On Feb 28, 2008, at 1:48 PM, Ed Brown wrote:
> I've asked RedHat to respond through our support channel, but I'd
> like to raise this issue here too, for discussion, and to see if
> others see a need for a response by RedHat.
>
> There are third-party 'benchmarks' or configuration guides for RHEL5
> that are becoming standards, or mandates, at least for some
> government sites. E.g.:
> http://www.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.0.pdf
> (requires registration to download)
> or:
> http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf
>
> Each is over a hundred pages of configuration recommendations, from
> the common sense (turn off services you don't need) to the
> micro-managed and essentially arbitrary (chmod /etc/sysctl.conf from
> 0644 to 0600). Whether or not these documents induce a gag reflex,
> compliance with some such configuration standard is becoming de
> rigueur for some sites; how else to prove your system is securely set
> up?
>
> So these are my questions:
>
> - Are RedHat's "enterprise" operating systems insecure as shipped?
> Is third-party expertise on how to secure RHEL systems necessary?
It really depends on what packages you install and services you turn
on. For some services the person is required to be an expert in setup
and security to run those services. For example the web server in
RHEL5 in its default state is wide open to abuse. There are quite a
few steps RH could take to make it more secure. Things like setting
allow_url_fopen = Off in php.ini or shipping modsecurity with the
webserver package would help. RH is trying to create a balance of
features and security. In some cases sure they can do a much better
job with the out-of-the-box setup, but so could everyone else.
> - Why isn't RedHat providing a certified secure OS installation? Why
> aren't they working with CIS or other third-party 'authorities' to
> either implement these security must-haves, or to educate the
> security 'experts' on what is appropriate? Or are they?
RH could ship a very small and secure distro but I don't think the
market is large enough for a return on investment on RH's part.
Unfortunately a lot of these security procedures and requirements from
companies and governments are dictated by what is at risk. Although
they may mean well by them, oftentimes they are very hard to
implement. I don't think any amount of security experts or money will
make it much easier due to how fast technology changes.
> - To what degree are the so-called benchmarks arbitrary and
> unnecessary?
Only after you become compliant with any computer related security
regulations or requirements put on you by your customers/contractors.
> - What possibilities exist for breaking functionality, or voiding
> RedHat support, if the benchmarks are implemented? What are the
> risks?
There are great possibilities that a security requirement may break
functionality and support. For example you may have a DOD contract
that requires you to install some VPN/anti-bad-guy software that
completely foobars your system. Red Hat is only going to "support"
the software they ship. As a matter of fact the software bundled isn't
even guaranteed to function as advertised. We all know that software
updates can break functionality. You can submit a bug report/trouble
ticket and hope it gets fixed or grab the source and try fixing it
yourself. You are also free to use another product. This is no
different from any other Linux distributor or software vendor.
> Anybody else similarly concerned, or have other perspectives?
We all hope that the product we are getting is going to be easy to
use, secure, and supported. In reality it is a mixed bag. In the end I
feel your pain! We all have to deal with this on some level or another.
David Miller.
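As an added example (not from this thread, and not Red Hat's, CIS's or NSA's own tooling), here is a small shell audit of two of the benchmark-style settings named above: allow_url_fopen = Off in php.ini and mode 0600 on /etc/sysctl.conf. It checks constructed sample files in a scratch directory so it runs offline; point the functions at the real paths to use it on a host, and take the required values from the guides themselves rather than from this script.

```shell
#!/bin/bash
# Added example, not code from the thread or from Red Hat/CIS/NSA: audit two
# benchmark-style settings against sample files constructed below.

# Return 0 if the php.ini at $1 effectively sets allow_url_fopen = Off.
# PHP's built-in default is On, so a missing directive counts as a finding.
check_allow_url_fopen() {
    ini="$1"
    # The last uncommented occurrence wins, as in php.ini; strip ';' comments.
    val=$(grep -iE '^[[:space:]]*allow_url_fopen[[:space:]]*=' "$ini" 2>/dev/null \
          | tail -n 1 \
          | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    case "$val" in
        off|0|false|no|'""') return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the file at $1 has exactly the octal mode given in $2 (e.g. 600).
check_mode() {
    # GNU stat (RHEL/coreutils); fall back to BSD stat syntax elsewhere.
    actual=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$actual" = "$2" ]
}

# Create a scratch directory holding constructed samples (not real RHEL files):
# a lax php.ini, a hardened php.ini, and a sysctl.conf left at the 0644 default.
make_samples() {
    dir=$(mktemp -d)
    printf '; lax php.ini (constructed)\nallow_url_fopen = On\n' > "$dir/lax-php.ini"
    printf '; hardened php.ini (constructed)\nallow_url_fopen = On\nallow_url_fopen = Off ; last one wins\n' \
        > "$dir/hard-php.ini"
    : > "$dir/sysctl.conf"
    chmod 0644 "$dir/sysctl.conf"
    printf '%s\n' "$dir"
}

# Run both checks; print one PASS/FAIL line per item and return the number of findings.
audit() {
    ini="$1"; conf="$2"; findings=0
    if check_allow_url_fopen "$ini"; then
        echo "PASS allow_url_fopen is Off in $ini"
    else
        echo "FAIL allow_url_fopen is not Off in $ini (PHP default is On)"
        findings=$((findings + 1))
    fi
    if check_mode "$conf" 600; then
        echo "PASS $conf is mode 0600"
    else
        echo "FAIL $conf is not mode 0600"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone run against the constructed samples; the lax sample yields two findings.
samples=$(make_samples)
audit "$samples/lax-php.ini" "$samples/sysctl.conf" || echo "$? finding(s) in lax sample"
audit "$samples/hard-php.ini" "$samples/sysctl.conf" || echo "$? finding(s) in hardened sample"
rm -rf "$samples"
```

The exit status of audit is the finding count, so it slots into a cron job or a ticket-generating wrapper without parsing its output; extending it to the other items in the guides is a matter of adding one check function per item.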
_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list