advisory Capability (CIAC; http://www.ciac.org/ciac/), the Computer Emergency Response Team (CERT; http://www.cert.org), and the Center for Internet Security (CIS; http://www.cisecurity.org). All three sites offer information on the latest threats, pointers to additional information, and so on. CIAC, CERT, and CIS cover security for all platforms. A similar Linux-specific site is Linux Security (http://www.linuxsecurity.com). All of these sites are good places to look for more information if you hear of a new threat but need more details.

Security Mailing Lists: Many security websites offer companion mailing lists or e-mail newsletters. Check their web pages for details. You can subscribe to the CERT advisory mailing list by sending e-mail to [email protected] containing the text subscribe cert-advisory. Once on the list, you'll receive a copy of every CERT advisory in your e-mail, so you can respond quickly should the need arise.

Security Newsgroups: Several Usenet newsgroups cover security. Of particular interest to Linux users are comp.security.unix and comp.os.linux.security. Newsgroups devoted to specific security topics, such as comp.security.firewalls, also exist, as do groups for specific Linux distributions, such as linux.debian.security. These newsgroups can be a good place to go to ask advice or to lurk to watch ongoing discussions and notices of new problems.

Distributions' Websites: Most distributions have security-related pages on their websites. These may be accessible as links from the main page or buried under some other topic. If you don't see a security link, look for words such as errata or updates. Some distributions are now relying on their update tools and giving security web pages a less prominent position on their sites.

Individual Program's Website: If you run particularly visible or sensitive servers, you may want to monitor their home pages. This action is particularly advisable if you've replaced a standard package with one that normally doesn't come with your distribution, and therefore may not be handled by your automatic package update tools or mentioned on your distribution's web page.

Each of these sources of information has its advantages and drawbacks. For instance, certain mailing lists can alert you to problems soon after they're discovered; but these alerts may not provide you with the simplest upgrade path. For that, you may need to look to your distribution's or the program's website or an automatic upgrade tool. Newsgroups and security web pages are useful general education resources. In sum, these information sources are best used together to help you know when to upgrade your system, as well as how to deal with security threats generally.
