On 02/10/2013 03:37 AM, James Hogarth wrote:
>> I would assume (and I know it's not good to do that!) that the updates
>> and patches that are pushed out through the repos are something not to
>> be ignored,....so why would the severity of one be that big an
>> issue?....(and I'm just curious...not trying to start a war!..LoL!)
>>
> For a start there's three categories: bug fixes, enhancements and security
> fixes.
>
> The first will cover things like typos in man pages or behaviour that is
> not right but has no risk to the system.
>
> The second adds something new to a package - tzdata is a good example here.
>
> The third is security issues - these will generally fix one or more CVE
> announcements.
>
> Within that third category there are different levels of security issue
> depending on the nature of the problem.
>
> For example if something needs an interactive login as an unprivileged user
> to cause a process (eg mysqld) to fail that could be low security risk
> given the need to be on the system and only a denial of service to that one
> subsystem and no data loss.
>
> A higher category might be an unprivileged user being able to escalate
> their privileges to obtain increased access to a system they shouldn't have
> - there was a sudo exploit last year that would fall into this.
>
> The most severe category of security issue would allow an unprivileged user
> to remotely gain privileged access... This leads to full system compromises
> and should always be patched asap - especially on public facing systems.
>
> Sometimes it's possible to chain these things together... For example
> there might be a way for an unprivileged user to run arbitrary code (think
> a php bug perhaps) which you could then chain to a local privilege
> escalation to take full control of a system.
>
> This is also why SELinux is important to confine services to prevent them
> from going out of their allowed domain and mitigating security issues as
> and when they arise.
>
> As an admin rather than just updating everything all the time it's best
> practice to schedule updates and test them before major roll outs.
> Depending on the severity of the issue it may be something you delay to a
> standardised patching schedule (eg once a month update things) or treat as
> an emergency and roll out much quicker.
>
> Does that help explain things?
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

Most DEFINITELY! I can see I'll be "picking your brains" as MUCH as
possible....as I attempt to get an RHCSA certification!...LoL! I've been
using Fedora 18 and CentOS on two different machines now, and I would
always see these "SEL Alerts"...not knowing what they were....I will be
paying MUCH more attention to them from now on. Also I am going to check
for updates more frequently, I currently have my machine just give me a
notification when there's new updates available, but maybe scheduling it
for the last / first of every month isn't such a bad idea, at least I'd be
able to keep track of what's going on on those machines! As it stands now I
can't tell you when last either one of them were updated!....well thanks so
much for the info Mr. Hogarth!....Have a good weekend!

EGO II
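
The severity triage described in the quoted message, sketched as an added example that is not part of the original thread: it sorts one host's pending security updates into scheduled, expedited and emergency patching, and escalates a remote foothold plus a local privilege escalation when both are pending, since they can be chained. Using CVSS v3.1 base vectors as input, the category and urgency names, and the advisory ids and vectors are all assumptions constructed for illustration.

```python
# Added example: triage pending security updates by CVSS v3.1 base vector.
# The vector-to-category mapping and urgency names are assumptions made for
# illustration; the advisory ids and vectors below are constructed.

def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/PR:N/...' into a {metric: value} dict."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = dict(p.split(":", 1) for p in parts[1:])
    missing = {"AV", "PR", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"missing metrics {sorted(missing)} in {vector!r}")
    return metrics

def classify(vector):
    m = parse_vector(vector)
    full = m["C"] == "H" and m["I"] == "H"
    if m["C"] == "N" and m["I"] == "N":
        return "dos-only"            # availability impact only (or none)
    if m["AV"] == "N" and m["PR"] == "N":
        return "remote-takeover" if full else "remote-foothold"
    if m["AV"] == "L" and full:
        return "local-privesc"
    return "other"

URGENCY = {"remote-takeover": "emergency", "remote-foothold": "expedite",
           "local-privesc": "expedite", "dos-only": "scheduled",
           "other": "scheduled"}

def triage(pending):
    """pending: {advisory_id: vector} for ONE host -> {advisory_id: urgency}."""
    kinds = {adv: classify(vec) for adv, vec in pending.items()}
    result = {adv: URGENCY[k] for adv, k in kinds.items()}
    # Chaining: a remote foothold plus a local privilege escalation on the
    # same host adds up to a full compromise, so both become emergencies.
    if {"remote-foothold", "local-privesc"} <= set(kinds.values()):
        for adv, k in kinds.items():
            if k in ("remote-foothold", "local-privesc"):
                result[adv] = "emergency"
    return result

SAMPLE_HOST = {  # constructed
    "EXAMPLE-0001": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "EXAMPLE-0002": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "EXAMPLE-0003": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
}

if __name__ == "__main__":
    for adv, urgency in triage(SAMPLE_HOST).items():
        print(adv, urgency)
```

Taken alone, the local privilege escalation in the sample is only expedited; it becomes an emergency because the remote foothold is pending on the same host.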