<HTML
><HEAD
><TITLE
>Step 2: Updating</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="Security Quick-Start HOWTO for Red Hat Linux"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Step 1: Which services do we really need?"
HREF="services.html"><LINK
REL="NEXT"
TITLE="Step 3: Firewalls and Setting Access Policies"
HREF="firewalls.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Security Quick-Start HOWTO for Red Hat Linux</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="services.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="firewalls.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="UPDATES"></A>4. Step 2: Updating</H1
><P
> OK, this section should be short, simple and straightforward
compared to the above, but no less important.</P
><P
> The very first thing you should do after a new install is check
the errata notices at <A
HREF="http://redhat.com/errata/"
TARGET="_top"
>http://redhat.com/apps/errata/</A
>,
and apply all relevant updates. Only a year old, you say? That's a long
time actually, and not current enough to be safe. Only a few months or a few
weeks? Check anyway. A day or two? Better safe than sorry. It is quite
possible that security updates have been released during the pre-release
phase of the development and release cycle. If you can't take this step,
disable any publicly accessible services until you can. </P
><P
> Linux distributions are not static entities. They are updated with new,
patched packages as the need arises. The updates are just as important
as the original installation. Even more so, since they are fixes. Sometimes
these updates are bug fixes, but quite often they are security fixes because
some hole has been discovered. Such <SPAN
CLASS="QUOTE"
>"holes"</SPAN
> are
<EM
>immediately</EM
> known to the cracker community, and they are
quick to exploit them on a large scale. Once the hole is known, it is quite
simple to get in through it, and there will be many out there looking for it.
And Linux developers are equally quick to provide fixes. Sometimes the
same day as the hole has become known! </P
><P
> Keeping <EM
>all</EM
> installed packages current with your release
is one of the most important steps you can take in maintaining a secure
system. It cannot be emphasized enough that all installed packages should be
kept updated -- not just the ones you use. If this is burdensome, consider
uninstalling any unused packages. Actually, this is a good idea anyway. </P
><P
> But where to get this information in a timely fashion? There are a number of
web sites that offer the latest security news. There are also a number of
mailing lists dedicated to this topic. In fact, Red Hat has the <SPAN
CLASS="QUOTE"
>"watch"</SPAN
>
list, just for this purpose, at <A
HREF="https://listman.redhat.com/mailman/listinfo/redhat-watch-list"
TARGET="_top"
>https://listman.redhat.com/mailman/listinfo/redhat-watch-list</A
>. This is a very low
volume list, by the way. It is an excellent way to stay abreast of
issues affecting your release, and is <EM
>highly
recommended</EM
>. <A
HREF="http://linuxsecurity.com"
TARGET="_top"
>http://linuxsecurity.com</A
> is a good
site for Linux-only issues. They also have weekly newsletters available:
<A
HREF="http://www.linuxsecurity.com/general/newsletter.html"
TARGET="_top"
>http://www.linuxsecurity.com/general/newsletter.html</A
>.
</P
><P
>
Red Hat also has the <SPAN
CLASS="APPLICATION"
>up2date</SPAN
> utility
for automatically keeping your system(s) up to date ;-). See the man page
for details. </P
><P
> This is not a one-time process -- it is ongoing. It is important to stay
current. So watch those security notices. And subscribe to that
security mailing list today! If you have a cable modem, DSL, or other
full-time connection, there is no excuse not to do this religiously.
All distributions make this easy enough!
</P
><P
> One last note: any time a new package is installed, there is also a
chance that a new or revised configuration has been installed as well.
This means that if the package is a server of some kind, it may be
enabled as a result of the update. This is bad manners, but it can
happen, so be sure to run <SPAN
CLASS="APPLICATION"
>netstat</SPAN
> or a
comparable tool to verify your system is where you want it after any
updates or system changes. In fact, do it periodically even if there are no
such changes. </P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN571"></A>4.1. Summary and Conclusions for Step 2</H2
><P
> It is very simple: make sure your Linux installation is current. Check
the Red Hat errata for what updated packages may be available. There is nothing
wrong with running an older release, as long as the packages in it are
updated according to what Red Hat has made available since the initial
release, and as long as Red Hat is still supporting the release and
updates are still being provided. For instance,
Red Hat has stopped providing updates for 5.0 and 5.1, but still does for
5.2.
</P
></DIV
></DIV
></BODY
></HTML
>
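The post-update check recommended in the last note of Step 2 (run netstat and confirm nothing new is listening), as an added example that is not part of the original HOWTO. The `ALLOWED` list, the function names and the sample netstat output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HOWTO): report listening sockets that are not
# on an approved list, e.g. a server that a package update switched on.

# Approved listeners as "proto:port". Assumption: this host should offer SSH only.
ALLOWED="tcp:22"

# Reduce `netstat -tuln` output on stdin to sorted, unique "proto:port" pairs.
listeners() {
    awk '
        function emit(proto, addr) {
            sub(/6$/, "", proto)      # fold tcp6/udp6 into tcp/udp
            sub(/^.*:/, "", addr)     # keep the port after the last colon
            print proto ":" addr
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" { emit($1, $4) }
        $1 ~ /^udp/                    { emit($1, $4) }
    ' | sort -u
}

# Print each listener on stdin that is missing from $ALLOWED.
# Returns 0 when everything is approved, 1 otherwise.
unexpected() {
    found=$(listeners | while read -r sock; do
        case " $ALLOWED " in
            *" $sock "*) ;;
            *) echo "$sock" ;;
        esac
    done)
    [ -z "$found" ] && return 0
    echo "$found"
    return 1
}

# Constructed sample: output as it might look after an update enabled a mail
# server (port 25) and the portmapper (port 111).
sample_after_update() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

# On a live system: netstat -tuln | unexpected
sample_after_update | unexpected || echo "unapproved listeners found (listed above)"
```

Run it after every update and from time to time in between; a non-zero exit status means something is listening that the approved list does not cover.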